Edit tour

Windows Analysis Report
EpH9QFlrm2.exe

Overview

General Information

Sample name:	EpH9QFlrm2.exe renamed because original name is a hash value
Original sample name:	ee23238fc24de9406effe1973b94c05c19e1347c38046ae74dc07159bec01f3c.exe
Analysis ID:	1588010
MD5:	5f7d704d6ccc83f30d9f758b2323e59c
SHA1:	4a67f80a42d4169122058bbd099a0feadf944a83
SHA256:	ee23238fc24de9406effe1973b94c05c19e1347c38046ae74dc07159bec01f3c
Tags:	AgentTeslaexeuser-adrian__luca
Infos:

Detection

AgentTesla, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AgentTesla

Yara detected PureLog Stealer

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Switches to a custom stack to bypass stack traces

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

EpH9QFlrm2.exe (PID: 7352 cmdline: "C:\Users\user\Desktop\EpH9QFlrm2.exe" MD5: 5F7D704D6CCC83F30D9F758B2323E59C)

RegSvcs.exe (PID: 7408 cmdline: "C:\Users\user\Desktop\EpH9QFlrm2.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Host": "mail.mbarieservicesltd.com", "Username": "saless@mbarieservicesltd.com", "Password": "     *o9H+18Q4%;M     "}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1731244005.00000000038E0000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 F5 88 44 24 2B 88 44 24 2F B0 24 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
00000001.00000002.2953253177.0000000004171000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000001.00000002.2953253177.0000000004171000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000001.00000002.2951140084.0000000000400000.00000040.80000000.00040000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 F5 88 44 24 2B 88 44 24 2F B0 24 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000001.00000002.2952346612.00000000031CB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.2953794085.0000000005790000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000001.00000002.2953794085.0000000005790000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000001.00000002.2952346612.0000000003171000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.2952346612.0000000003171000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.2953428892.00000000055F0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000001.00000002.2953428892.00000000055F0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000001.00000002.2952128669.0000000002E8E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000001.00000002.2952128669.0000000002E8E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7408	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7408	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
decrypted.memstr	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
decrypted.memstr	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 12 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.RegSvcs.exe.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 F5 88 44 24 2B 88 44 24 2F B0 24 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
1.2.RegSvcs.exe.55f0000.6.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.2.RegSvcs.exe.55f0000.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.RegSvcs.exe.2ece886.2.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.2.RegSvcs.exe.2ece886.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.RegSvcs.exe.2ecf76e.1.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.2.RegSvcs.exe.2ecf76e.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.RegSvcs.exe.2ece886.2.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.2.RegSvcs.exe.2ece886.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.RegSvcs.exe.5790000.7.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.2.RegSvcs.exe.5790000.7.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.RegSvcs.exe.41b4590.3.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.2.RegSvcs.exe.41b4590.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.RegSvcs.exe.2ecf76e.1.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.2.RegSvcs.exe.2ecf76e.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.RegSvcs.exe.4176458.4.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.2.RegSvcs.exe.4176458.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 F5 88 44 24 2B 88 44 24 2F B0 24 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
1.2.RegSvcs.exe.5790000.7.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.2.RegSvcs.exe.5790000.7.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.RegSvcs.exe.55f0ee8.5.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.2.RegSvcs.exe.55f0ee8.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.RegSvcs.exe.4176458.4.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.2.RegSvcs.exe.4176458.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.RegSvcs.exe.55f0ee8.5.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.2.RegSvcs.exe.55f0ee8.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.RegSvcs.exe.55f0000.6.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.2.RegSvcs.exe.55f0000.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.RegSvcs.exe.41b4590.3.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.2.RegSvcs.exe.41b4590.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.EpH9QFlrm2.exe.38e0000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 F5 88 44 24 2B 88 44 24 2F B0 24 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
Click to see the 26 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 199.79.62.115, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 7408, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49730

Suricata Signatures

ET MALWARE AgentTesla Exfil Via SMTP

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T20:30:50.697434+0100	2030171	1	A Network Trojan was detected	192.168.2.4	49730	199.79.62.115	587	TCP

ETPRO MALWARE Agent Tesla CnC Exfil Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T20:30:57.973920+0100	2855542	1	A Network Trojan was detected	192.168.2.4	49730	199.79.62.115	587	TCP

ETPRO MALWARE Agent Tesla Exfil via SMTP

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T20:30:57.973920+0100	2855245	1	A Network Trojan was detected	192.168.2.4	49730	199.79.62.115	587	TCP

ETPRO MALWARE Win32/Agent Tesla SMTP Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T20:30:50.697434+0100	2839723	1	Malware Command and Control Activity Detected	192.168.2.4	49730	199.79.62.115	587	TCP

ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T20:30:50.697434+0100	2840032	1	A Network Trojan was detected	192.168.2.4	49730	199.79.62.115	587	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 1.2.RegSvcs.exe.41b4590.3.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "mail.mbarieservicesltd.com", "Username": "saless@mbarieservicesltd.com", "Password": " *o9H+18Q4%;M "}

Multi AV Scanner detection for submitted file

Source: EpH9QFlrm2.exe	Virustotal: Detection: 70%			Perma Link
Source: EpH9QFlrm2.exe	ReversingLabs: Detection: 78%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: EpH9QFlrm2.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: /log.tmp
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: <br>[
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: yyyy-MM-dd HH:mm:ss
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: ]<br>
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: <br>
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Time:
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: MM/dd/yyyy HH:mm:ss
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: <br>User Name:
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: <br>Computer Name:
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: <br>OSFullName:
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: <br>CPU:
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: <br>RAM:
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: <br>
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: IP Address:
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: <br>
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: <hr>
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: New
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: MM/dd/yyyy HH:mm:ss
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: IP Address:
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: false
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: false
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: false
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: false
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: false
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: false
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: false
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: false
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: false
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: mail.mbarieservicesltd.com
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: saless@mbarieservicesltd.com
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: *o9H+18Q4%;M
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: iinfo@mbarieservicesltd.com
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: false
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: false
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: appdata
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: KTvkzEc
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: KTvkzEc.exe
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: KTvkzEc
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Type
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: <br>
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: <hr>
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: <br>
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: <b>[
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: ]</b> (
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: )<br>
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: {BACK}
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: {ALT+TAB}
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: {ALT+F4}
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: {TAB}
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: {ESC}
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: {Win}
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: {CAPSLOCK}
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: {KEYUP}
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: {KEYDOWN}
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: {KEYLEFT}
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: {KEYRIGHT}
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: {DEL}
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: {END}
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: {HOME}
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: {Insert}
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: {NumLock}
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: {PageDown}
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: {PageUp}
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: {ENTER}
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: {F1}
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: {F2}
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: {F3}
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: {F4}
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: {F5}
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: {F6}
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: {F7}
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: {F8}
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: {F9}
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: {F10}
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: {F11}
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: {F12}
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: control
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: {CTRL}
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: &
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: <
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: >
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: "
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: <br><hr>Copied Text: <br>
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: <hr>
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: logins
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: IE/Edge
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Windows Secure Note
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: 3CCD5499-87A8-4B10-A215-608888DD3B55
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Windows Web Password Credential
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: 154E23D0-C644-4E6F-8CE6-5069272F999F
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Windows Credential Picker Protector
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Web Credentials
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Windows Credentials
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Windows Domain Certificate Credential
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: 3E0E35BE-1B77-43E7-B873-AED901B6275B
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Windows Domain Password Credential
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Windows Extended Credential
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: 00000000-0000-0000-0000-000000000000
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: SchemaId
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: pResourceElement
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: pIdentityElement
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: pPackageSid
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: pAuthenticatorElement
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: IE/Edge
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: UC Browser
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: UCBrowser\
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Login Data
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: journal
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: wow_logins
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Safari for Windows
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: \Common Files\Apple\Apple Application Support\plutil.exe
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: \Apple Computer\Preferences\keychain.plist
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: <array>
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: <dict>
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: <string>
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: </string>
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: <string>
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: </string>
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: <data>
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: </data>
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: -convert xml1 -s -o "
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: \fixed_keychain.xml"
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: \Microsoft\Credentials\
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: \Microsoft\Credentials\
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: \Microsoft\Credentials\
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: \Microsoft\Credentials\
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: \Microsoft\Protect\
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: credential
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: QQ Browser
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Tencent\QQBrowser\User Data
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: \Default\EncryptedStorage
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Profile
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: \EncryptedStorage
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: entries
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: category
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Password
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: str3
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: str2
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: blob0
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: password_value
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: IncrediMail
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: PopPassword
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: SmtpPassword
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Software\IncrediMail\Identities\
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: \Accounts_New
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: PopPassword
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: SmtpPassword
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: SmtpServer
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: EmailAddress
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Eudora
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Software\Qualcomm\Eudora\CommandLine\
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: current
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Settings
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: SavePasswordText
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Settings
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: ReturnAddress
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Falkon Browser
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: \falkon\profiles\
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: profiles.ini
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: startProfile=([A-z0-9\/\.\"]+)
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: profiles.ini
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: \browsedata.db
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: autofill
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: ClawsMail
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: \Claws-mail
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: \clawsrc
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: \clawsrc
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: passkey0
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: master_passphrase_salt=(.+)
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: master_passphrase_pbkdf2_rounds=(.+)
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: \accountrc
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: smtp_server
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: address
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: account
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: \passwordstorerc
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: {(.),(.)}(.*)
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Flock Browser
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: APPDATA
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: \Flock\Browser\
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: signons3.txt
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: DynDns
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: ALLUSERSPROFILE
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Dyn\Updater\config.dyndns
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: username=
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: password=
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: https://account.dyn.com/
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: t6KzXhCh
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: ALLUSERSPROFILE
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Dyn\Updater\daemon.cfg
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: global
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: accounts
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: account.
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: username
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: account.
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: password
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Psi/Psi+
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: name
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: password
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Psi/Psi+
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: APPDATA
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: \Psi\profiles
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: APPDATA
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: \Psi+\profiles
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: \accounts.xml
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: \accounts.xml
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: OpenVPN
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Software\OpenVPN-GUI\configs
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Software\OpenVPN-GUI\configs
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Software\OpenVPN-GUI\configs\
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: username
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: auth-data
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: entropy
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: USERPROFILE
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: \OpenVPN\config\
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: remote
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: remote
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: NordVPN
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: NordVPN
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: NordVpn.exe*
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: user.config
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: //setting[@name='Username']/value
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: //setting[@name='Password']/value
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: NordVPN
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Private Internet Access
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: %ProgramW6432%
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Private Internet Access\data
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: ProgramFiles(x86)
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: \Private Internet Access\data
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: \account.json
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: ."username":"(.?)"
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: ."password":"(.?)"
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Private Internet Access
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: privateinternetaccess.com
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: FileZilla
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: APPDATA
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: \FileZilla\recentservers.xml
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: APPDATA
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: \FileZilla\recentservers.xml
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: <Server>
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: <Host>
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: <Host>
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: </Host>
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: <Port>
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: </Port>
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: <User>
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: <User>
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: </User>
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: <Pass encoding="base64">
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: <Pass encoding="base64">
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: </Pass>
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: <Pass>
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: <Pass encoding="base64">
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: </Pass>
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: CoreFTP
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: SOFTWARE\FTPWare\COREFTP\Sites
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: User
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Host
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Port
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: hdfzpysvpzimorhk
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: WinSCP
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: HostName
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: UserName
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Password
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: PublicKeyFile
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: PortNumber
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: [PRIVATE KEY LOCATION: "{0}"]
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: WinSCP
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: ABCDEF
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Flash FXP
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: port
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: user
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: pass
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: quick.dat
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Sites.dat
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: \FlashFXP\
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: \FlashFXP\
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: yA36zA48dEhfrvghGRg57h5UlDv3
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: FTP Navigator
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: SystemDrive
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: \FTP Navigator\Ftplist.txt
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Server
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Password
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: No Password
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: User
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: SmartFTP
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: APPDATA
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: SmartFTP\Client 2.0\Favorites\Quick Connect
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: WS_FTP
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: appdata
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Ipswitch\WS_FTP\Sites\ws_ftp.ini
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: HOST
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: PWD=
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: PWD=
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: FtpCommander
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: SystemDrive
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: \Program Files (x86)\FTP Commander Deluxe\Ftplist.txt
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: SystemDrive
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: \Program Files (x86)\FTP Commander\Ftplist.txt
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: SystemDrive
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: \cftp\Ftplist.txt
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: \VirtualStore\Program Files (x86)\FTP Commander\Ftplist.txt
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: \VirtualStore\Program Files (x86)\FTP Commander Deluxe\Ftplist.txt
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: ;Password=
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: ;User=
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: ;Server=
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: ;Port=
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: ;Port=
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: ;Password=
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: ;User=
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: ;Anonymous=
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: FTPGetter
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: \FTPGetter\servers.xml
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: <server>
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: <server_ip>
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: <server_ip>
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: </server_ip>
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: <server_port>
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: </server_port>
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: <server_user_name>
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: <server_user_name>
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: </server_user_name>
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: <server_user_password>
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: <server_user_password>
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: </server_user_password>
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: FTPGetter
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: The Bat!
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: appdata
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: \The Bat!
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: \Account.CFN
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: \Account.CFN
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: +-0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Becky!
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: HKEY_CURRENT_USER\Software\RimArts\B2\Settings
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: DataDir
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Folder.lst
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: \Mailbox.ini
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Account
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: PassWd
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Account
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: SMTPServer
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Account
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: MailAddress
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Becky!
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Outlook
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Email
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: IMAP Password
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: POP3 Password
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: HTTP Password
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: SMTP Password
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Email
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Email
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Email
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: IMAP Password
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: POP3 Password
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: HTTP Password
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: SMTP Password
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Server
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Windows Mail App
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: COMPlus_legacyCorruptedStateExceptionsPolicy
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Software\Microsoft\ActiveSync\Partners
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Email
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Server
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: SchemaId
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: pResourceElement
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: pIdentityElement
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: pPackageSid
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: pAuthenticatorElement
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: syncpassword
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: mailoutgoing
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: FoxMail
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: HKEY_CURRENT_USER\Software\Aerofox\FoxmailPreview
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Executable
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: HKEY_CURRENT_USER\Software\Aerofox\Foxmail\V3.1
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: FoxmailPath
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: \Storage\
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: \Storage\
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: \mail
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: \mail
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: \VirtualStore\Program Files\Foxmail\mail
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: \VirtualStore\Program Files\Foxmail\mail
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: \VirtualStore\Program Files (x86)\Foxmail\mail
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: \VirtualStore\Program Files (x86)\Foxmail\mail
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: \Accounts\Account.rec0
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: \Accounts\Account.rec0
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: \Account.stg
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: \Account.stg
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: POP3Host
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: SMTPHost
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: IncomingServer
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Account
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: MailAddress
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Password
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: POP3Password
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Opera Mail
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: \Opera Mail\Opera Mail\wand.dat
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: \Opera Mail\Opera Mail\wand.dat
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: opera:
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: abcdefghijklmnopqrstuvwxyz1234567890_-.~!@#$%^&*()[{]}\\|';:,<>/?+=
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: PocoMail
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: appdata
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: \Pocomail\accounts.ini
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Email
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: POPPass
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: SMTPPass
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: SMTP
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: eM Client
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: eM Client\accounts.dat
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: eM Client
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Accounts
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: "Username":"
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: "Secret":"
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: 72905C47-F4FD-4CF7-A489-4E8121A155BD
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: "ProviderName":"
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: o6806642kbM7c5
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Mailbird
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: SenderIdentities
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Accounts
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: \Mailbird\Store\Store.db
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Server_Host
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Accounts
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Email
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Username
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: EncryptedPassword
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Mailbird
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: RealVNC 4.x
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: SOFTWARE\Wow6432Node\RealVNC\WinVNC4
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Password
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: RealVNC 3.x
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: SOFTWARE\RealVNC\vncserver
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Password
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: RealVNC 4.x
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: SOFTWARE\RealVNC\WinVNC4
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Password
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: RealVNC 3.x
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Software\ORL\WinVNC3
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Password
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: TightVNC
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Software\TightVNC\Server
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Password
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: TightVNC
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Software\TightVNC\Server
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: PasswordViewOnly
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: TightVNC ControlPassword
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Software\TightVNC\Server
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: ControlPassword
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: TigerVNC
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Software\TigerVNC\Server
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Password
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: UltraVNC
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: ProgramFiles(x86)
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: passwd
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: UltraVNC
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: ProgramFiles(x86)
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: passwd2
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: UltraVNC
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: ProgramFiles
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: passwd
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: UltraVNC
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: ProgramFiles
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: passwd2
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: UltraVNC
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: ProgramFiles
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: passwd
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: UltraVNC
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: ProgramFiles
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: passwd2
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: UltraVNC
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: ProgramFiles(x86)
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: passwd
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: UltraVNC
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: ProgramFiles(x86)
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: passwd2
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: JDownloader 2.0
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: JDownloader 2.0\cfg
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: org.jdownloader.settings.AccountSettings.accounts.ejs
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: JDownloader 2.0\cfg
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: jd.controlling.authentication.AuthenticationControllerSettings.list.ejs
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Paltalk
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: Software\A.V.M.\Paltalk NG\common_settings\core\users\creds\
Source: 1.2.RegSvcs.exe.41b4590.3.unpack	String decryptor: nickname

Source: EpH9QFlrm2.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: _.pdb source: RegSvcs.exe, 00000001.00000002.2953253177.0000000004171000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2953428892.00000000055F0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2952128669.0000000002E8E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: EpH9QFlrm2.exe, 00000000.00000003.1729121519.0000000003980000.00000004.00001000.00020000.00000000.sdmp, EpH9QFlrm2.exe, 00000000.00000003.1729951049.0000000003B20000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: EpH9QFlrm2.exe, 00000000.00000003.1729121519.0000000003980000.00000004.00001000.00020000.00000000.sdmp, EpH9QFlrm2.exe, 00000000.00000003.1729951049.0000000003B20000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Code function: 0_2_0054445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0054445A
Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Code function: 0_2_0054C6D1 FindFirstFileW,FindClose,	0_2_0054C6D1
Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Code function: 0_2_0054C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0054C75C
Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Code function: 0_2_0054EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0054EF95
Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Code function: 0_2_0054F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0054F0F2
Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Code function: 0_2_0054F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0054F3F3
Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Code function: 0_2_005437EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_005437EF
Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Code function: 0_2_00543B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00543B12
Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Code function: 0_2_0054BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0054BCBC

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855245 - Severity 1 - ETPRO MALWARE Agent Tesla Exfil via SMTP : 192.168.2.4:49730 -> 199.79.62.115:587
Source: Network traffic	Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.4:49730 -> 199.79.62.115:587
Source: Network traffic	Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.4:49730 -> 199.79.62.115:587
Source: Network traffic	Suricata IDS: 2839723 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla SMTP Activity : 192.168.2.4:49730 -> 199.79.62.115:587
Source: Network traffic	Suricata IDS: 2840032 - Severity 1 - ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 : 192.168.2.4:49730 -> 199.79.62.115:587

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 199.79.62.115:587

Source: Joe Sandbox View

IP Address: 199.79.62.115 199.79.62.115

Source: Joe Sandbox View

ASN Name: PUBLIC-DOMAIN-REGISTRYUS PUBLIC-DOMAIN-REGISTRYUS

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 199.79.62.115:587

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\EpH9QFlrm2.exe

Code function: 0_2_005522EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_005522EE

Source: global traffic

DNS traffic detected: DNS query: mail.mbarieservicesltd.com

Source: RegSvcs.exe, 00000001.00000002.2952346612.00000000031CB000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: http://mail.mbarieservicesltd.com

Source: C:\Users\user\Desktop\EpH9QFlrm2.exe

Code function: 0_2_00554164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00554164

Source: C:\Users\user\Desktop\EpH9QFlrm2.exe

Code function: 0_2_00554164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00554164

Source: C:\Users\user\Desktop\EpH9QFlrm2.exe

Code function: 0_2_00553F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00553F66

Source: C:\Users\user\Desktop\EpH9QFlrm2.exe

Code function: 0_2_0054001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_0054001C

Source: C:\Users\user\Desktop\EpH9QFlrm2.exe

Code function: 0_2_0056CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_0056CABC

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.EpH9QFlrm2.exe.38e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000000.00000002.1731244005.00000000038E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000001.00000002.2951140084.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Code function: This is a third-party compiled AutoIt script.	0_2_004E3B3A
Source: EpH9QFlrm2.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: EpH9QFlrm2.exe, 00000000.00000000.1692088215.0000000000594000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_449259d0-d
Source: EpH9QFlrm2.exe, 00000000.00000000.1692088215.0000000000594000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_271a4592-f
Source: EpH9QFlrm2.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_591eedcc-f
Source: EpH9QFlrm2.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_dc862c5c-4

Source: C:\Users\user\Desktop\EpH9QFlrm2.exe

Code function: 0_2_0054A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_0054A1EF

Source: C:\Users\user\Desktop\EpH9QFlrm2.exe

Code function: 0_2_00538310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00538310

Source: C:\Users\user\Desktop\EpH9QFlrm2.exe

Code function: 0_2_005451BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_005451BD

Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Code function: 0_2_004EE6A0	0_2_004EE6A0
Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Code function: 0_2_0050D975	0_2_0050D975
Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Code function: 0_2_004EFCE0	0_2_004EFCE0
Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Code function: 0_2_005021C5	0_2_005021C5
Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Code function: 0_2_005162D2	0_2_005162D2
Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Code function: 0_2_005603DA	0_2_005603DA
Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Code function: 0_2_0051242E	0_2_0051242E
Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Code function: 0_2_005025FA	0_2_005025FA
Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Code function: 0_2_0053E616	0_2_0053E616
Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Code function: 0_2_004F66E1	0_2_004F66E1
Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Code function: 0_2_0051878F	0_2_0051878F
Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Code function: 0_2_00560857	0_2_00560857
Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Code function: 0_2_00516844	0_2_00516844
Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Code function: 0_2_004F8808	0_2_004F8808
Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Code function: 0_2_00548889	0_2_00548889
Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Code function: 0_2_0050CB21	0_2_0050CB21
Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Code function: 0_2_00516DB6	0_2_00516DB6
Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Code function: 0_2_004F6F9E	0_2_004F6F9E
Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Code function: 0_2_004F3030	0_2_004F3030
Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Code function: 0_2_0050F1D9	0_2_0050F1D9
Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Code function: 0_2_00503187	0_2_00503187
Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Code function: 0_2_004E1287	0_2_004E1287
Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Code function: 0_2_00501484	0_2_00501484
Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Code function: 0_2_004F5520	0_2_004F5520
Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Code function: 0_2_00507696	0_2_00507696
Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Code function: 0_2_004F5760	0_2_004F5760
Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Code function: 0_2_00501978	0_2_00501978
Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Code function: 0_2_00519AB5	0_2_00519AB5
Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Code function: 0_2_00567DDB	0_2_00567DDB
Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Code function: 0_2_00501D90	0_2_00501D90
Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Code function: 0_2_0050BDA6	0_2_0050BDA6
Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Code function: 0_2_004EDF00	0_2_004EDF00
Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Code function: 0_2_004F3FE0	0_2_004F3FE0
Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Code function: 0_2_010D69F0	0_2_010D69F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00408C60	1_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0040DC11	1_2_0040DC11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00407C3F	1_2_00407C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00418CCC	1_2_00418CCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00406CA0	1_2_00406CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_004028B0	1_2_004028B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0041A4BE	1_2_0041A4BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00408C60	1_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00418244	1_2_00418244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00401650	1_2_00401650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00402F20	1_2_00402F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_004193C4	1_2_004193C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00418788	1_2_00418788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00402F89	1_2_00402F89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00402B90	1_2_00402B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_004073A0	1_2_004073A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_02CBDB50	1_2_02CBDB50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_02CBCF38	1_2_02CBCF38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_02CBD280	1_2_02CBD280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_02CB0FC8	1_2_02CB0FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_02CB1021	1_2_02CB1021
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_02CB1030	1_2_02CB1030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_06680040	1_2_06680040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_06680006	1_2_06680006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_06B5E6B0	1_2_06B5E6B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_06B5A2F8	1_2_06B5A2F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_06B53A40	1_2_06B53A40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_06B500F9	1_2_06B500F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_06B52840	1_2_06B52840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_06B52FC8	1_2_06B52FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_06B5C928	1_2_06B5C928
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_06B9DF68	1_2_06B9DF68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_06B90040	1_2_06B90040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_06B93E08	1_2_06B93E08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_06B95570	1_2_06B95570

Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Code function: String function: 00508900 appears 42 times
Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Code function: String function: 004E7DE1 appears 36 times
Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Code function: String function: 00500AE3 appears 70 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0040E1D8 appears 43 times

Source: EpH9QFlrm2.exe, 00000000.00000003.1728715673.0000000003AA3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs EpH9QFlrm2.exe
Source: EpH9QFlrm2.exe, 00000000.00000003.1727632660.0000000003BFD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs EpH9QFlrm2.exe
Source: EpH9QFlrm2.exe, 00000000.00000002.1731244005.00000000038E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7b99aba2-3c62-4861-97de-170caa2c3039.exe4 vs EpH9QFlrm2.exe

Source: EpH9QFlrm2.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 1.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.EpH9QFlrm2.exe.38e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000000.00000002.1731244005.00000000038E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000001.00000002.2951140084.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/2@3/1

Source: C:\Users\user\Desktop\EpH9QFlrm2.exe

Code function: 0_2_0054A06A GetLastError,FormatMessageW,

0_2_0054A06A

Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Code function: 0_2_005381CB AdjustTokenPrivileges,CloseHandle,		0_2_005381CB
Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Code function: 0_2_005387E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_005387E1

Source: C:\Users\user\Desktop\EpH9QFlrm2.exe

Code function: 0_2_0054B333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_0054B333

Source: C:\Users\user\Desktop\EpH9QFlrm2.exe

Code function: 0_2_0055EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0055EE0D

Source: C:\Users\user\Desktop\EpH9QFlrm2.exe

Code function: 0_2_0054C397 CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0054C397

Source: C:\Users\user\Desktop\EpH9QFlrm2.exe

Code function: 0_2_004E4E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_004E4E89

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\EpH9QFlrm2.exe

File created: C:\Users\user\AppData\Local\Temp\aut75A6.tmp

Jump to behavior

Source: EpH9QFlrm2.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\EpH9QFlrm2.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: EpH9QFlrm2.exe	Virustotal: Detection: 70%
Source: EpH9QFlrm2.exe	ReversingLabs: Detection: 78%

Source: unknown	Process created: C:\Users\user\Desktop\EpH9QFlrm2.exe "C:\Users\user\Desktop\EpH9QFlrm2.exe"
Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\EpH9QFlrm2.exe"
Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\EpH9QFlrm2.exe"	Jump to behavior

Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Section loaded: ntmarta.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: EpH9QFlrm2.exe

Static file information: File size 1185792 > 1048576

Source: EpH9QFlrm2.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: EpH9QFlrm2.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: EpH9QFlrm2.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: EpH9QFlrm2.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: EpH9QFlrm2.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: EpH9QFlrm2.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: EpH9QFlrm2.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: _.pdb source: RegSvcs.exe, 00000001.00000002.2953253177.0000000004171000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2953428892.00000000055F0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2952128669.0000000002E8E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: EpH9QFlrm2.exe, 00000000.00000003.1729121519.0000000003980000.00000004.00001000.00020000.00000000.sdmp, EpH9QFlrm2.exe, 00000000.00000003.1729951049.0000000003B20000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: EpH9QFlrm2.exe, 00000000.00000003.1729121519.0000000003980000.00000004.00001000.00020000.00000000.sdmp, EpH9QFlrm2.exe, 00000000.00000003.1729951049.0000000003B20000.00000004.00001000.00020000.00000000.sdmp

Source: EpH9QFlrm2.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: EpH9QFlrm2.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: EpH9QFlrm2.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: EpH9QFlrm2.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: EpH9QFlrm2.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\EpH9QFlrm2.exe

Code function: 0_2_004E4B37 LoadLibraryA,GetProcAddress,

0_2_004E4B37

Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Code function: 0_2_004EC4C6 push A3004EBAh; retn 004Eh	0_2_004EC50D
Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Code function: 0_2_0054848F push FFFFFF8Bh; iretd	0_2_00548491
Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Code function: 0_2_0050E70F push edi; ret	0_2_0050E711
Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Code function: 0_2_0050E828 push esi; ret	0_2_0050E82A
Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Code function: 0_2_00508945 push ecx; ret	0_2_00508958
Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Code function: 0_2_0050EA03 push esi; ret	0_2_0050EA05
Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Code function: 0_2_0050EAEC push edi; ret	0_2_0050EAEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0041C40C push cs; iretd	1_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00423149 push eax; ret	1_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0041C50E push cs; iretd	1_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_004231C8 push eax; ret	1_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0040E21D push ecx; ret	1_2_0040E230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0041C6BE push ebx; ret	1_2_0041C6BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0040BB97 push dword ptr [ecx-75h]; iretd	1_2_0040BBA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_06688740 push es; ret	1_2_0668874C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0668ABC1 push es; ret	1_2_0668ABD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0668F331 push 74069FAEh; retf 0667h	1_2_0668F35D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_06B9EFEB push dword ptr [ecx+ecx-75h]; iretd	1_2_06B9EFF3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_06B99B10 pushfd ; ret	1_2_06B99B12
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_06B99B73 pushfd ; ret	1_2_06B99B76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_06B9C9AE push es; retf	1_2_06B9C9B4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_06B9C9F6 push es; ret	1_2_06B9CA04

Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Code function: 0_2_004E48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_004E48D7
Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Code function: 0_2_00565376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00565376

Source: C:\Users\user\Desktop\EpH9QFlrm2.exe

Code function: 0_2_00503187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00503187

Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\EpH9QFlrm2.exe

API/Special instruction interceptor: Address: 10D6614

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 1_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,

1_2_004019F0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1809			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 5856			Jump to behavior

Source: C:\Users\user\Desktop\EpH9QFlrm2.exe

API coverage: 4.6 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Code function: 0_2_0054445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0054445A
Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Code function: 0_2_0054C6D1 FindFirstFileW,FindClose,	0_2_0054C6D1
Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Code function: 0_2_0054C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0054C75C
Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Code function: 0_2_0054EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0054EF95
Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Code function: 0_2_0054F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0054F0F2
Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Code function: 0_2_0054F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0054F3F3
Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Code function: 0_2_005437EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_005437EF
Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Code function: 0_2_00543B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00543B12
Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Code function: 0_2_0054BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0054BCBC

Source: C:\Users\user\Desktop\EpH9QFlrm2.exe

Code function: 0_2_004E49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004E49A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99755	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99391	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99266	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98716	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98391	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98266	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98141	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97919	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97606	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97348	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: RegSvcs.exe, 00000001.00000002.2954000909.00000000059B2000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlltion* 8-QoS Packet Scheduler-0000

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\EpH9QFlrm2.exe

Code function: 0_2_00553F09 BlockInput,

0_2_00553F09

Source: C:\Users\user\Desktop\EpH9QFlrm2.exe

Code function: 0_2_004E3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_004E3B3A

Source: C:\Users\user\Desktop\EpH9QFlrm2.exe

Code function: 0_2_00515A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00515A7C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

1_2_004019F0

Source: C:\Users\user\Desktop\EpH9QFlrm2.exe

Code function: 0_2_004E4B37 LoadLibraryA,GetProcAddress,

0_2_004E4B37

Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Code function: 0_2_010D5250 mov eax, dword ptr fs:[00000030h]	0_2_010D5250
Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Code function: 0_2_010D6880 mov eax, dword ptr fs:[00000030h]	0_2_010D6880
Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Code function: 0_2_010D68E0 mov eax, dword ptr fs:[00000030h]	0_2_010D68E0

Source: C:\Users\user\Desktop\EpH9QFlrm2.exe

Code function: 0_2_005380A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_005380A9

Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Code function: 0_2_0050A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0050A155
Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Code function: 0_2_0050A124 SetUnhandledExceptionFilter,	0_2_0050A124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_0040CE09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_0040E61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00416F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_004123F1 SetUnhandledExceptionFilter,	1_2_004123F1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\EpH9QFlrm2.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\EpH9QFlrm2.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: E67008

Jump to behavior

Source: C:\Users\user\Desktop\EpH9QFlrm2.exe

Code function: 0_2_005387B1 LogonUserW,

0_2_005387B1

Source: C:\Users\user\Desktop\EpH9QFlrm2.exe

Code function: 0_2_004E3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_004E3B3A

Source: C:\Users\user\Desktop\EpH9QFlrm2.exe

Code function: 0_2_004E48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_004E48D7

Source: C:\Users\user\Desktop\EpH9QFlrm2.exe

Code function: 0_2_00544C53 mouse_event,

0_2_00544C53

Source: C:\Users\user\Desktop\EpH9QFlrm2.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\EpH9QFlrm2.exe"

Jump to behavior

Source: C:\Users\user\Desktop\EpH9QFlrm2.exe

Code function: 0_2_00537CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00537CAF

Source: C:\Users\user\Desktop\EpH9QFlrm2.exe

Code function: 0_2_0053874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_0053874B

Source: EpH9QFlrm2.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: EpH9QFlrm2.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\EpH9QFlrm2.exe

Code function: 0_2_0050862B cpuid

0_2_0050862B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: GetLocaleInfoA,

1_2_00417A20

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\EpH9QFlrm2.exe

Code function: 0_2_00514E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00514E87

Source: C:\Users\user\Desktop\EpH9QFlrm2.exe

Code function: 0_2_00521E06 GetUserNameW,

0_2_00521E06

Source: C:\Users\user\Desktop\EpH9QFlrm2.exe

Code function: 0_2_00513F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00513F3A

Source: C:\Users\user\Desktop\EpH9QFlrm2.exe

Code function: 0_2_004E49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004E49A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 1.2.RegSvcs.exe.55f0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.2ece886.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.2ecf76e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.2ece886.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.5790000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.41b4590.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.2ecf76e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.4176458.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.5790000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.55f0ee8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.4176458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.55f0ee8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.55f0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.41b4590.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2953253177.0000000004171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2953794085.0000000005790000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2953428892.00000000055F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2952128669.0000000002E8E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000001.00000002.2952346612.00000000031CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2952346612.0000000003171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7408, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 1.2.RegSvcs.exe.55f0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.2ece886.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.2ecf76e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.2ece886.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.5790000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.41b4590.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.2ecf76e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.4176458.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.5790000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.55f0ee8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.4176458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.55f0ee8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.55f0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.41b4590.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2953253177.0000000004171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2953794085.0000000005790000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2953428892.00000000055F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2952128669.0000000002E8E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: EpH9QFlrm2.exe	Binary or memory string: WIN_81
Source: EpH9QFlrm2.exe	Binary or memory string: WIN_XP
Source: EpH9QFlrm2.exe	Binary or memory string: WIN_XPe
Source: EpH9QFlrm2.exe	Binary or memory string: WIN_VISTA
Source: EpH9QFlrm2.exe	Binary or memory string: WIN_7
Source: EpH9QFlrm2.exe	Binary or memory string: WIN_8
Source: EpH9QFlrm2.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 00000001.00000002.2952346612.0000000003171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7408, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 1.2.RegSvcs.exe.55f0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.2ece886.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.2ecf76e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.2ece886.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.5790000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.41b4590.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.2ecf76e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.4176458.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.5790000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.55f0ee8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.4176458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.55f0ee8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.55f0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.41b4590.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2953253177.0000000004171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2953794085.0000000005790000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2953428892.00000000055F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2952128669.0000000002E8E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000001.00000002.2952346612.00000000031CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2952346612.0000000003171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7408, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 1.2.RegSvcs.exe.55f0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.2ece886.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.2ecf76e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.2ece886.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.5790000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.41b4590.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.2ecf76e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.4176458.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.5790000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.55f0ee8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.4176458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.55f0ee8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.55f0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.41b4590.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2953253177.0000000004171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2953794085.0000000005790000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2953428892.00000000055F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2952128669.0000000002E8E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Code function: 0_2_00556283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00556283
Source: C:\Users\user\Desktop\EpH9QFlrm2.exe	Code function: 0_2_00556747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00556747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	2 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	2 Obfuscated Files or Information	1 Credentials in Registry	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	148 System Information Discovery	Distributed Component Object Model	21 Input Capture	1 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	2 Valid Accounts	LSA Secrets	251 Security Software Discovery	SSH	3 Clipboard Data	11 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	121 Virtualization/Sandbox Evasion	Cached Domain Credentials	121 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	212 Process Injection	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
EpH9QFlrm2.exe	71%	Virustotal		Browse
EpH9QFlrm2.exe	79%	ReversingLabs	Win32.Trojan.AutoitInject
EpH9QFlrm2.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://mail.mbarieservicesltd.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mail.mbarieservicesltd.com	199.79.62.115	true	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://mail.mbarieservicesltd.com	RegSvcs.exe, 00000001.00000002.2952346612.00000000031CB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
199.79.62.115	mail.mbarieservicesltd.com	United States		394695	PUBLIC-DOMAIN-REGISTRYUS	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588010
Start date and time:	2025-01-10 20:29:55 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	EpH9QFlrm2.exe renamed because original name is a hash value
Original Sample Name:	ee23238fc24de9406effe1973b94c05c19e1347c38046ae74dc07159bec01f3c.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/2@3/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 49 Number of non-executed functions: 276
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
14:30:53	API Interceptor	36x Sleep call for process: RegSvcs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
199.79.62.115	PO23100076.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse
	Quote_8714.exe	Get hash	malicious	AgentTesla	Browse
	PO82200487.exe	Get hash	malicious	AgentTesla	Browse
	ORDER#023_2024.exe	Get hash	malicious	AgentTesla	Browse
	QFEWElNtpn.exe	Get hash	malicious	AgentTesla	Browse
	SoA_14000048_002.exe	Get hash	malicious	AgentTesla	Browse
	Quote 000002320.exe	Get hash	malicious	AgentTesla	Browse
	LPO-2024-357.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	Quote5000AFC.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse
	Quote1000AFC.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
mail.mbarieservicesltd.com	PO23100076.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	199.79.62.115
	Quote_8714.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	PO82200487.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	ORDER#023_2024.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	QFEWElNtpn.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	SoA_14000048_002.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	Quote 000002320.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	LPO-2024-357.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	199.79.62.115
	Quote5000AFC.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	199.79.62.115
	Quote1000AFC.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	199.79.62.115

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
PUBLIC-DOMAIN-REGISTRYUS	PO#17971.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	208.91.199.223
	Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	208.91.199.223
	PO23100076.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	199.79.62.115
	ENQ-0092025.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	208.91.198.176
	document pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.225
	yxU3AgeVTi.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	208.91.198.176
	ITT # KRPBV2663 .doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	208.91.198.176
	http://www.technoafriwave.rw	Get hash	malicious	Unknown	Browse	207.174.214.183
	W2k2NLSvja.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.115
	image.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	208.91.198.176

Process:	C:\Users\user\Desktop\EpH9QFlrm2.exe
File Type:	data
Category:	dropped
Size (bytes):	265728
Entropy (8bit):	7.892438344719724
Encrypted:	false
SSDEEP:	6144:NhxYSzjLdy5PkMFZmiUy1Hh79uPzWbaXQkYv4+tPaG7LM:N7Y4MySZm/yjiWbaA5weY
MD5:	F116536E146BA9B14B9CB3A20AC53D6C
SHA1:	44BC0BA67ECA7E86B675B5AF61E95253EB923447
SHA-256:	43D6728A93D1FEF4E6A997D9FAE7366D796AB34DC29751239ADAC2C97A65EC80
SHA-512:	0051328EE5BB8C109015FE0784B3B446825606F01E930B32168549C3F8A5946B8276BC03E30435AFD5B029CC2D64413742E6E05B2421B273E402B7F212EF7EC7
Malicious:	false
Reputation:	low
Preview:	...WHLWBQ45W..LU.M7MYQFF.KLWBU45WTQLUHM7MYQFFWKLWBU45WTQLUHM.MYQHY.EL.K...V..m. $Dm)#)!%!w!4Z[8 q.0h?B#y8(f...w/:PPyY\FqHM7MYQF.G.a{3.J.&./`$.3.n&/y7.5G..+.D.}=.6.F.'ce()W=.<g.\). .+znL3t .8."/?n$.KWTQLUHM7MYQFFWKL>x.W5WTQ..HM{L]Q2.W.LWBU45WT.LvIF6DYQ.GWK>UBU45W{.LUH]7MY.GFWK.WBE45WVQLPHM7MYQFCWKLWBU45.PQLQHM.v[QDFW.LWRU4%WTQLEHM'MYQFFW[LWBU45WTQLU.X5M.QFFW+NW..55WTQLUHM7MYQFFWKLWBU45WTQ..IM+MYQFFWKLWBU45WTQLUHM7MYQFFW.AUB.45WTQLUHM7MY.GF.JLWBU45WTQLUHM7MYQFFWKLWBU4.#1)8UHM/.XQFVWKL.CU41WTQLUHM7MYQFFWkLW"{FQ6 0LU. 7MY.GFW%LWB.55WTQLUHM7MYQF.WK.y&4@TWTQ.eHM7m[QFPWKL]@U45WTQLUHM7MY.FF.e>$0645W..MUH-5MY.GFWkNWBU45WTQLUHM7.YQ.FWKLWBU45WTQLUHM7MYQFFWKLWBU45WTQLUHM7MYQFFWKLWBU45WTQLUHM7MYQFFWKLWBU45WTQLUHM7MYQFFWKLWBU45WTQLUHM7MYQFFWKLWBU45WTQLUHM7MYQFFWKLWBU45WTQLUHM7MYQFFWKLWBU45WTQLUHM7MYQFFWKLWBU45WTQLUHM7MYQFFWKLWBU45WTQLUHM7MYQFFWKLWBU45WTQLUHM7MYQFFWKLWBU45WTQLUHM7MYQFFWKLWBU45WTQLUHM7MYQFFWKLWBU45WTQLUHM7MYQFFWKLWBU45WTQLUHM7MYQFFWKLWBU45WTQLUHM7MYQFFWKLWBU45WTQLUHM7MYQFFWKLWBU45WT

C:\Users\user\AppData\Local\Temp\camellin

Download File

Process:	C:\Users\user\Desktop\EpH9QFlrm2.exe
File Type:	data
Category:	dropped
Size (bytes):	265728
Entropy (8bit):	7.892438344719724
Encrypted:	false
SSDEEP:	6144:NhxYSzjLdy5PkMFZmiUy1Hh79uPzWbaXQkYv4+tPaG7LM:N7Y4MySZm/yjiWbaA5weY
MD5:	F116536E146BA9B14B9CB3A20AC53D6C
SHA1:	44BC0BA67ECA7E86B675B5AF61E95253EB923447
SHA-256:	43D6728A93D1FEF4E6A997D9FAE7366D796AB34DC29751239ADAC2C97A65EC80
SHA-512:	0051328EE5BB8C109015FE0784B3B446825606F01E930B32168549C3F8A5946B8276BC03E30435AFD5B029CC2D64413742E6E05B2421B273E402B7F212EF7EC7
Malicious:	false
Reputation:	low
Preview:	...WHLWBQ45W..LU.M7MYQFF.KLWBU45WTQLUHM7MYQFFWKLWBU45WTQLUHM.MYQHY.EL.K...V..m. $Dm)#)!%!w!4Z[8 q.0h?B#y8(f...w/:PPyY\FqHM7MYQF.G.a{3.J.&./`$.3.n&/y7.5G..+.D.}=.6.F.'ce()W=.<g.\). .+znL3t .8."/?n$.KWTQLUHM7MYQFFWKL>x.W5WTQ..HM{L]Q2.W.LWBU45WT.LvIF6DYQ.GWK>UBU45W{.LUH]7MY.GFWK.WBE45WVQLPHM7MYQFCWKLWBU45.PQLQHM.v[QDFW.LWRU4%WTQLEHM'MYQFFW[LWBU45WTQLU.X5M.QFFW+NW..55WTQLUHM7MYQFFWKLWBU45WTQ..IM+MYQFFWKLWBU45WTQLUHM7MYQFFW.AUB.45WTQLUHM7MY.GF.JLWBU45WTQLUHM7MYQFFWKLWBU4.#1)8UHM/.XQFVWKL.CU41WTQLUHM7MYQFFWkLW"{FQ6 0LU. 7MY.GFW%LWB.55WTQLUHM7MYQF.WK.y&4@TWTQ.eHM7m[QFPWKL]@U45WTQLUHM7MY.FF.e>$0645W..MUH-5MY.GFWkNWBU45WTQLUHM7.YQ.FWKLWBU45WTQLUHM7MYQFFWKLWBU45WTQLUHM7MYQFFWKLWBU45WTQLUHM7MYQFFWKLWBU45WTQLUHM7MYQFFWKLWBU45WTQLUHM7MYQFFWKLWBU45WTQLUHM7MYQFFWKLWBU45WTQLUHM7MYQFFWKLWBU45WTQLUHM7MYQFFWKLWBU45WTQLUHM7MYQFFWKLWBU45WTQLUHM7MYQFFWKLWBU45WTQLUHM7MYQFFWKLWBU45WTQLUHM7MYQFFWKLWBU45WTQLUHM7MYQFFWKLWBU45WTQLUHM7MYQFFWKLWBU45WTQLUHM7MYQFFWKLWBU45WTQLUHM7MYQFFWKLWBU45WTQLUHM7MYQFFWKLWBU45WT

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.166251131387512
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	EpH9QFlrm2.exe
File size:	1'185'792 bytes
MD5:	5f7d704d6ccc83f30d9f758b2323e59c
SHA1:	4a67f80a42d4169122058bbd099a0feadf944a83
SHA256:	ee23238fc24de9406effe1973b94c05c19e1347c38046ae74dc07159bec01f3c
SHA512:	91d94e82c017d324e451845b79afaf1d5bd900ec2bf85c054202ad36789f083ddc9beada1f737d14eac46a0c608f76617dbfbb2c842a1f279f6b14e42c02ad49
SSDEEP:	24576:Wu6J33O0c+JY5UZ+XC0kGso6FaGB+F60ukZesCankWY:4u0c++OCvkGs9FaGBc/7AsxY
TLSH:	5545CF2273DEC360CB669173BF69B7016EBF7C610630B85B2F980D7DA950162162D7A3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x427dcd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x675B787F [Thu Dec 12 23:57:51 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007FDFB8BD940Ah
jmp 00007FDFB8BCC1D4h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007FDFB8BCC35Ah
cmp edi, eax
jc 00007FDFB8BCC6BEh
bt dword ptr [004C31FCh], 01h
jnc 00007FDFB8BCC359h
rep movsb
jmp 00007FDFB8BCC66Ch
cmp ecx, 00000080h
jc 00007FDFB8BCC524h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007FDFB8BCC360h
bt dword ptr [004BE324h], 01h
jc 00007FDFB8BCC830h
bt dword ptr [004C31FCh], 00000000h
jnc 00007FDFB8BCC4FDh
test edi, 00000003h
jne 00007FDFB8BCC50Eh
test esi, 00000003h
jne 00007FDFB8BCC4EDh
bt edi, 02h
jnc 00007FDFB8BCC35Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007FDFB8BCC363h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007FDFB8BCC3B5h
bt esi, 03h
jnc 00007FDFB8BCC408h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x58e98	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x120000	0x711c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dcc4	0x8de00	d28a820a1d9ff26cda02d12b888ba4b4	False	0.5728679102422908	data	6.676118058520316	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	79b14b254506b0dbc8cd0ad67fb70ad9	False	0.33535526761517614	OpenPGP Public Key	5.76010872795207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	9f9d6f746f1a415a63de45f8b7983d33	False	0.1017530487804878	data	1.198745897703538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x58e98	0x59000	16ed1c8bd92519b25f31d8d511efc736	False	0.9257922226123596	data	7.89065804737971	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x120000	0x711c	0x7200	6fcae3cbbf6bfbabf5ec5bbe7cf612c3	False	0.7650767543859649	data	6.779031650454199	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc75a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc76d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc77f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc7920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc7c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc7d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc8bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc9480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc99e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xcbf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xcd038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xcd4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xcd4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcda84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xce110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xce5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xceb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcf1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcf660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcf7b8	0x5015d	data			1.0003383847159855
RT_GROUP_ICON	0x11f918	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x11f990	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x11f9a4	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x11f9b8	0x14	data	English	Great Britain	1.25
RT_VERSION	0x11f9cc	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x11faa8	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-10T20:30:50.697434+0100	2030171	ET MALWARE AgentTesla Exfil Via SMTP	1	192.168.2.4	49730	199.79.62.115	587	TCP
2025-01-10T20:30:50.697434+0100	2839723	ETPRO MALWARE Win32/Agent Tesla SMTP Activity	1	192.168.2.4	49730	199.79.62.115	587	TCP
2025-01-10T20:30:50.697434+0100	2840032	ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	1	192.168.2.4	49730	199.79.62.115	587	TCP
2025-01-10T20:30:57.973920+0100	2855245	ETPRO MALWARE Agent Tesla Exfil via SMTP	1	192.168.2.4	49730	199.79.62.115	587	TCP
2025-01-10T20:30:57.973920+0100	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	192.168.2.4	49730	199.79.62.115	587	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 20:30:56.314294100 CET	49730	587	192.168.2.4	199.79.62.115
Jan 10, 2025 20:30:56.319293976 CET	587	49730	199.79.62.115	192.168.2.4
Jan 10, 2025 20:30:56.319428921 CET	49730	587	192.168.2.4	199.79.62.115
Jan 10, 2025 20:30:56.948724985 CET	587	49730	199.79.62.115	192.168.2.4
Jan 10, 2025 20:30:56.950150013 CET	49730	587	192.168.2.4	199.79.62.115
Jan 10, 2025 20:30:56.954997063 CET	587	49730	199.79.62.115	192.168.2.4
Jan 10, 2025 20:30:57.096122980 CET	587	49730	199.79.62.115	192.168.2.4
Jan 10, 2025 20:30:57.097111940 CET	49730	587	192.168.2.4	199.79.62.115
Jan 10, 2025 20:30:57.101913929 CET	587	49730	199.79.62.115	192.168.2.4
Jan 10, 2025 20:30:57.242958069 CET	587	49730	199.79.62.115	192.168.2.4
Jan 10, 2025 20:30:57.243259907 CET	49730	587	192.168.2.4	199.79.62.115
Jan 10, 2025 20:30:57.248048067 CET	587	49730	199.79.62.115	192.168.2.4
Jan 10, 2025 20:30:57.521991014 CET	587	49730	199.79.62.115	192.168.2.4
Jan 10, 2025 20:30:57.522399902 CET	49730	587	192.168.2.4	199.79.62.115
Jan 10, 2025 20:30:57.527292013 CET	587	49730	199.79.62.115	192.168.2.4
Jan 10, 2025 20:30:57.668442011 CET	587	49730	199.79.62.115	192.168.2.4
Jan 10, 2025 20:30:57.668710947 CET	49730	587	192.168.2.4	199.79.62.115
Jan 10, 2025 20:30:57.673506975 CET	587	49730	199.79.62.115	192.168.2.4
Jan 10, 2025 20:30:57.827138901 CET	587	49730	199.79.62.115	192.168.2.4
Jan 10, 2025 20:30:57.827321053 CET	49730	587	192.168.2.4	199.79.62.115
Jan 10, 2025 20:30:57.832139015 CET	587	49730	199.79.62.115	192.168.2.4
Jan 10, 2025 20:30:57.973054886 CET	587	49730	199.79.62.115	192.168.2.4
Jan 10, 2025 20:30:57.973844051 CET	49730	587	192.168.2.4	199.79.62.115
Jan 10, 2025 20:30:57.973920107 CET	49730	587	192.168.2.4	199.79.62.115
Jan 10, 2025 20:30:57.973953962 CET	49730	587	192.168.2.4	199.79.62.115
Jan 10, 2025 20:30:57.973978996 CET	49730	587	192.168.2.4	199.79.62.115
Jan 10, 2025 20:30:57.978658915 CET	587	49730	199.79.62.115	192.168.2.4
Jan 10, 2025 20:30:57.978671074 CET	587	49730	199.79.62.115	192.168.2.4
Jan 10, 2025 20:30:57.978842020 CET	587	49730	199.79.62.115	192.168.2.4
Jan 10, 2025 20:30:57.978852034 CET	587	49730	199.79.62.115	192.168.2.4
Jan 10, 2025 20:30:58.216949940 CET	587	49730	199.79.62.115	192.168.2.4
Jan 10, 2025 20:30:58.259850979 CET	49730	587	192.168.2.4	199.79.62.115
Jan 10, 2025 20:32:33.964015007 CET	49730	587	192.168.2.4	199.79.62.115
Jan 10, 2025 20:32:33.968951941 CET	587	49730	199.79.62.115	192.168.2.4
Jan 10, 2025 20:32:34.311254978 CET	587	49730	199.79.62.115	192.168.2.4
Jan 10, 2025 20:32:34.311310053 CET	587	49730	199.79.62.115	192.168.2.4
Jan 10, 2025 20:32:34.311415911 CET	49730	587	192.168.2.4	199.79.62.115
Jan 10, 2025 20:32:34.311610937 CET	49730	587	192.168.2.4	199.79.62.115
Jan 10, 2025 20:32:34.316514969 CET	587	49730	199.79.62.115	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 20:30:53.950181961 CET	57555	53	192.168.2.4	1.1.1.1
Jan 10, 2025 20:30:54.964452982 CET	57555	53	192.168.2.4	1.1.1.1
Jan 10, 2025 20:30:55.978704929 CET	57555	53	192.168.2.4	1.1.1.1
Jan 10, 2025 20:30:56.285713911 CET	53	57555	1.1.1.1	192.168.2.4
Jan 10, 2025 20:30:56.285779953 CET	53	57555	1.1.1.1	192.168.2.4
Jan 10, 2025 20:30:56.285816908 CET	53	57555	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 20:30:53.950181961 CET	192.168.2.4	1.1.1.1	0xdcc8	Standard query (0)	mail.mbarieservicesltd.com	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:30:54.964452982 CET	192.168.2.4	1.1.1.1	0xdcc8	Standard query (0)	mail.mbarieservicesltd.com	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:30:55.978704929 CET	192.168.2.4	1.1.1.1	0xdcc8	Standard query (0)	mail.mbarieservicesltd.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 20:30:56.285713911 CET	1.1.1.1	192.168.2.4	0xdcc8	No error (0)	mail.mbarieservicesltd.com	199.79.62.115	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:30:56.285779953 CET	1.1.1.1	192.168.2.4	0xdcc8	No error (0)	mail.mbarieservicesltd.com	199.79.62.115	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:30:56.285816908 CET	1.1.1.1	192.168.2.4	0xdcc8	No error (0)	mail.mbarieservicesltd.com	199.79.62.115	A (IP address)	IN (0x0001)	false

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jan 10, 2025 20:30:56.948724985 CET	587	49730	199.79.62.115	192.168.2.4	220-md-54.webhostbox.net ESMTP Exim 4.96.2 #2 Sat, 11 Jan 2025 01:00:56 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jan 10, 2025 20:30:56.950150013 CET	49730	587	192.168.2.4	199.79.62.115	EHLO 899552
Jan 10, 2025 20:30:57.096122980 CET	587	49730	199.79.62.115	192.168.2.4	250-md-54.webhostbox.net Hello 899552 [8.46.123.189] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jan 10, 2025 20:30:57.097111940 CET	49730	587	192.168.2.4	199.79.62.115	AUTH login c2FsZXNzQG1iYXJpZXNlcnZpY2VzbHRkLmNvbQ==
Jan 10, 2025 20:30:57.242958069 CET	587	49730	199.79.62.115	192.168.2.4	334 UGFzc3dvcmQ6
Jan 10, 2025 20:30:57.521991014 CET	587	49730	199.79.62.115	192.168.2.4	235 Authentication succeeded
Jan 10, 2025 20:30:57.522399902 CET	49730	587	192.168.2.4	199.79.62.115	MAIL FROM:<saless@mbarieservicesltd.com>
Jan 10, 2025 20:30:57.668442011 CET	587	49730	199.79.62.115	192.168.2.4	250 OK
Jan 10, 2025 20:30:57.668710947 CET	49730	587	192.168.2.4	199.79.62.115	RCPT TO:<iinfo@mbarieservicesltd.com>
Jan 10, 2025 20:30:57.827138901 CET	587	49730	199.79.62.115	192.168.2.4	250 Accepted
Jan 10, 2025 20:30:57.827321053 CET	49730	587	192.168.2.4	199.79.62.115	DATA
Jan 10, 2025 20:30:57.973054886 CET	587	49730	199.79.62.115	192.168.2.4	354 Enter message, ending with "." on a line by itself
Jan 10, 2025 20:30:57.973978996 CET	49730	587	192.168.2.4	199.79.62.115	.
Jan 10, 2025 20:30:58.216949940 CET	587	49730	199.79.62.115	192.168.2.4	250 OK id=1tWKif-001YtW-2s
Jan 10, 2025 20:32:33.964015007 CET	49730	587	192.168.2.4	199.79.62.115	QUIT
Jan 10, 2025 20:32:34.311254978 CET	587	49730	199.79.62.115	192.168.2.4	221 md-54.webhostbox.net closing connection

Target ID:	0
Start time:	14:30:47
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\EpH9QFlrm2.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\EpH9QFlrm2.exe"
Imagebase:	0x4e0000
File size:	1'185'792 bytes
MD5 hash:	5F7D704D6CCC83F30D9F758B2323E59C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000000.00000002.1731244005.00000000038E0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	14:30:51
Start date:	10/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\EpH9QFlrm2.exe"
Imagebase:	0xcc0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.2953253177.0000000004171000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000001.00000002.2953253177.0000000004171000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000001.00000002.2951140084.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.2952346612.00000000031CB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.2953794085.0000000005790000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000001.00000002.2953794085.0000000005790000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2952346612.0000000003171000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.2952346612.0000000003171000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.2953428892.00000000055F0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000001.00000002.2953428892.00000000055F0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.2952128669.0000000002E8E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000001.00000002.2952128669.0000000002E8E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.8%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	9.3%
Total number of Nodes:	2000
Total number of Limit Nodes:	172

Executed Functions

Function 004E3B3A Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 004E3B68
IsDebuggerPresent.KERNEL32 ref: 004E3B7A
GetFullPathNameW.KERNEL32(00007FFF,?,?,005A52F8,005A52E0,?,?), ref: 004E3BEB

Part of subcall function 004E7BCC: _memmove.LIBCMT ref: 004E7C06

Part of subcall function 004F092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,004E3C14,005A52F8,?,?,?), ref: 004F096E

SetCurrentDirectoryW.KERNEL32(?), ref: 004E3C6F
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00597770,00000010), ref: 0051D281
SetCurrentDirectoryW.KERNEL32(?,005A52F8,?,?,?), ref: 0051D2B9
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00594260,005A52F8,?,?,?), ref: 0051D33F
ShellExecuteW.SHELL32(00000000,?,?), ref: 0051D346

Part of subcall function 004E3A46: GetSysColorBrush.USER32(0000000F), ref: 004E3A50
Part of subcall function 004E3A46: LoadCursorW.USER32(00000000,00007F00), ref: 004E3A5F
Part of subcall function 004E3A46: LoadIconW.USER32(00000063), ref: 004E3A76
Part of subcall function 004E3A46: LoadIconW.USER32(000000A4), ref: 004E3A88
Part of subcall function 004E3A46: LoadIconW.USER32(000000A2), ref: 004E3A9A
Part of subcall function 004E3A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 004E3AC0
Part of subcall function 004E3A46: RegisterClassExW.USER32(?), ref: 004E3B16

Part of subcall function 004E39D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 004E3A03
Part of subcall function 004E39D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 004E3A24
Part of subcall function 004E39D5: ShowWindow.USER32(00000000,?,?), ref: 004E3A38
Part of subcall function 004E39D5: ShowWindow.USER32(00000000,?,?), ref: 004E3A41

Part of subcall function 004E434A: _memset.LIBCMT ref: 004E4370
Part of subcall function 004E434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 004E4415

Strings

This is a third-party compiled AutoIt script., xrefs: 0051D279
runas, xrefs: 0051D33A
%W, xrefs: 004E3C44

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas$%W
API String ID: 529118366-1565394082
Opcode ID: 1bd48be8ce15bdf9aeade86f369caf5a5af4fd51af808cfb0e3c54d99fc7a4d2
Instruction ID: d93befa473f684224bbdadc2918dee8b6810116ff7075672595e411c6ad1564a
Opcode Fuzzy Hash: 1bd48be8ce15bdf9aeade86f369caf5a5af4fd51af808cfb0e3c54d99fc7a4d2
Instruction Fuzzy Hash: 99513635D08188AEDF01EFB6DC09EED7F78BF56316F10406AF421A3152DA788649DB25

Function 004E49A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 004E49CD

Part of subcall function 004E7BCC: _memmove.LIBCMT ref: 004E7C06

GetCurrentProcess.KERNEL32(?,0056FAEC,00000000,00000000,?), ref: 004E4A9A
IsWow64Process.KERNEL32(00000000), ref: 004E4AA1
GetNativeSystemInfo.KERNELBASE(00000000), ref: 004E4AE7
FreeLibrary.KERNEL32(00000000), ref: 004E4AF2
GetSystemInfo.KERNEL32(00000000), ref: 004E4B23
GetSystemInfo.KERNEL32(00000000), ref: 004E4B2F

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 8286bac9704fefc08964478484ae508ba249372aea3af8ada9b5c27aa1aca51b
Instruction ID: 8b6e5485d82d6d2e1429fdca9d3f69bc9b455a3f5b613d606f2ba9efd4f1538d
Opcode Fuzzy Hash: 8286bac9704fefc08964478484ae508ba249372aea3af8ada9b5c27aa1aca51b
Instruction Fuzzy Hash: 3C9102318897C0DED731CBA994501ABFFF4BF6A311B084AAED0C683B41D224B548D76E

Function 004E4E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,004E4D8E,?,?,00000000,00000000), ref: 004E4E99
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,004E4D8E,?,?,00000000,00000000), ref: 004E4EB0
LoadResource.KERNEL32(?,00000000,?,?,004E4D8E,?,?,00000000,00000000,?,?,?,?,?,?,004E4E2F), ref: 0051D937
SizeofResource.KERNEL32(?,00000000,?,?,004E4D8E,?,?,00000000,00000000,?,?,?,?,?,?,004E4E2F), ref: 0051D94C
LockResource.KERNEL32(004E4D8E,?,?,004E4D8E,?,?,00000000,00000000,?,?,?,?,?,?,004E4E2F,00000000), ref: 0051D95F

Strings

SCRIPT, xrefs: 004E4EA6

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 6f605ebd9e29be403707babc9c08ff7d8fb43c960211428fc2e79d3c5540eca5
Instruction ID: aa6208029f461957d05f1541ee6939060e35b2cd2037d5622d5507019676c59e
Opcode Fuzzy Hash: 6f605ebd9e29be403707babc9c08ff7d8fb43c960211428fc2e79d3c5540eca5
Instruction Fuzzy Hash: 30115E75640740BFD7218B6AEC48F677BBAFBC5B12F1042A9F405C7250DBA1E8049A60

Function 004EFCE0 Relevance: 9.8, APIs: 3, Strings: 2, Instructions: 1040COMMON

Download Yara Rule

Strings

pbZ, xrefs: 005249B9
%W, xrefs: 004EFCF3

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: BuffCharUpper
String ID: pbZ$%W
API String ID: 3964851224-2685662805
Opcode ID: c14ea9cbf091669b791889952d1f69459d009110175841873d8bbc6fed1d3cd1
Instruction ID: ee62904d0970f5d23e2f0e128cb597db60446e304951d5752aed499e2cb4aceb
Opcode Fuzzy Hash: c14ea9cbf091669b791889952d1f69459d009110175841873d8bbc6fed1d3cd1
Instruction Fuzzy Hash: 179278706083519FD720DF15C480B2BBBE1BF85304F14896EE99A8B3A2D779EC45CB96

Function 004EE6A0 Relevance: 7.4, Strings: 5, Instructions: 1102COMMON

Download Yara Rule

Strings

DdZ, xrefs: 004EEAC1
DdZ, xrefs: 004EEABA
DdZ, xrefs: 00523B2E
Variable must be of type 'Object'., xrefs: 00523E62
DdZ, xrefs: 00523AF5

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID:
String ID: DdZ$DdZ$DdZ$DdZ$Variable must be of type 'Object'.
API String ID: 0-4086399601
Opcode ID: 1abe7a42f816da294f2512276d5ff9c091d34ab379af325571b72f111090105d
Instruction ID: aad1971af7338588c5f974d7bfe964c7ee3e281196cfa5c8e89c2915dfb5f49b
Opcode Fuzzy Hash: 1abe7a42f816da294f2512276d5ff9c091d34ab379af325571b72f111090105d
Instruction Fuzzy Hash: E3A2D274A00256CFCB24CF5AC480AAEBBF1FF59315F24846AD9059B391D339ED46CB89

Function 0054445A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,0051E398), ref: 0054446A
FindFirstFileW.KERNELBASE(?,?), ref: 0054447B
FindClose.KERNEL32(00000000), ref: 0054448B

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 590371a43b38339bb088a4b722aa9440d796ed28159978b576f9352c2a346a9e
Instruction ID: e0fc1babc69f01cdb3abe84514a992ce988dcbbb93d37b43f5d7f2644f90c91a
Opcode Fuzzy Hash: 590371a43b38339bb088a4b722aa9440d796ed28159978b576f9352c2a346a9e
Instruction Fuzzy Hash: 9EE0D8368105006746106B3CFC0D5ED7F5CAE15339F100B16F836C21D0E7B45904AE95

Function 004F09D0 Relevance: 64.3, APIs: 27, Strings: 9, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004F0A5B
timeGetTime.WINMM ref: 004F0D16
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004F0E53
Sleep.KERNEL32(0000000A), ref: 004F0E61
LockWindowUpdate.USER32(00000000,?,?), ref: 004F0EFA
DestroyWindow.USER32 ref: 004F0F06
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 004F0F20
Sleep.KERNEL32(0000000A,?,?), ref: 00524E83
TranslateMessage.USER32(?), ref: 00525C60
DispatchMessageW.USER32(?), ref: 00525C6E
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00525C82

Strings

@TRAY_ID, xrefs: 0052578F
@GUI_CTRLHANDLE, xrefs: 00524FE4
@GUI_CTRLID, xrefs: 00524F3A
@GUI_WINHANDLE, xrefs: 00524F8F
@COM_EVENTOBJ, xrefs: 005254F0
pbZ, xrefs: 00525003
pbZ, xrefs: 005257B4
pbZ, xrefs: 00524F59
pbZ, xrefs: 00524FAE

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pbZ$pbZ$pbZ$pbZ
API String ID: 4212290369-2428965523
Opcode ID: 9c8a260284441b22a67af81f3478cba56bc95448a028197eedf92fdc0a852864
Instruction ID: 8d37566e0a72d36194d97f8bf70f9cf1afcbccdae5627f3035286929cd25305a
Opcode Fuzzy Hash: 9c8a260284441b22a67af81f3478cba56bc95448a028197eedf92fdc0a852864
Instruction Fuzzy Hash: 92B20370608741DFD728DF24D884BAEBBE4BF85304F14491EE58A972E2DB74E844DB86

Function 00549155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00548F5F: __time64.LIBCMT ref: 00548F69

Part of subcall function 004E4EE5: _fseek.LIBCMT ref: 004E4EFD

__wsplitpath.LIBCMT ref: 00549234

Part of subcall function 005040FB: __wsplitpath_helper.LIBCMT ref: 0050413B

_wcscpy.LIBCMT ref: 00549247
_wcscat.LIBCMT ref: 0054925A
__wsplitpath.LIBCMT ref: 0054927F
_wcscat.LIBCMT ref: 00549295
_wcscat.LIBCMT ref: 005492A8

Part of subcall function 00548FA5: _memmove.LIBCMT ref: 00548FDE
Part of subcall function 00548FA5: _memmove.LIBCMT ref: 00548FED

_wcscmp.LIBCMT ref: 005491EF

Part of subcall function 00549734: _wcscmp.LIBCMT ref: 00549824
Part of subcall function 00549734: _wcscmp.LIBCMT ref: 00549837

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00549452
_wcsncpy.LIBCMT ref: 005494C5
DeleteFileW.KERNEL32(?,?), ref: 005494FB
CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00549511
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00549522
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00549534

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 0a43a912cc364a81b8972867f8de65cf3bae798cd5043af3a50ba505009b5292
Instruction ID: 9489f43e9ea5fdf29c00125e422567fc56b5e9ee587df9b2c2b066c62cd66aa7
Opcode Fuzzy Hash: 0a43a912cc364a81b8972867f8de65cf3bae798cd5043af3a50ba505009b5292
Instruction Fuzzy Hash: A2C139B1D00219AADF21DF95CC86ADFBBB9FF85314F0044AAF609E7141EB709A448F65

Function 004E3015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 004E3074
RegisterClassExW.USER32(00000030), ref: 004E309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004E30AF
InitCommonControlsEx.COMCTL32(?), ref: 004E30CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004E30DC
LoadIconW.USER32(000000A9), ref: 004E30F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 004E3101

Strings

TaskbarCreated, xrefs: 004E30A4
+, xrefs: 004E305D
0, xrefs: 004E3056
AutoIt v3 GUI, xrefs: 004E3090

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 978733aabe0cedd69a5260fce1a7376332187f441c0107acbccd620a131c6898
Instruction ID: d43c1153af5c1a3b8cb0552cbe04417bd52f9c4dec1060b50a74b100709d9499
Opcode Fuzzy Hash: 978733aabe0cedd69a5260fce1a7376332187f441c0107acbccd620a131c6898
Instruction Fuzzy Hash: A2314971C45345AFDB10CFA4EC89A9DBFF4FB1A310F24456EE580A62A1E3B90548DF51

Function 004E3041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 004E3074
RegisterClassExW.USER32(00000030), ref: 004E309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004E30AF
InitCommonControlsEx.COMCTL32(?), ref: 004E30CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004E30DC
LoadIconW.USER32(000000A9), ref: 004E30F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 004E3101

Strings

TaskbarCreated, xrefs: 004E30A4
+, xrefs: 004E305D
0, xrefs: 004E3056
AutoIt v3 GUI, xrefs: 004E3090

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 6c2be82d7c73a0139fb4329282afaa63666aa6914811b80bfacb1951c86a9029
Instruction ID: 8d6311c85c27de05b60d27ea8e284dd8cdf4d8f737a540d1b3148e0e0334117d
Opcode Fuzzy Hash: 6c2be82d7c73a0139fb4329282afaa63666aa6914811b80bfacb1951c86a9029
Instruction Fuzzy Hash: F821F4B1D01209AFDB00DFA8EC89B9DBBF4FB19710F10412AF911A72A0E7B54548AF91

Function 004E708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004E4706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,005A52F8,?,004E37AE,?), ref: 004E4724

Part of subcall function 0050050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,004E7165), ref: 0050052D

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 004E71A8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0051E8C8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0051E909
RegCloseKey.ADVAPI32(?), ref: 0051E947
_wcscat.LIBCMT ref: 0051E9A0

Strings

Software\AutoIt v3\AutoIt, xrefs: 004E719E
\Include\, xrefs: 004E7165
Include, xrefs: 0051E8BF, 0051E900
\, xrefs: 0051E9C3

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 23f6d2c0f8192943bd72699b8bd3c75792eed33e504b0700aa940fa3e971d061
Instruction ID: 75ea1fa2daef3151960a32510d4b57983cc3f920db9ffb3eed25ae747d59fa72
Opcode Fuzzy Hash: 23f6d2c0f8192943bd72699b8bd3c75792eed33e504b0700aa940fa3e971d061
Instruction Fuzzy Hash: EC71D0754083019ED304EF66EC86AAFBFE8FFA5314F44092EF445872A0DB709948DB56

Function 004E3633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 004E36D2
KillTimer.USER32(?,00000001), ref: 004E36FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 004E371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004E372A
CreatePopupMenu.USER32 ref: 004E373E
PostQuitMessage.USER32(00000000), ref: 004E374D

Strings

TaskbarCreated, xrefs: 004E3725
%W, xrefs: 0051D081, 0051D0CF

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated$%W
API String ID: 129472671-3174300001
Opcode ID: 611ad61350622b1ec7d166c5fd9dd1be1d43105dcb6283d8f0727e9330807c17
Instruction ID: 0e20145bf0edc888875401791c9fa8a7e6de1184e2c490d0a33d5d444bec11fb
Opcode Fuzzy Hash: 611ad61350622b1ec7d166c5fd9dd1be1d43105dcb6283d8f0727e9330807c17
Instruction Fuzzy Hash: 29414CB1600585BBDB215F75EC0DF7E3B94FB55303F10012BF502872A1EA6C5D45A36A

Function 004E3A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 004E3A50
LoadCursorW.USER32(00000000,00007F00), ref: 004E3A5F
LoadIconW.USER32(00000063), ref: 004E3A76
LoadIconW.USER32(000000A4), ref: 004E3A88
LoadIconW.USER32(000000A2), ref: 004E3A9A
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 004E3AC0
RegisterClassExW.USER32(?), ref: 004E3B16

Part of subcall function 004E3041: GetSysColorBrush.USER32(0000000F), ref: 004E3074
Part of subcall function 004E3041: RegisterClassExW.USER32(00000030), ref: 004E309E
Part of subcall function 004E3041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004E30AF
Part of subcall function 004E3041: InitCommonControlsEx.COMCTL32(?), ref: 004E30CC
Part of subcall function 004E3041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004E30DC
Part of subcall function 004E3041: LoadIconW.USER32(000000A9), ref: 004E30F2
Part of subcall function 004E3041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 004E3101

Strings

#, xrefs: 004E3AFB
AutoIt v3, xrefs: 004E3B05
0, xrefs: 004E3AF4

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: b07aad7bacaf06f3e71962fa73a4ed6913e0bda4d2da9af7dbdbdcbf94d013a2
Instruction ID: 4aad6112ca04ee638caf45d734b28730da35ea0807dcc7ee690b4a0083a0717b
Opcode Fuzzy Hash: b07aad7bacaf06f3e71962fa73a4ed6913e0bda4d2da9af7dbdbdcbf94d013a2
Instruction Fuzzy Hash: CF214B79D00304AFEB11DFB9EC49F9D7BB0FB29712F10012AE500A72A1E3B55648AF94

Function 004E3766 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/AutoIt3OutputDebug, xrefs: 004E3892
/ErrorStdOut, xrefs: 004E387D
RZ, xrefs: 0051D213
CMDLINE, xrefs: 004E3822
/AutoIt3ExecuteLine, xrefs: 004E38A7
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 004E37AE
/AutoIt3ExecuteScript, xrefs: 004E38BC
CMDLINERAW, xrefs: 004E37FB

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$RZ
API String ID: 1825951767-509773670
Opcode ID: 5c54d42c98958f9f533243b8a8938b62862cd462690870b697d722a40acee93e
Instruction ID: 6e6d67d7a31091e0c252653bab138533f3000c18df755039ce1c2b9c51e24cf0
Opcode Fuzzy Hash: 5c54d42c98958f9f533243b8a8938b62862cd462690870b697d722a40acee93e
Instruction Fuzzy Hash: B4A18E7190025DAACF05EFA6DC45EEEBB78BF15316F40042EF415A7192EF386A08CB64

Function 004EF76F Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00500162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00500193
Part of subcall function 00500162: MapVirtualKeyW.USER32(00000010,00000000), ref: 0050019B
Part of subcall function 00500162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 005001A6
Part of subcall function 00500162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 005001B1
Part of subcall function 00500162: MapVirtualKeyW.USER32(00000011,00000000), ref: 005001B9
Part of subcall function 00500162: MapVirtualKeyW.USER32(00000012,00000000), ref: 005001C1

Part of subcall function 004F60F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,004EF930), ref: 004F6154

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 004EF9CD
OleInitialize.OLE32(00000000), ref: 004EFA4A
CloseHandle.KERNEL32(00000000), ref: 005245C8

Strings

SZ, xrefs: 004EF7EB
<WZ, xrefs: 004EF930
\TZ, xrefs: 004EF7F7
%W, xrefs: 004EF796, 004EF7A8, 004EF96E, 004EFA51

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: <WZ$\TZ$%W$SZ
API String ID: 1986988660-2648872808
Opcode ID: b0ad6a1553c8011819e70fd54c203469a6286026e647d3a14079bc35a14ec285
Instruction ID: af682994469d5302441d44ac375e78463f01f1a7d82704e0bd4b5a3f5f536bae
Opcode Fuzzy Hash: b0ad6a1553c8011819e70fd54c203469a6286026e647d3a14079bc35a14ec285
Instruction Fuzzy Hash: 4C81CCB0905A40DFCB84DF3AA844E187FE5FBAE35A750852ED119CB262F7B4448CAF15

Function 010D59D0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 010D5AA1
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 010D5CC7

Memory Dump Source

Source File: 00000000.00000002.1730887289.00000000010D3000.00000040.00000020.00020000.00000000.sdmp, Offset: 010D3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d3000_EpH9QFlrm2.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
Instruction ID: 48a4bcb59cf054f1c5e0989ea55e3c106c859e1cd3d0d92494c6f467cc93c8f4
Opcode Fuzzy Hash: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
Instruction Fuzzy Hash: 2FA1F670E00309EFDB14CFA8C994BEEBBB5BF48314F208599E641AB281D7759A81CF55

Function 004E39D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 004E3A03
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 004E3A24
ShowWindow.USER32(00000000,?,?), ref: 004E3A38
ShowWindow.USER32(00000000,?,?), ref: 004E3A41

Strings

edit, xrefs: 004E3A1E
AutoIt v3, xrefs: 004E39FB, 004E3A00, 004E3A01

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 5a665fbd18806755f6c3a75bf74a39a459c207621bd8ef6052cf574f93b53e08
Instruction ID: a934f25499f629898b2a8897111c6a8162aa5de984b30215bf887aa2504bc7d7
Opcode Fuzzy Hash: 5a665fbd18806755f6c3a75bf74a39a459c207621bd8ef6052cf574f93b53e08
Instruction Fuzzy Hash: A9F03A749002907EEA3057277C08F2B3E7DEBD7F50B00002ABA00A3170D6610844EAB0

Function 010D5790 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 147
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 010D5680: Sleep.KERNELBASE(000001F4), ref: 010D5691

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 010D58BC

Strings

QFFWKLWBU45WTQLUHM7MY, xrefs: 010D591F, 010D5922

Memory Dump Source

Source File: 00000000.00000002.1730887289.00000000010D3000.00000040.00000020.00020000.00000000.sdmp, Offset: 010D3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d3000_EpH9QFlrm2.jbxd

Similarity

API ID: CreateFileSleep
String ID: QFFWKLWBU45WTQLUHM7MY
API String ID: 2694422964-3189196604
Opcode ID: 37bd8664cc435824f36ae891e21953871ede33aca4ab032e16e5059a866766b8
Instruction ID: 977cd79563183f0afeaf1c9f45aa64d6f326623baebb8a6abb76527d9e474f1a
Opcode Fuzzy Hash: 37bd8664cc435824f36ae891e21953871ede33aca4ab032e16e5059a866766b8
Instruction Fuzzy Hash: F4519230D04348DAEF11DBB4CC48BEEBBB9AF19304F004199E648BB2C1D6BA1B44CB65

Function 004E407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0051D3D7

Part of subcall function 004E7BCC: _memmove.LIBCMT ref: 004E7C06

_memset.LIBCMT ref: 004E40FC
_wcscpy.LIBCMT ref: 004E4150
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 004E4160

Strings

Line: , xrefs: 0051D400

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: 53ccbadc5cfc45acd2c2c6979e40c8448d2e91970eb311b56083ce2bfec44401
Instruction ID: 36321cc2704d6b84eae96cb2977bddd6b946d87b500d4c1a22f93b4cd187339a
Opcode Fuzzy Hash: 53ccbadc5cfc45acd2c2c6979e40c8448d2e91970eb311b56083ce2bfec44401
Instruction Fuzzy Hash: 9A31E6710083856FD721EB62DC49FDB7BD8AF95319F10451FF28582091EB789648C79A

Function 004E686A Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 004E4DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,005A52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 004E4E0F

_free.LIBCMT ref: 0051E263
_free.LIBCMT ref: 0051E2AA

Part of subcall function 004E6A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 004E6BAD

Strings

Bad directive syntax error, xrefs: 0051E292
>>>AUTOIT SCRIPT<<<, xrefs: 0051E039

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: 9af2adab9a46a63fec9420614511dd9366804b33e7dd88b564ac9ae2fe62949d
Instruction ID: 1b5212d84b1b5105b3a86ae9c24d688efad8a2d9c62468940c105b3ad4ef91dc
Opcode Fuzzy Hash: 9af2adab9a46a63fec9420614511dd9366804b33e7dd88b564ac9ae2fe62949d
Instruction Fuzzy Hash: D891AE7190025AAFDF04EFA5CC969EDBBB8FF08314F10442AF815AB2A1DB74AD45CB54

Function 004E35B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,004E35A1,SwapMouseButtons,00000004,?), ref: 004E35D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,004E35A1,SwapMouseButtons,00000004,?,?,?,?,004E2754), ref: 004E35F5
RegCloseKey.KERNELBASE(00000000,?,?,004E35A1,SwapMouseButtons,00000004,?,?,?,?,004E2754), ref: 004E3617

Strings

Control Panel\Mouse, xrefs: 004E35D2

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 2b51d401ed12e2ff21ec27f6f342bc9f61f91e016a6fe531715979b75dff1ffa
Instruction ID: 388d97f53048ab51c4b5a443d1a1e3f60d65a2479cf036ab37183a1f20f58ec3
Opcode Fuzzy Hash: 2b51d401ed12e2ff21ec27f6f342bc9f61f91e016a6fe531715979b75dff1ffa
Instruction Fuzzy Hash: B0114871910248BFDB21CFB9EC489AFB7B8EF05752F01456AE805D7210D2719E44A764

Function 010D4680 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 010D4EAD
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 010D4ED1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 010D4EF3

Memory Dump Source

Source File: 00000000.00000002.1730887289.00000000010D3000.00000040.00000020.00020000.00000000.sdmp, Offset: 010D3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d3000_EpH9QFlrm2.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 91de96a0508c6d9b88b93d6c14255c09b3dee72855056c89e06ebe7f8a996ab2
Instruction ID: ceea3c3c8fadfeae36155b63b4fcef0d41ecb5bc7720df0705ef87ae9d6092f1
Opcode Fuzzy Hash: 91de96a0508c6d9b88b93d6c14255c09b3dee72855056c89e06ebe7f8a996ab2
Instruction Fuzzy Hash: 62621B30A142589BEB24CFA4CC54BDEB772EF58300F1091A9E54DEB390E7769E81CB59

Function 0054955B Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 004E4EE5: _fseek.LIBCMT ref: 004E4EFD

Part of subcall function 00549734: _wcscmp.LIBCMT ref: 00549824
Part of subcall function 00549734: _wcscmp.LIBCMT ref: 00549837

_free.LIBCMT ref: 005496A2
_free.LIBCMT ref: 005496A9
_free.LIBCMT ref: 00549714

Part of subcall function 00502D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00509A24), ref: 00502D69
Part of subcall function 00502D55: GetLastError.KERNEL32(00000000,?,00509A24), ref: 00502D7B

_free.LIBCMT ref: 0054971C

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction ID: 75d6610559536d9ac3afa9981a3ef85ea09c29fefc719d185fc0783210d2a9f5
Opcode Fuzzy Hash: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction Fuzzy Hash: 0B514CB1904259AFDF259F65DC85AEEBBB9FF88304F10049EB209A3241DB715A81CF58

Function 0050470A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 005047A0
__flush.LIBCMT ref: 005047C0
__write.LIBCMT ref: 005047F3
__flsbuf.LIBCMT ref: 00504821

Part of subcall function 00508B28: __getptd_noexit.LIBCMT ref: 00508B28

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction ID: e7fe2a0b89ea8e9c466d672ee100d57043b2dd720eeaf5a21486d10002f284d9
Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction Fuzzy Hash: B541B3F5A007469BDB288EA9C8949AE7FA5FF85360B24C93DEA15C76C0E770DD418F40

Function 004E44A0 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004E44CF

Part of subcall function 004E407C: _memset.LIBCMT ref: 004E40FC
Part of subcall function 004E407C: _wcscpy.LIBCMT ref: 004E4150
Part of subcall function 004E407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 004E4160

KillTimer.USER32(?,00000001,?,?), ref: 004E4524
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 004E4533
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0051D4B9

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: c7f627f482dba6e69e14e3b4dcc42c119062f0ff4988bb60128c5899acaf9d8e
Instruction ID: 23a2e1f3d8135353c0f29b40896cc4bfccf4f37e35215bad40443da22ca0b6e0
Opcode Fuzzy Hash: c7f627f482dba6e69e14e3b4dcc42c119062f0ff4988bb60128c5899acaf9d8e
Instruction Fuzzy Hash: 0F212870804384AFFB328B249845BEBBFFCAF11305F04049EE38A57241C3B82988D755

Function 004E4C70 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004E4CBA

Strings

AU3!P/W, xrefs: 004E4CB4
EA06, xrefs: 0051D8CC

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: _memmove
String ID: AU3!P/W$EA06
API String ID: 4104443479-1271071975
Opcode ID: 657203665f43fccc45fedc92b52185fad053ad7152bf1ebba92de92fb54729e9
Instruction ID: 4fbc2d892e98834f2ef8971f69719ff66b35b100a290903ac1420739217441ba
Opcode Fuzzy Hash: 657203665f43fccc45fedc92b52185fad053ad7152bf1ebba92de92fb54729e9
Instruction Fuzzy Hash: 4B419F219001D857DF115B578C51BBF7FA1DBC5306F2844ABEC8297382D62C5D4583AA

Function 004E7285 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0051EA39
GetOpenFileNameW.COMDLG32(?), ref: 0051EA83

Part of subcall function 004E4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004E4743,?,?,004E37AE,?), ref: 004E4770

Part of subcall function 00500791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 005007B0

Strings

X, xrefs: 0051EA51

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 92c3f45387d9310c815e6984e0d5f6dc9b538f726e5c9e2ad438db8155225034
Instruction ID: 385d6e40a4a1ed788545f9361e101fb9d604d79382006c36905ad464a676b4e4
Opcode Fuzzy Hash: 92c3f45387d9310c815e6984e0d5f6dc9b538f726e5c9e2ad438db8155225034
Instruction Fuzzy Hash: D921D531A002889BDF01DF95CC49BEE7FF8BF49715F00405AE508A7281DBF859898FA5

Function 005498E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 005498F8
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0054990F

Strings

aut, xrefs: 00549909

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: d108c27c8aa65a75416d639ed5000f29d3138e268ee902502e25555b041ca1bb
Instruction ID: 7644fbe72e7fb3c407d4f537779ad9753cd9367d7b02301259ae439d8da47e87
Opcode Fuzzy Hash: d108c27c8aa65a75416d639ed5000f29d3138e268ee902502e25555b041ca1bb
Instruction Fuzzy Hash: DBD05E7994030DABDB509BA4EC0EFAA7B3CE714704F0006B1FA54920A1EAB0959C9FA1

Function 0055CADD Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d45e9e740c178423cafd8c8fbb5eeee90e33a9d79f5eb2297f1a27243b97022c
Instruction ID: abf2b764f65888bcaab29b2ea866a6ecd17f169d3ee3e5c01731530e1de3fd04
Opcode Fuzzy Hash: d45e9e740c178423cafd8c8fbb5eeee90e33a9d79f5eb2297f1a27243b97022c
Instruction Fuzzy Hash: CAF168706083419FCB14DF29C494A6ABBE5FF88318F14892EF8999B251D734E949CF82

Function 004E434A Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004E4370
Shell_NotifyIconW.SHELL32(00000000,?), ref: 004E4415
Shell_NotifyIconW.SHELL32(00000001,?), ref: 004E4432

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: b2efcc5d9b1d459bc590744121656cb6cdbfc19c250b5d22ca8a75e9bdf88767
Instruction ID: bdf76cdf468a47d958138ce9eb0f1bbe7c38e33d86375f283880e62ef7d11bc7
Opcode Fuzzy Hash: b2efcc5d9b1d459bc590744121656cb6cdbfc19c250b5d22ca8a75e9bdf88767
Instruction Fuzzy Hash: 1831B1706047419FC720DF25D884B9BBBF8FF99309F00092EE58A82291E775A948CB56

Function 0050571C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00505733

Part of subcall function 0050A16B: __NMSG_WRITE.LIBCMT ref: 0050A192
Part of subcall function 0050A16B: __NMSG_WRITE.LIBCMT ref: 0050A19C

__NMSG_WRITE.LIBCMT ref: 0050573A

Part of subcall function 0050A1C8: GetModuleFileNameW.KERNEL32(00000000,005A33BA,00000104,?,00000001,00000000), ref: 0050A25A
Part of subcall function 0050A1C8: ___crtMessageBoxW.LIBCMT ref: 0050A308

Part of subcall function 0050309F: ___crtCorExitProcess.LIBCMT ref: 005030A5
Part of subcall function 0050309F: ExitProcess.KERNEL32 ref: 005030AE

Part of subcall function 00508B28: __getptd_noexit.LIBCMT ref: 00508B28

RtlAllocateHeap.NTDLL(01030000,00000000,00000001,00000000,?,?,?,00500DD3,?), ref: 0050575F

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: fd79f241926b1c0b604e35a07574465b2300837425c94c10560ef9a44ae1e1b7
Instruction ID: 92e54d7c2778868b3b2fae4ae56f8ece4fc3721f8d4e3199699636bf6a2acea3
Opcode Fuzzy Hash: fd79f241926b1c0b604e35a07574465b2300837425c94c10560ef9a44ae1e1b7
Instruction Fuzzy Hash: C4018035240B02DAD6102738EC8AB7F7F48FBD27A1F500926F4059A1C1EEB09C00AA61

Function 005498A2 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00549548,?,?,?,?,?,00000004), ref: 005498BB
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00549548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 005498D1
CloseHandle.KERNEL32(00000000,?,00549548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 005498D8

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: a39b6ff1ab28b7f573d3be5e90b1f1d5aa724bac63a59dbadfae85685ebb2ee4
Instruction ID: cba0d64ab42a871e61275cb71d4a330060a8f2710b8b3e8088f3329d3f8e8594
Opcode Fuzzy Hash: a39b6ff1ab28b7f573d3be5e90b1f1d5aa724bac63a59dbadfae85685ebb2ee4
Instruction Fuzzy Hash: 7EE08632641214B7D7211B58FC0AFCA7F59AB167A5F104220FB146A1E087F11515A798

Function 00548D0D Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00548D1B

Part of subcall function 00502D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00509A24), ref: 00502D69
Part of subcall function 00502D55: GetLastError.KERNEL32(00000000,?,00509A24), ref: 00502D7B

_free.LIBCMT ref: 00548D2C
_free.LIBCMT ref: 00548D3E

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction ID: 9d22388005706ff41f6ea823eafaddd494774a85c730dccc5e6fd17aaf74c6cb
Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction Fuzzy Hash: BCE012B2A0261246CB24A5B8B948AEB1BDC6F9C756B54091DB40DD71C6CE64FC438124

Function 004EA9C3 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 0051FC01

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: f7ebd3500b082cb0ab6e9eb83a1b668726f609a195fb8945286ec201f97e917c
Instruction ID: cf49f4b21cb32e6ca9aa294529463abe362eebb145f15c1a3f93b015a6522be8
Opcode Fuzzy Hash: f7ebd3500b082cb0ab6e9eb83a1b668726f609a195fb8945286ec201f97e917c
Instruction Fuzzy Hash: 92229C70508381DFD724DF15C494A6ABBE1FF85305F14896EE88A8B3A2D739EC45CB86

Function 004E7A51 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004E7AAB
_memmove.LIBCMT ref: 004E7B16

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 75b3ef76dc9c1d7680ff1126038a0b5bca49f3ec50bdc15de679bd26e1e87542
Instruction ID: 8f4f811398bbc21718e23e58569944c591c7af64f08643ebffd139a5de27ba8a
Opcode Fuzzy Hash: 75b3ef76dc9c1d7680ff1126038a0b5bca49f3ec50bdc15de679bd26e1e87542
Instruction Fuzzy Hash: 2E31C9B1604506AFC704DF69C8D1E69B7A9FF44320714862AE519CB391EB34E951CB94

Function 004E47D0 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 004E4834

Part of subcall function 0050336C: __lock.LIBCMT ref: 00503372
Part of subcall function 0050336C: DecodePointer.KERNEL32(00000001,?,004E4849,00537C74), ref: 0050337E
Part of subcall function 0050336C: EncodePointer.KERNEL32(?,?,004E4849,00537C74), ref: 00503389

Part of subcall function 004E48FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 004E4915
Part of subcall function 004E48FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 004E492A

Part of subcall function 004E3B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 004E3B68
Part of subcall function 004E3B3A: IsDebuggerPresent.KERNEL32 ref: 004E3B7A
Part of subcall function 004E3B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,005A52F8,005A52E0,?,?), ref: 004E3BEB
Part of subcall function 004E3B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 004E3C6F

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 004E4874

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 59ad8ac374f7b2ded16bdbfb114d18833f16e6c6ca43dd98dc07aeb828943fb0
Instruction ID: 859ad1f62fd0d1b658a2ccedd344975cf5357501c60db9e2867b90ccdf7c3746
Opcode Fuzzy Hash: 59ad8ac374f7b2ded16bdbfb114d18833f16e6c6ca43dd98dc07aeb828943fb0
Instruction Fuzzy Hash: C5116D719083859BC700EF7AE84594ABFE8FFA9754F10491FF044832B1DBB09949DB96

Function 00500DB6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0050571C: __FF_MSGBANNER.LIBCMT ref: 00505733
Part of subcall function 0050571C: __NMSG_WRITE.LIBCMT ref: 0050573A
Part of subcall function 0050571C: RtlAllocateHeap.NTDLL(01030000,00000000,00000001,00000000,?,?,?,00500DD3,?), ref: 0050575F

std::exception::exception.LIBCMT ref: 00500DEC
__CxxThrowException@8.LIBCMT ref: 00500E01

Part of subcall function 0050859B: RaiseException.KERNEL32(?,?,?,00599E78,00000000,?,?,?,?,00500E06,?,00599E78,?,00000001), ref: 005085F0

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: bb4084001e54070164fe005d20d75d9c0d3b8c246c56f5d47d5202cd77ae57ee
Instruction ID: cebef24e7a9e826986bce77035199829922e542bc47b278e141ff6944e8784be
Opcode Fuzzy Hash: bb4084001e54070164fe005d20d75d9c0d3b8c246c56f5d47d5202cd77ae57ee
Instruction Fuzzy Hash: 5CF0A47250031F66DB20BA98EC09AEF7FACFF41351F10442AF959A62C1DF709A41D6E1

Function 005053A6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00508B28: __getptd_noexit.LIBCMT ref: 00508B28

__lock_file.LIBCMT ref: 005053EB

Part of subcall function 00506C11: __lock.LIBCMT ref: 00506C34

__fclose_nolock.LIBCMT ref: 005053F6

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: b9d1e4f423fa82c8d093e272397f88049d705685933c88fefb5d961ce1dda8fd
Instruction ID: 1d78993c29850a07b34c8681587d69e64d9fbd37fe02aa64f5cbc7f85d71b7b0
Opcode Fuzzy Hash: b9d1e4f423fa82c8d093e272397f88049d705685933c88fefb5d961ce1dda8fd
Instruction Fuzzy Hash: 21F09631800A069ADB107F65980ABEE7EA07F81374F258A14A464AB1C1DBBC89415F61

Function 010D467D Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 010D4EAD
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 010D4ED1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 010D4EF3

Memory Dump Source

Source File: 00000000.00000002.1730887289.00000000010D3000.00000040.00000020.00020000.00000000.sdmp, Offset: 010D3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d3000_EpH9QFlrm2.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
Instruction ID: feef3e094ed8267ca8719d5b67b06808e5b40aca708bf303a449aa0f16df1988
Opcode Fuzzy Hash: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
Instruction Fuzzy Hash: F412EF24E18658C6EB24DF64D8507DEB272EF68300F1090E9910DEB7A5E77A4F81CF5A

Function 00500C08 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00500CB7

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 6559448374e42be1e7fab1a054aed13f941be8d94073dbaea01cdd321a9a32ee
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: AD31A370A001059BE718DF58C484A6DFBA6FB59310F6896A5E80ACB3D5D731EDC1DB80

Function 0051FCAC Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0051FCB7

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: ea5e0d85d53a5012685b7e8b5476e5a5f6146a1fdbee12d9d29d6662879e3279
Instruction ID: 94b6e3be2958ce9912b57d2727f6aeb479e0238236e040eb189f0c28516bfdc6
Opcode Fuzzy Hash: ea5e0d85d53a5012685b7e8b5476e5a5f6146a1fdbee12d9d29d6662879e3279
Instruction Fuzzy Hash: 0B4136745043419FDB14DF15C448B1ABBE1BF85319F1988ADE8998B3A2C335EC45CB86

Function 004E7B53 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004E7BB3

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 78b614299b8cf297b746acf5967d5ac720681347b7a33d1e36f4b8d56f7334a6
Instruction ID: 465fadd4dbadfd24b5f819a67ced0ecd85e4e5cecd03fd2cab35890db617e486
Opcode Fuzzy Hash: 78b614299b8cf297b746acf5967d5ac720681347b7a33d1e36f4b8d56f7334a6
Instruction Fuzzy Hash: BA213872A04A09EBEB144F16EC427AE7FB8FF54365F21846FE845C5190EB3094E0E785

Function 004E4DDD Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 004E4BB5: FreeLibrary.KERNEL32(00000000,?), ref: 004E4BEF

Part of subcall function 0050525B: __wfsopen.LIBCMT ref: 00505266

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,005A52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 004E4E0F

Part of subcall function 004E4B6A: FreeLibrary.KERNEL32(00000000), ref: 004E4BA4

Part of subcall function 004E4C70: _memmove.LIBCMT ref: 004E4CBA

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 6a1b4cd4ec45640da7fc8571d0ffa359a0546885b1b743f7c8d6975dbf62266b
Instruction ID: bda541516bb0d4032ab9236199ecd7f77de5d1c577de55f79680ebe14f9bb629
Opcode Fuzzy Hash: 6a1b4cd4ec45640da7fc8571d0ffa359a0546885b1b743f7c8d6975dbf62266b
Instruction Fuzzy Hash: C411E731600246ABCF10AF76CC16FAE77A5AFC4715F10882EF541A7181DB799A019B55

Function 0051FD85 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 0051FD91

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 04419d43c43f27e7e810b4e29d474ac267c61673695ebde1fcc6a336c499408f
Instruction ID: d98bc4d2c2e34a9dfdb70d0f223151d76baddb30d0dd26b1cfbadc06f48e6dc4
Opcode Fuzzy Hash: 04419d43c43f27e7e810b4e29d474ac267c61673695ebde1fcc6a336c499408f
Instruction Fuzzy Hash: 972133B0908341DFCB14DF25C844B1ABBE1BF88305F05896DE88A9B7A2D735F815CB96

Function 00504863 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 005048A6

Part of subcall function 00508B28: __getptd_noexit.LIBCMT ref: 00508B28

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: d72add9018d874432f8f89efcd00cd8ecb4e28416cff2adbe3e247d2d8e17f2c
Instruction ID: 5443791241f8faf7c210dd132479496a08290d1cafbbaf01b8e2573ec69d270f
Opcode Fuzzy Hash: d72add9018d874432f8f89efcd00cd8ecb4e28416cff2adbe3e247d2d8e17f2c
Instruction Fuzzy Hash: 7DF0C871900606EBDF11AF748C09BAE3FA0BF41325F198914F5149A1D1CB788D51DF51

Function 004E4E4A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,005A52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 004E4E7E

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 5b9fc5dffaab56e5037c2b67ed0359b5302414cf2b5152c2b224d2dfdcefcfda
Instruction ID: 9af3f5c199164f4be8bf9cc063dafff5dc1838ac4d36aaedad0e4c4232806158
Opcode Fuzzy Hash: 5b9fc5dffaab56e5037c2b67ed0359b5302414cf2b5152c2b224d2dfdcefcfda
Instruction Fuzzy Hash: 47F0A070500741CFCB348F29E484813BBE0BF903263108D7FE1D682610C3359840DF04

Function 00500791 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 005007B0

Part of subcall function 004E7BCC: _memmove.LIBCMT ref: 004E7C06

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 303cbdab34c928131cb515a903bb7a4e3321e0f781c073af9fa0c6d3f2a02175
Instruction ID: 444f05714b5c482184e99af76b034de190ea6b90460734aaf6232349c965addc
Opcode Fuzzy Hash: 303cbdab34c928131cb515a903bb7a4e3321e0f781c073af9fa0c6d3f2a02175
Instruction Fuzzy Hash: 7CE086369041285BC72096599C05FEA779DDB886A1F0441F6FD08D7204D964AC808694

Function 0050525B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00505266

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: a8e3c8e6ce24e50b29eb74eb49f0ce1951b18cccb6bfccf378f104b8a69abd3d
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: E7B0927A44020D77CE012A92EC06A4A3F19AB81764F408020FB0C181A2A673A6649A89

Function 010D5680 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 010D5691

Memory Dump Source

Source File: 00000000.00000002.1730887289.00000000010D3000.00000040.00000020.00020000.00000000.sdmp, Offset: 010D3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10d3000_EpH9QFlrm2.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: cc33ca2b93fce385d93d32564aa7600a3f998e81b9e6949c998cf4998029eee2
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: B3E0E67494020DDFDB00EFB4D9496DE7FB4EF04301F100161FD01E3281D6309D508A62

Non-executed Functions

Function 0056CABC Relevance: 75.9, APIs: 40, Strings: 3, Instructions: 632windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 004E2612: GetWindowLongW.USER32(?,000000EB), ref: 004E2623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0056CB37
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0056CB95
GetWindowLongW.USER32(?,000000F0), ref: 0056CBD6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0056CC00
SendMessageW.USER32 ref: 0056CC29
_wcsncpy.LIBCMT ref: 0056CC95
GetKeyState.USER32(00000011), ref: 0056CCB6
GetKeyState.USER32(00000009), ref: 0056CCC3
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0056CCD9
GetKeyState.USER32(00000010), ref: 0056CCE3
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0056CD0C
SendMessageW.USER32 ref: 0056CD33
SendMessageW.USER32(?,00001030,?,0056B348), ref: 0056CE37
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0056CE4D
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0056CE60
SetCapture.USER32(?), ref: 0056CE69
ClientToScreen.USER32(?,?), ref: 0056CECE
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0056CEDB
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0056CEF5
ReleaseCapture.USER32 ref: 0056CF00
GetCursorPos.USER32(?), ref: 0056CF3A
ScreenToClient.USER32(?,?), ref: 0056CF47
SendMessageW.USER32(?,00001012,00000000,?), ref: 0056CFA3
SendMessageW.USER32 ref: 0056CFD1
SendMessageW.USER32(?,00001111,00000000,?), ref: 0056D00E
SendMessageW.USER32 ref: 0056D03D
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0056D05E
SendMessageW.USER32(?,0000110B,00000009,?), ref: 0056D06D
GetCursorPos.USER32(?), ref: 0056D08D
ScreenToClient.USER32(?,?), ref: 0056D09A
GetParent.USER32(?), ref: 0056D0BA
SendMessageW.USER32(?,00001012,00000000,?), ref: 0056D123
SendMessageW.USER32 ref: 0056D154
ClientToScreen.USER32(?,?), ref: 0056D1B2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0056D1E2
SendMessageW.USER32(?,00001111,00000000,?), ref: 0056D20C
SendMessageW.USER32 ref: 0056D22F
ClientToScreen.USER32(?,?), ref: 0056D281
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0056D2B5

Part of subcall function 004E25DB: GetWindowLongW.USER32(?,000000EB), ref: 004E25EC

GetWindowLongW.USER32(?,000000F0), ref: 0056D351

Strings

@GUI_DRAGID, xrefs: 0056CE9C
pbZ, xrefs: 0056CEAF
F, xrefs: 0056D235

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F$pbZ
API String ID: 3977979337-2312454947
Opcode ID: 8ab67128c0634a6d8d48effba5ea080ffc6ce106954246777492a0acd9a53e5e
Instruction ID: 697523d416cdddef09251bd57e3de9aeda96ff97e73df15218ded44585309ced
Opcode Fuzzy Hash: 8ab67128c0634a6d8d48effba5ea080ffc6ce106954246777492a0acd9a53e5e
Instruction Fuzzy Hash: 3142CA34604281AFDB20CF29D848EBABFE5FF49310F540919F5A6872B1D775D844EBA2

Function 004F6F9E Relevance: 55.8, APIs: 19, Strings: 10, Instructions: 5018COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004F71C3
_memset.LIBCMT ref: 004F7539
_memmove.LIBCMT ref: 004F76AC

Strings

[:>:]], xrefs: 004F7492
[:<:]], xrefs: 004F7479
]Y, xrefs: 00531A22
\b(?=\w), xrefs: 00533769
Q\E, xrefs: 004F7FCB
_O, xrefs: 005323CB
DEFINE, xrefs: 00532103
\b(?<=\w), xrefs: 00533773
3cO, xrefs: 005323A0
P\Y, xrefs: 00531AB8

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: _memmove$_memset
String ID: ]Y$3cO$DEFINE$P\Y$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)$_O
API String ID: 1357608183-3732191728
Opcode ID: 8c5e3263c65e2d2cc1677971aa3233e438f600310dbe787c54052d2ce4e234fb
Instruction ID: 963f8a2828832dfbe20c2373fa7316c4b7e9948718cf71564ca4c45be3a66b04
Opcode Fuzzy Hash: 8c5e3263c65e2d2cc1677971aa3233e438f600310dbe787c54052d2ce4e234fb
Instruction Fuzzy Hash: 2293A171A00619DBDB24CF98C881BBDBBB1FF48310F25856AE945EB381E7749E81CB54

Function 004E48D7 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 004E48DF
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0051D665
IsIconic.USER32(?), ref: 0051D66E
ShowWindow.USER32(?,00000009), ref: 0051D67B
SetForegroundWindow.USER32(?), ref: 0051D685
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0051D69B
GetCurrentThreadId.KERNEL32 ref: 0051D6A2
GetWindowThreadProcessId.USER32(?,00000000), ref: 0051D6AE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0051D6BF
AttachThreadInput.USER32(?,00000000,00000001), ref: 0051D6C7
AttachThreadInput.USER32(00000000,?,00000001), ref: 0051D6CF
SetForegroundWindow.USER32(?), ref: 0051D6D2
MapVirtualKeyW.USER32(00000012,00000000), ref: 0051D6E7
keybd_event.USER32(00000012,00000000), ref: 0051D6F2
MapVirtualKeyW.USER32(00000012,00000000), ref: 0051D6FC
keybd_event.USER32(00000012,00000000), ref: 0051D701
MapVirtualKeyW.USER32(00000012,00000000), ref: 0051D70A
keybd_event.USER32(00000012,00000000), ref: 0051D70F
MapVirtualKeyW.USER32(00000012,00000000), ref: 0051D719
keybd_event.USER32(00000012,00000000), ref: 0051D71E
SetForegroundWindow.USER32(?), ref: 0051D721
AttachThreadInput.USER32(?,?,00000000), ref: 0051D748

Strings

Shell_TrayWnd, xrefs: 0051D660

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 4569ee890326c731945821c467cec841983131636122e35107c20d9a5aa0cf90
Instruction ID: a2ec2263830ae7b3410723e97dbe5d52d2da1e8e30e1a7b99afbc2bdc5554d45
Opcode Fuzzy Hash: 4569ee890326c731945821c467cec841983131636122e35107c20d9a5aa0cf90
Instruction Fuzzy Hash: AC315E71A40318BAFB216B65AC89FBF7E6CFB54B50F104025FA05EB1D1CAB05D41ABB1

Function 00538310 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 005387E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0053882B
Part of subcall function 005387E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00538858
Part of subcall function 005387E1: GetLastError.KERNEL32 ref: 00538865

_memset.LIBCMT ref: 00538353
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 005383A5
CloseHandle.KERNEL32(?), ref: 005383B6
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 005383CD
GetProcessWindowStation.USER32 ref: 005383E6
SetProcessWindowStation.USER32(00000000), ref: 005383F0
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0053840A

Part of subcall function 005381CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00538309), ref: 005381E0
Part of subcall function 005381CB: CloseHandle.KERNEL32(?,?,00538309), ref: 005381F2

Strings

default, xrefs: 00538405
, xrefs: 00538362
winsta0, xrefs: 005383C8

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 9aed331992756f0c00f984582b1f09460086000c2dad211285b65730fe4f8956
Instruction ID: bfba342059453389a3466a39124064d8f44b2cfd0819641328997d62873cf1e3
Opcode Fuzzy Hash: 9aed331992756f0c00f984582b1f09460086000c2dad211285b65730fe4f8956
Instruction Fuzzy Hash: 18813672900209BFDF159FA4DC49ABEBFB9FF08304F144169F911A7261DB718A19EB60

Function 0054C75C Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0054C78D
FindClose.KERNEL32(00000000), ref: 0054C7E1
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0054C806
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0054C81D
FileTimeToSystemTime.KERNEL32(?,?), ref: 0054C844
__swprintf.LIBCMT ref: 0054C890
__swprintf.LIBCMT ref: 0054C8D3

Part of subcall function 004E7DE1: _memmove.LIBCMT ref: 004E7E22

__swprintf.LIBCMT ref: 0054C927

Part of subcall function 00503698: __woutput_l.LIBCMT ref: 005036F1

__swprintf.LIBCMT ref: 0054C975

Part of subcall function 00503698: __flsbuf.LIBCMT ref: 00503713
Part of subcall function 00503698: __flsbuf.LIBCMT ref: 0050372B

__swprintf.LIBCMT ref: 0054C9C4
__swprintf.LIBCMT ref: 0054CA13
__swprintf.LIBCMT ref: 0054CA62

Strings

%02d, xrefs: 0054C91B, 0054C925, 0054C973, 0054C9C2, 0054CA11, 0054CA60
%4d%02d%02d%02d%02d%02d, xrefs: 0054C88A
%4d, xrefs: 0054C8CD

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: e4c14e18b2609837f9ac14d33823e7d9ca99e4d5ef1ca142a808a35efb63add3
Instruction ID: 54263d26f6cd5d229eafd01ccd82bb8ca28edeaf801e2e827fa0be7c677a97f6
Opcode Fuzzy Hash: e4c14e18b2609837f9ac14d33823e7d9ca99e4d5ef1ca142a808a35efb63add3
Instruction Fuzzy Hash: 91A14BB1408244ABC750EFA6C885DAFB7ECFF95709F40092EF58587191EB35DA08CB66

Function 0054EF95 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 0054EFB6
_wcscmp.LIBCMT ref: 0054EFCB
_wcscmp.LIBCMT ref: 0054EFE2
GetFileAttributesW.KERNEL32(?), ref: 0054EFF4
SetFileAttributesW.KERNEL32(?,?), ref: 0054F00E
FindNextFileW.KERNEL32(00000000,?), ref: 0054F026
FindClose.KERNEL32(00000000), ref: 0054F031
FindFirstFileW.KERNEL32(*.*,?), ref: 0054F04D
_wcscmp.LIBCMT ref: 0054F074
_wcscmp.LIBCMT ref: 0054F08B
SetCurrentDirectoryW.KERNEL32(?), ref: 0054F09D
SetCurrentDirectoryW.KERNEL32(00598920), ref: 0054F0BB
FindNextFileW.KERNEL32(00000000,00000010), ref: 0054F0C5
FindClose.KERNEL32(00000000), ref: 0054F0D2
FindClose.KERNEL32(00000000), ref: 0054F0E4

Strings

*.*, xrefs: 0054F048

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 4230bca19a11b0e5e262f29da409faa22ae0d2ae5d944c255ddca547c61fc4d9
Instruction ID: 326d2f470a2a3724c4a9513f2093b765f34d646a7b158e99219acf51caa6b91f
Opcode Fuzzy Hash: 4230bca19a11b0e5e262f29da409faa22ae0d2ae5d944c255ddca547c61fc4d9
Instruction Fuzzy Hash: DF31C3369012196ADB14DBA8EC5DAEE7FACBF89364F100176E809D30A1DB70DA44DF61

Function 00560857 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00560953
RegCreateKeyExW.ADVAPI32(?,?,00000000,0056F910,00000000,?,00000000,?,?), ref: 005609C1
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00560A09
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00560A92
RegCloseKey.ADVAPI32(?), ref: 00560DB2
RegCloseKey.ADVAPI32(00000000), ref: 00560DBF

Strings

REG_SZ, xrefs: 00560AD0
REG_BINARY, xrefs: 00560D4D
REG_EXPAND_SZ, xrefs: 00560A2F
REG_DWORD, xrefs: 00560C83
REG_MULTI_SZ, xrefs: 00560B7A
REG_QWORD, xrefs: 00560D00

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 9824064af749b6d0af93efe236392c006c8298eed87ea0a20507d6630527ca01
Instruction ID: 90daa0c27bc7da120e123de27249e1f15a996eb5eb7c12e636d38ea16ee2d431
Opcode Fuzzy Hash: 9824064af749b6d0af93efe236392c006c8298eed87ea0a20507d6630527ca01
Instruction Fuzzy Hash: 03025C756006519FCB14EF19C845E2ABBE5FF89324F04895DF88A9B3A2CB34EC45CB85

Function 004F66E1 Relevance: 25.9, Strings: 20, Instructions: 889COMMON

Download Yara Rule

Strings

LF), xrefs: 005312A4
ANYCRLF), xrefs: 005312FB
CR), xrefs: 00531287
pGX, xrefs: 004F6751
LIMIT_RECURSION=, xrefs: 005311FC
BSR_UNICODE), xrefs: 00531338
NO_AUTO_POSSESS), xrefs: 0053112E
0FX, xrefs: 004F6747
LIMIT_MATCH=, xrefs: 00531170
0EX, xrefs: 004F673D
UTF), xrefs: 005310FA
3cO, xrefs: 004F68FF
ANY), xrefs: 005312DE
0DX, xrefs: 004F6733
NO_START_OPT), xrefs: 0053114F
BSR_ANYCRLF), xrefs: 0053131E
UCP), xrefs: 0053110D
UTF16), xrefs: 005310CF
CRLF), xrefs: 005312C1
_O, xrefs: 00531465, 0053150C, 005315B4

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID:
String ID: 0DX$0EX$0FX$3cO$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$pGX$_O
API String ID: 0-3103761002
Opcode ID: 4b2e5132f9f519f5802590a3106a6b55bef028f11d67ee6d892769001c76aff9
Instruction ID: 93663507649545c471309234c4a8fbd991054e65e9a9af520b9a4956bf25382f
Opcode Fuzzy Hash: 4b2e5132f9f519f5802590a3106a6b55bef028f11d67ee6d892769001c76aff9
Instruction Fuzzy Hash: EC727F75E006199BDF14CF69C8807BEBBB5FF48310F15816AE945EB290EB349D81CB94

Function 0054F0F2 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 0054F113
_wcscmp.LIBCMT ref: 0054F128
_wcscmp.LIBCMT ref: 0054F13F

Part of subcall function 00544385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 005443A0

FindNextFileW.KERNEL32(00000000,?), ref: 0054F16E
FindClose.KERNEL32(00000000), ref: 0054F179
FindFirstFileW.KERNEL32(*.*,?), ref: 0054F195
_wcscmp.LIBCMT ref: 0054F1BC
_wcscmp.LIBCMT ref: 0054F1D3
SetCurrentDirectoryW.KERNEL32(?), ref: 0054F1E5
SetCurrentDirectoryW.KERNEL32(00598920), ref: 0054F203
FindNextFileW.KERNEL32(00000000,00000010), ref: 0054F20D
FindClose.KERNEL32(00000000), ref: 0054F21A
FindClose.KERNEL32(00000000), ref: 0054F22C

Strings

*.*, xrefs: 0054F190

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 7e5cda7e6ef887e628b7890946e2d47f3d6962720298ffde119d855ab7a241ce
Instruction ID: bbed9d899b51fdbd0f53cdba6264a895371f40cb51b0ab24a6d57176d4184917
Opcode Fuzzy Hash: 7e5cda7e6ef887e628b7890946e2d47f3d6962720298ffde119d855ab7a241ce
Instruction Fuzzy Hash: 9931E73A90521A6ADF149F68EC59AEE7FACBF85368F100171E800E31A0DB70DE45DB54

Function 0054A1EF Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0054A20F
__swprintf.LIBCMT ref: 0054A231
CreateDirectoryW.KERNEL32(?,00000000), ref: 0054A26E
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0054A293
_memset.LIBCMT ref: 0054A2B2
_wcsncpy.LIBCMT ref: 0054A2EE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0054A323
CloseHandle.KERNEL32(00000000), ref: 0054A32E
RemoveDirectoryW.KERNEL32(?), ref: 0054A337
CloseHandle.KERNEL32(00000000), ref: 0054A341

Strings

\, xrefs: 0054A247
:, xrefs: 0054A252
\??\%s, xrefs: 0054A22B

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: a961659f5da910d4a71959fb3a5105480deb3dc49fe901cc450e193c29c49048
Instruction ID: 13be8174989258a07e53b7406d86f38baf1e0daaddf7d60628c1a8f2706d876a
Opcode Fuzzy Hash: a961659f5da910d4a71959fb3a5105480deb3dc49fe901cc450e193c29c49048
Instruction Fuzzy Hash: 6331B0B594410AABDB209FA4DC49FEF3BBCFF89744F1041B6F608D6160EBB096449B25

Function 0054001C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00540097
SetKeyboardState.USER32(?), ref: 00540102
GetAsyncKeyState.USER32(000000A0), ref: 00540122
GetKeyState.USER32(000000A0), ref: 00540139
GetAsyncKeyState.USER32(000000A1), ref: 00540168
GetKeyState.USER32(000000A1), ref: 00540179
GetAsyncKeyState.USER32(00000011), ref: 005401A5
GetKeyState.USER32(00000011), ref: 005401B3
GetAsyncKeyState.USER32(00000012), ref: 005401DC
GetKeyState.USER32(00000012), ref: 005401EA
GetAsyncKeyState.USER32(0000005B), ref: 00540213
GetKeyState.USER32(0000005B), ref: 00540221

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 9d39754a3e516b73cab364c917547ab605f2e009b47f009667aa16f966bbd8ed
Instruction ID: 8bc81cab28b10a4a04c17ba34c932244db8ec62dacc5c38b5293d9b0be0627e8
Opcode Fuzzy Hash: 9d39754a3e516b73cab364c917547ab605f2e009b47f009667aa16f966bbd8ed
Instruction Fuzzy Hash: 3C512E3090478829FB34DBB088587EABFB4AF41384F58559DD6C61B1C3DAB49B8CCB61

Function 005603DA Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00560E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0055FDAD,?,?), ref: 00560E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005604AC

Part of subcall function 004E9837: __itow.LIBCMT ref: 004E9862
Part of subcall function 004E9837: __swprintf.LIBCMT ref: 004E98AC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0056054B
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 005605E3
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00560822
RegCloseKey.ADVAPI32(00000000), ref: 0056082F

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: d91dbf65a1bceae38daf3f68ec0d5699fb66ea67295a21baa2a05b3f8d9ef19c
Instruction ID: dd976e8f7f6c9bdfe636f7689586d7297c895a2a7b5f1c236476581646696653
Opcode Fuzzy Hash: d91dbf65a1bceae38daf3f68ec0d5699fb66ea67295a21baa2a05b3f8d9ef19c
Instruction Fuzzy Hash: F1E15D71604204AFCB14DF29C895E2BBBE4FF89314F04996DF84ADB2A1DA30ED05CB91

Function 00554164 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0055418B
EmptyClipboard.USER32 ref: 00554191
GlobalAlloc.KERNEL32(00000002,?), ref: 005541A6
CloseClipboard.USER32 ref: 00554245

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 5b37fe3fe333d6e581e7c3b6c1b643ad74f2b84c8207a9ca4936d9e9ed22899c
Instruction ID: 60e0102efa80b5143b017c34c701299499c50989a2898ae3c90dee07154f5b7f
Opcode Fuzzy Hash: 5b37fe3fe333d6e581e7c3b6c1b643ad74f2b84c8207a9ca4936d9e9ed22899c
Instruction Fuzzy Hash: F821BF39600610AFDB00AF29EC19B6D7BA8FF54716F00802AF946DB2B1DBB4AC44DF55

Function 005437EF Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004E4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004E4743,?,?,004E37AE,?), ref: 004E4770

Part of subcall function 00544A31: GetFileAttributesW.KERNEL32(?,0054370B), ref: 00544A32

FindFirstFileW.KERNEL32(?,?), ref: 005438A3
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 0054394B
MoveFileW.KERNEL32(?,?), ref: 0054395E
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 0054397B
FindNextFileW.KERNEL32(00000000,00000010), ref: 0054399D
FindClose.KERNEL32(00000000,?,?,?,?), ref: 005439B9

Strings

\*.*, xrefs: 0054384E, 00543857, 0054386C

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 01bb2d4b2e0b397e40aa22f16588fa7a722c870114ae3d1eace392deae195116
Instruction ID: 739d669745119312a4001fc405f4ae1e50f31a69d34c3403e131480a8fa4d82d
Opcode Fuzzy Hash: 01bb2d4b2e0b397e40aa22f16588fa7a722c870114ae3d1eace392deae195116
Instruction Fuzzy Hash: A151B33180518DAACF01EFA2D9969EDBB78BF10319F60006AE406771A2EF746F0DCB54

Function 0054F3F3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 004E7DE1: _memmove.LIBCMT ref: 004E7E22

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0054F440
Sleep.KERNEL32(0000000A), ref: 0054F470
_wcscmp.LIBCMT ref: 0054F484
_wcscmp.LIBCMT ref: 0054F49F
FindNextFileW.KERNEL32(?,?), ref: 0054F53D
FindClose.KERNEL32(00000000), ref: 0054F553

Strings

*.*, xrefs: 0054F425

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: b13847741123e372a228ddca709723359ba6db305844e02dc174d128bec70b45
Instruction ID: a78d9b1f89b6ca7628c5d8c9c466c83ceb37263d3e188cb579c79070ee6a21a8
Opcode Fuzzy Hash: b13847741123e372a228ddca709723359ba6db305844e02dc174d128bec70b45
Instruction Fuzzy Hash: 99415A7190025AABCF14DF69DC49AEEBBB8FF05328F14446AE815A3191EB309A44CB50

Function 004F3030 Relevance: 11.1, APIs: 4, Strings: 2, Instructions: 587COMMON

Download Yara Rule

Strings

_O, xrefs: 004F3322
3cO, xrefs: 004F3225

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: __itow__swprintf
String ID: 3cO$_O
API String ID: 674341424-2029810506
Opcode ID: e0578c06d12bdd826bd226d71072774c2cfa347002ca7f1fd7615696b282f23e
Instruction ID: b7ea279a6a1f681aed7e5225e591b4d45a9aacbfa55ebfe241607f5899e4d1ba
Opcode Fuzzy Hash: e0578c06d12bdd826bd226d71072774c2cfa347002ca7f1fd7615696b282f23e
Instruction Fuzzy Hash: 5B2298716083059FC724DF25D881B6BBBE4BF85314F00492EFA9A97291DB38ED05CB96

Function 004F5760 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004F58A5
_memmove.LIBCMT ref: 004F58F5
_memmove.LIBCMT ref: 004F595B

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: f1ceba78b6583357e23f68af84701a2f643770ff01a5758e79b14f3e7977b550
Instruction ID: aebb4a87288e780d7ecf931bb74f0f991735dc3475f7db5905264573092b43cb
Opcode Fuzzy Hash: f1ceba78b6583357e23f68af84701a2f643770ff01a5758e79b14f3e7977b550
Instruction Fuzzy Hash: 2412BDB0A00609DFDF04DFA5D991AAEB7F5FF48300F10452AE906E7290EB39AD21CB54

Function 00543B12 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004E4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004E4743,?,?,004E37AE,?), ref: 004E4770

Part of subcall function 00544A31: GetFileAttributesW.KERNEL32(?,0054370B), ref: 00544A32

FindFirstFileW.KERNEL32(?,?), ref: 00543B89
DeleteFileW.KERNEL32(?,?,?,?), ref: 00543BD9
FindNextFileW.KERNEL32(00000000,00000010), ref: 00543BEA
FindClose.KERNEL32(00000000), ref: 00543C01
FindClose.KERNEL32(00000000), ref: 00543C0A

Strings

\*.*, xrefs: 00543B5B

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 5be6b860443b4c55e260ce203da559ce18c2aee18a3d605fe7a50006424f8d46
Instruction ID: 88c4547cd73e39f6f0ab4814c4fc27be00e49ae94e56d3dc0ccead02c4d66f17
Opcode Fuzzy Hash: 5be6b860443b4c55e260ce203da559ce18c2aee18a3d605fe7a50006424f8d46
Instruction Fuzzy Hash: 2C3190310083859BC301EF65D8918EFBBA8BF91319F400D2EF4D5931A1EB249A0CCB57

Function 005451BD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 005387E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0053882B
Part of subcall function 005387E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00538858
Part of subcall function 005387E1: GetLastError.KERNEL32 ref: 00538865

ExitWindowsEx.USER32(?,00000000), ref: 005451F9

Strings

, xrefs: 005451E7
@, xrefs: 005451EC
SeShutdownPrivilege, xrefs: 005451C9

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 2b8ee027f6a874d1e1579764bc8d1b09efeca9f77d7a23d3f4c1ab6033de1df2
Instruction ID: cc7fd3ef435b2da41c83f0f5b724765db21303d919814a2b85b1ae795543fc9b
Opcode Fuzzy Hash: 2b8ee027f6a874d1e1579764bc8d1b09efeca9f77d7a23d3f4c1ab6033de1df2
Instruction Fuzzy Hash: F301FC396996115BE72C6678AC5AFFB7B58F715748F540822FA13E20D3F9D15C008590

Function 00556283 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 005562DC
WSAGetLastError.WSOCK32(00000000), ref: 005562EB
bind.WSOCK32(00000000,?,00000010), ref: 00556307
listen.WSOCK32(00000000,00000005), ref: 00556316
WSAGetLastError.WSOCK32(00000000), ref: 00556330
closesocket.WSOCK32(00000000,00000000), ref: 00556344

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 2423d0be35c62ed7a4f08b59d97d0cda36f20f7fdcaa85115cf99975f9da252e
Instruction ID: ee49e10381ada872adab47894da271f5d45e4dd24eaf617bb752f956eea8dccc
Opcode Fuzzy Hash: 2423d0be35c62ed7a4f08b59d97d0cda36f20f7fdcaa85115cf99975f9da252e
Instruction Fuzzy Hash: 5321D535600204AFCB00EF68D859A6EBBA9FF44326F55456AEC16973D1C770AC09DB51

Function 004F5520 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00500DB6: std::exception::exception.LIBCMT ref: 00500DEC
Part of subcall function 00500DB6: __CxxThrowException@8.LIBCMT ref: 00500E01

_memmove.LIBCMT ref: 00530258
_memmove.LIBCMT ref: 0053036D
_memmove.LIBCMT ref: 00530414

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: fafd72f6000359584b25dadc3876ae08dbb7b66383ed7b8caa9003906e28a0ab
Instruction ID: 92aecb1ae4253e4ffd7c1cf9d7501d204b4c0031cb614630933d17fdf64fcd96
Opcode Fuzzy Hash: fafd72f6000359584b25dadc3876ae08dbb7b66383ed7b8caa9003906e28a0ab
Instruction Fuzzy Hash: C002E2B0A00209DBDF04DF65D991ABE7BF5FF84300F11846AE90ADB295EB34D914CB95

Function 004E1287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 004E2612: GetWindowLongW.USER32(?,000000EB), ref: 004E2623

DefDlgProcW.USER32(?,?,?,?,?), ref: 004E19FA
GetSysColor.USER32(0000000F), ref: 004E1A4E
SetBkColor.GDI32(?,00000000), ref: 004E1A61

Part of subcall function 004E1290: DefDlgProcW.USER32(?,00000020,?), ref: 004E12D8

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 7cd54313680eef8ad18c3a7445a47657b06de30e2e4a4d7ace40634138af8bec
Instruction ID: 3f5fe5b60f3427e930f632207f1bbd1f9fc6acb1250c0ba42775865f38b77ca8
Opcode Fuzzy Hash: 7cd54313680eef8ad18c3a7445a47657b06de30e2e4a4d7ace40634138af8bec
Instruction Fuzzy Hash: 4EA119B11415C5BAF624AA2B4C48DBF3D5DFB46387B14022BF502D62B2DA389D42D27A

Function 00556747 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00557D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00557DB6

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0055679E
WSAGetLastError.WSOCK32(00000000), ref: 005567C7
bind.WSOCK32(00000000,?,00000010), ref: 00556800
WSAGetLastError.WSOCK32(00000000), ref: 0055680D
closesocket.WSOCK32(00000000,00000000), ref: 00556821

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: 84af4a45fe6f02e320fbd37a0a12e46d8eab2d8c5892e46cb86ef24033a0e1bc
Instruction ID: e77ee07ca6937359e42143dce224ee9bcf370e4481d94a43f65be3d4f4b9e17b
Opcode Fuzzy Hash: 84af4a45fe6f02e320fbd37a0a12e46d8eab2d8c5892e46cb86ef24033a0e1bc
Instruction Fuzzy Hash: FE410475A002446FDB10BF268C86F3E77E8EF48719F44846EF919AB3D2CA749D048795

Function 00565376 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 005653C5
IsWindowEnabled.USER32 ref: 005653D3
GetForegroundWindow.USER32(?,?,00000001), ref: 005653E0
IsIconic.USER32 ref: 005653EE
IsZoomed.USER32 ref: 005653FC

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 316c4772ba1728dd5933f3676b39992dabf6e5ec6bfd02f3f9aac415ca90d3c1
Instruction ID: 5866cfc009b83f078dcd7cbee66b7ca1fcaa5de0595b5495bb357dfd0d33f49f
Opcode Fuzzy Hash: 316c4772ba1728dd5933f3676b39992dabf6e5ec6bfd02f3f9aac415ca90d3c1
Instruction Fuzzy Hash: 081190317409116BDB216F27DC44A6A7F98FF94BA1F404839F846D7251EBB49C0187A4

Function 005380A9 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 005380C0
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 005380CA
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 005380D9
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 005380E0
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 005380F6

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 0d9b56796e8671610a27d4af356f56e9330695a029969c7634bc2e1ef3e8dbda
Instruction ID: c08f6cb9b001caadbf6c6eb64b4ca4eb7eb407c0d04c4c8fe4afc7f6cb9eda74
Opcode Fuzzy Hash: 0d9b56796e8671610a27d4af356f56e9330695a029969c7634bc2e1ef3e8dbda
Instruction Fuzzy Hash: 24F03C71644304AFEB100FA9EC8DE7B3FACFF9A795F000025F94587150CAA19C45EB60

Function 0054C397 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0054C432
CoCreateInstance.OLE32(00572D6C,00000000,00000001,00572BDC,?), ref: 0054C44A

Part of subcall function 004E7DE1: _memmove.LIBCMT ref: 004E7E22

CoUninitialize.OLE32 ref: 0054C6B7

Strings

.lnk, xrefs: 0054C3C6, 0054C3EE, 0054C3F8

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 3a11034201d2f9471e860a345f0b2825448dbb2e00c05e6a0c95cd6aeb7be092
Instruction ID: 8cfc51759ceb1ecade83d5568a3367a7f0ffc38f516cbdd91921d39d93775a04
Opcode Fuzzy Hash: 3a11034201d2f9471e860a345f0b2825448dbb2e00c05e6a0c95cd6aeb7be092
Instruction Fuzzy Hash: A0A16AB1104245AFD700EF55C881EABB7E8FF85319F00496DF159871A2EB71EE09CB56

Function 004E4B37 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,004E4AD0), ref: 004E4B45
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 004E4B57

Strings

kernel32.dll, xrefs: 004E4B40
GetNativeSystemInfo, xrefs: 004E4B51

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 1b9291583d94638f28034daee31983af606fa4b55eb627dce6b7b990e34a2c4b
Instruction ID: c635b6b821ce3155cc00a4c0494112c12a0de3cdc3494fb160efc9a37dcafbf6
Opcode Fuzzy Hash: 1b9291583d94638f28034daee31983af606fa4b55eb627dce6b7b990e34a2c4b
Instruction Fuzzy Hash: 71D0EC34E10712CFD7209F36E818B0677D4AF55391B11887AD485D7260D6B4E480C758

Function 0055EE0D Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0055EE3D
Process32FirstW.KERNEL32(00000000,?), ref: 0055EE4B

Part of subcall function 004E7DE1: _memmove.LIBCMT ref: 004E7E22

Process32NextW.KERNEL32(00000000,?), ref: 0055EF0B
CloseHandle.KERNEL32(00000000,?,?,?), ref: 0055EF1A

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 8d1516079236c12f8113e6cd2f46dc394508afc83cec08677372dcf8b9f21b7b
Instruction ID: 004517ba1821b1fb592554c8f363450883dc80f18a6807732b89e7cde8cffbdd
Opcode Fuzzy Hash: 8d1516079236c12f8113e6cd2f46dc394508afc83cec08677372dcf8b9f21b7b
Instruction Fuzzy Hash: 30517E71504341AFD310EF26D886E6BBBE8FF94715F00482EF995962A1DB709D08CB96

Function 0053E616 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 0053E628

Strings

(, xrefs: 0053E66E
|, xrefs: 0053E658

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: d9fccbced62bcf8f3687ff602cf87383632d43d0da9b02c366575a34f6c0e0a9
Instruction ID: 564cd3af8a0abe265bf829c65daf6a62f2b9a40cd186ecec13897a34f53b9dc0
Opcode Fuzzy Hash: d9fccbced62bcf8f3687ff602cf87383632d43d0da9b02c366575a34f6c0e0a9
Instruction Fuzzy Hash: A4321575A006059FDB28CF19D486AAABBF1FF48310F15C56EE89ADB3A1D770E941CB40

Function 005522EE Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0055180A,00000000), ref: 005523E1
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00552418

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 9f2bf61c6a7702a6a8a2be873fbf3c2387dc02f00eafe655dd3ca15b40c8ff9f
Instruction ID: ee08119e7ef8606c80d186b125ea772a19ad8fd4eaa108b127dbf1d26451be4d
Opcode Fuzzy Hash: 9f2bf61c6a7702a6a8a2be873fbf3c2387dc02f00eafe655dd3ca15b40c8ff9f
Instruction Fuzzy Hash: 9941B171904209FFEF109E95DC95EBF7FACFB42316F10446BFA01A6180EA74AE499760

Function 0054B333 Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0054B343
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0054B39D
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0054B3EA

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 665c1e7c4582a8279a3b5819f19956f183e35708c0daa1fea60319fd80fab8e0
Instruction ID: 46d97c1d88c05cfbd5f65153ca09406fb868cab9b291b9d04dc190e90e875d5e
Opcode Fuzzy Hash: 665c1e7c4582a8279a3b5819f19956f183e35708c0daa1fea60319fd80fab8e0
Instruction Fuzzy Hash: 6B217475A00108EFCB00EF96D885AEDFBB8FF49315F1480AAE905AB361CB319D19CB55

Function 005387E1 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00500DB6: std::exception::exception.LIBCMT ref: 00500DEC
Part of subcall function 00500DB6: __CxxThrowException@8.LIBCMT ref: 00500E01

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0053882B
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00538858
GetLastError.KERNEL32 ref: 00538865

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 2359baefdb39fb61f2e3e1bc35610b213df40f2ddd88ce43c8ea0ab328121fd1
Instruction ID: ffc95eb5db9b70015890356487d46507e82bd8522784c71adb2b293f7212169f
Opcode Fuzzy Hash: 2359baefdb39fb61f2e3e1bc35610b213df40f2ddd88ce43c8ea0ab328121fd1
Instruction Fuzzy Hash: 5E1160B2914305AFD718DF54EC89D6BBBA8FB44710B20852EF45697241DA70BC448B60

Function 0053874B Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00538774
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0053878B
FreeSid.ADVAPI32(?), ref: 0053879B

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 22936dbbefeb6380526cd82885749581b98e19af72fa287bc7903216e005be66
Instruction ID: 25027224f424a1eac234bc2bdd11079f7d2a06872d5828a1e05cb2a32c5f2690
Opcode Fuzzy Hash: 22936dbbefeb6380526cd82885749581b98e19af72fa287bc7903216e005be66
Instruction Fuzzy Hash: 26F03C75D11308BBDB04DFE4DD89AADBBB8EF08211F1044A9E502E2181D6755A489B50

Function 00548889 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 0054889B

Part of subcall function 0050520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00548F6E,00000000,?,?,?,?,0054911F,00000000,?), ref: 00505213
Part of subcall function 0050520A: __aulldiv.LIBCMT ref: 00505233

Strings

0eZ, xrefs: 00548892

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID: 0eZ
API String ID: 2893107130-1209932682
Opcode ID: f4b2541153fd5137d23a9cb2b3e40c659bd47110da2b0971fd34ed6c9cbd9776
Instruction ID: 093a0b7fdb3787b8d95b00beed4466bb3b7710b45436df7c3b9c580aa383e255
Opcode Fuzzy Hash: f4b2541153fd5137d23a9cb2b3e40c659bd47110da2b0971fd34ed6c9cbd9776
Instruction Fuzzy Hash: FF21E432A356108BC329CF25D841AA6B7E1EFA5310B688E6CE0F5CB2C0CA34B905DB54

Function 0054C6D1 Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0054C6FB
FindClose.KERNEL32(00000000), ref: 0054C72B

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: a69cb02b75cc4a7680f527f6f2bc0654bad957ad2278e38d7efb26b7385b15e7
Instruction ID: 1d912e44501c4da06535224e791100d2bad3f4ef7a9ee65c030333a9abb7d64e
Opcode Fuzzy Hash: a69cb02b75cc4a7680f527f6f2bc0654bad957ad2278e38d7efb26b7385b15e7
Instruction Fuzzy Hash: 8211A5756102009FDB10EF29D84596AFBE4FF95325F00851EF8A5C72A0DB74AC05CF81

Function 0054A06A Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00559468,?,0056FB84,?), ref: 0054A097
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00559468,?,0056FB84,?), ref: 0054A0A9

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 86bf724b5dd87dc27d147bf86df36c9ff6469c7d3f745c59909cb96397690eff
Instruction ID: a91a8e7057b69ee5474063e15a357d24f978a13e886f9586806b583685c55ef3
Opcode Fuzzy Hash: 86bf724b5dd87dc27d147bf86df36c9ff6469c7d3f745c59909cb96397690eff
Instruction Fuzzy Hash: EFF0E23554522DABDB609FA4DC48FEA776CFF18361F004266F918D3180C6709944CBA1

Function 005381CB Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00538309), ref: 005381E0
CloseHandle.KERNEL32(?,?,00538309), ref: 005381F2

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 1d35f56528d06ff91034c6efa9302037561b22681dbc7e54a94952992ede629b
Instruction ID: 45c5e5c10b090d71bc987f31de3e5a42a98fa81d5d12cdcc43a97db0ac494771
Opcode Fuzzy Hash: 1d35f56528d06ff91034c6efa9302037561b22681dbc7e54a94952992ede629b
Instruction Fuzzy Hash: 7CE0E672014611AFE7252B64FC09E7B7BEDFF44351B24982DF456854B0DB616C91DB10

Function 0050A155 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00508D57,?,?,?,00000001), ref: 0050A15A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0050A163

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 59efda462a0ee0b57be9bc34aa5000c0b1844c801aecd7016dd51d24cb402092
Instruction ID: 4510323f333617d759eaa424ab833a7b291de85b66fc61ff16b2379061503b8e
Opcode Fuzzy Hash: 59efda462a0ee0b57be9bc34aa5000c0b1844c801aecd7016dd51d24cb402092
Instruction Fuzzy Hash: E6B09231658208ABCA002B99FC09B883F68EB54AA2F404420F60D86260EBA25454AB91

Function 0050F1D9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f42f2698fa3a39b54125638afbeda6cd392c21b9a7ac484837136accabb7248c
Instruction ID: 9aeae1bf10182f0e423a1ff8d04489286c37fa3acd9e3959465be124b31993f1
Opcode Fuzzy Hash: f42f2698fa3a39b54125638afbeda6cd392c21b9a7ac484837136accabb7248c
Instruction Fuzzy Hash: 5232E121D29F054DD7239634E82233AA649BFB73D4F15D737E81AB5DA6EB29C4C36200

Function 0051242E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e97f53a0537134fc4d24a41ccbc90fd597c8d5f5c15936f0872026338f1771b4
Instruction ID: f62f389016d74c09c3c8f0f3ddcc9b0c132f2edcf0e522ffca21d4745eace320
Opcode Fuzzy Hash: e97f53a0537134fc4d24a41ccbc90fd597c8d5f5c15936f0872026338f1771b4
Instruction Fuzzy Hash: 22B1EF20D2AF404DD6239A38983533ABA5CAFFB2C5F51D71BFC1A74D22EB2285C76141

Function 00544C53 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00544C76

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 58ba744737767b465da6d21b081a5d45a33d04952da70122dc9637254dab2977
Instruction ID: b13acdad38b95098a73dea18983b801bd73eaca43ae0a2df3cdbf561a4a46a1c
Opcode Fuzzy Hash: 58ba744737767b465da6d21b081a5d45a33d04952da70122dc9637254dab2977
Instruction Fuzzy Hash: 4AD05EB01E260979FE2807209DCFFFE1909F3C0789F8C854AB242870C0E8D05C00AC35

Function 005387B1 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00538389), ref: 005387D1

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 46df70a6c1ba0d690f76ede28a2ba6f775a3138cf13b0796643877b946795686
Instruction ID: 6ead207f49fa4924c446a6cb87821239410c2c0619d46030bf073fa97d8e6b80
Opcode Fuzzy Hash: 46df70a6c1ba0d690f76ede28a2ba6f775a3138cf13b0796643877b946795686
Instruction Fuzzy Hash: CED05E3226050EBBEF018EA8ED05EAE3B69EB04B01F408111FE16C60A1C7B5D835AB60

Function 0050A124 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 0050A12A

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 53337b8b2ee4ddf5ff8c186bb73c662d40fc0c99134828ad7fc97cb455950673
Instruction ID: 3646df108a47c3417cfd0f14597fa9253d14db03425bdf83b47d66949ccea7eb
Opcode Fuzzy Hash: 53337b8b2ee4ddf5ff8c186bb73c662d40fc0c99134828ad7fc97cb455950673
Instruction Fuzzy Hash: 0FA0243000010CF7CF001F45FC044447F5CD7001D07004030F40C41131D773541057C0

Function 004F8808 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e40b3e433fec83b58f889728b923b206a012c30ed5f375e0f892256c1ecbbc5d
Instruction ID: 8b050ce221106a47a5fcf174fc1872b27ab1e5d508a361709d7d775bb2e04e30
Opcode Fuzzy Hash: e40b3e433fec83b58f889728b923b206a012c30ed5f375e0f892256c1ecbbc5d
Instruction Fuzzy Hash: D322483090450ACBDF398B64C4D477E7BA1FB01344F28846FDA828F692EB789D91CB46

Function 005021C5 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 89e01100bf4f5a8c742a3df8bdab6078bede7abae9d62329300024c6f66b7c11
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: BEC172372055930ADF2D463A847813EFEA17FA27B175A076DD8B3CB1D4EE20C965E620

Function 005025FA Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 69aa3a9a45cf6de3361d3bddd5e01ec85f8477da6070a74bd1eb5b01b7526c4f
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: FDC181372055930ADF2D463AC43813EBEA17FA27B175A076DD4B3DB1D5EE20C925E620

Function 00501978 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 4b54fff0616b648004115419aab6f0c3f57c7d1f24576a5ea47a9fecf2ea44f9
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 14C17D332099930AEF2D463A847413EBEA17FA27B135A076DD4B3CB1C4EE20C925D665

Function 00557806 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 0055785B
DeleteObject.GDI32(00000000), ref: 0055786D
DestroyWindow.USER32 ref: 0055787B
GetDesktopWindow.USER32 ref: 00557895
GetWindowRect.USER32(00000000), ref: 0055789C
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 005579DD
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 005579ED
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00557A35
GetClientRect.USER32(00000000,?), ref: 00557A41
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00557A7B
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00557A9D
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00557AB0
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00557ABB
GlobalLock.KERNEL32(00000000), ref: 00557AC4
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00557AD3
GlobalUnlock.KERNEL32(00000000), ref: 00557ADC
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00557AE3
GlobalFree.KERNEL32(00000000), ref: 00557AEE
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00557B00
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00572CAC,00000000), ref: 00557B16
GlobalFree.KERNEL32(00000000), ref: 00557B26
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00557B4C
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00557B6B
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00557B8D
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00557D7A

Strings

, xrefs: 00557D00
AutoIt v3, xrefs: 00557A2D
DISPLAY, xrefs: 00557BDD
static, xrefs: 00557A75, 00557BCC

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 97a580f3919362b7ebb09d3ab33bb454862a909b13ad01e28321ac908c1013cd
Instruction ID: f2a76a3501a8b91b2b06bc87016da6b9074dc15f9aefd86e034144715cba3673
Opcode Fuzzy Hash: 97a580f3919362b7ebb09d3ab33bb454862a909b13ad01e28321ac908c1013cd
Instruction Fuzzy Hash: 4A029E75900109EFDB14DFA8EC99EAE7BB9FF49311F008169F905AB2A1C770AD05DB60

Function 0056356B Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,0056F910), ref: 00563627
IsWindowVisible.USER32(?), ref: 0056364B

Strings

EDITPASTE, xrefs: 0056395F
CURRENTTAB, xrefs: 005636BD
TABRIGHT, xrefs: 0056369D
HIDEDROPDOWN, xrefs: 00563700
GETCURRENTSELECTION, xrefs: 005637E3
CHECK, xrefs: 0056386D
SELECTSTRING, xrefs: 00563806
SENDCOMMANDID, xrefs: 005639DA
ISVISIBLE, xrefs: 00563637
DELSTRING, xrefs: 00563749
SHOWDROPDOWN, xrefs: 005636E0
GETLINECOUNT, xrefs: 005638C6
ISENABLED, xrefs: 0056366B
ADDSTRING, xrefs: 00563716
GETLINE, xrefs: 0056399B
TABLEFT, xrefs: 00563687
SETCURRENTSELECTION, xrefs: 005637B6
ISCHECKED, xrefs: 00563839
FINDSTRING, xrefs: 00563776
UNCHECK, xrefs: 00563883
GETSELECTED, xrefs: 005638A3
GETCURRENTCOL, xrefs: 00563928
GETCURRENTLINE, xrefs: 005638ED

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: c061feeb5d2879e4d9d3a71d72e689fb956057a2745b74489f8efe6ebb8be07c
Instruction ID: 1cda73c49863ef94ecca688a521d80fc6f197d7e0f98f38a253461ff54bf6296
Opcode Fuzzy Hash: c061feeb5d2879e4d9d3a71d72e689fb956057a2745b74489f8efe6ebb8be07c
Instruction Fuzzy Hash: 7ED15B702183429BCB04EF15C85AA6E7FE5BF95354F14486CF8865B3E2DB21EE4ACB41

Function 0056A5DA Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0056A630
GetSysColorBrush.USER32(0000000F), ref: 0056A661
GetSysColor.USER32(0000000F), ref: 0056A66D
SetBkColor.GDI32(?,000000FF), ref: 0056A687
SelectObject.GDI32(?,00000000), ref: 0056A696
InflateRect.USER32(?,000000FF,000000FF), ref: 0056A6C1
GetSysColor.USER32(00000010), ref: 0056A6C9
CreateSolidBrush.GDI32(00000000), ref: 0056A6D0
FrameRect.USER32(?,?,00000000), ref: 0056A6DF
DeleteObject.GDI32(00000000), ref: 0056A6E6
InflateRect.USER32(?,000000FE,000000FE), ref: 0056A731
FillRect.USER32(?,?,00000000), ref: 0056A763
GetWindowLongW.USER32(?,000000F0), ref: 0056A78E

Part of subcall function 0056A8CA: GetSysColor.USER32(00000012), ref: 0056A903
Part of subcall function 0056A8CA: SetTextColor.GDI32(?,?), ref: 0056A907
Part of subcall function 0056A8CA: GetSysColorBrush.USER32(0000000F), ref: 0056A91D
Part of subcall function 0056A8CA: GetSysColor.USER32(0000000F), ref: 0056A928
Part of subcall function 0056A8CA: GetSysColor.USER32(00000011), ref: 0056A945
Part of subcall function 0056A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0056A953
Part of subcall function 0056A8CA: SelectObject.GDI32(?,00000000), ref: 0056A964
Part of subcall function 0056A8CA: SetBkColor.GDI32(?,00000000), ref: 0056A96D
Part of subcall function 0056A8CA: SelectObject.GDI32(?,?), ref: 0056A97A
Part of subcall function 0056A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 0056A999
Part of subcall function 0056A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0056A9B0
Part of subcall function 0056A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 0056A9C5
Part of subcall function 0056A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0056A9ED

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: fdfbc57a470150cc213e35d9dbe0d431ca4aeeb9f077ad0261b719b66a0cc524
Instruction ID: db5478ae2bf1f9630f1b50d78806c3cdf35cb3e45b43b4b5f4fb61b1f5764e0d
Opcode Fuzzy Hash: fdfbc57a470150cc213e35d9dbe0d431ca4aeeb9f077ad0261b719b66a0cc524
Instruction Fuzzy Hash: 47918E72808301EFC7109F68EC08A5B7BA9FF99321F105B29F562A71A1D7B1D948DF52

Function 004E2C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 004E2CA2
DeleteObject.GDI32(00000000), ref: 004E2CE8
DeleteObject.GDI32(00000000), ref: 004E2CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 004E2CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 004E2D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 0051C43B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0051C474
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0051C89D

Part of subcall function 004E1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,004E2036,?,00000000,?,?,?,?,004E16CB,00000000,?), ref: 004E1B9A

SendMessageW.USER32(?,00001053), ref: 0051C8DA
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0051C8F1
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0051C907
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0051C912

Strings

0, xrefs: 0051C731

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 3360ed4624d9c8e7680402b7925d43421a2d13f940efdf56124810886cdc227e
Instruction ID: d421299076252b458364d818e08a72f3cc5204cc91130465082981aac5f81fcc
Opcode Fuzzy Hash: 3360ed4624d9c8e7680402b7925d43421a2d13f940efdf56124810886cdc227e
Instruction Fuzzy Hash: 0C12AF30544241EFEB10CF29C988BA9BFE5FF44311F54456AE496CB262C7B2EC82DB91

Function 005574AB Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 005574DE
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0055759D
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 005575DB
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 005575ED
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00557633
GetClientRect.USER32(00000000,?), ref: 0055763F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00557683
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00557692
GetStockObject.GDI32(00000011), ref: 005576A2
SelectObject.GDI32(00000000,00000000), ref: 005576A6
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 005576B6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 005576BF
DeleteDC.GDI32(00000000), ref: 005576C8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 005576F4
SendMessageW.USER32(00000030,00000000,00000001), ref: 0055770B
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00557746
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0055775A
SendMessageW.USER32(00000404,00000001,00000000), ref: 0055776B
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 0055779B
GetStockObject.GDI32(00000011), ref: 005577A6
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 005577B1
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 005577BB

Strings

AutoIt v3, xrefs: 0055762B
DISPLAY, xrefs: 00557688
msctls_progress32, xrefs: 0055773C
static, xrefs: 0055767D, 00557795

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 8f7204c49c2616d8559e233c64e42cdfda5887d90853ddd504b997e447481718
Instruction ID: 2037333461094cb7a4ea3c5a9c67dae0e947ef4ae0b259546d41dcbd2e84dd8e
Opcode Fuzzy Hash: 8f7204c49c2616d8559e233c64e42cdfda5887d90853ddd504b997e447481718
Instruction Fuzzy Hash: EFA1A171A00208BFEB10DBA9EC4AFAE7B69FF19715F004115FA15A72E0D7B0AD04DB64

Function 0054AD10 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0054AD1E
GetDriveTypeW.KERNEL32(?,0056FAC0,?,\\.\,0056F910), ref: 0054ADFB
SetErrorMode.KERNEL32(00000000,0056FAC0,?,\\.\,0056F910), ref: 0054AF59

Strings

SAS, xrefs: 0054AF05
PhysicalDrive, xrefs: 0054ADA7
CDROM, xrefs: 0054AE2F
iSCSI, xrefs: 0054AEFE
Virtual, xrefs: 0054AF21
Removable, xrefs: 0054AE4D
1394, xrefs: 0054AEDB
SATA, xrefs: 0054AF0C
ATAPI, xrefs: 0054AECD
Unknown, xrefs: 0054AE1B, 0054AEBF
SSA, xrefs: 0054AEE2
Network, xrefs: 0054AE39
SCSI, xrefs: 0054AEC6
Fixed, xrefs: 0054AE43
Fibre, xrefs: 0054AEE9
FileBackedVirtual, xrefs: 0054AF28
\\.\, xrefs: 0054AD70
RAMDisk, xrefs: 0054AE25
RAID, xrefs: 0054AEF7
SSD, xrefs: 0054AE86
ATA, xrefs: 0054AED4
USB, xrefs: 0054AEF0
MMC, xrefs: 0054AF1A

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: e71d110faece23a749ed5fe1b7e021ba9afccb0d4f9172005907970b1b4b406d
Instruction ID: 23ba9ef9a0dfbde47dea85960efa579f908ebedb22b5d244e0000f8903cdf327
Opcode Fuzzy Hash: e71d110faece23a749ed5fe1b7e021ba9afccb0d4f9172005907970b1b4b406d
Instruction Fuzzy Hash: E851C3B5688205BB8F84DB21C942CFD7FA1FB4971C724446AE407A72D1EB329D09EB43

Function 004E68DC Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 004E6931
__wcsnicmp.LIBCMT ref: 004E6949
__wcsnicmp.LIBCMT ref: 004E6961
__wcsnicmp.LIBCMT ref: 004E6979
__wcsnicmp.LIBCMT ref: 004E6991
__wcsnicmp.LIBCMT ref: 004E69A9
__wcsnicmp.LIBCMT ref: 004E69C1
__wcsnicmp.LIBCMT ref: 004E69D5
__wcsnicmp.LIBCMT ref: 004E6A16
__wcsnicmp.LIBCMT ref: 004E6A2A
__wcsnicmp.LIBCMT ref: 004E6A3E
__wcsnicmp.LIBCMT ref: 004E6A52

Strings

#cs, xrefs: 004E69CF, 004E6A24
#requireadmin, xrefs: 004E695B
Bad directive syntax error, xrefs: 0051E31A
Unterminated group of comments, xrefs: 0051E403
#pragma compile, xrefs: 004E692B
#comments-start, xrefs: 004E69BB, 004E6A10
#ce, xrefs: 004E6A4C
#notrayicon, xrefs: 004E6943
Cannot parse #include, xrefs: 0051E3F0
#OnAutoItStartRegister, xrefs: 004E6973
#include, xrefs: 004E69A3
#include-once, xrefs: 004E698B
#comments-end, xrefs: 004E6A38

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 544479230760be56700dffe05f4a88d674c99bff8e17528d30f1b67eb766c12c
Instruction ID: 087b7e1227701b27535df7b6ae9cea8ccb28b14a0c06ed4896921a3b2d91a462
Opcode Fuzzy Hash: 544479230760be56700dffe05f4a88d674c99bff8e17528d30f1b67eb766c12c
Instruction Fuzzy Hash: 028117B06002466ADF20AB22EC47FAF3F68FF15745F04402AFC056B1D2EB64DE41D665

Function 0056A8CA Relevance: 39.2, APIs: 26, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 0056A903
SetTextColor.GDI32(?,?), ref: 0056A907
GetSysColorBrush.USER32(0000000F), ref: 0056A91D
GetSysColor.USER32(0000000F), ref: 0056A928
CreateSolidBrush.GDI32(?), ref: 0056A92D
GetSysColor.USER32(00000011), ref: 0056A945
CreatePen.GDI32(00000000,00000001,00743C00), ref: 0056A953
SelectObject.GDI32(?,00000000), ref: 0056A964
SetBkColor.GDI32(?,00000000), ref: 0056A96D
SelectObject.GDI32(?,?), ref: 0056A97A
InflateRect.USER32(?,000000FF,000000FF), ref: 0056A999
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0056A9B0
GetWindowLongW.USER32(00000000,000000F0), ref: 0056A9C5
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0056A9ED
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0056AA14
InflateRect.USER32(?,000000FD,000000FD), ref: 0056AA32
DrawFocusRect.USER32(?,?), ref: 0056AA3D
GetSysColor.USER32(00000011), ref: 0056AA4B
SetTextColor.GDI32(?,00000000), ref: 0056AA53
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0056AA67
SelectObject.GDI32(?,0056A5FA), ref: 0056AA7E
DeleteObject.GDI32(?), ref: 0056AA89
SelectObject.GDI32(?,?), ref: 0056AA8F
DeleteObject.GDI32(?), ref: 0056AA94
SetTextColor.GDI32(?,?), ref: 0056AA9A
SetBkColor.GDI32(?,?), ref: 0056AAA4

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 7a9d64d18a6e4e4273a05ede48b90760a308ea7e81db28b9bfecc7aed275d597
Instruction ID: 5b6c64a501443a7a8512defb9e2e052117514b2337d219341b6d364966abe94f
Opcode Fuzzy Hash: 7a9d64d18a6e4e4273a05ede48b90760a308ea7e81db28b9bfecc7aed275d597
Instruction Fuzzy Hash: B6512D71D00208EFDB119FA8EC48EAE7B79FB59320F214625F911AB2A1D7B19944DF90

Function 005689D5 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00568AC1
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00568AD2
CharNextW.USER32(0000014E), ref: 00568B01
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00568B42
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00568B58
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00568B69
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00568B86
SetWindowTextW.USER32(?,0000014E), ref: 00568BD8
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00568BEE
SendMessageW.USER32(?,00001002,00000000,?), ref: 00568C1F
_memset.LIBCMT ref: 00568C44
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00568C8D
_memset.LIBCMT ref: 00568CEC
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00568D16
SendMessageW.USER32(?,00001074,?,00000001), ref: 00568D6E
SendMessageW.USER32(?,0000133D,?,?), ref: 00568E1B
InvalidateRect.USER32(?,00000000,00000001), ref: 00568E3D
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00568E87
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00568EB4
DrawMenuBar.USER32(?), ref: 00568EC3
SetWindowTextW.USER32(?,0000014E), ref: 00568EEB

Strings

0, xrefs: 00568E55

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 506b9db1c7f32597aab49e19b9489860e037a67f761425f95a2a6bb047360668
Instruction ID: 0ca8247b01c9f9781aa9fa5bd112634147fd941875442a17e6911c0fe170cf99
Opcode Fuzzy Hash: 506b9db1c7f32597aab49e19b9489860e037a67f761425f95a2a6bb047360668
Instruction Fuzzy Hash: 20E15C71904219ABDB209F54DC88EFE7FB9FF49720F108256F915AB2A0DB709984DF60

Function 0056488F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 005649CA
GetDesktopWindow.USER32 ref: 005649DF
GetWindowRect.USER32(00000000), ref: 005649E6
GetWindowLongW.USER32(?,000000F0), ref: 00564A48
DestroyWindow.USER32(?), ref: 00564A74
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00564A9D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00564ABB
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00564AE1
SendMessageW.USER32(?,00000421,?,?), ref: 00564AF6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00564B09
IsWindowVisible.USER32(?), ref: 00564B29
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00564B44
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00564B58
GetWindowRect.USER32(?,?), ref: 00564B70
MonitorFromPoint.USER32(?,?,00000002), ref: 00564B96
GetMonitorInfoW.USER32(00000000,?), ref: 00564BB0
CopyRect.USER32(?,?), ref: 00564BC7
SendMessageW.USER32(?,00000412,00000000), ref: 00564C32

Strings

tooltips_class32, xrefs: 00564A96
(, xrefs: 00564BA3
0, xrefs: 00564975

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 71460974bd770da59ca218c7a552f6d7b78b5ed8aa0fe01937a42d1389373e92
Instruction ID: f42cd5d3404c6e39420ca8e25865d2092d254eb6dcd6cf17d1796abb10d7ea94
Opcode Fuzzy Hash: 71460974bd770da59ca218c7a552f6d7b78b5ed8aa0fe01937a42d1389373e92
Instruction Fuzzy Hash: F9B18971608340AFDB04DF69D848B6ABBE5BF88304F008A1DF9999B2A1D775EC05CF95

Function 004E27D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 004E28BC
GetSystemMetrics.USER32(00000007), ref: 004E28C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 004E28EF
GetSystemMetrics.USER32(00000008), ref: 004E28F7
GetSystemMetrics.USER32(00000004), ref: 004E291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 004E2939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 004E2949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 004E297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 004E2990
GetClientRect.USER32(00000000,000000FF), ref: 004E29AE
GetStockObject.GDI32(00000011), ref: 004E29CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 004E29D5

Part of subcall function 004E2344: GetCursorPos.USER32(?), ref: 004E2357
Part of subcall function 004E2344: ScreenToClient.USER32(005A57B0,?), ref: 004E2374
Part of subcall function 004E2344: GetAsyncKeyState.USER32(00000001), ref: 004E2399
Part of subcall function 004E2344: GetAsyncKeyState.USER32(00000002), ref: 004E23A7

SetTimer.USER32(00000000,00000000,00000028,004E1256), ref: 004E29FC

Strings

AutoIt v3 GUI, xrefs: 004E2974

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 62ef9fc79dd6febdb1a71101a5685d8a6d6adb02002323594170b4e547fbba55
Instruction ID: 67a0011af9db2f3765a907ee946306592e8d99b13cc7a79ed146c4707647c694
Opcode Fuzzy Hash: 62ef9fc79dd6febdb1a71101a5685d8a6d6adb02002323594170b4e547fbba55
Instruction Fuzzy Hash: 0BB1B171A4024AEFDB10DFA9DD45BEE7BB4FB18311F104229FA16E7290DBB89840DB54

Function 0051A8CB Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 211COMMONLIBRARYCODE

Download Yara Rule

APIs

_copy_environ.LIBCMT ref: 0051A92B
___wtomb_environ.LIBCMT ref: 0051A94D

Part of subcall function 00508B28: __getptd_noexit.LIBCMT ref: 00508B28

__malloc_crt.LIBCMT ref: 0051A975
__malloc_crt.LIBCMT ref: 0051A992
_free.LIBCMT ref: 0051A9C9
__recalloc_crt.LIBCMT ref: 0051AA02
__recalloc_crt.LIBCMT ref: 0051AA47
_strlen.LIBCMT ref: 0051AA73
__calloc_crt.LIBCMT ref: 0051AA7D
_strlen.LIBCMT ref: 0051AA8C
SetEnvironmentVariableA.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000), ref: 0051AABA
_free.LIBCMT ref: 0051AAD4
_free.LIBCMT ref: 0051AAE1
_free.LIBCMT ref: 0051AAF3
__invoke_watson.LIBCMT ref: 0051AB0D

Strings

{nP, xrefs: 0051A932
{nP, xrefs: 0051AAAD

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: _free$__malloc_crt__recalloc_crt_strlen$EnvironmentVariable___wtomb_environ__calloc_crt__getptd_noexit__invoke_watson_copy_environ
String ID: {nP${nP
API String ID: 884005220-2651804235
Opcode ID: 1e7483ad990b0281b7ceef3c0f8311b2dbad2b34946b1d6da72fa25fc106b6b5
Instruction ID: ea9673d6d87c3480ddf82614a88006d0b4c76834a69afb700176909ecc0337c2
Opcode Fuzzy Hash: 1e7483ad990b0281b7ceef3c0f8311b2dbad2b34946b1d6da72fa25fc106b6b5
Instruction Fuzzy Hash: 23610372902202AFFB125F24D806BAD7FA8FF91320F214519E805A71D1EB349DC5CB92

Function 0053A439 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0053A47A
__swprintf.LIBCMT ref: 0053A51B
_wcscmp.LIBCMT ref: 0053A52E
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0053A583
_wcscmp.LIBCMT ref: 0053A5BF
GetClassNameW.USER32(?,?,00000400), ref: 0053A5F6
GetDlgCtrlID.USER32(?), ref: 0053A648
GetWindowRect.USER32(?,?), ref: 0053A67E
GetParent.USER32(?), ref: 0053A69C
ScreenToClient.USER32(00000000), ref: 0053A6A3
GetClassNameW.USER32(?,?,00000100), ref: 0053A71D
_wcscmp.LIBCMT ref: 0053A731
GetWindowTextW.USER32(?,?,00000400), ref: 0053A757
_wcscmp.LIBCMT ref: 0053A76B

Part of subcall function 0050362C: _iswctype.LIBCMT ref: 00503634

Strings

%s%u, xrefs: 0053A515

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: e5850bd239ea8fa1f8299b9655c0b844d5ffe5bef099f00cab0730a972b9c086
Instruction ID: f69e049eff485d869edee55d97729b2dd4383573ea039300060014e800f75eba
Opcode Fuzzy Hash: e5850bd239ea8fa1f8299b9655c0b844d5ffe5bef099f00cab0730a972b9c086
Instruction Fuzzy Hash: A9A1CF71604706AFDB19DF64C888FAABBE8FF44354F008629F9D9D2190DB30E955CB92

Function 0053AED4 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 0053AF18
_wcscmp.LIBCMT ref: 0053AF29
GetWindowTextW.USER32(00000001,?,00000400), ref: 0053AF51
CharUpperBuffW.USER32(?,00000000), ref: 0053AF6E
_wcscmp.LIBCMT ref: 0053AF8C
_wcsstr.LIBCMT ref: 0053AF9D
GetClassNameW.USER32(00000018,?,00000400), ref: 0053AFD5
_wcscmp.LIBCMT ref: 0053AFE5
GetWindowTextW.USER32(00000002,?,00000400), ref: 0053B00C
GetClassNameW.USER32(00000018,?,00000400), ref: 0053B055
_wcscmp.LIBCMT ref: 0053B065
GetClassNameW.USER32(00000010,?,00000400), ref: 0053B08D
GetWindowRect.USER32(00000004,?), ref: 0053B0F6

Strings

@, xrefs: 0053AEF9
ThumbnailClass, xrefs: 0053AFE0, 0053B060

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 81c07ac5086885237fec001c564568bc6f163b808b83af4af3bcd38c53669352
Instruction ID: 1a97af7d3a9b8597f427dd28b57697eff7c8437d1f4b245dbc0a10c79686f03f
Opcode Fuzzy Hash: 81c07ac5086885237fec001c564568bc6f163b808b83af4af3bcd38c53669352
Instruction Fuzzy Hash: B78192711082069FEB05DF15C885FAA7FE8FF94318F04856AFE858A095DB34DD49CBA2

Function 0056C5FE Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 004E2612: GetWindowLongW.USER32(?,000000EB), ref: 004E2623

DragQueryPoint.SHELL32(?,?), ref: 0056C627

Part of subcall function 0056AB37: ClientToScreen.USER32(?,?), ref: 0056AB60
Part of subcall function 0056AB37: GetWindowRect.USER32(?,?), ref: 0056ABD6
Part of subcall function 0056AB37: PtInRect.USER32(?,?,0056C014), ref: 0056ABE6

SendMessageW.USER32(?,000000B0,?,?), ref: 0056C690
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0056C69B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0056C6BE
_wcscat.LIBCMT ref: 0056C6EE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 0056C705
SendMessageW.USER32(?,000000B0,?,?), ref: 0056C71E
SendMessageW.USER32(?,000000B1,?,?), ref: 0056C735
SendMessageW.USER32(?,000000B1,?,?), ref: 0056C757
DragFinish.SHELL32(?), ref: 0056C75E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0056C851

Strings

@GUI_DROPID, xrefs: 0056C77E
@GUI_DRAGID, xrefs: 0056C7C9
pbZ, xrefs: 0056C79B
@GUI_DRAGFILE, xrefs: 0056C800

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pbZ
API String ID: 169749273-311814899
Opcode ID: a3f564c20fd650fe489535028de483cdf124e1c3cb92bff0c91f4d68b6bc63d3
Instruction ID: 9a56f6925c0244d3db8060b460b9880fa3e23f73c7799234940268d142e8cfc8
Opcode Fuzzy Hash: a3f564c20fd650fe489535028de483cdf124e1c3cb92bff0c91f4d68b6bc63d3
Instruction Fuzzy Hash: 03617671508341AFCB00EF69DC85DABBFE8FB99314F00092EF5A5931A1DB709A09CB56

Function 0053ABD4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0053AC33

Strings

[REGEXPTITLE:, xrefs: 0053AC5B
[HANDLE:, xrefs: 0053AC3F
ACTIVE, xrefs: 0053AC0E
CLASSNAME=, xrefs: 0053AC70
ALL, xrefs: 0053ACC7
LAST, xrefs: 0053ABF8
[CLASS:, xrefs: 0053AC83
HANDLE=, xrefs: 0053AC2C
[ALL, xrefs: 0053ACD9
REGEXP=, xrefs: 0053AC48
[LAST, xrefs: 0053ACE0
[ACTIVE, xrefs: 0053AC20

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 39017a30225936f8b4f60a1964db46b95b58c870b33b3c9a3e6e5d2e74e5170e
Instruction ID: 4797accbb2263eda27f11a5363d3213799c2fb614b79486ec3f2db94de21586f
Opcode Fuzzy Hash: 39017a30225936f8b4f60a1964db46b95b58c870b33b3c9a3e6e5d2e74e5170e
Instruction Fuzzy Hash: 4F31C43094820EAADF00EA61DD07EEE7F68BF14725F20041EF442710E2EF556F04C65A

Function 00554FFD Relevance: 25.6, APIs: 17, Instructions: 110COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 00555013
LoadCursorW.USER32(00000000,00007F00), ref: 0055501E
LoadCursorW.USER32(00000000,00007F03), ref: 00555029
LoadCursorW.USER32(00000000,00007F8B), ref: 00555034
LoadCursorW.USER32(00000000,00007F01), ref: 0055503F
LoadCursorW.USER32(00000000,00007F81), ref: 0055504A
LoadCursorW.USER32(00000000,00007F88), ref: 00555055
LoadCursorW.USER32(00000000,00007F80), ref: 00555060
LoadCursorW.USER32(00000000,00007F86), ref: 0055506B
LoadCursorW.USER32(00000000,00007F83), ref: 00555076
LoadCursorW.USER32(00000000,00007F85), ref: 00555081
LoadCursorW.USER32(00000000,00007F82), ref: 0055508C
LoadCursorW.USER32(00000000,00007F84), ref: 00555097
LoadCursorW.USER32(00000000,00007F04), ref: 005550A2
LoadCursorW.USER32(00000000,00007F02), ref: 005550AD
LoadCursorW.USER32(00000000,00007F89), ref: 005550B8
GetCursorInfo.USER32(?), ref: 005550C8

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: f7bfb27cf42b5897f0c9912ac6dd451718e2c021d028030577eadf3cc483c435
Instruction ID: 58eb6d9d6f2ab2b6fc8e19ac04bfa432336ef5d3cd340768a13c4229604aee2d
Opcode Fuzzy Hash: f7bfb27cf42b5897f0c9912ac6dd451718e2c021d028030577eadf3cc483c435
Instruction Fuzzy Hash: D53101B1D083196ADF109FB68C9996EBFE8FF04750F50452BA50CE7280EA78A504CF91

Function 0056A1B9 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0056A259
DestroyWindow.USER32(?,?), ref: 0056A2D3

Part of subcall function 004E7BCC: _memmove.LIBCMT ref: 004E7C06

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0056A34D
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0056A36F
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0056A382
DestroyWindow.USER32(00000000), ref: 0056A3A4
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,004E0000,00000000), ref: 0056A3DB
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0056A3F4
GetDesktopWindow.USER32 ref: 0056A40D
GetWindowRect.USER32(00000000), ref: 0056A414
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0056A42C
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0056A444

Part of subcall function 004E25DB: GetWindowLongW.USER32(?,000000EB), ref: 004E25EC

Strings

tooltips_class32, xrefs: 0056A346, 0056A3D4
0, xrefs: 0056A26F

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: f368695a5f23818327192aa39dedb7b809eff99088c67dbc7fa7e3283f826fd8
Instruction ID: a666c15c480b87892e65069565757d73c5c77e83985baa67b3e5479bcbe2fc2b
Opcode Fuzzy Hash: f368695a5f23818327192aa39dedb7b809eff99088c67dbc7fa7e3283f826fd8
Instruction Fuzzy Hash: 8F71F070140201AFDB20CF28CC48F6A7BE5FB89704F04492DF985972A1EBB4E906DF52

Function 00564392 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00564424
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0056446F

Strings

EXPAND, xrefs: 00564521
CHECK, xrefs: 0056448F
ISCHECKED, xrefs: 005645F2
GETITEMCOUNT, xrefs: 00564551
EXISTS, xrefs: 005644D8
GETTOTALCOUNT, xrefs: 00564456
COLLAPSE, xrefs: 005644B5
UNCHECK, xrefs: 0056464B
GETSELECTED, xrefs: 0056457F
SELECT, xrefs: 00564620
GETTEXT, xrefs: 005645C2

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 8ebb89cd41ee435992faaafd887b6a9907c161558f67f7504ce7ed3f3c16fa82
Instruction ID: 6a1a1a5f1773fb2db1608337db802eb181c7510a9fbf4327b30d7cbb4b305cc5
Opcode Fuzzy Hash: 8ebb89cd41ee435992faaafd887b6a9907c161558f67f7504ce7ed3f3c16fa82
Instruction Fuzzy Hash: 9A9148702043429BCB04EF25C456A6EBBE1BF95354F04886DF8965B3E2CB35ED4ACB85

Function 0056B7FE Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0056B8B4
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00566B11,?), ref: 0056B910
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0056B949
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0056B98C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0056B9C3
FreeLibrary.KERNEL32(?), ref: 0056B9CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0056B9DF
DestroyIcon.USER32(?), ref: 0056B9EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0056BA0B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0056BA17

Part of subcall function 00502EFD: __wcsicmp_l.LIBCMT ref: 00502F86

Strings

.exe, xrefs: 0056B84A
.dll, xrefs: 0056B86D
.icl, xrefs: 0056B82A

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 1494a06bbe8b70de2618098ff85ce55750b840bdd1be057accf19400e54ab109
Instruction ID: 7402c4116a050a0d948ea7af2e51d724552963b4e518c5881d9f48a6ec4251a8
Opcode Fuzzy Hash: 1494a06bbe8b70de2618098ff85ce55750b840bdd1be057accf19400e54ab109
Instruction Fuzzy Hash: 8861DD71940219BAEB14DF68DC46FBE7BACFB08711F10461AFA15D71D0DBB49980EBA0

Function 0054DC1A Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0054DCDC
SystemTimeToFileTime.KERNEL32(?,?), ref: 0054DCEC
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0054DCF8
__wsplitpath.LIBCMT ref: 0054DD56
_wcscat.LIBCMT ref: 0054DD6E
_wcscat.LIBCMT ref: 0054DD80
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0054DD95
SetCurrentDirectoryW.KERNEL32(?), ref: 0054DDA9
SetCurrentDirectoryW.KERNEL32(?), ref: 0054DDDB
SetCurrentDirectoryW.KERNEL32(?), ref: 0054DDFC
_wcscpy.LIBCMT ref: 0054DE08
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0054DE47

Strings

*.*, xrefs: 0054DE02

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: 10a1871c559d6c76cd4def0a7383567210800d8b8dd1642462ced289db243b33
Instruction ID: 85c39c82920d153cf92fd21c291fc8e565629e578387788d50354e20cbd8fe21
Opcode Fuzzy Hash: 10a1871c559d6c76cd4def0a7383567210800d8b8dd1642462ced289db243b33
Instruction Fuzzy Hash: B2617AB25042459FCB10EF25C8849AEB7F8FF89318F04492EF98987251DB75ED45CBA2

Function 00549C38 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 00549C7F

Part of subcall function 004E7DE1: _memmove.LIBCMT ref: 004E7E22

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00549CA0
__swprintf.LIBCMT ref: 00549CF9
__swprintf.LIBCMT ref: 00549D12
_wprintf.LIBCMT ref: 00549DB9
_wprintf.LIBCMT ref: 00549DD7

Strings

Error: , xrefs: 00549D81
"%s" (%d) : ==> %s:, xrefs: 00549DD2
Line %d (File "%s"):, xrefs: 00549CF3, 00549D0C
Incorrect parameters to object property !, xrefs: 00549D5B
^ ERROR , xrefs: 00549D4E
"%s" (%d) : ==> %s:%s%s, xrefs: 00549DB4

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-3080491070
Opcode ID: bcd8a3cfaa561944857d71e48efd83a90a82a93c79dd913b2879bd13b25c9147
Instruction ID: 37e24deda379a41b5db036a7b45b79aa75617c3471fb72eef1f8d1d93fa5998c
Opcode Fuzzy Hash: bcd8a3cfaa561944857d71e48efd83a90a82a93c79dd913b2879bd13b25c9147
Instruction Fuzzy Hash: 0151A171D0054AAACF14EBE1DD46EEEBB78BF14319F10006AF505B20A2EB352F58DB64

Function 0054A352 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 004E9837: __itow.LIBCMT ref: 004E9862
Part of subcall function 004E9837: __swprintf.LIBCMT ref: 004E98AC

CharLowerBuffW.USER32(?,?), ref: 0054A3CB
GetDriveTypeW.KERNEL32 ref: 0054A418
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0054A460
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0054A497
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0054A4C5

Part of subcall function 004E7BCC: _memmove.LIBCMT ref: 004E7C06

Strings

open, xrefs: 0054A3F2
close, xrefs: 0054A3D1
close cd wait, xrefs: 0054A4B0
closed, xrefs: 0054A3DF, 0054A3E8
open , xrefs: 0054A427
set cd door , xrefs: 0054A466
type cdaudio alias cd wait, xrefs: 0054A443
wait, xrefs: 0054A482

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 11e25f0b75509b806d04ccdae9eb20ab79108b9fd065acf7f94e4f0471abefc5
Instruction ID: 659f1381ef82412d69f3eb66ab0eb8d9f74adb1418220c67563ecb43c5a5c699
Opcode Fuzzy Hash: 11e25f0b75509b806d04ccdae9eb20ab79108b9fd065acf7f94e4f0471abefc5
Instruction Fuzzy Hash: 7A515C711043459FCB00EF12C88196EBBE4FF9576DF10486EF896972A1DB35AD09CB46

Function 0053F8AA Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,0051E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 0053F8DF
LoadStringW.USER32(00000000,?,0051E029,00000001), ref: 0053F8E8

Part of subcall function 004E7DE1: _memmove.LIBCMT ref: 004E7E22

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,0051E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 0053F90A
LoadStringW.USER32(00000000,?,0051E029,00000001), ref: 0053F90D
__swprintf.LIBCMT ref: 0053F95D
__swprintf.LIBCMT ref: 0053F96E
_wprintf.LIBCMT ref: 0053FA17
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0053FA2E

Strings

Error: , xrefs: 0053F9E5
^ ERROR, xrefs: 0053F9C3
Line %d (File "%s"):, xrefs: 0053F957
Line %d:, xrefs: 0053F968
%s (%d) : ==> %s: %s %s, xrefs: 0053FA12

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: c6339cf49604ce676c3525935d4418d2e3bad6d4f5976f16756705a75fcebd9d
Instruction ID: 30fa3b9a643e93c35248aac531a1764a3354c10c4dcc83b744cefbe056a05dee
Opcode Fuzzy Hash: c6339cf49604ce676c3525935d4418d2e3bad6d4f5976f16756705a75fcebd9d
Instruction Fuzzy Hash: 4E413F72C04149AACF04FBE2DD86EEE7B78AF54315F10006AB605B6092EA356F49CB65

Function 0056BA33 Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 0056BA56
GetFileSize.KERNEL32(00000000,00000000), ref: 0056BA6D
GlobalAlloc.KERNEL32(00000002,00000000), ref: 0056BA78
CloseHandle.KERNEL32(00000000), ref: 0056BA85
GlobalLock.KERNEL32(00000000), ref: 0056BA8E
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0056BA9D
GlobalUnlock.KERNEL32(00000000), ref: 0056BAA6
CloseHandle.KERNEL32(00000000), ref: 0056BAAD
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 0056BABE
OleLoadPicture.OLEAUT32(?,00000000,00000000,00572CAC,?), ref: 0056BAD7
GlobalFree.KERNEL32(00000000), ref: 0056BAE7
GetObjectW.GDI32(?,00000018,000000FF), ref: 0056BB0B
CopyImage.USER32(?,00000000,?,?,00002000), ref: 0056BB36
DeleteObject.GDI32(00000000), ref: 0056BB5E
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0056BB74

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 10f2b20af978c3a38f1ac663e11c016a55eb09cbfc5adf71b290dff2864d824f
Instruction ID: 8a9adabc1e7dfb94f6bfc9283f05a008b03f01e8c389f4e9db12e43308b392a2
Opcode Fuzzy Hash: 10f2b20af978c3a38f1ac663e11c016a55eb09cbfc5adf71b290dff2864d824f
Instruction Fuzzy Hash: B3411A75A00204FFDB219FA9EC88EAA7BB9FF99711F104068F905D7260D7709D45DB60

Function 0054D899 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 0054DA10
_wcscat.LIBCMT ref: 0054DA28
_wcscat.LIBCMT ref: 0054DA3A
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0054DA4F
SetCurrentDirectoryW.KERNEL32(?), ref: 0054DA63
GetFileAttributesW.KERNEL32(?), ref: 0054DA7B
SetFileAttributesW.KERNEL32(?,00000000), ref: 0054DA95
SetCurrentDirectoryW.KERNEL32(?), ref: 0054DAA7

Strings

*.*, xrefs: 0054DAE6

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 68c487fa9d43660718f9262fbffeabb9fa21482951310998b6067aeafd04f951
Instruction ID: b08ea286ccdbea0844f0145274f8da07c18c1d278f2bd49a9e7056f078416781
Opcode Fuzzy Hash: 68c487fa9d43660718f9262fbffeabb9fa21482951310998b6067aeafd04f951
Instruction Fuzzy Hash: D48180725042419FCB64EF65C844AAABBF4BF89318F184C2EF889C7251E634ED45CB62

Function 0056C1AC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004E2612: GetWindowLongW.USER32(?,000000EB), ref: 004E2623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0056C1FC
GetFocus.USER32 ref: 0056C20C
GetDlgCtrlID.USER32(00000000), ref: 0056C217
_memset.LIBCMT ref: 0056C342
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0056C36D
GetMenuItemCount.USER32(?), ref: 0056C38D
GetMenuItemID.USER32(?,00000000), ref: 0056C3A0
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0056C3D4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0056C41C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0056C454
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0056C489

Strings

0, xrefs: 0056C33A

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 2278d20b77f815e0e1f57e4b563805021fe1aa575d552cb93167157bbc1e9248
Instruction ID: 566f9bedff14297cf1dea5f3f477417205317402b43c72cd714675068766aa6c
Opcode Fuzzy Hash: 2278d20b77f815e0e1f57e4b563805021fe1aa575d552cb93167157bbc1e9248
Instruction Fuzzy Hash: 33818870609301AFDB10CF25D894A7ABFE8FB88715F00492EF9D597291DB70D904DBA2

Function 0055731A Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0055738F
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 0055739B
CreateCompatibleDC.GDI32(?), ref: 005573A7
SelectObject.GDI32(00000000,?), ref: 005573B4
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00557408
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00557444
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00557468
SelectObject.GDI32(00000006,?), ref: 00557470
DeleteObject.GDI32(?), ref: 00557479
DeleteDC.GDI32(00000006), ref: 00557480
ReleaseDC.USER32(00000000,?), ref: 0055748B

Strings

(, xrefs: 00557410

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 643528e9a22b4b565e851af4d9300c500a9b0181af2fa19f90870baeae0a62ef
Instruction ID: 74665f8af56f047e9c2d481bb80012000938928c04fe575883e267bf1114f2a5
Opcode Fuzzy Hash: 643528e9a22b4b565e851af4d9300c500a9b0181af2fa19f90870baeae0a62ef
Instruction Fuzzy Hash: 89514971904209EFCB14CFA8DC88EAEBFB9FF48320F14842AF95A97250C771A944DB50

Function 004E6A8C Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00500957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,004E6B0C,?,00008000), ref: 00500973

Part of subcall function 004E4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004E4743,?,?,004E37AE,?), ref: 004E4770

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 004E6BAD
SetCurrentDirectoryW.KERNEL32(?), ref: 004E6CFA

Part of subcall function 004E586D: _wcscpy.LIBCMT ref: 004E58A5

Part of subcall function 0050363D: _iswctype.LIBCMT ref: 00503645

Strings

Error opening the file, xrefs: 0051E43D, 0051E4B8
EA06, xrefs: 0051E452
Unterminated string, xrefs: 0051E7E4
Bad directive syntax error, xrefs: 0051E79D
>>>AUTOIT SCRIPT<<<, xrefs: 0051E496
#include depth exceeded. Make sure there are no recursive includes, xrefs: 0051E421
AU3!, xrefs: 004E6B61

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: f0e2723b3e84328038398d14b410504d1640b8b1c8e98df6c9a3aa0a1536cae3
Instruction ID: 273af5f3be3aaed959bbe6903198c0c4e76ae0993330e54675b168779fe9560e
Opcode Fuzzy Hash: f0e2723b3e84328038398d14b410504d1640b8b1c8e98df6c9a3aa0a1536cae3
Instruction Fuzzy Hash: B4029C305083819FDB10EF26C881AAFBBE5FF99358F10491EF485972A1DB34D989CB56

Function 00542D36 Relevance: 19.7, APIs: 13, Instructions: 214windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00542D50
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00542DDD
GetMenuItemCount.USER32(005A5890), ref: 00542E66
DeleteMenu.USER32(005A5890,00000005,00000000,000000F5,?,?), ref: 00542EF6
DeleteMenu.USER32(005A5890,00000004,00000000), ref: 00542EFE
DeleteMenu.USER32(005A5890,00000006,00000000), ref: 00542F06
DeleteMenu.USER32(005A5890,00000003,00000000), ref: 00542F0E
GetMenuItemCount.USER32(005A5890), ref: 00542F16
SetMenuItemInfoW.USER32(005A5890,00000004,00000000,00000030), ref: 00542F4C
GetCursorPos.USER32(?), ref: 00542F56
SetForegroundWindow.USER32(00000000), ref: 00542F5F
TrackPopupMenuEx.USER32(005A5890,00000000,?,00000000,00000000,00000000), ref: 00542F72
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00542F7E

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: 678b1129e503cf3a780c32e970e6646579844dce57f64f4e05444cd9ad42d0ac
Instruction ID: fe7f2a28ca77aa90d93d102fc0ee8a42d0f75458d536863aa46d441d73e587ac
Opcode Fuzzy Hash: 678b1129e503cf3a780c32e970e6646579844dce57f64f4e05444cd9ad42d0ac
Instruction Fuzzy Hash: 74713970600225BFEB258F54DC49FEABF68FF04318F900216F615AA1E1C7B15C64DB61

Function 005588AB Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 005588D7
CoInitialize.OLE32(00000000), ref: 00558904
CoUninitialize.OLE32 ref: 0055890E
GetRunningObjectTable.OLE32(00000000,?), ref: 00558A0E
SetErrorMode.KERNEL32(00000001,00000029), ref: 00558B3B
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00572C0C), ref: 00558B6F
CoGetObject.OLE32(?,00000000,00572C0C,?), ref: 00558B92
SetErrorMode.KERNEL32(00000000), ref: 00558BA5
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00558C25
VariantClear.OLEAUT32(?), ref: 00558C35

Strings

,,W, xrefs: 005588C1

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID: ,,W
API String ID: 2395222682-36227439
Opcode ID: eed3903d7a6803de1e00cb097922908df78d2f25976de53137925a1e9e90e43c
Instruction ID: a17f25c71f8767a45ba0732c16651b6ef515b7dda7e568755d4ca25a90a92f64
Opcode Fuzzy Hash: eed3903d7a6803de1e00cb097922908df78d2f25976de53137925a1e9e90e43c
Instruction Fuzzy Hash: 25C158B1604305AFC700DF69C89492BBBE9FF89359F00495EF8899B251DB71ED09CB52

Function 005377DC Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 004E7BCC: _memmove.LIBCMT ref: 004E7C06

_memset.LIBCMT ref: 0053786B
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 005378A0
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 005378BC
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 005378D8
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00537902
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 0053792A
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00537935
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0053793A

Strings

\CLSID, xrefs: 00537822
\IPC$, xrefs: 00537882
SOFTWARE\Classes\, xrefs: 0053780C

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: dc575bbfe95c495a8033499335282d09414781fbb341b27b42798fa809508391
Instruction ID: b1d01efb775496d34e82cbaa0dad6b905f435671c8fa8c9c67c94e600d555dc1
Opcode Fuzzy Hash: dc575bbfe95c495a8033499335282d09414781fbb341b27b42798fa809508391
Instruction Fuzzy Hash: FA413872C1422DABCF21EBA5DC85DEDBB78FF18765F00406AE906A3161DB745D04CB94

Function 00560E1A Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0055FDAD,?,?), ref: 00560E31

Strings

HKCC, xrefs: 00560EFF
HKEY_LOCAL_MACHINE, xrefs: 00560E9A
HKLM, xrefs: 00560EAF
HKEY_CURRENT_USER, xrefs: 00560F10
HKCU, xrefs: 00560F21
HKEY_CLASSES_ROOT, xrefs: 00560EC4
HKU, xrefs: 00560F43
HKEY_USERS, xrefs: 00560F32
HKEY_CURRENT_CONFIG, xrefs: 00560EEE
HKCR, xrefs: 00560ED9

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 1c825e993c594ef7668eed86c5afb2d51b538c2acca2c7b128ba09762ea389ae
Instruction ID: 3c7916ea5409333473c6ed0001d1808a1d43bf6d375c60f4cdf1b1e8a91d82da
Opcode Fuzzy Hash: 1c825e993c594ef7668eed86c5afb2d51b538c2acca2c7b128ba09762ea389ae
Instruction Fuzzy Hash: 6E416A3121028A8BCF21EF14D895AEF7FA4BF61314F142419FC551B2D2DB35AE5ACBA0

Function 0053F7A1 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,0051E2A0,00000010,?,Bad directive syntax error,0056F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 0053F7C2
LoadStringW.USER32(00000000,?,0051E2A0,00000010), ref: 0053F7C9

Part of subcall function 004E7DE1: _memmove.LIBCMT ref: 004E7E22

_wprintf.LIBCMT ref: 0053F7FC
__swprintf.LIBCMT ref: 0053F81E
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 0053F88D

Strings

Line %d (File "%s"):, xrefs: 0053F833
%s (%d) : ==> %s.: %s %s, xrefs: 0053F7F7
., xrefs: 0053F873
Error: , xrefs: 0053F85B
Line %d:, xrefs: 0053F818

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: 1a477242d60b27f25e1805d5db658481a85dbfbe06843ce53f5eaf618924bb62
Instruction ID: 298d2d18872c8eafc6cf5062b30e9530325947104fa3473bad830904c14fe7d8
Opcode Fuzzy Hash: 1a477242d60b27f25e1805d5db658481a85dbfbe06843ce53f5eaf618924bb62
Instruction Fuzzy Hash: 7F216F31D0021AABCF11EF91CC0AEFE7B39BF14315F04046AF515660A2EA759A18DB55

Function 005452C7 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 004E7BCC: _memmove.LIBCMT ref: 004E7C06

Part of subcall function 004E7924: _memmove.LIBCMT ref: 004E79AD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00545330
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00545346
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00545357
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00545369
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0054537A

Strings

play PlayMe, xrefs: 00545375
alias PlayMe, xrefs: 00545309
play PlayMe wait, xrefs: 00545364
open , xrefs: 005452DF
status PlayMe mode, xrefs: 0054532B
close PlayMe, xrefs: 00545341, 0054536E

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: a1a9cdd3e73375396298d83d3451d46b5e6b142f7a9f12c6fadd8c7b35dae1b5
Instruction ID: 44923effdd1d11d0adc8ba0f2b242e67c8eb8b117e36fd7abb893144a20f3a51
Opcode Fuzzy Hash: a1a9cdd3e73375396298d83d3451d46b5e6b142f7a9f12c6fadd8c7b35dae1b5
Instruction Fuzzy Hash: 7111B6719501697ADB20BBB3DC49DFF7F7CFB92B58F00081AB401920D2EEA00D05C560

Function 005446B7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 005446D2
gethostname.WSOCK32(?,00000100), ref: 005446EC
gethostbyname.WSOCK32(?), ref: 005446F9
_wcscpy.LIBCMT ref: 00544721
_memmove.LIBCMT ref: 00544734
inet_ntoa.WSOCK32(?), ref: 0054473F
_strcat.LIBCMT ref: 0054474D
_wcscpy.LIBCMT ref: 00544764
WSACleanup.WSOCK32 ref: 00544772
_wcscpy.LIBCMT ref: 00544780

Strings

0.0.0.0, xrefs: 0054471B

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 4f580741189454bf6edf119d1d2d7368fddd34710b9d5a88eba6cfeb122fe027
Instruction ID: 6bd44780bed39ba733058f189e89daa3c903274b9a5895685e07fa5a4aeb1af0
Opcode Fuzzy Hash: 4f580741189454bf6edf119d1d2d7368fddd34710b9d5a88eba6cfeb122fe027
Instruction Fuzzy Hash: C811F032904105ABCB24AB34AC4AFEE7FACFB92315F0001B6F54597091EBB09E878B50

Function 00544F75 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00544F7A

Part of subcall function 0050049F: timeGetTime.WINMM(?,75C0B400,004F0E7B), ref: 005004A3

Sleep.KERNEL32(0000000A), ref: 00544FA6
EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00544FCA
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00544FEC
SetActiveWindow.USER32 ref: 0054500B
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00545019
SendMessageW.USER32(00000010,00000000,00000000), ref: 00545038
Sleep.KERNEL32(000000FA), ref: 00545043
IsWindow.USER32 ref: 0054504F
EndDialog.USER32(00000000), ref: 00545060

Strings

BUTTON, xrefs: 00544FDE

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: f5b248cb39c302d2bb097a784f76fb1e9f2e5bcbc768991f077d5bddffd16515
Instruction ID: daf7e2e67f4d2872b04fd78f2b9b3b3d6984c8fcdd1060331fc517fcc7031744
Opcode Fuzzy Hash: f5b248cb39c302d2bb097a784f76fb1e9f2e5bcbc768991f077d5bddffd16515
Instruction Fuzzy Hash: 7E218074A44605BFE7106F24FC8DB663FA9FB6A749B481024F106832B1EBB14D1CEB61

Function 0054D58D Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 004E9837: __itow.LIBCMT ref: 004E9862
Part of subcall function 004E9837: __swprintf.LIBCMT ref: 004E98AC

CoInitialize.OLE32(00000000), ref: 0054D5EA
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0054D67D
SHGetDesktopFolder.SHELL32(?), ref: 0054D691
CoCreateInstance.OLE32(00572D7C,00000000,00000001,00598C1C,?), ref: 0054D6DD
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0054D74C
CoTaskMemFree.OLE32(?,?), ref: 0054D7A4
_memset.LIBCMT ref: 0054D7E1
SHBrowseForFolderW.SHELL32(?), ref: 0054D81D
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0054D840
CoTaskMemFree.OLE32(00000000), ref: 0054D847
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0054D87E
CoUninitialize.OLE32(00000001,00000000), ref: 0054D880

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: bac1e44dfa41c25d725ce5acc48d787500886399d9d2f4b494e107eb258a11e6
Instruction ID: e717bf64669ddfc1298b8766e95e861729e91208e94ac97ee5e404f4b935e70d
Opcode Fuzzy Hash: bac1e44dfa41c25d725ce5acc48d787500886399d9d2f4b494e107eb258a11e6
Instruction Fuzzy Hash: A4B1FD75A00109AFDB04DFA5D888DAEBBB9FF48315F1484A9F909EB261DB30ED45CB50

Function 0053C267 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 0053C283
GetWindowRect.USER32(00000000,?), ref: 0053C295
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0053C2F3
GetDlgItem.USER32(?,00000002), ref: 0053C2FE
GetWindowRect.USER32(00000000,?), ref: 0053C310
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0053C364
GetDlgItem.USER32(?,000003E9), ref: 0053C372
GetWindowRect.USER32(00000000,?), ref: 0053C383
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0053C3C6
GetDlgItem.USER32(?,000003EA), ref: 0053C3D4
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0053C3F1
InvalidateRect.USER32(?,00000000,00000001), ref: 0053C3FE

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: e3f687c1b665e5d55afb381429fb65410ae2b20a2d4e40ac70747a1cc95ca704
Instruction ID: 14431f2eedc04604ce7d94531d6c511f110bb9af0eeb8869fdb322526dd4cba2
Opcode Fuzzy Hash: e3f687c1b665e5d55afb381429fb65410ae2b20a2d4e40ac70747a1cc95ca704
Instruction Fuzzy Hash: FE513F71B00205ABDB18CFADDD89AAEBBB6FB98711F14852DF515E7290D7B09D048B10

Function 004E201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 004E1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,004E2036,?,00000000,?,?,?,?,004E16CB,00000000,?), ref: 004E1B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 004E20D3
KillTimer.USER32(-00000001,?,?,?,?,004E16CB,00000000,?,?,004E1AE2,?,?), ref: 004E216E
DestroyAcceleratorTable.USER32(00000000), ref: 0051BCA6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,004E16CB,00000000,?,?,004E1AE2,?,?), ref: 0051BCD7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,004E16CB,00000000,?,?,004E1AE2,?,?), ref: 0051BCEE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,004E16CB,00000000,?,?,004E1AE2,?,?), ref: 0051BD0A
DeleteObject.GDI32(00000000), ref: 0051BD1C

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: da290212971699b9edbdb7cb1d683b571e93c1ed4a311069b748076d63790067
Instruction ID: 4c70820cec55af681f0932e93790257b90c51a6da23989fcdfd24a62015de6e3
Opcode Fuzzy Hash: da290212971699b9edbdb7cb1d683b571e93c1ed4a311069b748076d63790067
Instruction Fuzzy Hash: E661DF31500A51DFEB359F16EA48B2ABBF1FB51316F20442AE142476B0C7B8AC85EF95

Function 004E21A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 004E25DB: GetWindowLongW.USER32(?,000000EB), ref: 004E25EC

GetSysColor.USER32(0000000F), ref: 004E21D3

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 5c98b3cb46f46673c4ddcc6d119e0fdbd490872eceee5b716d29796e5707c352
Instruction ID: 318e3c0d3aadbe4330d0457c1d13257f79d4706b82ec9c8b55cea92b750e423b
Opcode Fuzzy Hash: 5c98b3cb46f46673c4ddcc6d119e0fdbd490872eceee5b716d29796e5707c352
Instruction Fuzzy Hash: 1C41AA31400180DBEB255F29ED48BB93B69FB16331F1443A6FE658B1E1C7B54C42D715

Function 0054A8A7 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,0056F910), ref: 0054A90B
GetDriveTypeW.KERNEL32(00000061,005989A0,00000061), ref: 0054A9D5
_wcscpy.LIBCMT ref: 0054A9FF

Strings

removable, xrefs: 0054A93D
cdrom, xrefs: 0054A927
network, xrefs: 0054A969
unknown, xrefs: 0054A996
ramdisk, xrefs: 0054A97F
fixed, xrefs: 0054A953
all, xrefs: 0054A911

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: abb05510a52c5324877a6bba6bf8f047ff1e08a1268971fcb75d222eeca02ce6
Instruction ID: f6a34d474db2c0b372a81533c35a0cfded3b2364dc4c90c224e034fe0cab08e7
Opcode Fuzzy Hash: abb05510a52c5324877a6bba6bf8f047ff1e08a1268971fcb75d222eeca02ce6
Instruction Fuzzy Hash: 12519D31158341ABC700EF16C896AAFBBA5FF85308F14482EF595972E2DB319D09CA53

Function 004E9837 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 004E9862
__swprintf.LIBCMT ref: 004E98AC
__i64tow.LIBCMT ref: 0051F5E6

Strings

True, xrefs: 0051F5A7
0x%p, xrefs: 0051F5C8
%.15g, xrefs: 004E98A6
False, xrefs: 0051F5AE

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 2bdaff84c8dd81202d7601c2f7d1ec3776dc525cd54c2fd0e670c4d94dcf9a21
Instruction ID: 9bb42d1cbc1d0c26c0e9e9b0c16ae07cfc1a87dad77e62056cc8c24ad7021c90
Opcode Fuzzy Hash: 2bdaff84c8dd81202d7601c2f7d1ec3776dc525cd54c2fd0e670c4d94dcf9a21
Instruction Fuzzy Hash: D641E571510205AAEB24EF35D846EBA7BE9FF46300F20486FE449D72D2EA359D428B11

Function 00567152 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0056716A
CreateMenu.USER32 ref: 00567185
SetMenu.USER32(?,00000000), ref: 00567194
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00567221
IsMenu.USER32(?), ref: 00567237
CreatePopupMenu.USER32 ref: 00567241
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0056726E
DrawMenuBar.USER32 ref: 00567276

Strings

F, xrefs: 00567262
0, xrefs: 00567160

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 64ff27b04f6c7b57564ab7719a117e1844a6ca31a8c65e2e8b4737aec8cd78ba
Instruction ID: be06e034470bc3a2b9f1d0ebe7c091025b388c18041e485a94f56b0232aeaaf1
Opcode Fuzzy Hash: 64ff27b04f6c7b57564ab7719a117e1844a6ca31a8c65e2e8b4737aec8cd78ba
Instruction Fuzzy Hash: AE417778A01209EFDB20DF68E894E9A7BB5FF59314F140029F906A7361E771AD18DB90

Function 005674BB Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0056755E
CreateCompatibleDC.GDI32(00000000), ref: 00567565
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00567578
SelectObject.GDI32(00000000,00000000), ref: 00567580
GetPixel.GDI32(00000000,00000000,00000000), ref: 0056758B
DeleteDC.GDI32(00000000), ref: 00567594
GetWindowLongW.USER32(?,000000EC), ref: 0056759E
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 005675B2
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 005675BE

Strings

static, xrefs: 005674F6

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: ba71d92f4694d7fa056443f957c6781717815b73dbaaf133711cdfbdff9be981
Instruction ID: debf6d0e341a7d6feb839bd30d276e0d927a683e0ee06f583e29f74e13e5b7b9
Opcode Fuzzy Hash: ba71d92f4694d7fa056443f957c6781717815b73dbaaf133711cdfbdff9be981
Instruction Fuzzy Hash: DE317A72504219ABDF119F68EC08FEA3F69FF2D364F110224FA16A30A0D771D815EBA4

Function 00506E03 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00506E3E

Part of subcall function 00508B28: __getptd_noexit.LIBCMT ref: 00508B28

__gmtime64_s.LIBCMT ref: 00506ED7
__gmtime64_s.LIBCMT ref: 00506F0D
__gmtime64_s.LIBCMT ref: 00506F2A
__allrem.LIBCMT ref: 00506F80
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00506F9C
__allrem.LIBCMT ref: 00506FB3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00506FD1
__allrem.LIBCMT ref: 00506FE8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00507006
__invoke_watson.LIBCMT ref: 00507077

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction ID: d8dcb5fb3753492b8a8b98f3b8b39b152c73a3c3b9b0089e168c7ce26940b4a2
Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction Fuzzy Hash: 2B71F5B6E00717ABE714AE68DC55BAFBBA8BF44360F144229F414E72C1E770ED508B90

Function 00542527 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00542542
GetMenuItemInfoW.USER32(005A5890,000000FF,00000000,00000030), ref: 005425A3
SetMenuItemInfoW.USER32(005A5890,00000004,00000000,00000030), ref: 005425D9
Sleep.KERNEL32(000001F4), ref: 005425EB
GetMenuItemCount.USER32(?), ref: 0054262F
GetMenuItemID.USER32(?,00000000), ref: 0054264B
GetMenuItemID.USER32(?,-00000001), ref: 00542675
GetMenuItemID.USER32(?,?), ref: 005426BA
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00542700
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00542714
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00542735

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 2738e0b3fed74486a5e3e67782c29eef306456feb80c8a705c94f7f673aca6e1
Instruction ID: 7976c3a09bc0bf2b1cb70ab182e89c7e90cc10b4177523bd653f1bbbf704377f
Opcode Fuzzy Hash: 2738e0b3fed74486a5e3e67782c29eef306456feb80c8a705c94f7f673aca6e1
Instruction Fuzzy Hash: F0617D70900269AFDF11CF64D888EEE7FB8FB55348F940459F842A7251DB71AD09EB21

Function 00566F23 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00566FA5
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00566FA8
GetWindowLongW.USER32(?,000000F0), ref: 00566FCC
_memset.LIBCMT ref: 00566FDD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00566FEF
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00567067

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: fccdaa426a29f0f9778f073ff8bfef07f0eaef87baaa16762eb432f68a28fb77
Instruction ID: ec3cc59e9fa055a321a392506898650a8d428844d1f9df165a442a5177353fce
Opcode Fuzzy Hash: fccdaa426a29f0f9778f073ff8bfef07f0eaef87baaa16762eb432f68a28fb77
Instruction Fuzzy Hash: 1F617975900209AFDB10DFA4CC85EEE7BF8FB09714F10019AFA14AB2A1D775AD45DBA0

Function 00536B98 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00536BBF
SafeArrayAllocData.OLEAUT32(?), ref: 00536C18
VariantInit.OLEAUT32(?), ref: 00536C2A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00536C4A
VariantCopy.OLEAUT32(?,?), ref: 00536C9D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00536CB1
VariantClear.OLEAUT32(?), ref: 00536CC6
SafeArrayDestroyData.OLEAUT32(?), ref: 00536CD3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00536CDC
VariantClear.OLEAUT32(?), ref: 00536CEE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00536CF9

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 6dafd8db0f2acd69db8c64b8d29027fba45f031e321f000486b4603301e38eb3
Instruction ID: d1d3d1f4ee0133d242a5029f4d94504d137a9fe3c05247d528fa36b17baa96fb
Opcode Fuzzy Hash: 6dafd8db0f2acd69db8c64b8d29027fba45f031e321f000486b4603301e38eb3
Instruction Fuzzy Hash: 24416E71E00119AFCF00DF69D8489AEBFB9FF58345F00C069E955A7261CB70AD49DBA0

Function 005583BB Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 004E9837: __itow.LIBCMT ref: 004E9862
Part of subcall function 004E9837: __swprintf.LIBCMT ref: 004E98AC

CoInitialize.OLE32 ref: 00558403
CoUninitialize.OLE32 ref: 0055840E
CoCreateInstance.OLE32(?,00000000,00000017,00572BEC,?), ref: 0055846E
IIDFromString.OLE32(?,?), ref: 005584E1
VariantInit.OLEAUT32(?), ref: 0055857B
VariantClear.OLEAUT32(?), ref: 005585DC

Strings

Failed to create object, xrefs: 00558479, 0055852F
Invalid parameter, xrefs: 005584FA
NULL Pointer assignment, xrefs: 005584B3

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 9ef87b1575300bfcd1ec55a98b2980148abc7e159f6a6b76b6b1349cc3486a5d
Instruction ID: 2ab407e11e53f780c49da59bc7ac56018044fc0d92126cfb2c7f298b1efb2717
Opcode Fuzzy Hash: 9ef87b1575300bfcd1ec55a98b2980148abc7e159f6a6b76b6b1349cc3486a5d
Instruction Fuzzy Hash: 5B61AF70608312EFCB10DF15D858B6ABBE4BF45759F00485AFD85AB291DB70ED48CB92

Function 00555732 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00555793
inet_addr.WSOCK32(?,?,?), ref: 005557D8
gethostbyname.WSOCK32(?), ref: 005557E4
IcmpCreateFile.IPHLPAPI ref: 005557F2
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00555862
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00555878
IcmpCloseHandle.IPHLPAPI(00000000), ref: 005558ED
WSACleanup.WSOCK32 ref: 005558F3

Strings

Ping, xrefs: 00555816

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: dd51ed0300eb248eb5798e34bc7f7e0c59fbe0bc4546dc7425f3af4c712742d7
Instruction ID: 15cd87be901aefdb499d177c99da31846501dda4d2df7d52334bea5acc9933d0
Opcode Fuzzy Hash: dd51ed0300eb248eb5798e34bc7f7e0c59fbe0bc4546dc7425f3af4c712742d7
Instruction Fuzzy Hash: 4A51A0316046009FDB10EF25DC65B2A7BE4FF48725F14896AF956DB2A1EB70EC08DB41

Function 0054B4C3 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0054B4D0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0054B546
GetLastError.KERNEL32 ref: 0054B550
SetErrorMode.KERNEL32(00000000,READY), ref: 0054B5BD

Strings

READY, xrefs: 0054B596
INVALID, xrefs: 0054B58F
UNKNOWN, xrefs: 0054B575
READONLY, xrefs: 0054B588
NOTREADY, xrefs: 0054B57C

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 2234e1500d33e332258c1c8413bb91e4c01118788404649f1e73a3b5f44c6160
Instruction ID: 476c6ea6c2ba68ac3ebabd08fffc60be94d12a2b518b3c121dbac802aec1aebe
Opcode Fuzzy Hash: 2234e1500d33e332258c1c8413bb91e4c01118788404649f1e73a3b5f44c6160
Instruction Fuzzy Hash: E631AD75A00209AFEB00EB69D885AFEBFB4FF49319F14412AE505D7291EB71DA02CB50

Function 00538F8F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004E7DE1: _memmove.LIBCMT ref: 004E7E22

Part of subcall function 0053AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0053AABC

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00539014
GetDlgCtrlID.USER32 ref: 0053901F
GetParent.USER32 ref: 0053903B
SendMessageW.USER32(00000000,?,00000111,?), ref: 0053903E
GetDlgCtrlID.USER32(?), ref: 00539047
GetParent.USER32(?), ref: 00539063
SendMessageW.USER32(00000000,?,?,00000111), ref: 00539066

Strings

ComboBox, xrefs: 00538F9C
ListBox, xrefs: 00538FD1

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 51aa27367d464d7294a2b691fc7ba2ff7aa0dd408f86e24c4d9f88e8b4f12a15
Instruction ID: e191566da117d8084113d3f350848da2cbf8e06a7fa64ed87e20c2bcdef6b57e
Opcode Fuzzy Hash: 51aa27367d464d7294a2b691fc7ba2ff7aa0dd408f86e24c4d9f88e8b4f12a15
Instruction Fuzzy Hash: 2121A4B4E00108BBDF05ABA5DC89EFEBB75FF59310F10011AF961972A1DBB55819DB20

Function 0053907A Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004E7DE1: _memmove.LIBCMT ref: 004E7E22

Part of subcall function 0053AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0053AABC

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 005390FD
GetDlgCtrlID.USER32 ref: 00539108
GetParent.USER32 ref: 00539124
SendMessageW.USER32(00000000,?,00000111,?), ref: 00539127
GetDlgCtrlID.USER32(?), ref: 00539130
GetParent.USER32(?), ref: 0053914C
SendMessageW.USER32(00000000,?,?,00000111), ref: 0053914F

Strings

ComboBox, xrefs: 00539087
ListBox, xrefs: 005390BC

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 15d96a72dabdd289b080fe4993472796c51096e2578a78f7edcee7b9b184ce5b
Instruction ID: d9c9ec877c2aabcb1c116e309fafacfd85139327ea76afc4654b73d694e2ac6d
Opcode Fuzzy Hash: 15d96a72dabdd289b080fe4993472796c51096e2578a78f7edcee7b9b184ce5b
Instruction Fuzzy Hash: 1321C8B5E00109BBDF05ABA5DC89EFEBB78FF58300F10401AF561972A2DBB55819DB20

Function 00539163 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 0053916F
GetClassNameW.USER32(00000000,?,00000100), ref: 00539184
_wcscmp.LIBCMT ref: 00539196
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00539211

Strings

smallicons, xrefs: 005391D9
largeicons, xrefs: 005391A5
details, xrefs: 005391BF
list, xrefs: 005391F3
SHELLDLL_DefView, xrefs: 00539190

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 28244c5c0dbe82b1246fe55f0b73027fab356c969e8dc908558d7a6cab839cf8
Instruction ID: fad1966237d92bf633f3f80feae39195c3d78fbd335ee273d52ac6816981c1e5
Opcode Fuzzy Hash: 28244c5c0dbe82b1246fe55f0b73027fab356c969e8dc908558d7a6cab839cf8
Instruction Fuzzy Hash: 0811CABA68C70BB9FE112628EC0FDBB3F9CFB55720F200426F911A54E1EEE158515694

Function 00547990 Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00547A6C

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: 97c9ebca82348414280ab84ba66cc5c4ff1b7efd73a813302962f8639e95bb8b
Instruction ID: 59652404fe74df9f83d1d889f52f6ae94cdefa490618dd568e2241ae32ea2d0a
Opcode Fuzzy Hash: 97c9ebca82348414280ab84ba66cc5c4ff1b7efd73a813302962f8639e95bb8b
Instruction Fuzzy Hash: E0B18D7190420E9FDB10DFA4D885BFEBBB4FF49329F204429EA01A7281D774AD45DBA0

Function 005411CE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 005411F0
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00540268,?,00000001), ref: 00541204
GetWindowThreadProcessId.USER32(00000000), ref: 0054120B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00540268,?,00000001), ref: 0054121A
GetWindowThreadProcessId.USER32(?,00000000), ref: 0054122C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00540268,?,00000001), ref: 00541245
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00540268,?,00000001), ref: 00541257
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00540268,?,00000001), ref: 0054129C
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00540268,?,00000001), ref: 005412B1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00540268,?,00000001), ref: 005412BC

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: f908c85eea6135274e42cb0b8684a4c9308660e7033789de96c0bb623af86233
Instruction ID: 5bbb3ccdd6df6bced7c268ad85b15d26209d199e2a0727cdea49a56d96dcac3e
Opcode Fuzzy Hash: f908c85eea6135274e42cb0b8684a4c9308660e7033789de96c0bb623af86233
Instruction Fuzzy Hash: 5631E179A04604BFDB109F55FD48FA93BA9FB66315F154115F800CB1A0E7F09DC8AB54

Function 004EFA5D Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 004EFAA6
OleUninitialize.OLE32(?,00000000), ref: 004EFB45
UnregisterHotKey.USER32(?), ref: 004EFC9C
DestroyWindow.USER32(?), ref: 005245D6
FreeLibrary.KERNEL32(?), ref: 0052463B
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00524668

Strings

close all, xrefs: 004EFAA1

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: df71b88930b551db5a0ba1c2a245ea1340f05e9fc3e025b0cf255296f8f93424
Instruction ID: 0abfa0fb6909a9209722c5e3202d9f38ee4bea9179b482de730c9fae9fa57aa3
Opcode Fuzzy Hash: df71b88930b551db5a0ba1c2a245ea1340f05e9fc3e025b0cf255296f8f93424
Instruction Fuzzy Hash: 29A1B430701122CFCB29EF15D595A69FB64FF16705F2442AEE80AAB291CB34EC1ACF54

Function 00559113 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00559167
VariantInit.OLEAUT32(?), ref: 00559238
VariantInit.OLEAUT32(?), ref: 00559339
VariantClear.OLEAUT32(?), ref: 00559343
VariantClear.OLEAUT32(?), ref: 005593A0

Strings

Null Object assignment in FOR..IN loop, xrefs: 005591C8, 005592F6, 005593AE
Incorrect Object type in FOR..IN loop, xrefs: 0055931C
,,W, xrefs: 005591E5

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: ,,W$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-1179491413
Opcode ID: 8eb7d3a589382df9d81425473041e2c68e5a8cd108b6a1704a872dfce8c50987
Instruction ID: 80245e84084a2c6dae2483e1d528e52d618af61d868260c82b569f1183e9b15e
Opcode Fuzzy Hash: 8eb7d3a589382df9d81425473041e2c68e5a8cd108b6a1704a872dfce8c50987
Instruction Fuzzy Hash: AB91A171A00215EBDF20CFA5C858FAEBBB8FF45711F10855AF905AB280D7749909CFA0

Function 0053A068 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,0053A439), ref: 0053A377

Strings

CLASSNN, xrefs: 0053A119
TEXT, xrefs: 0053A2AE
CLASS, xrefs: 0053A0F6
INSTANCE, xrefs: 0053A285
NAME, xrefs: 0053A1A9
REGEXPCLASS, xrefs: 0053A13C

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: cbb170c2121681add9a3786f7784bee2f4d5d7c05145f897866282ca75d31e70
Instruction ID: f776f95c28e6b3042b89e90467ed47822db4fc1fd25a2e82d0d223028100d79a
Opcode Fuzzy Hash: cbb170c2121681add9a3786f7784bee2f4d5d7c05145f897866282ca75d31e70
Instruction Fuzzy Hash: 3191D830A04606ABDF08DFA0C485BEEFFB4FF44314F54851AE899A7191DF316A99CB91

Function 004E2E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 004E2EAE

Part of subcall function 004E1DB3: GetClientRect.USER32(?,?), ref: 004E1DDC
Part of subcall function 004E1DB3: GetWindowRect.USER32(?,?), ref: 004E1E1D
Part of subcall function 004E1DB3: ScreenToClient.USER32(?,?), ref: 004E1E45

GetDC.USER32 ref: 0051CD32
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0051CD45
SelectObject.GDI32(00000000,00000000), ref: 0051CD53
SelectObject.GDI32(00000000,00000000), ref: 0051CD68
ReleaseDC.USER32(?,00000000), ref: 0051CD70
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0051CDFB

Strings

U, xrefs: 0051CCD0

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: b6c648ac36b928dbfe45b815541f07eaf7221e86b11ef07e904fc1481aab68e3
Instruction ID: 2fddf6f65521f0bb8d1a6faa164387c2704a25b25fc479d20878a984bf21908b
Opcode Fuzzy Hash: b6c648ac36b928dbfe45b815541f07eaf7221e86b11ef07e904fc1481aab68e3
Instruction Fuzzy Hash: F1711130400245DFDF218F68D884AFA3FB9FF49325F14466AED569A2A6D7368C81DB60

Function 00551A15 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00551A50
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00551A7C
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00551ABE
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00551AD3
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00551AE0
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00551B10
InternetCloseHandle.WININET(00000000), ref: 00551B57

Part of subcall function 00552483: GetLastError.KERNEL32(?,?,00551817,00000000,00000000,00000001), ref: 00552498
Part of subcall function 00552483: SetEvent.KERNEL32(?,?,00551817,00000000,00000000,00000001), ref: 005524AD

Strings

, xrefs: 00551B01

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: 5b7bd4c21cd3d0e99bfe8bf32e137e6b7e22fb48b78c5786edffd504d19d4de1
Instruction ID: 878bd746d22fdb782bce6578955829f81dc586018d6634f3ef9e5044db8ed60e
Opcode Fuzzy Hash: 5b7bd4c21cd3d0e99bfe8bf32e137e6b7e22fb48b78c5786edffd504d19d4de1
Instruction Fuzzy Hash: 55418CB1901609BFEB128F50DC99FBA7FACFB08351F00412BFD059A141E7B09E489BA4

Function 00558C46 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,0056F910), ref: 00558D28
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0056F910), ref: 00558D5C
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00558ED6
SysFreeString.OLEAUT32(?), ref: 00558F00

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: dba17b8fe55465538ad1ba7ef179d03188334319ef60da482965ce88a9d4d4ab
Instruction ID: 9daad46008f4f80dfb73483ba478bd658927d1d936d2d6c1a3d64d32919d82cc
Opcode Fuzzy Hash: dba17b8fe55465538ad1ba7ef179d03188334319ef60da482965ce88a9d4d4ab
Instruction Fuzzy Hash: C0F12971A00109EFDF04DF94C898EAEBBB9BF49315F108499F915AB291DB31AE49CB50

Function 0055F694 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0055F6B5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0055F848
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0055F86C
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0055F8AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0055F8CE
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0055FA4A
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0055FA7C
CloseHandle.KERNEL32(?), ref: 0055FAAB
CloseHandle.KERNEL32(?), ref: 0055FB22

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: e12666a9fe64cd52e84fceb81db99f47244cdbbf95c6173e7341c78244541d85
Instruction ID: d9e109849ce70d2b42a480198e551672ded38cad2ceebe2398cbb649de2edd3d
Opcode Fuzzy Hash: e12666a9fe64cd52e84fceb81db99f47244cdbbf95c6173e7341c78244541d85
Instruction Fuzzy Hash: C3E19E316042419FC714EF25C895B6EBBE1BF89315F14896EF8859B2A2CB30EC49CB52

Function 00544CC1 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0054466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00543697,?), ref: 0054468B

Part of subcall function 0054466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00543697,?), ref: 005446A4

Part of subcall function 00544A31: GetFileAttributesW.KERNEL32(?,0054370B), ref: 00544A32

lstrcmpiW.KERNEL32(?,?), ref: 00544D40
_wcscmp.LIBCMT ref: 00544D5A
MoveFileW.KERNEL32(?,?), ref: 00544D75

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: d6045682a76868f4f77b2d48d0dc37802be4bf9ad2a06b1b6c8b528c79c898e4
Instruction ID: 62ea9b88c1540e1532102eda63b6390db6f22a460e1ef527d273c526aa241022
Opcode Fuzzy Hash: d6045682a76868f4f77b2d48d0dc37802be4bf9ad2a06b1b6c8b528c79c898e4
Instruction Fuzzy Hash: B75173B24483859BC724DBA0D885ADFBBECBF84315F00092EF285D3191EF34A588CB56

Function 00568645 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 005686FF

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 289c864e5f03b0b30481dd8a98eaf04e90f9c915678d503bb7261f2618304f8a
Instruction ID: a071132a90b5d8dc26ce077298461840955bce41e25fa0383ba5ce4751c3b273
Opcode Fuzzy Hash: 289c864e5f03b0b30481dd8a98eaf04e90f9c915678d503bb7261f2618304f8a
Instruction Fuzzy Hash: BA518F30500245BEEB209B29DC89FBD7FA4FB15714F604B16FA51E72A1CFB2A980DB51

Function 004E2B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0051C2F7
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0051C319
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0051C331
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0051C34F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0051C370
DestroyIcon.USER32(00000000), ref: 0051C37F
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0051C39C
DestroyIcon.USER32(?), ref: 0051C3AB

Part of subcall function 0056A4AF: DeleteObject.GDI32(00000000), ref: 0056A4E8

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: c710c05a9a2b81ed3342b95d961d139d7165540bd4f17aec7bc7672c9a2f7d1e
Instruction ID: c30cae34b5166d3fb34720659038082b968e6877cd9d3a891ad0336191a9b8ad
Opcode Fuzzy Hash: c710c05a9a2b81ed3342b95d961d139d7165540bd4f17aec7bc7672c9a2f7d1e
Instruction Fuzzy Hash: 6F51AC30A40249AFEB20DF25DD45FAA3BF9FB54311F104529F912A72A0DBB5EC80EB54

Function 0053966E Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0053A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0053A84C
Part of subcall function 0053A82C: GetCurrentThreadId.KERNEL32 ref: 0053A853
Part of subcall function 0053A82C: AttachThreadInput.USER32(00000000,?,00539683,?,00000001), ref: 0053A85A

MapVirtualKeyW.USER32(00000025,00000000), ref: 0053968E
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 005396AB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 005396AE
MapVirtualKeyW.USER32(00000025,00000000), ref: 005396B7
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 005396D5
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 005396D8
MapVirtualKeyW.USER32(00000025,00000000), ref: 005396E1
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 005396F8
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 005396FB

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 2cef901ef5611f7b8bca3f8d386276510f5c140c27e1261f0cf9cf28a9dbd20b
Instruction ID: 6059c6bebebecae3083ccd726df02b7c73e23c1e37e44fc2047e4304bfd13d1a
Opcode Fuzzy Hash: 2cef901ef5611f7b8bca3f8d386276510f5c140c27e1261f0cf9cf28a9dbd20b
Instruction Fuzzy Hash: 2111CEB1910218BFF6106B64EC8EF6A7F2DEB4C790F100425F244AB0A0C9F25C10EBA4

Function 00538921 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0053853C,00000B00,?,?), ref: 0053892A
HeapAlloc.KERNEL32(00000000,?,0053853C,00000B00,?,?), ref: 00538931
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0053853C,00000B00,?,?), ref: 00538946
GetCurrentProcess.KERNEL32(?,00000000,?,0053853C,00000B00,?,?), ref: 0053894E
DuplicateHandle.KERNEL32(00000000,?,0053853C,00000B00,?,?), ref: 00538951
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0053853C,00000B00,?,?), ref: 00538961
GetCurrentProcess.KERNEL32(0053853C,00000000,?,0053853C,00000B00,?,?), ref: 00538969
DuplicateHandle.KERNEL32(00000000,?,0053853C,00000B00,?,?), ref: 0053896C
CreateThread.KERNEL32(00000000,00000000,00538992,00000000,00000000,00000000), ref: 00538986

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 711f91b71436a3564f7653c0e3228f4d6b04b6223893328c796a077568e086f4
Instruction ID: 93b941ff3487b22b67ea88ddecf58d5d6f99fb265e3e0a7e2bb9ca6a66d9afcf
Opcode Fuzzy Hash: 711f91b71436a3564f7653c0e3228f4d6b04b6223893328c796a077568e086f4
Instruction Fuzzy Hash: A401BF75640304FFE710ABA9EC4DF673B6CFB99751F404421FA05DB191CAB19844DB20

Function 00559B23 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00559B7B
NULL Pointer assignment, xrefs: 00559BA4, 00559EC8

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: a84ac652b9cd2ae621ab460e891e92fbb7e206345e0572c8b2d85c9fae0d1fb1
Instruction ID: ab5febe4363c35d50f0b74b5d2ca8178289f1774805cc6d442d50dbff436e88d
Opcode Fuzzy Hash: a84ac652b9cd2ae621ab460e891e92fbb7e206345e0572c8b2d85c9fae0d1fb1
Instruction Fuzzy Hash: 2CC1A671A0020ADBDF10DF58D895BAEBBF9FF48315F14846AED05AB280E7749D49CB90

Function 0055975D Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 0053710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00537044,80070057,?,?,?,00537455), ref: 00537127
Part of subcall function 0053710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00537044,80070057,?,?), ref: 00537142
Part of subcall function 0053710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00537044,80070057,?,?), ref: 00537150
Part of subcall function 0053710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00537044,80070057,?), ref: 00537160

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00559806
_memset.LIBCMT ref: 00559813
_memset.LIBCMT ref: 00559956
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00559982
CoTaskMemFree.OLE32(?), ref: 0055998D

Strings

NULL Pointer assignment, xrefs: 005599DB

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: d8f07dc5082997a1be2957c6bfce23e13fb1b19dbb4c4fb7ca205e10be48a9c3
Instruction ID: 06c769d254b61c91b817ea03623e12d7c3b7daf10a18c7dd4c946d2a8b5c39c6
Opcode Fuzzy Hash: d8f07dc5082997a1be2957c6bfce23e13fb1b19dbb4c4fb7ca205e10be48a9c3
Instruction Fuzzy Hash: 27914A71D00219EBDB10DFA5DC95EDEBBB9BF08314F10415AF819A7281EB756A44CFA0

Function 00566D80 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00566E24
SendMessageW.USER32(?,00001036,00000000,?), ref: 00566E38
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00566E52
_wcscat.LIBCMT ref: 00566EAD
SendMessageW.USER32(?,00001057,00000000,?), ref: 00566EC4
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00566EF2

Strings

SysListView32, xrefs: 00566DF6

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: d55033e441bf1b174785851594d317d95e3e00fa555b618e21b5fea2c35cd609
Instruction ID: abef6196b302a44d27066c95666d643ceaf70c7aced70a370af274ec38129df1
Opcode Fuzzy Hash: d55033e441bf1b174785851594d317d95e3e00fa555b618e21b5fea2c35cd609
Instruction Fuzzy Hash: 2A419175A00349ABEF219F64DC89BEEBBF8FF08350F10042AF555E7291D6729D848B60

Function 0055E933 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00543C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00543C7A
Part of subcall function 00543C55: Process32FirstW.KERNEL32(00000000,?), ref: 00543C88
Part of subcall function 00543C55: CloseHandle.KERNEL32(00000000), ref: 00543D52

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0055E9A4
GetLastError.KERNEL32 ref: 0055E9B7
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0055E9E6
TerminateProcess.KERNEL32(00000000,00000000), ref: 0055EA63
GetLastError.KERNEL32(00000000), ref: 0055EA6E
CloseHandle.KERNEL32(00000000), ref: 0055EAA3

Strings

SeDebugPrivilege, xrefs: 0055E9C2

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: baaf65704a25303973f7c867d39bcd09fb016e6dc98b6dd709c131a2105ed52b
Instruction ID: 1fd61ef03a331958f79f9bf3056f7c40eabe1a40f34d39778c5a35a2e8203005
Opcode Fuzzy Hash: baaf65704a25303973f7c867d39bcd09fb016e6dc98b6dd709c131a2105ed52b
Instruction Fuzzy Hash: 7C41C0706002019FDB14EF25CCAAF6DBBA5BF80315F04845EF9029B2D2CBB4AD08CB95

Function 00542F94 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00543033

Strings

info, xrefs: 00542FD4
blank, xrefs: 00542FB5
stop, xrefs: 00543004
warning, xrefs: 0054301C
question, xrefs: 00542FEC

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 148147ffe4dbc8fe829830448d4329916e98116d0937a741072b52e288ff293a
Instruction ID: 6efff12b0108b6858d4d2f28101aa016db91d0277044e1d01a2d352a4cbf0153
Opcode Fuzzy Hash: 148147ffe4dbc8fe829830448d4329916e98116d0937a741072b52e288ff293a
Instruction Fuzzy Hash: F911083168C346BADB249A14DC4BCFF6F9CBF15324F20052AF904A61C1EAA15F4456A0

Function 005442F8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00544312
LoadStringW.USER32(00000000), ref: 00544319
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0054432F
LoadStringW.USER32(00000000), ref: 00544336
_wprintf.LIBCMT ref: 0054435C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0054437A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00544357

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 44509d45bbf2988cab5995bea63b1ed293389919114194f367307e0dcc21dfab
Instruction ID: 484e7c8699fc821926bafce898258c76c06bf9e5cd1c93cb3278696de1689849
Opcode Fuzzy Hash: 44509d45bbf2988cab5995bea63b1ed293389919114194f367307e0dcc21dfab
Instruction Fuzzy Hash: DD014FF6904208BFE7119BA4ED89FEA776CEB18700F0005A2F745E3051EAB45E899B70

Function 0056D43E Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004E2612: GetWindowLongW.USER32(?,000000EB), ref: 004E2623

GetSystemMetrics.USER32(0000000F), ref: 0056D47C
GetSystemMetrics.USER32(0000000F), ref: 0056D49C
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0056D6D7
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0056D6F5
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0056D716
ShowWindow.USER32(00000003,00000000), ref: 0056D735
InvalidateRect.USER32(?,00000000,00000001), ref: 0056D75A
DefDlgProcW.USER32(?,00000005,?,?), ref: 0056D77D

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: eeccce413900d96fc2fe7a5b68fb7ed7b5ecc6cadf972a100718f6b1125b7029
Instruction ID: 958a2072a6fcb514edd4b7addd17d6ce0eb447c1cb6ab41bd8e7b9d1a4d2a82a
Opcode Fuzzy Hash: eeccce413900d96fc2fe7a5b68fb7ed7b5ecc6cadf972a100718f6b1125b7029
Instruction Fuzzy Hash: 18B1AB31A0021AEBDF14CF68C985BAD7BB1FF44701F088569EC499B295DB74A950CBA0

Function 004E2A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0051C1C7,00000004,00000000,00000000,00000000), ref: 004E2ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0051C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 004E2B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0051C1C7,00000004,00000000,00000000,00000000), ref: 0051C21A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0051C1C7,00000004,00000000,00000000,00000000), ref: 0051C286

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: dcf7a49edfd25a05b54e05ea80f988750260788f18a32b89740371324525e5d3
Instruction ID: 7eac7f39757d9d7dfdb604050ae3b3da4fb10f92225dff4d5ddbec9a6309a758
Opcode Fuzzy Hash: dcf7a49edfd25a05b54e05ea80f988750260788f18a32b89740371324525e5d3
Instruction Fuzzy Hash: 5C414D306046C09BDB758B2ADE88B7B3F99BB95302F14883FE05743660C6F9A8C6D715

Function 005470C6 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 005470DD

Part of subcall function 00500DB6: std::exception::exception.LIBCMT ref: 00500DEC
Part of subcall function 00500DB6: __CxxThrowException@8.LIBCMT ref: 00500E01

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00547114
EnterCriticalSection.KERNEL32(?), ref: 00547130
_memmove.LIBCMT ref: 0054717E
_memmove.LIBCMT ref: 0054719B
LeaveCriticalSection.KERNEL32(?), ref: 005471AA
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 005471BF
InterlockedExchange.KERNEL32(?,000001F6), ref: 005471DE

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 1890e9e4cdfa3af7dbc6ad3e3cc883668019850f97d576e8a349d2404ef44d6c
Instruction ID: 197bdb9c867b580f53817e10162d6327dedad3ef9e7b02bf867947ac3b64a08d
Opcode Fuzzy Hash: 1890e9e4cdfa3af7dbc6ad3e3cc883668019850f97d576e8a349d2404ef44d6c
Instruction Fuzzy Hash: F8317076900205EBDF00EFA4DD89AAEBB78FF85310F1441A5F904AB286DB70DE14DB60

Function 005661D3 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 005661EB
GetDC.USER32(00000000), ref: 005661F3
GetDeviceCaps.GDI32(00000000,0000005A), ref: 005661FE
ReleaseDC.USER32(00000000,00000000), ref: 0056620A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00566246
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00566257
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0056902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00566291
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 005662B1

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 2733c1350cae3bdca2a1336c1657552274f4e5582187fd4c04fc36788ed8827f
Instruction ID: ad036264eed343e00e6ba02087f458eb6b38551ed11dd531d6c16bba6071257f
Opcode Fuzzy Hash: 2733c1350cae3bdca2a1336c1657552274f4e5582187fd4c04fc36788ed8827f
Instruction Fuzzy Hash: 0E318B76600210BFEB108F14DC8AFEA3FA9FF5A765F040065FE089B2A1C6B59841CB70

Function 0053BBAF Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0053BBC4
_memcmp.LIBCMT ref: 0053BBE6
_memcmp.LIBCMT ref: 0053BBFE
_memcmp.LIBCMT ref: 0053BC11
_memcmp.LIBCMT ref: 0053BC2B
_memcmp.LIBCMT ref: 0053BC3E
_memcmp.LIBCMT ref: 0053BC56
_memcmp.LIBCMT ref: 0053BC71

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 8386536ed9c8d27f28bbd810c5f04c68f846538adfad280c3b7256c493d67c40
Instruction ID: ad258c56c7a2e2d2cb9923eb8435fdb084ef2c7f176f707114827dcfa81613d0
Opcode Fuzzy Hash: 8386536ed9c8d27f28bbd810c5f04c68f846538adfad280c3b7256c493d67c40
Instruction Fuzzy Hash: A121C26160160B7BFA246A11AD52FBFBF5CBE50348F088424FE0896683EF24DE1191B6

Function 0054EB23 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 004E9837: __itow.LIBCMT ref: 004E9862
Part of subcall function 004E9837: __swprintf.LIBCMT ref: 004E98AC

Part of subcall function 004FFC86: _wcscpy.LIBCMT ref: 004FFCA9

_wcstok.LIBCMT ref: 0054EC94
_wcscpy.LIBCMT ref: 0054ED23
_memset.LIBCMT ref: 0054ED56

Strings

X, xrefs: 0054ED93

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 1bde9226f97328f4dbf7d9f8c1d3d9487de927b01ef7eb6003d2ff377e6c4cef
Instruction ID: 726abec97fc344731051c1c8e08b509d07e6da37634a3906ae0ba7e3cbb40e56
Opcode Fuzzy Hash: 1bde9226f97328f4dbf7d9f8c1d3d9487de927b01ef7eb6003d2ff377e6c4cef
Instruction Fuzzy Hash: 2BC194715083419FC714EF25C886AAEBBE4FF85318F10492DF8999B2A2DB74EC45CB46

Function 004E1424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cb8dbca34d1f9cd2152a89bafe5ae61d26f0c42d28e49e5e0054ddc157b2d3b
Instruction ID: 5da41079b262f79f337a3ed0e36c5186fa4d4f6ae317c01b52fe2108fb653830
Opcode Fuzzy Hash: 2cb8dbca34d1f9cd2152a89bafe5ae61d26f0c42d28e49e5e0054ddc157b2d3b
Instruction Fuzzy Hash: DB718D30900149EFDB14CF9ACC48EBEBB79FF85315F14814AF915AB2A1D734AA51CBA4

Function 00556B76 Relevance: 10.7, APIs: 7, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82f260f28382a919b895d4ece3ec6f0a6e2ddf440954478b349523d7b9214cf1
Instruction ID: 9a217974d2e78dfca09af7345072df5a3c957aca86681cde274e60198a01f6d5
Opcode Fuzzy Hash: 82f260f28382a919b895d4ece3ec6f0a6e2ddf440954478b349523d7b9214cf1
Instruction Fuzzy Hash: F361C071204380AFC710EB26DC95E6FBBA8BF94719F40492EF945972D2DB74AD08C752

Function 0056B351 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(010461B0), ref: 0056B3EB
IsWindowEnabled.USER32(010461B0), ref: 0056B3F7
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0056B4DB
SendMessageW.USER32(010461B0,000000B0,?,?), ref: 0056B512
IsDlgButtonChecked.USER32(?,?), ref: 0056B54F
GetWindowLongW.USER32(010461B0,000000EC), ref: 0056B571
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0056B589

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 17847445b1cea83b3b3060bab788702aa9eb5f0c5a07a08620982b53d8c05f72
Instruction ID: 2891a59fd4eaf0e191f0a403a8c006654fb841dc6ae7f686603fcf712551b185
Opcode Fuzzy Hash: 17847445b1cea83b3b3060bab788702aa9eb5f0c5a07a08620982b53d8c05f72
Instruction Fuzzy Hash: 29719D34604205AFEF209F54C894FBA7FBAFF1A301F144469E956D73A2DB72A980DB50

Function 0055F41E Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0055F448
_memset.LIBCMT ref: 0055F511
ShellExecuteExW.SHELL32(?), ref: 0055F556

Part of subcall function 004E9837: __itow.LIBCMT ref: 004E9862
Part of subcall function 004E9837: __swprintf.LIBCMT ref: 004E98AC

Part of subcall function 004FFC86: _wcscpy.LIBCMT ref: 004FFCA9

GetProcessId.KERNEL32(00000000), ref: 0055F5CD
CloseHandle.KERNEL32(00000000), ref: 0055F5FC

Strings

@, xrefs: 0055F525

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 70c39bdf9633c33c37d66d7891e569dbf7957c7fabe2721e83d7af9d39c04520
Instruction ID: 482c68ed13945566ae150cc3168048be71720a0b72db7c63a5533ac721e0ae41
Opcode Fuzzy Hash: 70c39bdf9633c33c37d66d7891e569dbf7957c7fabe2721e83d7af9d39c04520
Instruction Fuzzy Hash: 5161BC71A00619DFCF04EF65C4949AEBBB5FF48315F10806EE855AB3A1CB34AD45CB84

Function 00540F4D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00540F8C
GetKeyboardState.USER32(?), ref: 00540FA1
SetKeyboardState.USER32(?), ref: 00541002
PostMessageW.USER32(?,00000101,00000010,?), ref: 00541030
PostMessageW.USER32(?,00000101,00000011,?), ref: 0054104F
PostMessageW.USER32(?,00000101,00000012,?), ref: 00541095
PostMessageW.USER32(?,00000101,0000005B,?), ref: 005410B8

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: ba5d471c0ca73776857d82159ae2afe851b29926cd64ab8ef95a96a23106818b
Instruction ID: 0f89c990c494b22c0eb9f8a8498e85507531fbc5d86eee8b8d8edbbc20364881
Opcode Fuzzy Hash: ba5d471c0ca73776857d82159ae2afe851b29926cd64ab8ef95a96a23106818b
Instruction Fuzzy Hash: 5E51C370908BD53EFB3642348C09BF6BEA97B06308F084589E2D9868D2D2E59CD8D755

Function 00540D66 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00540DA5
GetKeyboardState.USER32(?), ref: 00540DBA
SetKeyboardState.USER32(?), ref: 00540E1B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00540E47
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00540E64
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00540EA8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00540EC9

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: ccf0811519859b9e127388d5593abd171cbf1a93f820c5b2f15fcd97f24247f9
Instruction ID: e9801f6d598c8ff02ba177c98395903886ba2edd43e8263debb143726e4f4d86
Opcode Fuzzy Hash: ccf0811519859b9e127388d5593abd171cbf1a93f820c5b2f15fcd97f24247f9
Instruction Fuzzy Hash: E551E7B09487D53DFB3643748C45BFA7FA97B06308F185889E2D5864C2D3A5ECA8E750

Function 005455FD Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0054560A
_wcsncpy.LIBCMT ref: 0054563F
_wcsncpy.LIBCMT ref: 00545671
_wcsncpy.LIBCMT ref: 005456A4
_wcsncpy.LIBCMT ref: 005456E6
_wcsncpy.LIBCMT ref: 00545720
_wcsncpy.LIBCMT ref: 0054574F

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 5f221e5678cbbd4de968408a1dbe8aa9008a3f24731cdd70d5aecd85068a41a1
Instruction ID: 7054e7997028b548af49757cdbd14dad6e45c3495142ce3933e0dd2434156d8d
Opcode Fuzzy Hash: 5f221e5678cbbd4de968408a1dbe8aa9008a3f24731cdd70d5aecd85068a41a1
Instruction Fuzzy Hash: FF41A375C1061976CB11EBB48C4E9CFBBBCBF44310F508966E609E3262FA34A245C7E6

Function 0053D56C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0053D5D4
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0053D60A
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0053D61B
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0053D69D

Strings

DllGetClassObject, xrefs: 0053D610
,,W, xrefs: 0053D578

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: ,,W$DllGetClassObject
API String ID: 753597075-3814756590
Opcode ID: d268da62f3d69a70fe0b34022fe68d72a26e8c269a0bd5c9980488b257c6d6ab
Instruction ID: ec0da52b117fc0d53ee92e708f9f6225c354ea082a25dadf5193125a9fe0d8c7
Opcode Fuzzy Hash: d268da62f3d69a70fe0b34022fe68d72a26e8c269a0bd5c9980488b257c6d6ab
Instruction Fuzzy Hash: BE4179B1600204EFDB05CF64E885A9ABFB9FF58310F1581A9E8099F205DBB1D944DBB0

Function 00543671 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0054466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00543697,?), ref: 0054468B

Part of subcall function 0054466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00543697,?), ref: 005446A4

lstrcmpiW.KERNEL32(?,?), ref: 005436B7
_wcscmp.LIBCMT ref: 005436D3
MoveFileW.KERNEL32(?,?), ref: 005436EB
_wcscat.LIBCMT ref: 00543733
SHFileOperationW.SHELL32(?), ref: 0054379F

Strings

\*.*, xrefs: 0054372D

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: ce293d5d2be9d26ea850cbcefbbdbbd31a744e3187b9505ea66ae4b2addbe77d
Instruction ID: a0ac785e49098321bfb5b7dcc7ff21a674025704785f7998c5427379f09cda24
Opcode Fuzzy Hash: ce293d5d2be9d26ea850cbcefbbdbbd31a744e3187b9505ea66ae4b2addbe77d
Instruction Fuzzy Hash: 14417F71508345AAC751EF64D449ADF7BE8FF89388F00082EF499C3261EA34D689CB56

Function 00567291 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005672AA
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00567351
IsMenu.USER32(?), ref: 00567369
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 005673B1
DrawMenuBar.USER32 ref: 005673C4

Strings

0, xrefs: 0056729E

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 54ffe3cba991db7734d6d7e0b83ab58a9e97302dc4e29fab59455206ce9a3457
Instruction ID: 305b43b88fbb7e6ad90d3af7ae244ca47d38915ef65d82697a2a8f5890ccb2a0
Opcode Fuzzy Hash: 54ffe3cba991db7734d6d7e0b83ab58a9e97302dc4e29fab59455206ce9a3457
Instruction Fuzzy Hash: 74412575A04209AFDB20DF54D884EAABBF8FB09318F248829FD15A7350D770AD54EB50

Function 00560FA5 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00560FD4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00560FFE
FreeLibrary.KERNEL32(00000000), ref: 005610B5

Part of subcall function 00560FA5: RegCloseKey.ADVAPI32(?), ref: 0056101B
Part of subcall function 00560FA5: FreeLibrary.KERNEL32(?), ref: 0056106D
Part of subcall function 00560FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00561090

RegDeleteKeyW.ADVAPI32(?,?), ref: 00561058

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: e880036fe29ee51c74e87b8af0b22de2aecba86045619d4297ce426c4d7d5200
Instruction ID: 925d6598de592862324c505adc119e68bdd831558bee8cff0072f99f6f931f5b
Opcode Fuzzy Hash: e880036fe29ee51c74e87b8af0b22de2aecba86045619d4297ce426c4d7d5200
Instruction Fuzzy Hash: FA31F971D01109BFDF15DB94EC89AFFBBBCEF08350F04016AE502A3151EA759E899BA4

Function 005662CD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 005662EC
GetWindowLongW.USER32(010461B0,000000F0), ref: 0056631F
GetWindowLongW.USER32(010461B0,000000F0), ref: 00566354
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00566386
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 005663B0
GetWindowLongW.USER32(00000000,000000F0), ref: 005663C1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 005663DB

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: a29de6a999e9353a054f65e236db224170bcd9a70d50adb273679302aed1151c
Instruction ID: 212ef9c0e23ee74eb61e2d530c28f34ed8524d335fadf8019e716fc3b9925b91
Opcode Fuzzy Hash: a29de6a999e9353a054f65e236db224170bcd9a70d50adb273679302aed1151c
Instruction Fuzzy Hash: 4431EF30744251AFDB20CF18EC84F593BE1FB6A714F2905A8F5119F2B2CB71A844EB51

Function 0053DAEB Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0053DB2E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0053DB54
SysAllocString.OLEAUT32(00000000), ref: 0053DB57
SysAllocString.OLEAUT32(?), ref: 0053DB75
SysFreeString.OLEAUT32(?), ref: 0053DB7E
StringFromGUID2.OLE32(?,?,00000028), ref: 0053DBA3
SysAllocString.OLEAUT32(?), ref: 0053DBB1

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: b13d2e19d3cb6fca711edb615171493fb5e756be772968ab6ac88182c719095d
Instruction ID: 89882dba1bd17790b7a35a7eebac92ba234c25492ddf6a8449aacfced2ac943b
Opcode Fuzzy Hash: b13d2e19d3cb6fca711edb615171493fb5e756be772968ab6ac88182c719095d
Instruction Fuzzy Hash: CC217F76604219AFDF10DFA8EC88CBBBBBCFB09360B018565F954DB290DA709C459B70

Function 00556173 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00557D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00557DB6

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 005561C6
WSAGetLastError.WSOCK32(00000000), ref: 005561D5
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 0055620E
connect.WSOCK32(00000000,?,00000010), ref: 00556217
WSAGetLastError.WSOCK32 ref: 00556221
closesocket.WSOCK32(00000000), ref: 0055624A
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00556263

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: aa32d42ae66a44c39176a4921d7fe17a4fbe4a81961dd811edbf502d6c604169
Instruction ID: 4b6871dd541218a4a0e4c6e9ebbf94fd5edeb1803df4a882bcb1d7e9fbf013a4
Opcode Fuzzy Hash: aa32d42ae66a44c39176a4921d7fe17a4fbe4a81961dd811edbf502d6c604169
Instruction Fuzzy Hash: 9531C135600208AFDF10AF24DC95BBE7BADFB54716F44406AFD05A7291CB74AC08DBA1

Function 0053F65E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0053F671
__wcsnicmp.LIBCMT ref: 0053F692
__wcsnicmp.LIBCMT ref: 0053F6AC

Strings

#requireadmin, xrefs: 0053F68C
#notrayicon, xrefs: 0053F669
#OnAutoItStartRegister, xrefs: 0053F6A6

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 64decdd3530614cf84d3079280cb195e73e89999b1fd2b81e6139f4fca0ba7b6
Instruction ID: 78bfe6bd4745449694e8733e382df705a9c81c103184504b42df4de72023d8c7
Opcode Fuzzy Hash: 64decdd3530614cf84d3079280cb195e73e89999b1fd2b81e6139f4fca0ba7b6
Instruction Fuzzy Hash: 0F214672A046126AD331AA34FC07FBF7B9CFF95354F10443AF886860A1EB519E42D395

Function 0053DBC4 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0053DC09
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0053DC2F
SysAllocString.OLEAUT32(00000000), ref: 0053DC32
SysAllocString.OLEAUT32 ref: 0053DC53
SysFreeString.OLEAUT32 ref: 0053DC5C
StringFromGUID2.OLE32(?,?,00000028), ref: 0053DC76
SysAllocString.OLEAUT32(?), ref: 0053DC84

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: f1c075992d0e652a165c78a355766835dcabb447a1b27879b8cdeeaab1a21f97
Instruction ID: 1d12f1df9c1a484a80c4fd28464da17e492019ecc02b77d1ec7ce8108aaf2e01
Opcode Fuzzy Hash: f1c075992d0e652a165c78a355766835dcabb447a1b27879b8cdeeaab1a21f97
Instruction Fuzzy Hash: 51213135604209AFDB109BB8EC88DAA7BFCFB19360B108125F914CB2A1DAB0DC45DB74

Function 005675CD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004E1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 004E1D73
Part of subcall function 004E1D35: GetStockObject.GDI32(00000011), ref: 004E1D87
Part of subcall function 004E1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 004E1D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00567632
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0056763F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0056764A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00567659
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00567665

Strings

Msctls_Progress32, xrefs: 00567603

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: e78628d7f89a3be95e0c96ecd790262f2c14096e1d4dcf2a44cc2a03f0dc87c8
Instruction ID: 9891aed17e395c6434959a1a70c1f389438576ae01da1522f7abb9bc3866bd01
Opcode Fuzzy Hash: e78628d7f89a3be95e0c96ecd790262f2c14096e1d4dcf2a44cc2a03f0dc87c8
Instruction Fuzzy Hash: 5A118EB2150219BEEF118F65CC85EE77F6DFF08798F014115BA04A20A0CA72AC21DBA4

Function 00509AE6 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00509AE6

Part of subcall function 00503187: EncodePointer.KERNEL32(00000000), ref: 0050318A
Part of subcall function 00503187: __initp_misc_winsig.LIBCMT ref: 005031A5
Part of subcall function 00503187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00509EA0
Part of subcall function 00503187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00509EB4
Part of subcall function 00503187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00509EC7
Part of subcall function 00503187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00509EDA
Part of subcall function 00503187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00509EED
Part of subcall function 00503187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00509F00
Part of subcall function 00503187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00509F13
Part of subcall function 00503187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00509F26
Part of subcall function 00503187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00509F39
Part of subcall function 00503187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00509F4C
Part of subcall function 00503187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00509F5F
Part of subcall function 00503187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00509F72
Part of subcall function 00503187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00509F85
Part of subcall function 00503187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00509F98
Part of subcall function 00503187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00509FAB
Part of subcall function 00503187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00509FBE

__mtinitlocks.LIBCMT ref: 00509AEB
__mtterm.LIBCMT ref: 00509AF4

Part of subcall function 00509B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00509AF9,00507CD0,0059A0B8,00000014), ref: 00509C56
Part of subcall function 00509B5C: _free.LIBCMT ref: 00509C5D
Part of subcall function 00509B5C: DeleteCriticalSection.KERNEL32(02Z,?,?,00509AF9,00507CD0,0059A0B8,00000014), ref: 00509C7F

__calloc_crt.LIBCMT ref: 00509B19
__initptd.LIBCMT ref: 00509B3B
GetCurrentThreadId.KERNEL32 ref: 00509B42

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: 775fc0b1900815b6210c2a4d99a53dde6b3db80f26a13d04ad1e6245922c82cf
Instruction ID: 31dc8057ebf4f438635f569d3145a57b680e1d3e317eae5938374c0f609fb372
Opcode Fuzzy Hash: 775fc0b1900815b6210c2a4d99a53dde6b3db80f26a13d04ad1e6245922c82cf
Instruction Fuzzy Hash: A7F06D3265D7125AE734BB74BC0BA8E3E94BF82770B204A1AF4A4961DBEE60844141A0

Function 0056B635 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0056B644
_memset.LIBCMT ref: 0056B653
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,005A6F20,005A6F64), ref: 0056B682
CloseHandle.KERNEL32 ref: 0056B694

Strings

doZ, xrefs: 0056B64D
oZ, xrefs: 0056B63E

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID: oZ$doZ
API String ID: 3277943733-3498383376
Opcode ID: f5f096d198577353f0acaea274d16e49e2c76c40f269976f1b93f3b4078f2a40
Instruction ID: a4c5c36bd1c9b2290258337c7c91b0ad0746519b5092c6937066644cdcde850c
Opcode Fuzzy Hash: f5f096d198577353f0acaea274d16e49e2c76c40f269976f1b93f3b4078f2a40
Instruction Fuzzy Hash: 3BF05EB26403007EE7102B65BC0AFBB3E9CFB1A395F044420FA08E6196E7B14C04D7A8

Function 0050406B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00503F85), ref: 00504085
GetProcAddress.KERNEL32(00000000), ref: 0050408C
EncodePointer.KERNEL32(00000000), ref: 00504097
DecodePointer.KERNEL32(00503F85), ref: 005040B2

Strings

RoUninitialize, xrefs: 00504074
combase.dll, xrefs: 00504080

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 580260a4597250e8a00ad09f8b2d34e17032c6f4200699082f7ceb6adcd82fe7
Instruction ID: 1ce2ebfe0b51dfb7359693b18ed40156b189a910357cf0c47c86abbe04eaa46f
Opcode Fuzzy Hash: 580260a4597250e8a00ad09f8b2d34e17032c6f4200699082f7ceb6adcd82fe7
Instruction Fuzzy Hash: 10E0B6B0A85300EFEB20AF65FC1DB157EA4B725746F204424F211E61A0CBB6460CFF14

Function 005464B8 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0054660B
_memmove.LIBCMT ref: 00546546

Part of subcall function 004E9837: __itow.LIBCMT ref: 004E9862
Part of subcall function 004E9837: __swprintf.LIBCMT ref: 004E98AC

_memmove.LIBCMT ref: 005465B9
_memmove.LIBCMT ref: 005466A0
_memmove.LIBCMT ref: 005466B9
_memmove.LIBCMT ref: 005466D5

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 76b414fce70ed4315a476acb9bc9480d4d23d6fdfacab3245a9398dc4472c5c6
Instruction ID: ed496eb87acee26ac6f34dee66e79729d5934737e8c71f2d7444b732cfc4fadb
Opcode Fuzzy Hash: 76b414fce70ed4315a476acb9bc9480d4d23d6fdfacab3245a9398dc4472c5c6
Instruction Fuzzy Hash: E7618A3050028A9BCF05EF62C886BFE3BA9BF45308F054929F9556B1D2DA38AC05CB55

Function 005601E4 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 004E7DE1: _memmove.LIBCMT ref: 004E7E22

Part of subcall function 00560E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0055FDAD,?,?), ref: 00560E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005602BD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 005602FD
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00560320
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00560349
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0056038C
RegCloseKey.ADVAPI32(00000000), ref: 00560399

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: c5d2ad5f07216d6de768480dd1a43dd0d9293ca20ba4e3593719509a84ab3281
Instruction ID: 62ec5e49a288dc1d470a7e700dc14ec2a7c2a43c8cacac1043d3c8ac5f91f499
Opcode Fuzzy Hash: c5d2ad5f07216d6de768480dd1a43dd0d9293ca20ba4e3593719509a84ab3281
Instruction Fuzzy Hash: 5F516C71208241AFC710EF65D889E6FBBE8FF84318F04492DF5458B2A2DB31E905CB52

Function 00565799 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 005657FB
GetMenuItemCount.USER32(00000000), ref: 00565832
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0056585A
GetMenuItemID.USER32(?,?), ref: 005658C9
GetSubMenu.USER32(?,?), ref: 005658D7
PostMessageW.USER32(?,00000111,?,00000000), ref: 00565928

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: c292be864d7bf16bc4733f0c72a3eef45fe17eb795d8b6d2fa01c10dd57c602e
Instruction ID: ce3ada85947a8bb8b1862539ee6ea023e1ac6e527f66a17e248f36cbd88cc722
Opcode Fuzzy Hash: c292be864d7bf16bc4733f0c72a3eef45fe17eb795d8b6d2fa01c10dd57c602e
Instruction Fuzzy Hash: 60516B31E00616AFCF11EF65C845AAEBBB4FF48320F104469E842BB391DB74AE41DB94

Function 0053EEEC Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0053EF06
VariantClear.OLEAUT32(00000013), ref: 0053EF78
VariantClear.OLEAUT32(00000000), ref: 0053EFD3
_memmove.LIBCMT ref: 0053EFFD
VariantClear.OLEAUT32(?), ref: 0053F04A
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0053F078

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: ff39b7daaff85594fcc03283f32a95ef187da1ae67e53abf030f84f676355a55
Instruction ID: 03adac1b821deced7fd5916f81549c2e5100894aac0d3cd22c61816eaae157ed
Opcode Fuzzy Hash: ff39b7daaff85594fcc03283f32a95ef187da1ae67e53abf030f84f676355a55
Instruction Fuzzy Hash: D35158B5A00209EFCB14CF58D884AAABBB8FF4C314F158569E959DB341E774E911CFA0

Function 0054220A Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00542258
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 005422A3
IsMenu.USER32(00000000), ref: 005422C3
CreatePopupMenu.USER32 ref: 005422F7
GetMenuItemCount.USER32(000000FF), ref: 00542355
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00542386

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: b0e7eb965eed7ba1135ec9f928d2cadc9a2843130985fcf8a58ee93253a0f01f
Instruction ID: 706c084ef35d9cfad2ae9ca19113611203ce31f3f21112a85fd8ae9006dc9684
Opcode Fuzzy Hash: b0e7eb965eed7ba1135ec9f928d2cadc9a2843130985fcf8a58ee93253a0f01f
Instruction Fuzzy Hash: 3B519E70A0022ADBDF21CF68D888BEEBFF5BF55318F548929F811A7290D3B49944CB51

Function 004E1765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 004E2612: GetWindowLongW.USER32(?,000000EB), ref: 004E2623

BeginPaint.USER32(?,?,?,?,?,?), ref: 004E179A
GetWindowRect.USER32(?,?), ref: 004E17FE
ScreenToClient.USER32(?,?), ref: 004E181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 004E182C
EndPaint.USER32(?,?), ref: 004E1876

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: e5bb2a14500aa8749a5bb679c5cba297eb3fd0903f366236d3a598197e44b786
Instruction ID: c38811301806b3f47bc7cef57c22529221caac9598745680195900720d33fea8
Opcode Fuzzy Hash: e5bb2a14500aa8749a5bb679c5cba297eb3fd0903f366236d3a598197e44b786
Instruction Fuzzy Hash: 8B41E330500341AFD710EF26CC84FBA3BE8FB56725F14062AF594872B1D7749849EB62

Function 0056B69E Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(005A57B0,00000000,010461B0,?,?,005A57B0,?,0056B5A8,?,?), ref: 0056B712
EnableWindow.USER32(00000000,00000000), ref: 0056B736
ShowWindow.USER32(005A57B0,00000000,010461B0,?,?,005A57B0,?,0056B5A8,?,?), ref: 0056B796
ShowWindow.USER32(00000000,00000004,?,0056B5A8,?,?), ref: 0056B7A8
EnableWindow.USER32(00000000,00000001), ref: 0056B7CC
SendMessageW.USER32(?,0000130C,?,00000000), ref: 0056B7EF

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: beb195ef6ab76734114cf5e8ad81fc6abf18e788eb295c36665c07c713e15e45
Instruction ID: 97a045c72944316d8f486c98f3537cdb16947dbbc7d1d6b1c92504228787407d
Opcode Fuzzy Hash: beb195ef6ab76734114cf5e8ad81fc6abf18e788eb295c36665c07c713e15e45
Instruction Fuzzy Hash: 6441AF34600240AFEB22CF28D499B947FE0FF85311F1841B9F948CF6A2C771A896CB50

Function 0055709E Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00554E41,?,?,00000000,00000001), ref: 005570AC

Part of subcall function 005539A0: GetWindowRect.USER32(?,?), ref: 005539B3

GetDesktopWindow.USER32 ref: 005570D6
GetWindowRect.USER32(00000000), ref: 005570DD
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 0055710F

Part of subcall function 00545244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 005452BC

GetCursorPos.USER32(?), ref: 0055713B
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00557199

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: c8a69c56a08f0c435b9847a263a4705d23a6e0c4e7580fa2aebf9bd499b381a6
Instruction ID: f4b67d64802def96ca6c0b96a5c61c8ffdcdf68208d49a0977ec2a12c4e1b95b
Opcode Fuzzy Hash: c8a69c56a08f0c435b9847a263a4705d23a6e0c4e7580fa2aebf9bd499b381a6
Instruction Fuzzy Hash: EB31067250830AABC720DF14D849F9BBBE9FFD8304F00091AF88597191C770EA08CB92

Function 00538879 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 005380A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 005380C0
Part of subcall function 005380A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 005380CA
Part of subcall function 005380A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 005380D9
Part of subcall function 005380A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 005380E0
Part of subcall function 005380A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 005380F6

GetLengthSid.ADVAPI32(?,00000000,0053842F), ref: 005388CA
GetProcessHeap.KERNEL32(00000008,00000000), ref: 005388D6
HeapAlloc.KERNEL32(00000000), ref: 005388DD
CopySid.ADVAPI32(00000000,00000000,?), ref: 005388F6
GetProcessHeap.KERNEL32(00000000,00000000,0053842F), ref: 0053890A
HeapFree.KERNEL32(00000000), ref: 00538911

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 7dc3e9f84d01a1612cc268037fb2bd6fdd27531314b4ddf338e1284cef0dfcd4
Instruction ID: 0c475b529218655d77294497c7a0a0f31d9a68871ae15adc8cb43f1e4078af69
Opcode Fuzzy Hash: 7dc3e9f84d01a1612cc268037fb2bd6fdd27531314b4ddf338e1284cef0dfcd4
Instruction Fuzzy Hash: 7611B172901309FFDB189FA8DC09BBE7B68FB45355F104428F88597110CB729D04DB60

Function 005385B1 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 005385E2
OpenProcessToken.ADVAPI32(00000000), ref: 005385E9
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 005385F8
CloseHandle.KERNEL32(00000004), ref: 00538603
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00538632
DestroyEnvironmentBlock.USERENV(00000000), ref: 00538646

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 993dd10ca0b206492e1730ca3d64ee69159084e299ab4bafaa58ea9b966c6fd3
Instruction ID: 6929751c1ec65bff674b7469a4622100e80c03fe08133b61b00f304ac9ef673b
Opcode Fuzzy Hash: 993dd10ca0b206492e1730ca3d64ee69159084e299ab4bafaa58ea9b966c6fd3
Instruction Fuzzy Hash: A7115972501209ABDF018FA8ED49BEE7BA9FF08314F044064FE05A2160C7B29D64EB60

Function 0053B790 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0053B7B5
GetDeviceCaps.GDI32(00000000,00000058), ref: 0053B7C6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0053B7CD
ReleaseDC.USER32(00000000,00000000), ref: 0053B7D5
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0053B7EC
MulDiv.KERNEL32(000009EC,?,?), ref: 0053B7FE

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: ad3304308963f1d84592fbcb84d48c4eb081c4a447550126f7080949f885ad82
Instruction ID: 735ddff77846efbeb2f72a92a30598c37da0f7c71997665575fa9c3526e6c231
Opcode Fuzzy Hash: ad3304308963f1d84592fbcb84d48c4eb081c4a447550126f7080949f885ad82
Instruction Fuzzy Hash: BC0184B5E00209BBEB109BAAEC49A5EBFB8FB58361F004075FA04A7291D6709C10CF90

Function 00500162 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00500193
MapVirtualKeyW.USER32(00000010,00000000), ref: 0050019B
MapVirtualKeyW.USER32(000000A0,00000000), ref: 005001A6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 005001B1
MapVirtualKeyW.USER32(00000011,00000000), ref: 005001B9
MapVirtualKeyW.USER32(00000012,00000000), ref: 005001C1

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: fa112d9f738702083ffa4000f9d4f6c4d430b72440afb92eaa22fbb7688b6f3b
Instruction ID: 898af6560f846b185da28acb69efa4ae1de3677967ff407f667e251ced6748a4
Opcode Fuzzy Hash: fa112d9f738702083ffa4000f9d4f6c4d430b72440afb92eaa22fbb7688b6f3b
Instruction Fuzzy Hash: 2C016CB09017597DE3008F5A8C85B52FFA8FF19354F00411BE15C47941C7F5A868CBE5

Function 005453E9 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 005453F9
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0054540F
GetWindowThreadProcessId.USER32(?,?), ref: 0054541E
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0054542D
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00545437
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0054543E

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: a4077ef317f4171f60054470b3a89eee07ec0d24008e70f94fbbc8320e853902
Instruction ID: a38e99388f819c8f08a8cbf2fe28330cdb2f8e2bafc2330736db429934704a35
Opcode Fuzzy Hash: a4077ef317f4171f60054470b3a89eee07ec0d24008e70f94fbbc8320e853902
Instruction Fuzzy Hash: 2FF06D32A40158BBE7215BA6EC0DEEB7E7CEBD7B15F000169FA04D2051A7E01A05E7B5

Function 00547230 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00547243
EnterCriticalSection.KERNEL32(?,?,004F0EE4,?,?), ref: 00547254
TerminateThread.KERNEL32(00000000,000001F6,?,004F0EE4,?,?), ref: 00547261
WaitForSingleObject.KERNEL32(00000000,000003E8,?,004F0EE4,?,?), ref: 0054726E

Part of subcall function 00546C35: CloseHandle.KERNEL32(00000000,?,0054727B,?,004F0EE4,?,?), ref: 00546C3F

InterlockedExchange.KERNEL32(?,000001F6), ref: 00547281
LeaveCriticalSection.KERNEL32(?,?,004F0EE4,?,?), ref: 00547288

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 79501fb51c699a9e2365e905b26c6b5ccd23fa2f9f6c23338b6a1f763a50412d
Instruction ID: e985d3b0dad92ad8fb2b28f63be1604686da8a7987ad24df95ffcde66193dd53
Opcode Fuzzy Hash: 79501fb51c699a9e2365e905b26c6b5ccd23fa2f9f6c23338b6a1f763a50412d
Instruction Fuzzy Hash: 7FF05E3E944612EBD7511B68FD9CADA7B29FF59702B110631F503920A0CBF65845DF50

Function 00538992 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0053899D
UnloadUserProfile.USERENV(?,?), ref: 005389A9
CloseHandle.KERNEL32(?), ref: 005389B2
CloseHandle.KERNEL32(?), ref: 005389BA
GetProcessHeap.KERNEL32(00000000,?), ref: 005389C3
HeapFree.KERNEL32(00000000), ref: 005389CA

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: c9f4d9c13632205cc106cfbdf1818612e28db46fee5287cd4c92fae7fdec00ab
Instruction ID: 8ba7da4df43f38054c0087b0ce1e02472942d5eff7f48a4d4085c8aaca18b07c
Opcode Fuzzy Hash: c9f4d9c13632205cc106cfbdf1818612e28db46fee5287cd4c92fae7fdec00ab
Instruction Fuzzy Hash: 8BE0C236504001FBDA011FE9FC0C90ABB69FBAA362B108630F21982170CBB29468EB90

Function 00537530 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00572C7C,?), ref: 005376EA
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00572C7C,?), ref: 00537702
CLSIDFromProgID.OLE32(?,?,00000000,0056FB80,000000FF,?,00000000,00000800,00000000,?,00572C7C,?), ref: 00537727
_memcmp.LIBCMT ref: 00537748

Strings

,,W, xrefs: 0053753D

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID: ,,W
API String ID: 314563124-36227439
Opcode ID: 1229464f71c26e8484dbffed8d8028f5920d95c7bbfa540bdb155c1f17936681
Instruction ID: e284d8ab655c260235eb823edd53031b034262db82b60c7c6cfb2cc6f486ad30
Opcode Fuzzy Hash: 1229464f71c26e8484dbffed8d8028f5920d95c7bbfa540bdb155c1f17936681
Instruction Fuzzy Hash: 2081FCB5E00109EFCB15DFA4C984EEEBBB9FF89315F204558E505AB250DB71AE05CB60

Function 005585ED Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00558613
CharUpperBuffW.USER32(?,?), ref: 00558722
VariantClear.OLEAUT32(?), ref: 0055889A

Part of subcall function 00547562: VariantInit.OLEAUT32(00000000), ref: 005475A2
Part of subcall function 00547562: VariantCopy.OLEAUT32(00000000,?), ref: 005475AB
Part of subcall function 00547562: VariantClear.OLEAUT32(00000000), ref: 005475B7

Strings

AUTOIT.ERROR, xrefs: 00558728
Incorrect Parameter format, xrefs: 0055864B, 0055880D

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 2b6c2aed106621bfb3efdeca061e3be4b1aa9af5fe123cbe73b9c6a7ae5466a9
Instruction ID: 7f4475c0fc603911c664ae8c1080f4f51aab32190cf433c8ad9aff27618df488
Opcode Fuzzy Hash: 2b6c2aed106621bfb3efdeca061e3be4b1aa9af5fe123cbe73b9c6a7ae5466a9
Instruction Fuzzy Hash: 4D917A716043419FCB00DF25C49496ABBE4FF89315F14492EF89A9B361DB30ED09CB91

Function 00542A96 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004FFC86: _wcscpy.LIBCMT ref: 004FFCA9

_memset.LIBCMT ref: 00542B87
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00542BB6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00542C69
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00542C97

Strings

0, xrefs: 00542B73

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 3cb0e313352b637460ec16f96fad43badf61d730baa4e604a95602e0729d8251
Instruction ID: b1d01c8a8a30c4d3342a7e5859b8bc390d5cd4a0c2e5277c9e99f375b2fa094d
Opcode Fuzzy Hash: 3cb0e313352b637460ec16f96fad43badf61d730baa4e604a95602e0729d8251
Instruction Fuzzy Hash: 2351ED31608321AAD7249E28D885AAFBFE8FF95318F540A2DF885D31D1DB70CC049B52

Function 004F3137 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 161COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004F3277
_memmove.LIBCMT ref: 004F3310
_free.LIBCMT ref: 004F3336
_memmove.LIBCMT ref: 004F33E9

Strings

_O, xrefs: 004F3322
3cO, xrefs: 004F3225

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: _memmove$_free
String ID: 3cO$_O
API String ID: 2620147621-2029810506
Opcode ID: d471b34a516c8d5205f1a2ee4e692668c52939b88cc260de65707b59bddde404
Instruction ID: 72eb623a6317dfacfcaa0afa5b3d92826c0b0e723f81d628fb516ac2c8d47d02
Opcode Fuzzy Hash: d471b34a516c8d5205f1a2ee4e692668c52939b88cc260de65707b59bddde404
Instruction Fuzzy Hash: A55138716043458FDB25CF28C840B6BBBE5BF85314F08492EEA8997391EB35E901CB56

Function 004F6192 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004F6248
_memmove.LIBCMT ref: 004F62E4
_memset.LIBCMT ref: 004F6308

Strings

ERCP, xrefs: 004F61B3
3cO, xrefs: 004F62AF

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: _memset$_memmove
String ID: 3cO$ERCP
API String ID: 2532777613-1841099537
Opcode ID: e6aa4aa859d87ca5891b36ee21e2821eae934c2b13a195df2323d913487d33e7
Instruction ID: b62141ce069750810f0b3e3aa4d2c2e95eef9576c00a1275005c92c833cd3b6f
Opcode Fuzzy Hash: e6aa4aa859d87ca5891b36ee21e2821eae934c2b13a195df2323d913487d33e7
Instruction Fuzzy Hash: B951A071900309DBDB24DF55C8857ABBBF4FF44304F21496EE94AC7281E774AA44CB45

Function 00542753 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005427C0
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 005427DC
DeleteMenu.USER32(?,00000007,00000000), ref: 00542822
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,005A5890,00000000), ref: 0054286B

Strings

0, xrefs: 005427B5

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: ee41d47a24bb122f5cfe74e67388bf2dd957c19e65fb8fdd8a0496a1cb808eb6
Instruction ID: a8799020b020063c7ada876028b5fe222fb021975746830e2a0ced0cbcf134c0
Opcode Fuzzy Hash: ee41d47a24bb122f5cfe74e67388bf2dd957c19e65fb8fdd8a0496a1cb808eb6
Instruction Fuzzy Hash: 1D41A0706043529FD720DF25C844B9ABFE4FF85318F44496EF96697291DB70A805CB52

Function 0055D7A5 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0055D7C5

Part of subcall function 004E784B: _memmove.LIBCMT ref: 004E7899

Strings

cdecl, xrefs: 0055D81C
stdcall, xrefs: 0055D847
winapi, xrefs: 0055D836
none, xrefs: 0055D8A0

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 537b484f10926a8c88adc0e3fb3f923ed7deb657e7d901d08006d31abba7f7ba
Instruction ID: b88272ff887d42560ec61b2b909889d16c4c37b470055131ceb25fa1dabdf52e
Opcode Fuzzy Hash: 537b484f10926a8c88adc0e3fb3f923ed7deb657e7d901d08006d31abba7f7ba
Instruction Fuzzy Hash: C231D472904209ABDF10EF59CC519EEBBB4FF54325F008A2AE825972D1DB31AD09CB90

Function 00538E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004E7DE1: _memmove.LIBCMT ref: 004E7E22

Part of subcall function 0053AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0053AABC

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00538F14
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00538F27
SendMessageW.USER32(?,00000189,?,00000000), ref: 00538F57

Part of subcall function 004E7BCC: _memmove.LIBCMT ref: 004E7C06

Strings

ComboBox, xrefs: 00538E9E
ListBox, xrefs: 00538ED3

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: 3b4233fc20a0bc3d4f0340b0881c04d83366258d494ccea3be794523ead14ada
Instruction ID: 4102ecce0d09874ac408ffd19b3eb02a5fb69855a742950aba6791383b887c04
Opcode Fuzzy Hash: 3b4233fc20a0bc3d4f0340b0881c04d83366258d494ccea3be794523ead14ada
Instruction Fuzzy Hash: A6213171A04208BEDB18ABB1DC89DFFBF69EF45324F04452AF421A72E1CF3809099620

Function 0055182D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0055184C
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00551872
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 005518A2
InternetCloseHandle.WININET(00000000), ref: 005518E9

Part of subcall function 00552483: GetLastError.KERNEL32(?,?,00551817,00000000,00000000,00000001), ref: 00552498
Part of subcall function 00552483: SetEvent.KERNEL32(?,?,00551817,00000000,00000000,00000001), ref: 005524AD

Strings

, xrefs: 00551893

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 07bbf875e796b504f1d8f858faeece1aefb739ae70070d738720e52b3cb1ea51
Instruction ID: dc52b8f07ad8de82e3b05fcfea9f23537612d0fefb2ba2ea4e5e4d4a538514e9
Opcode Fuzzy Hash: 07bbf875e796b504f1d8f858faeece1aefb739ae70070d738720e52b3cb1ea51
Instruction Fuzzy Hash: 5B21B0B5500608BFEB219B64DC95FBF7FEDFB89746F10412BF80597240EA609D0867A4

Function 005663E7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 004E1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 004E1D73
Part of subcall function 004E1D35: GetStockObject.GDI32(00000011), ref: 004E1D87
Part of subcall function 004E1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 004E1D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00566461
LoadLibraryW.KERNEL32(?), ref: 00566468
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 0056647D
DestroyWindow.USER32(?), ref: 00566485

Strings

SysAnimate32, xrefs: 0056643C

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 0f7bd9e94ea709e44af05b3169d702c4e2e4560311c99e1b977c3844d7d77b15
Instruction ID: 2b77b2a335f3f227d9f7e76fe8ca353a6d15e0c3e52818a5c5e7b54d9e632e6e
Opcode Fuzzy Hash: 0f7bd9e94ea709e44af05b3169d702c4e2e4560311c99e1b977c3844d7d77b15
Instruction Fuzzy Hash: 51216D71600205BFEF104F64EC84EBB7BADFB59369F104A29FA10931A0DB75DC51A760

Function 00546D9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00546DBC
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00546DEF
GetStdHandle.KERNEL32(0000000C), ref: 00546E01
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00546E3B

Strings

nul, xrefs: 00546E36

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 9f72cde519148ea9ec2ac3b77648ac05b01e3673b3ae0fe55cae3d2dfb780783
Instruction ID: 89c9c8ba79c0e509638b7a729e6b0f5b3b6867a55e0b9873ba0c10e29def8cda
Opcode Fuzzy Hash: 9f72cde519148ea9ec2ac3b77648ac05b01e3673b3ae0fe55cae3d2dfb780783
Instruction Fuzzy Hash: F32183B4A0020AABDB209F29DC44BDA7FF8FF56724F204A19FCA0D72D0D77099549B52

Function 00546E6A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00546E89
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00546EBB
GetStdHandle.KERNEL32(000000F6), ref: 00546ECC
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00546F06

Strings

nul, xrefs: 00546F01

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 7859816516403069689e22f39432f523d951eb91574e36664860a1c7dd4a1041
Instruction ID: 834dde6c7928a0e79aecab98b794b2aa2391ebf60e0abefb31eb55abd1d73dcd
Opcode Fuzzy Hash: 7859816516403069689e22f39432f523d951eb91574e36664860a1c7dd4a1041
Instruction Fuzzy Hash: 632181796003059BDF209F69DC44BDB7BE8FF56728F200A19F9A0D72D0D77098658B52

Function 0054AC40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0054AC54
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0054ACA8
__swprintf.LIBCMT ref: 0054ACC1
SetErrorMode.KERNEL32(00000000,00000001,00000000,0056F910), ref: 0054ACFF

Strings

%lu, xrefs: 0054ACBB

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: eacf7b8485a8590b7e886fe5c65dd01ed5fa0a14f10b1c2f5b1507033f026918
Instruction ID: 72a6e3ba18e32e8bc57de8e1ecb83854047f3e38b2c85a54c5bf0f9aa3c1b447
Opcode Fuzzy Hash: eacf7b8485a8590b7e886fe5c65dd01ed5fa0a14f10b1c2f5b1507033f026918
Instruction Fuzzy Hash: 88217170A00149AFCB10DF69D985DEE7BB8FF89319B004069F9099B251DB71EE45DB21

Function 00541142 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0053FCED,?,00540D40,?,00008000), ref: 0054115F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,0053FCED,?,00540D40,?,00008000), ref: 00541184
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0053FCED,?,00540D40,?,00008000), ref: 0054118E
Sleep.KERNEL32(?,?,?,?,?,?,?,0053FCED,?,00540D40,?,00008000), ref: 005411C1

Strings

@T, xrefs: 0054119D

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID: @T
API String ID: 2875609808-1450426226
Opcode ID: 715d8c21fb6101bed5d9e6886f682a7495cd892290d865eb46c84aee286c9a70
Instruction ID: 20f7a603afa7bfeca0633c781539ca47827883cd9d623ae6a806be40c972972e
Opcode Fuzzy Hash: 715d8c21fb6101bed5d9e6886f682a7495cd892290d865eb46c84aee286c9a70
Instruction Fuzzy Hash: 68115E31D0091DD7CF00DFA9E848AEEBF78FF1A751F015455EA41B2240DB709594DB99

Function 00541AE8 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00541B19

Strings

EXISTS, xrefs: 00541B41
APPEND, xrefs: 00541B52
KEYS, xrefs: 00541B30
REMOVE, xrefs: 00541B1F

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: d38d2df4dd4c8fee25c0fe89cac32ca244f8922c627eacbdd6f9a373ccfb4ee2
Instruction ID: 1187873da8a1c39f1604a0f2fb5d74a7becdfe58b139f23f39da0fb854928df9
Opcode Fuzzy Hash: d38d2df4dd4c8fee25c0fe89cac32ca244f8922c627eacbdd6f9a373ccfb4ee2
Instruction Fuzzy Hash: 671184309001499FCF00EF64D855AFEBBB4FF66308F104469D855A72D2EB325D0ACB54

Function 0055EB55 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0055EC07
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0055EC37
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0055ED6A
CloseHandle.KERNEL32(?), ref: 0055EDEB

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 144a2e8c86df64833b63400ee993471029fa1ac529eaac484723517b68b87753
Instruction ID: 058a98385cb08529c16d2b1e076a5a9a9d30f86c8fe86f2a64ad98f2012aa1bb
Opcode Fuzzy Hash: 144a2e8c86df64833b63400ee993471029fa1ac529eaac484723517b68b87753
Instruction Fuzzy Hash: FB8193B16003009FDB24EF2AC856F2AB7E5BF44715F04881EF999DB2D2D6B4AD44CB45

Function 0050541D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0050547B
_memcpy_s.LIBCMT ref: 005054ED
__read_nolock.LIBCMT ref: 0050554B
__filbuf.LIBCMT ref: 0050556E
_memset.LIBCMT ref: 005055B2

Part of subcall function 00508B28: __getptd_noexit.LIBCMT ref: 00508B28

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
Instruction ID: 79a544a0cff5d4a6959061953322d08432adaa356cf9aac707316c84c0328fe2
Opcode Fuzzy Hash: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
Instruction Fuzzy Hash: CD51A271A00B05DBDF249EA9DC846AF7FA6BF41321F248B29F825962D1E7719D908F40

Function 00560037 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 004E7DE1: _memmove.LIBCMT ref: 004E7E22

Part of subcall function 00560E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0055FDAD,?,?), ref: 00560E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005600FD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0056013C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00560183
RegCloseKey.ADVAPI32(?,?), ref: 005601AF
RegCloseKey.ADVAPI32(00000000), ref: 005601BC

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: fe991708ae94c21e8d5044015c7a2b3738b7c660e317f0fa569ae0c02a1ecce8
Instruction ID: ab4a4790c870ccdf23c4824d0fb58ef321cda4256138fca6c902b5b3b4ec8754
Opcode Fuzzy Hash: fe991708ae94c21e8d5044015c7a2b3738b7c660e317f0fa569ae0c02a1ecce8
Instruction Fuzzy Hash: C1514A71208244AFC714EF69DC85E6BBBE9FF84318F40492DF596872A2DB35E904CB52

Function 0055D8C8 Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 004E9837: __itow.LIBCMT ref: 004E9862
Part of subcall function 004E9837: __swprintf.LIBCMT ref: 004E98AC

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0055D927
GetProcAddress.KERNEL32(00000000,?), ref: 0055D9AA
GetProcAddress.KERNEL32(00000000,00000000), ref: 0055D9C6
GetProcAddress.KERNEL32(00000000,?), ref: 0055DA07
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0055DA21

Part of subcall function 004E5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00547896,?,?,00000000), ref: 004E5A2C
Part of subcall function 004E5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00547896,?,?,00000000,?,?), ref: 004E5A50

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 36a00d4112c63206f3fe2066973818fa41a0877a2f99e80796fa601911c8eb64
Instruction ID: ac7aeb214467e387427925608553272fd83f9bd277fc9ed221ee99714da4518f
Opcode Fuzzy Hash: 36a00d4112c63206f3fe2066973818fa41a0877a2f99e80796fa601911c8eb64
Instruction Fuzzy Hash: 83514976A00245DFCB10EFA9C4949ADBBB4FF09315B04806AEC55AB312D735AD49CF50

Function 0054E571 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0054E61F
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0054E648
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0054E687

Part of subcall function 004E9837: __itow.LIBCMT ref: 004E9862
Part of subcall function 004E9837: __swprintf.LIBCMT ref: 004E98AC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0054E6AC
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0054E6B4

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 79bcc05fab2dc0d1b006ee01a4947a150f1e6d9fafb6869f36f8214a4d93d091
Instruction ID: 5d474339e9c4d642c929310d43aeda88daec82373eca8d7d34a3b2d278d5d091
Opcode Fuzzy Hash: 79bcc05fab2dc0d1b006ee01a4947a150f1e6d9fafb6869f36f8214a4d93d091
Instruction Fuzzy Hash: B8511735A001059FCB00EF66D981AADBBF5FF09318F1480A9E849AB3A2CB35ED10DB54

Function 0056A056 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caf6c4095ac65b7a24a625cad93ab14771a3e5328edae8da48084ef3e8ae8090
Instruction ID: 49cc095648abb166a33397afc801b382b6a3fed37183f80c732b2a07dd377b02
Opcode Fuzzy Hash: caf6c4095ac65b7a24a625cad93ab14771a3e5328edae8da48084ef3e8ae8090
Instruction Fuzzy Hash: A6419E35904104ABD720DF28DC48FA9BFA8FB1A320F150565E916B72E1DB70AD45EF51

Function 004E2344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 004E2357
ScreenToClient.USER32(005A57B0,?), ref: 004E2374
GetAsyncKeyState.USER32(00000001), ref: 004E2399
GetAsyncKeyState.USER32(00000002), ref: 004E23A7

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 13e17e12c6a048a05203730be6e98a50037796107b1eb87fc45e029e0af8371f
Instruction ID: 322f0a133129b5c4068f15f2e44014a7f47a40f4ebc72bf9d19edd9ae1743ddb
Opcode Fuzzy Hash: 13e17e12c6a048a05203730be6e98a50037796107b1eb87fc45e029e0af8371f
Instruction Fuzzy Hash: 31418E35A04115FBDF258F69C848AEEBF78BB09361F20431AF829922A0C7759D94DF91

Function 005363AA Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 005363E7
TranslateAcceleratorW.USER32(?,?,?), ref: 00536433
TranslateMessage.USER32(?), ref: 0053645C
DispatchMessageW.USER32(?), ref: 00536466
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00536475

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: ed404aae4ac88cf3cf59563b9f53915f5b0f828643b5ca1fcbdac99cd2dfcdb7
Instruction ID: b80fc2351c22d6778de137cd4f963f654b5d5ab8cded6bd1be1e167daf46cbbd
Opcode Fuzzy Hash: ed404aae4ac88cf3cf59563b9f53915f5b0f828643b5ca1fcbdac99cd2dfcdb7
Instruction Fuzzy Hash: FD31A231D00646BFDF248FB4DC84FB67FA8BB22340F24856DE421C31A1E7659899EB60

Function 00538A1F Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00538A30
PostMessageW.USER32(?,00000201,00000001), ref: 00538ADA
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00538AE2
PostMessageW.USER32(?,00000202,00000000), ref: 00538AF0
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00538AF8

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: f8266c8dc644d089539ce2b0cbaee969613250270f285669ba7fad3b7c7a4d4f
Instruction ID: 6866f09759e2266c3b246c5354da042a2bf81d8c512de3ddbf40488b85ecdcf7
Opcode Fuzzy Hash: f8266c8dc644d089539ce2b0cbaee969613250270f285669ba7fad3b7c7a4d4f
Instruction Fuzzy Hash: 3B31C271900219EBDF18CF68D94CAAE7FB5FB15325F104229F925EB2D0C7B09914DB90

Function 0053B1EC Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0053B204
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0053B221
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0053B259
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0053B27F
_wcsstr.LIBCMT ref: 0053B289

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 2ee5060b4e7fcb4fdaa85da84f9604252a1061cd2d40eec73ad4040cd31fea42
Instruction ID: 1df218e3684028bbe9f8327783c36bf2afd282409cbcf99af1c274e4adb9a1f9
Opcode Fuzzy Hash: 2ee5060b4e7fcb4fdaa85da84f9604252a1061cd2d40eec73ad4040cd31fea42
Instruction Fuzzy Hash: 6B21F5766042017AFB159B79EC09E7F7F9CEF89710F104229F905DA1A1EFA1DC4093A0

Function 0056B14B Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 004E2612: GetWindowLongW.USER32(?,000000EB), ref: 004E2623

GetWindowLongW.USER32(?,000000F0), ref: 0056B192
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0056B1B7
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0056B1CF
GetSystemMetrics.USER32(00000004), ref: 0056B1F8
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00550E90,00000000), ref: 0056B216

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 5b575012cb7225c3a36dd4d3129b2cd0ec2c048b5555b589c093c83f8f31b281
Instruction ID: 05067daf7cd15304ff7aea5308254de0360727b379b29587c2ba5c5e837f87bc
Opcode Fuzzy Hash: 5b575012cb7225c3a36dd4d3129b2cd0ec2c048b5555b589c093c83f8f31b281
Instruction Fuzzy Hash: 5121A171A10661AFDB109F38DC14A6A3FA4FB16361F214B39F932D71E0E73098A0DB90

Function 00539307 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00539320

Part of subcall function 004E7BCC: _memmove.LIBCMT ref: 004E7C06

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00539352
__itow.LIBCMT ref: 0053936A
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00539392
__itow.LIBCMT ref: 005393A3

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: c98099c2f9c8f49fdd7a07ebad886ee0b53b2d3823af9976e1eec2f20f19ff88
Instruction ID: 2ef91b16764e7051829cf03799d9f46c95addbab3c7f4a9af10f27c0f52e022c
Opcode Fuzzy Hash: c98099c2f9c8f49fdd7a07ebad886ee0b53b2d3823af9976e1eec2f20f19ff88
Instruction Fuzzy Hash: 5F2104B1B04208ABDB10AA659C89EEE3FACFF88724F144429FA45DB1D0D6F08D4597A1

Function 00555A4D Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00555A6E
GetForegroundWindow.USER32 ref: 00555A85
GetDC.USER32(00000000), ref: 00555AC1
GetPixel.GDI32(00000000,?,00000003), ref: 00555ACD
ReleaseDC.USER32(00000000,00000003), ref: 00555B08

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 134de6decccadfe73f514d7f97ee0f0f6b97cdbf8d85a12aa1b20e98761446bc
Instruction ID: 12b5badb76bd7c29144e1beff43ced446f3f3fa5978242ffd61fe02e98bac8d7
Opcode Fuzzy Hash: 134de6decccadfe73f514d7f97ee0f0f6b97cdbf8d85a12aa1b20e98761446bc
Instruction Fuzzy Hash: 2A21A175A00104AFD710EF69DC98AAEBBE5FF58351F148479F80997362DA70AC04DB90

Function 004E12F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 004E134D
SelectObject.GDI32(?,00000000), ref: 004E135C
BeginPath.GDI32(?), ref: 004E1373
SelectObject.GDI32(?,00000000), ref: 004E139C

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 69d188946fa0da77d5fc1ca778a963db6b069011543ae802408a3d1e95877d90
Instruction ID: a2b710fbee48cf302b878d05392d9dc7e4c0ace227dbf7d207f7e0528c0e37d7
Opcode Fuzzy Hash: 69d188946fa0da77d5fc1ca778a963db6b069011543ae802408a3d1e95877d90
Instruction Fuzzy Hash: 42219B30800745EFEB108F26EC04B5D7BE8F721722F244217F811965B0E3789899EF55

Function 00544A93 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00544ABA
__beginthreadex.LIBCMT ref: 00544AD8
MessageBoxW.USER32(?,?,?,?), ref: 00544AED
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00544B03
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00544B0A

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: e4eefdb7b4f4976eb3ad5af1aff900d8707f657c04894bc4502e8f27fa746f8e
Instruction ID: a7fa5a58a0dcc7d8bac405647013aaef9a2c2837f953668cf9b6fef4a1df8b70
Opcode Fuzzy Hash: e4eefdb7b4f4976eb3ad5af1aff900d8707f657c04894bc4502e8f27fa746f8e
Instruction Fuzzy Hash: A911E576905614BBCB008BA8EC08BDB7FACFB56324F144265F814D3250D6B189089BA0

Function 00538202 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0053821E
GetLastError.KERNEL32(?,00537CE2,?,?,?), ref: 00538228
GetProcessHeap.KERNEL32(00000008,?,?,00537CE2,?,?,?), ref: 00538237
HeapAlloc.KERNEL32(00000000,?,00537CE2,?,?,?), ref: 0053823E
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00538255

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: f06aa49921d5d59148571b4a9273c3241feabcf2b6e66893dca7bef4237e60ee
Instruction ID: 9f6e4ec516ee3f1ec0366cd7b98b78d35ede6002025f76c24516bd3f6fd0d236
Opcode Fuzzy Hash: f06aa49921d5d59148571b4a9273c3241feabcf2b6e66893dca7bef4237e60ee
Instruction Fuzzy Hash: A8016D75600204BFDB244FA9EC48D6B7FADFF9A754B500529F809C3220DAB18C14DB60

Function 0053710A Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00537044,80070057,?,?,?,00537455), ref: 00537127
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00537044,80070057,?,?), ref: 00537142
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00537044,80070057,?,?), ref: 00537150
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00537044,80070057,?), ref: 00537160
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00537044,80070057,?,?), ref: 0053716C

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 27c0791b591f15e758684b534485b86122b3fcd3d27dc42108b1cda8f868514a
Instruction ID: 98d83ed90098430ea0840c69fb5cb0ca0130c676379fd5cbb7e5dd320bddb2c9
Opcode Fuzzy Hash: 27c0791b591f15e758684b534485b86122b3fcd3d27dc42108b1cda8f868514a
Instruction Fuzzy Hash: 3C0171B3A05208ABDB214F68EC44AAA7FADFB48751F1400A4FD44D3210D771DD40E7A0

Function 00545244 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00545260
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0054526E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00545276
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00545280
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 005452BC

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 0dbd976db80259ac9102b2fbcfe63c3487261094c16fb28f6b00a534705f97a0
Instruction ID: 411dda0a79e451093a4d7d92dd869e3ab2a57793f6f74f8917de17e7b73cf0b6
Opcode Fuzzy Hash: 0dbd976db80259ac9102b2fbcfe63c3487261094c16fb28f6b00a534705f97a0
Instruction Fuzzy Hash: DF015735D05A1DDBCF00EFE8E848AEDBB78BB19315F400456E941B2142EBB05554DBA1

Function 0053810A Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00538121
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0053812B
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0053813A
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00538141
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00538157

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: e38555e21ce5031993d369e7d2add9c085495af50acfbed7778e246c4452e22f
Instruction ID: 2af559ec58ad789f54d40b6c96185e1d779759e1e0f42b03ffc17cddae5d5fa4
Opcode Fuzzy Hash: e38555e21ce5031993d369e7d2add9c085495af50acfbed7778e246c4452e22f
Instruction Fuzzy Hash: ADF03C71600304AFEB110FA9EC88E7B3BACFF5A654F000025F98587150CAA19945EB60

Function 0053C1E3 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0053C1F7
GetWindowTextW.USER32(00000000,?,00000100), ref: 0053C20E
MessageBeep.USER32(00000000), ref: 0053C226
KillTimer.USER32(?,0000040A), ref: 0053C242
EndDialog.USER32(?,00000001), ref: 0053C25C

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: fbcb0e0f4cef452a3ca8763b27f8e58bb69e91d41c0c897e43ba3c5dd7519043
Instruction ID: d837b671fce59ff685295abb523f6b9a536bd696ec4f105f47579fc7ea75ad8c
Opcode Fuzzy Hash: fbcb0e0f4cef452a3ca8763b27f8e58bb69e91d41c0c897e43ba3c5dd7519043
Instruction Fuzzy Hash: E70167349047049BEB205B58ED4EB977F78FB14706F040669F582A14E1D7E469589B50

Function 004E13B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 004E13BF
StrokeAndFillPath.GDI32(?,?,0051B888,00000000,?), ref: 004E13DB
SelectObject.GDI32(?,00000000), ref: 004E13EE
DeleteObject.GDI32 ref: 004E1401
StrokePath.GDI32(?), ref: 004E141C

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: e133b9f6a45741d9b541c2385d3919762356aca8d82449105646ee84f597aa0f
Instruction ID: bdbe35c5f926f28c86ae961aaef81e2b1902af87ad14aa2f5919519ddb312fe3
Opcode Fuzzy Hash: e133b9f6a45741d9b541c2385d3919762356aca8d82449105646ee84f597aa0f
Instruction Fuzzy Hash: 1BF03130004749EBDB115F2AEC4CB593FE4A722326F188225E42A495F1D778459DEF15

Function 004F2CFB Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00500DB6: std::exception::exception.LIBCMT ref: 00500DEC
Part of subcall function 00500DB6: __CxxThrowException@8.LIBCMT ref: 00500E01

Part of subcall function 004E7DE1: _memmove.LIBCMT ref: 004E7E22

Part of subcall function 004E7A51: _memmove.LIBCMT ref: 004E7AAB

__swprintf.LIBCMT ref: 004F2ECD

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 004F2D66

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: b9e44762edf55ad2e09800f930ed797cd64145f46adf04fc7545b54e3d7b4292
Instruction ID: 2ed5c4460b76ddd865a0d78df36dcd5e392f10903e84378d2861f6f0943ed383
Opcode Fuzzy Hash: b9e44762edf55ad2e09800f930ed797cd64145f46adf04fc7545b54e3d7b4292
Instruction Fuzzy Hash: ED91AA711082059FC714EF25D885C7FBBA8FF85314F10481EF9869B2A2EA78ED44CB5A

Function 0054B93B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 004E4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,004E4743,?,?,004E37AE,?), ref: 004E4770

CoInitialize.OLE32(00000000), ref: 0054B9BB
CoCreateInstance.OLE32(00572D6C,00000000,00000001,00572BDC,?), ref: 0054B9D4
CoUninitialize.OLE32 ref: 0054B9F1

Part of subcall function 004E9837: __itow.LIBCMT ref: 004E9862
Part of subcall function 004E9837: __swprintf.LIBCMT ref: 004E98AC

Strings

.lnk, xrefs: 0054B99D, 0054B9AB

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: f5db4bd475ba1b71ec0f084e44dee1ddc69f50a26ca5ea4a5059241bd2fa6a8f
Instruction ID: 495e02a2150b2acd4a800cb12d16b4a38e883e63921f3b9c20044a24bacd7fb3
Opcode Fuzzy Hash: f5db4bd475ba1b71ec0f084e44dee1ddc69f50a26ca5ea4a5059241bd2fa6a8f
Instruction Fuzzy Hash: ABA145756043419FDB00EF16C484D6ABBE5FF89318F048999F8999B3A1CB31ED45CB91

Function 0053B2F3 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 0053B4BE

Strings

AutoIt3GUI, xrefs: 0053B436
Container, xrefs: 0053B43B
%W, xrefs: 0053B561

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container$%W
API String ID: 3565006973-124652545
Opcode ID: 7199552fea9232858ccfd1ff2a78628b25b01d1ce0fddd21be57de52850006b0
Instruction ID: 235d4faa4a653cf17acdeae79613786d18ccd54496263c9e3aabac25f2aa05e4
Opcode Fuzzy Hash: 7199552fea9232858ccfd1ff2a78628b25b01d1ce0fddd21be57de52850006b0
Instruction Fuzzy Hash: 01912B71600601AFEB14DF64C884B6ABBE5FF49710F14896EEA4ACB291EB71E841CB50

Function 0050501D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 005050AD

Part of subcall function 005100F0: __87except.LIBCMT ref: 0051012B

Strings

pow, xrefs: 00505085, 005050A2

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 43b5ca5d8ddaff01d9c18a8033a4f8fa83e945ca05c347ada65c26df227c98a2
Instruction ID: db61530dece8e7bc10865e2344e6bd54f0f92df0bce1ad9c842996e7cbe6b538
Opcode Fuzzy Hash: 43b5ca5d8ddaff01d9c18a8033a4f8fa83e945ca05c347ada65c26df227c98a2
Instruction Fuzzy Hash: DD515C3190860296EB127714DD193BF3FD4BB51700F209D59E4D5862D9FE788DC8EE86

Function 00528584 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 148COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0052862B
_memmove.LIBCMT ref: 00528685

Strings

_O, xrefs: 005286FF, 0052DFDC, 0052DFF8
3cO, xrefs: 0052860C

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: _memmove
String ID: 3cO$_O
API String ID: 4104443479-2029810506
Opcode ID: 8a8bcc366eae391b762e45b8a25117511c36da7422465aee8349d62ad0ef51b9
Instruction ID: ee5a2fc33bfa2c5c63e3641f13135cb58d33b49b79cf86975e43ab8dd71ab7bc
Opcode Fuzzy Hash: 8a8bcc366eae391b762e45b8a25117511c36da7422465aee8349d62ad0ef51b9
Instruction Fuzzy Hash: E2517F70E016199FCF24CFA8D884ABEBBF1FF45304F14852AE85AD7290EB30A955CB51

Function 005397F5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005414BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00539296,?,?,00000034,00000800,?,00000034), ref: 005414E6

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0053983F

Part of subcall function 00541487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,005392C5,?,?,00000800,?,00001073,00000000,?,?), ref: 005414B1

Part of subcall function 005413DE: GetWindowThreadProcessId.USER32(?,?), ref: 00541409
Part of subcall function 005413DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0053925A,00000034,?,?,00001004,00000000,00000000), ref: 00541419
Part of subcall function 005413DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0053925A,00000034,?,?,00001004,00000000,00000000), ref: 0054142F

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 005398AC
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 005398F9

Strings

@, xrefs: 00539911

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: c2e5bb0a949f17906b6eb57c9b87dceffff6a41a618e189cc2443b2da58cd456
Instruction ID: 7c52d8c40256881334d4328915652e76759dcb02ebf979f94860e9d200b3a266
Opcode Fuzzy Hash: c2e5bb0a949f17906b6eb57c9b87dceffff6a41a618e189cc2443b2da58cd456
Instruction Fuzzy Hash: 27415C7690021DAFCF10DFA4CD85ADEBBB8FB49700F004099FA55B7191DA716E89CBA0

Function 00567946 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0056F910,00000000,?,?,?,?), ref: 005679DF
GetWindowLongW.USER32 ref: 005679FC
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00567A0C

Strings

SysTreeView32, xrefs: 005679B1

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: e7baf8ee7661476ec748a551adc088c43b5c9e516bae5945843eb21e799bd8bd
Instruction ID: 0fd6b9e534658d5005c8fb54d000f93ab6a57d3c10b145609d5b062f5d89511b
Opcode Fuzzy Hash: e7baf8ee7661476ec748a551adc088c43b5c9e516bae5945843eb21e799bd8bd
Instruction Fuzzy Hash: 1431CF3160420AABDB118F78DC45BEA7BA9FF09328F244729F875A32E0D735ED519B50

Function 005673D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00567461
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00567475
SendMessageW.USER32(?,00001002,00000000,?), ref: 00567499

Strings

SysMonthCal32, xrefs: 0056742C

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: d7e1066d8db54ade2669cdb925cf835aaace0c94ec6ee641440ffa170d41fb41
Instruction ID: ad2181bf20b64776d1b9903ff30da3359b089b94bb1b56db06fa595471531a7e
Opcode Fuzzy Hash: d7e1066d8db54ade2669cdb925cf835aaace0c94ec6ee641440ffa170d41fb41
Instruction Fuzzy Hash: 2E21BF32504219BBDF118F64CC46FEA3F69FB4C728F110214FE156B190DAB5AC94DBA0

Function 00567B93 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00567C4A
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00567C58
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00567C5F

Strings

msctls_updown32, xrefs: 00567BC4

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: f205ed94b431b1a84176376b9e755ebf3ecfb7d24d8c92ce2cfa66c51df02157
Instruction ID: 78522381ee10f93f24455c0d44ddf6d02fc97945c56c7cacf91d266587964df6
Opcode Fuzzy Hash: f205ed94b431b1a84176376b9e755ebf3ecfb7d24d8c92ce2cfa66c51df02157
Instruction Fuzzy Hash: 46218EB1604209AFEB10DF28DCC5CAA3BECFF5A398B140459F9119B3A1DB71EC519B60

Function 00566CB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00566D3B
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00566D4B
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00566D70

Strings

Listbox, xrefs: 00566D08

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 95cd0b7847ea998794c09f9911137641c92c8229a9f9472598681506149bff2f
Instruction ID: a51c2bbf0f316f46400f8735ee56bb28676be510fc2d172521607bd4ab7394bf
Opcode Fuzzy Hash: 95cd0b7847ea998794c09f9911137641c92c8229a9f9472598681506149bff2f
Instruction Fuzzy Hash: 40219232600118BFEF118F54DC45EBB3BBAFF89754F018128F9459B1A0C6719C51DBA0

Function 005539E9 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00553A66

Part of subcall function 004E7DE1: _memmove.LIBCMT ref: 004E7E22

Strings

AUTOITCALLVARIABLE%d, xrefs: 00553A58
, $, xrefs: 00553AA6
%W, xrefs: 005539F4

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d$%W
API String ID: 3506404897-630733055
Opcode ID: 3aba4f122cc70848a58645d02a9a88a0af433c55cd901fd8abb87eb06234f56d
Instruction ID: 4ded88287384c66d277a0c37f59c133b8808d2e748a3bdbf82882c09c8902255
Opcode Fuzzy Hash: 3aba4f122cc70848a58645d02a9a88a0af433c55cd901fd8abb87eb06234f56d
Instruction Fuzzy Hash: 0621D230A00219AFCF10EF65CC92EAE7BB8FF44341F10045AF949AB182DB34EA45CB65

Function 0056770E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00567772
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00567787
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00567794

Strings

msctls_trackbar32, xrefs: 00567749

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 41c116bea11454fd1b5dd8af72f502ea336ead5d159ea3eda181b4e7a4dde581
Instruction ID: 096fa7dae8b74d2f451bc618cfdc080a80273d3f5fc2aba4dd63c697b8e7eb98
Opcode Fuzzy Hash: 41c116bea11454fd1b5dd8af72f502ea336ead5d159ea3eda181b4e7a4dde581
Instruction Fuzzy Hash: 6D112772244208BAEF105F65CC05FE73B69FF88B58F010118F641A30A0D672E851DB20

Function 00506B71 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00506B93
__calloc_crt.LIBCMT ref: 00506BAC

Strings

@BZ, xrefs: 00506BC3
Y, xrefs: 00506BD1

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: __calloc_crt
String ID: Y$@BZ
API String ID: 3494438863-1834554204
Opcode ID: 0f2c17436c7feb25a155c338322b6613d614e5fdc3de33ec890cdeaf7e46de46
Instruction ID: 967ab7628fb28be9d2bcf234780547e2c24f55eeed51fd87bd98eaada10a6b5f
Opcode Fuzzy Hash: 0f2c17436c7feb25a155c338322b6613d614e5fdc3de33ec890cdeaf7e46de46
Instruction Fuzzy Hash: B8F0AFB9208A128BEB259F28BC56FAA3FA4FB51330B10041AE200CE1C0FB7088949680

Function 00509B79 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 00509B94

Part of subcall function 00509C0B: __mtinitlocknum.LIBCMT ref: 00509C1D
Part of subcall function 00509C0B: EnterCriticalSection.KERNEL32(00000000,?,00509A7C,0000000D), ref: 00509C36

__updatetlocinfoEx_nolock.LIBCMT ref: 00509BA4

Part of subcall function 00509100: ___addlocaleref.LIBCMT ref: 0050911C
Part of subcall function 00509100: ___removelocaleref.LIBCMT ref: 00509127
Part of subcall function 00509100: ___freetlocinfo.LIBCMT ref: 0050913B

Strings

8Y, xrefs: 00509B85
8Y, xrefs: 00509B8A, 00509B9F, 00509BAB

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: CriticalEnterEx_nolockSection___addlocaleref___freetlocinfo___removelocaleref__lock__mtinitlocknum__updatetlocinfo
String ID: 8Y$8Y
API String ID: 547918592-1560955030
Opcode ID: 214b40c622f546c01bf9b6913d65f3d7393cf0a3bd451b722460725876e8912a
Instruction ID: c32dbdd38606fbe3691b09690cd6cf626dc072881843f9330c739bb411b0c8db
Opcode Fuzzy Hash: 214b40c622f546c01bf9b6913d65f3d7393cf0a3bd451b722460725876e8912a
Instruction Fuzzy Hash: FAE08C71947302AAEE10FBA4690BB1C3E90FB80B31F20215AF095550CACEB40C00DA67

Function 004E4C03 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,004E4BD0,?,004E4DEF,?,005A52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 004E4C11
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 004E4C23

Strings

kernel32.dll, xrefs: 004E4C0C
Wow64DisableWow64FsRedirection, xrefs: 004E4C1D

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 504099124ce243645258bc8c6e5b39807fac5de6ad98a6cc5198895bd55bb354
Instruction ID: 7949d43012b41a0b25865b1b886e3704dc160aa240e079a6fbb5b0173436ff0b
Opcode Fuzzy Hash: 504099124ce243645258bc8c6e5b39807fac5de6ad98a6cc5198895bd55bb354
Instruction Fuzzy Hash: 1FD01230911B13CFD7209F75E908607BBD5FF19392B128C3AE485D7660E6B4D480C754

Function 004E4C36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,004E4B83,?), ref: 004E4C44
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 004E4C56

Strings

Wow64RevertWow64FsRedirection, xrefs: 004E4C50
kernel32.dll, xrefs: 004E4C3F

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: c60f2d4bbe82d18a8ec44c96c45c5f4b9790719f49c38ff22e622fcf39fb27c4
Instruction ID: 5f91cb1f69c44ead36cad67a0dfbe80cd48e11c05ae46812045adeca3ca35844
Opcode Fuzzy Hash: c60f2d4bbe82d18a8ec44c96c45c5f4b9790719f49c38ff22e622fcf39fb27c4
Instruction Fuzzy Hash: 37D01230D10713CFD7209F36E90861677D4BF15391B22883AD495D7260E6B8D480C750

Function 00560DE7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00561039), ref: 00560DF5
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00560E07

Strings

RegDeleteKeyExW, xrefs: 00560E01
advapi32.dll, xrefs: 00560DF0

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 252348947ed68aceb370c72df4ae0c756b26d9473df5da0cdaa44552aee6762f
Instruction ID: 516788a12d5ed3741c943d4594aea6a73b50f3cf5ec4b8607ffdd1d88b0093fb
Opcode Fuzzy Hash: 252348947ed68aceb370c72df4ae0c756b26d9473df5da0cdaa44552aee6762f
Instruction Fuzzy Hash: 88D01270910722CFD7205F79D8086477AD9BF15391F119C7DD485D7190D6B1D8A0C750

Function 005590E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00558CF4,?,0056F910), ref: 005590EE
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00559100

Strings

kernel32.dll, xrefs: 005590E9
GetModuleHandleExW, xrefs: 005590FA

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 110811d336051f9c74cf627b896bf374ab4d7a14619e66344a04c66979bfd6b3
Instruction ID: ee818b3d22c4c94d07362940659446563ffc1aa9f38fac0be8579ca66b77b8b0
Opcode Fuzzy Hash: 110811d336051f9c74cf627b896bf374ab4d7a14619e66344a04c66979bfd6b3
Instruction Fuzzy Hash: BED01234910723CFDB209F35E8185067AD4BF16392B11883AD886D7550EBB4D484C750

Function 00521714 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00521718
__swprintf.LIBCMT ref: 00521749

Strings

WIN_XPe, xrefs: 00521788
%.3d, xrefs: 00521723

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 03ec6a4a8710a34953a3f674e66c92de2f104818a2cd619c2a89a48201d31d3a
Instruction ID: 0175cda5c81cf70d76e2e9d09332035bdae988ce641170ef6cd96af7959abc18
Opcode Fuzzy Hash: 03ec6a4a8710a34953a3f674e66c92de2f104818a2cd619c2a89a48201d31d3a
Instruction Fuzzy Hash: 09D01271804529EACB109790AC888BF7B7CFFAA301F180862F402920C0E2259756EA29

Function 0053717D Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56484e0737d60911a050266b6b458787752de62006347cff968c756d65424af1
Instruction ID: 81138c16d97a63d5ab2fe3239ff2040c9474cd6eff7c97eee9221a4a93a38587
Opcode Fuzzy Hash: 56484e0737d60911a050266b6b458787752de62006347cff968c756d65424af1
Instruction Fuzzy Hash: 77C11DB5E0421AEFDB24CF94C884AAEBBB5FF48714F158998E805EB251D730ED41DB90

Function 0055E02A Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 0055E0BE
CharLowerBuffW.USER32(?,?), ref: 0055E101

Part of subcall function 0055D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0055D7C5

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0055E301
_memmove.LIBCMT ref: 0055E314

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 08e7ed24b291a9eb0648562969701b772717d504940b1637a3dbb5fc14621d31
Instruction ID: 16cf94aec57472bfc791e8e046834d6902e5fef8b40fd5d096941bdc3831487d
Opcode Fuzzy Hash: 08e7ed24b291a9eb0648562969701b772717d504940b1637a3dbb5fc14621d31
Instruction Fuzzy Hash: 60C16B716083419FC714DF29C491A6ABBE4FF89318F04896EF8999B391D730EE49CB81

Function 00558093 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 005580C3
CoUninitialize.OLE32 ref: 005580CE

Part of subcall function 0053D56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0053D5D4

VariantInit.OLEAUT32(?), ref: 005580D9
VariantClear.OLEAUT32(?), ref: 005583AA

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 8abc6f4936d78b5b3447c4ca340be56ab647762500b413f13e42ccf266cd75b3
Instruction ID: fef68c9f353f1061c3463713444899af7696c7a0b585889ce0db10f597c60291
Opcode Fuzzy Hash: 8abc6f4936d78b5b3447c4ca340be56ab647762500b413f13e42ccf266cd75b3
Instruction Fuzzy Hash: 10A17D756047419FCB00EF56C895B2ABBE4BF89315F04485EF996AB3A1CB34ED08CB46

Function 0053687D Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0053688E
SysAllocString.OLEAUT32(00000000), ref: 00536937
VariantCopy.OLEAUT32 ref: 00536966
VariantClear.OLEAUT32(?), ref: 0053698D

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 1b2677e70de57d342c8279bd059f6d9bdd1e3a5c43d2cd3c05af50d06edd6698
Instruction ID: c66514b5769f91d181dcb27764ec401b2783fb071bc654c20112524b4d351d2c
Opcode Fuzzy Hash: 1b2677e70de57d342c8279bd059f6d9bdd1e3a5c43d2cd3c05af50d06edd6698
Instruction Fuzzy Hash: 2C51B075600302EADB24AF65D899A6EFBE5BF44311F20D81FE586DB291DB74D8408705

Function 005697F4 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(0104F128,?), ref: 00569863
ScreenToClient.USER32(00000002,00000002), ref: 00569896
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00569903

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: e4dea697af5ed1dc37f4ed8014bfde41514e99f394296d650696ce9211da5a3c
Instruction ID: 861b59f4a0e777f0cf90c54db6073965b4d7de1a8a8e3b8131b415b5083f666f
Opcode Fuzzy Hash: e4dea697af5ed1dc37f4ed8014bfde41514e99f394296d650696ce9211da5a3c
Instruction Fuzzy Hash: 0D515F34A00209EFDF10CF28D884AAE7BB9FF56360F10815DF8659B2A0D730AD81DB90

Function 00539A80 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00539AD2
__itow.LIBCMT ref: 00539B03

Part of subcall function 00539D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00539DBE

SendMessageW.USER32(?,0000110A,00000001,?), ref: 00539B6C
__itow.LIBCMT ref: 00539BC3

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: 0f8a4fe2e66d611f58ba730dcedf2dd6d13162d544a804cc7e48d48818ee0716
Instruction ID: 259aa7a2f7c2f99cdfc7a3d9825e176ed4c2ea5b5ae743fb5ca22a072f1e524a
Opcode Fuzzy Hash: 0f8a4fe2e66d611f58ba730dcedf2dd6d13162d544a804cc7e48d48818ee0716
Instruction Fuzzy Hash: 7341C3B0A04249ABDF11DF55D845BEEBFB9EF44725F00001AF905A7291DBB49D44CB61

Function 005569AA Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 005569D1
WSAGetLastError.WSOCK32(00000000), ref: 005569E1

Part of subcall function 004E9837: __itow.LIBCMT ref: 004E9862
Part of subcall function 004E9837: __swprintf.LIBCMT ref: 004E98AC

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00556A45
WSAGetLastError.WSOCK32(00000000), ref: 00556A51

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: b91d9978df10d97c4a631a0d0292fd4ccefd2accd88180608d4154c91faa741c
Instruction ID: 46d1e09626a25c750834046f658ae9740d7611c2c81a0d69561eb9d99f1ce6f4
Opcode Fuzzy Hash: b91d9978df10d97c4a631a0d0292fd4ccefd2accd88180608d4154c91faa741c
Instruction Fuzzy Hash: 5A41E474700200AFEB20BF26CC86F3977A4EF14B19F44846DFA199F2D2CAB49D008755

Function 0055641A Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0056F910), ref: 005564A7
_strlen.LIBCMT ref: 005564D9

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 4343f8df94eddd10322541edc7ae4c43aba8b6186d4c70e00f9eac1457824769
Instruction ID: 87c384ae7d7c1ad52b2a3a0e154084a762931eb2f356092ccf9ddbb079730314
Opcode Fuzzy Hash: 4343f8df94eddd10322541edc7ae4c43aba8b6186d4c70e00f9eac1457824769
Instruction Fuzzy Hash: 1B41F631900145AFCB04EBA9EC95FBEBBA8BF54315F90816AFD15972D2EB30AD04C750

Function 0054B7F4 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0054B89E
GetLastError.KERNEL32(?,00000000), ref: 0054B8C4
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0054B8E9
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0054B915

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: cfab2d6dca0dacfef44b676a132f6d8ec5708c751897136a5f7d65d3b6d95548
Instruction ID: a29e56fb13613c06b51b8c5a08f766ff648f9d6b9b7889f555cd9a9c155c9a66
Opcode Fuzzy Hash: cfab2d6dca0dacfef44b676a132f6d8ec5708c751897136a5f7d65d3b6d95548
Instruction Fuzzy Hash: B1411A39600550DFCB10EF16C484A69BBE1BF89718F098099ED4A9B3A2CB34FD05DB95

Function 00568851 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 005688DE

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 820b606b9fcd3e5f5c0de47769bb9ca47dca21e771c1a46c70c371f08f65fbf9
Instruction ID: ea04cccff70de12561bc55fcf9fe852310002ff19ee485b6bea3e56494ccf0ac
Opcode Fuzzy Hash: 820b606b9fcd3e5f5c0de47769bb9ca47dca21e771c1a46c70c371f08f65fbf9
Instruction Fuzzy Hash: 2631C434600109AFEB309A68DC45FBC7FA5FB06350F944A16FA51E71A1CE70ED80DB52

Function 0056AB37 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0056AB60
GetWindowRect.USER32(?,?), ref: 0056ABD6
PtInRect.USER32(?,?,0056C014), ref: 0056ABE6
MessageBeep.USER32(00000000), ref: 0056AC57

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 0f4527dd00d2a6e2217cf4abda1c87a84cd0ea116536d28d7a96a2843ca339c1
Instruction ID: ddfd7cfbd2d6b48d2c568469a8d2e9e4a896468569b15e66ee80ff3becb4fbb2
Opcode Fuzzy Hash: 0f4527dd00d2a6e2217cf4abda1c87a84cd0ea116536d28d7a96a2843ca339c1
Instruction Fuzzy Hash: 1D419C30A0010ADFDB21DF58D884A697BF5FF99310F2880A9F815AB260E730AC45DF92

Function 00540AD6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00540B27
SetKeyboardState.USER32(00000080,?,00000001), ref: 00540B43
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00540BA9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00540BFB

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 6548161d4d90a428a5edda6ca6503d7b0808fd895935a8baef4fdce6afff0ca7
Instruction ID: 1fbdfc21902c1d9c72f6e792b8906b5d7d768329da4d43905869329150f40bde
Opcode Fuzzy Hash: 6548161d4d90a428a5edda6ca6503d7b0808fd895935a8baef4fdce6afff0ca7
Instruction Fuzzy Hash: 32315A30D44218AEFF308B298C09BFEBFB5FB9531CF24525AE681521D1C3B88D459759

Function 00540C11 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00540C66
SetKeyboardState.USER32(00000080,?,00008000), ref: 00540C82
PostMessageW.USER32(00000000,00000101,00000000), ref: 00540CE1
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00540D33

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 88ae90955cfda43cdfd1df23cc7b67d1fa275f51ad01bc34969ee44906b2065f
Instruction ID: 837a9b42308c1ce69225b09bd92eba2521e388dfa909e7eb4803eb4336d922be
Opcode Fuzzy Hash: 88ae90955cfda43cdfd1df23cc7b67d1fa275f51ad01bc34969ee44906b2065f
Instruction Fuzzy Hash: 65314630D40218AEFF308B6998097FEFF66BB85318F24672AE681521D1C3799D499791

Function 005161C5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 005161FB
__isleadbyte_l.LIBCMT ref: 00516229
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00516257
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0051628D

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 1f44299e2c026e02d18e543b6ab0c6dabbdf012e026c37a523d313a2841af6ba
Instruction ID: 4c2f59a47abb995e2b047452be4aeae48ca3e64ce90cabc65cfb74a570151b5a
Opcode Fuzzy Hash: 1f44299e2c026e02d18e543b6ab0c6dabbdf012e026c37a523d313a2841af6ba
Instruction Fuzzy Hash: F731AD35604246AFEF228F65CC48BFA7FA9FF82310F154429E864971A1E731E9D0DB90

Function 00564EEE Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00564F02

Part of subcall function 00543641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0054365B
Part of subcall function 00543641: GetCurrentThreadId.KERNEL32 ref: 00543662
Part of subcall function 00543641: AttachThreadInput.USER32(00000000,?,00545005), ref: 00543669

GetCaretPos.USER32(?), ref: 00564F13
ClientToScreen.USER32(00000000,?), ref: 00564F4E
GetForegroundWindow.USER32 ref: 00564F54

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 20ff62b02ee1f8a02f6001c4e021ba821505643730351ad628fe4ccf78c9d0ea
Instruction ID: 78ab973bb9383f230610ef6de82beecd718402e4916b5d0b16d82fd09032310c
Opcode Fuzzy Hash: 20ff62b02ee1f8a02f6001c4e021ba821505643730351ad628fe4ccf78c9d0ea
Instruction Fuzzy Hash: C8311EB1D00109AFDB00EFAAC8859EFBBF9FF98304F10446AE415E7251DA759E05CBA5

Function 00543C55 Relevance: 6.1, APIs: 4, Instructions: 85processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00543C7A
Process32FirstW.KERNEL32(00000000,?), ref: 00543C88
Process32NextW.KERNEL32(00000000,?), ref: 00543CA8
CloseHandle.KERNEL32(00000000), ref: 00543D52

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 0aa7ce54ab03138b5143080f3e9bb6c77acd72ed76c27af02aac42c532c1531d
Instruction ID: 2bf5ff7bb4a776c48c6e5b68660a9e7b1293a4600c182773100de3968569b73b
Opcode Fuzzy Hash: 0aa7ce54ab03138b5143080f3e9bb6c77acd72ed76c27af02aac42c532c1531d
Instruction Fuzzy Hash: 9B31D4715083459FD300EF66D881AEFBBE8FF95358F40082DF582861A1EB719E49CB52

Function 0056C498 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004E2612: GetWindowLongW.USER32(?,000000EB), ref: 004E2623

GetCursorPos.USER32(?), ref: 0056C4D2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0051B9AB,?,?,?,?,?), ref: 0056C4E7
GetCursorPos.USER32(?), ref: 0056C534
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0051B9AB,?,?,?), ref: 0056C56E

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: d3deb97eaf993370e6f18e01ee6c5312ae07309d44f88e88ef5a5d57c6cbf167
Instruction ID: b04f804fbde56ed7ca489e223172bc35905149f074582cf56392a3207443a3d2
Opcode Fuzzy Hash: d3deb97eaf993370e6f18e01ee6c5312ae07309d44f88e88ef5a5d57c6cbf167
Instruction Fuzzy Hash: AE31CE35600158AFCB25CF58CC98EBA7FB9FB1A310F444169F9468B261CB35AD50EBA4

Function 00538656 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0053810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00538121
Part of subcall function 0053810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0053812B
Part of subcall function 0053810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0053813A
Part of subcall function 0053810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00538141
Part of subcall function 0053810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00538157

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 005386A3
_memcmp.LIBCMT ref: 005386C6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 005386FC
HeapFree.KERNEL32(00000000), ref: 00538703

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: ed4f612bef665f0128709beb26591a1df405b77d14a469b32b00d4810411194c
Instruction ID: 5c55b28f3e981e8ba86a620c8c4c97f1e106a0f0e009577f247cabe3414f5c2d
Opcode Fuzzy Hash: ed4f612bef665f0128709beb26591a1df405b77d14a469b32b00d4810411194c
Instruction Fuzzy Hash: DD218B71E00209EBDB04DFA8C949BFEBBB8FF50344F144059E404AB241DB30AE09CB60

Function 0050098C Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 005009AE

Part of subcall function 004E5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00547896,?,?,00000000), ref: 004E5A2C
Part of subcall function 004E5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00547896,?,?,00000000,?,?), ref: 004E5A50

_fprintf.LIBCMT ref: 005009E5
OutputDebugStringW.KERNEL32(?), ref: 00535DBB

Part of subcall function 00504AAA: _flsall.LIBCMT ref: 00504AC3

__setmode.LIBCMT ref: 00500A1A

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: c06bf81c30bb9b412ed0fb2a85b98a3dc72ac9cd871c1c1efdef045c31bd0702
Instruction ID: 282dc431937f68e757486ab38229bf5850ad81a6515d2abd5ae201b92801bfc3
Opcode Fuzzy Hash: c06bf81c30bb9b412ed0fb2a85b98a3dc72ac9cd871c1c1efdef045c31bd0702
Instruction Fuzzy Hash: 381157B1A042456FC704B6B5AC4B9FE7F68BF81324F14451AF204571D2FF254C469BA5

Function 00551767 Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 005517A3

Part of subcall function 0055182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0055184C
Part of subcall function 0055182D: InternetCloseHandle.WININET(00000000), ref: 005518E9

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: a4361a1ee8ff92a5af40e19f180b550cba556c6c15709af1f6eb497f5aaa9a8b
Instruction ID: b4c0209518f5bb937f1ca66fa5f41f37b93a3c2d6db59f71e4bd065c1dae3955
Opcode Fuzzy Hash: a4361a1ee8ff92a5af40e19f180b550cba556c6c15709af1f6eb497f5aaa9a8b
Instruction Fuzzy Hash: 5E21D435600A01BFEB269F64DC10FBABFA9FF88712F10442BFD1196650DB719818A7A4

Function 00543A2A Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0056FAC0), ref: 00543A64
GetLastError.KERNEL32 ref: 00543A73
CreateDirectoryW.KERNEL32(?,00000000), ref: 00543A82
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0056FAC0), ref: 00543ADF

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: f8fdb1be75ce537fd3a0648ccf510a013faeaab300ec70c91a0be73844112331
Instruction ID: ef1f4ef19cbfc7542d7141dc2c7c7500f6638bce1c70c5985f80402d386559f0
Opcode Fuzzy Hash: f8fdb1be75ce537fd3a0648ccf510a013faeaab300ec70c91a0be73844112331
Instruction Fuzzy Hash: 9D2171745482019F8310DF2AD8858AA7BE8FF5536CF144A2EF499C72A1D7319E49CB42

Function 005150E2 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00515101

Part of subcall function 0050571C: __FF_MSGBANNER.LIBCMT ref: 00505733
Part of subcall function 0050571C: __NMSG_WRITE.LIBCMT ref: 0050573A
Part of subcall function 0050571C: RtlAllocateHeap.NTDLL(01030000,00000000,00000001,00000000,?,?,?,00500DD3,?), ref: 0050575F

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 2dec5cbbd325aeba0d6ca0a8975f99a158ac7442a54a145ed92d2305a877d5ee
Instruction ID: 47b2b74f6da42af71e4922f6ea1e2a71bc5389d59c00323889cff9a4f92f4b4f
Opcode Fuzzy Hash: 2dec5cbbd325aeba0d6ca0a8975f99a158ac7442a54a145ed92d2305a877d5ee
Instruction Fuzzy Hash: 2A11AB71940A12FEDB322F74BC49BAD3F987FD5361F100929F98596190EF348980D750

Function 00556369 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 004E5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00547896,?,?,00000000), ref: 004E5A2C
Part of subcall function 004E5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00547896,?,?,00000000,?,?), ref: 004E5A50

gethostbyname.WSOCK32(?,?,?), ref: 00556399
WSAGetLastError.WSOCK32(00000000), ref: 005563A4
_memmove.LIBCMT ref: 005563D1
inet_ntoa.WSOCK32(?), ref: 005563DC

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: 54e8fd8f01f57a89405b6a5f8526e992696ef7484e51b38480ad4dbccea16a21
Instruction ID: 522be313da3f0d7dc1e3009d37e76af378b7db8aa96133e5edf60e330f8e084f
Opcode Fuzzy Hash: 54e8fd8f01f57a89405b6a5f8526e992696ef7484e51b38480ad4dbccea16a21
Instruction Fuzzy Hash: 3A11B671900149AFCB00FFA5ED56CEE7BB8BF58315B50407AF905A71A1DB30AE08DB61

Function 00538B41 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00538B61
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00538B73
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00538B89
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00538BA4

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 4b9de0527e1d3b4de9d540a6d9c3ba6535fe4737c768b5bab6164827e7b6633b
Instruction ID: 2ece7b1b4e3abefccb351a7438ec3a4326da013a5d084c1d8af92c98429fd7eb
Opcode Fuzzy Hash: 4b9de0527e1d3b4de9d540a6d9c3ba6535fe4737c768b5bab6164827e7b6633b
Instruction Fuzzy Hash: 66110679901219BFEB11DBA5C885EADFBB8FB48710F2040A5EA10B7290DA716E11DB94

Function 004E1290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 004E2612: GetWindowLongW.USER32(?,000000EB), ref: 004E2623

DefDlgProcW.USER32(?,00000020,?), ref: 004E12D8
GetClientRect.USER32(?,?), ref: 0051B5FB
GetCursorPos.USER32(?), ref: 0051B605
ScreenToClient.USER32(?,?), ref: 0051B610

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 3888775d0024bf61f6b1022f0427162d34cb6dcfeaccaede84f2d07498a6226f
Instruction ID: c8d69393ab11313a86a39d4788c580445c1349e213b1443bb5223cc6302599af
Opcode Fuzzy Hash: 3888775d0024bf61f6b1022f0427162d34cb6dcfeaccaede84f2d07498a6226f
Instruction Fuzzy Hash: AB116D35900099EFCB00DFA9DC859FE77B8FB15301F000496FA11E7150D774BA559BA9

Function 0053D831 Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 0053D84D
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 0053D864
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 0053D879
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 0053D897

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 7767d8f6ba79b88e83dd4564021376347f6e46521f4b47f615af69003988ab1a
Instruction ID: ea4b15f9281becc5220e460fdfb7f19f2268431b876c1aa866a1bf6072c57fee
Opcode Fuzzy Hash: 7767d8f6ba79b88e83dd4564021376347f6e46521f4b47f615af69003988ab1a
Instruction Fuzzy Hash: 6C113C75A05304DBE7208F55FC48F92FBB8FB00B00F108969A516D7450D7B0F549ABB1

Function 00516FB7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00516FDB

Part of subcall function 005176C2: __fltout2.LIBCMT ref: 005176EB

__cftog_l.LIBCMT ref: 00517001
__cftoe_l.LIBCMT ref: 00517033

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 0b170485b83e9bb1de0f36e5d140daca3f447a3a0518f479228147aa1ae36211
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: A401397644824EBBDF165E88CC09CEE3F72BB1C390B598415FA1858031D236DAB1AF81

Function 0056B2C5 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0056B2E4
ScreenToClient.USER32(?,?), ref: 0056B2FC
ScreenToClient.USER32(?,?), ref: 0056B320
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0056B33B

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 03b90f92680624c3e8e1f8d144845d1540d3af680050fbe29f1157cee282785d
Instruction ID: 995476b31a3d1360c2c9a5bb323535997a2738b6ed4861b2b456fc3b320acd12
Opcode Fuzzy Hash: 03b90f92680624c3e8e1f8d144845d1540d3af680050fbe29f1157cee282785d
Instruction Fuzzy Hash: 2F1144B9D00209EFDB41CFA9D8849EEBBF9FF18310F108166E914E3220D775AA659F51

Function 00546BDA Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00546BE6

Part of subcall function 005476C4: _memset.LIBCMT ref: 005476F9

_memmove.LIBCMT ref: 00546C09
_memset.LIBCMT ref: 00546C16
LeaveCriticalSection.KERNEL32(?), ref: 00546C26

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 8ff1c9bac62ba39c0fe6872d178a419dcb23da5406b5e44a7bf8f99d68635866
Instruction ID: a650fee3b8eb65ef618247101ad8db080b888b5cc682fb129f6b3231857ba90c
Opcode Fuzzy Hash: 8ff1c9bac62ba39c0fe6872d178a419dcb23da5406b5e44a7bf8f99d68635866
Instruction Fuzzy Hash: 78F0543A100100ABCF016F55EC89A8ABF29FF85324F048061FE085F267C771E851DBB4

Function 004E2218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 004E2231
SetTextColor.GDI32(?,000000FF), ref: 004E223B
SetBkMode.GDI32(?,00000001), ref: 004E2250
GetStockObject.GDI32(00000005), ref: 004E2258
GetWindowDC.USER32(?,00000000), ref: 0051BE83
GetPixel.GDI32(00000000,00000000,00000000), ref: 0051BE90
GetPixel.GDI32(00000000,?,00000000), ref: 0051BEA9
GetPixel.GDI32(00000000,00000000,?), ref: 0051BEC2
GetPixel.GDI32(00000000,?,?), ref: 0051BEE2
ReleaseDC.USER32(?,00000000), ref: 0051BEED

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 20e36e15fd432f082a8c4b1806ede6ee4a2464439f8b3b6c2f8b04c2e2df1c25
Instruction ID: af7e7daf4eb90039abafd91ceabce1ac3291dc7d8d8cad3334467acab4973179
Opcode Fuzzy Hash: 20e36e15fd432f082a8c4b1806ede6ee4a2464439f8b3b6c2f8b04c2e2df1c25
Instruction Fuzzy Hash: 44E06D32904244EBEF215F68FC0D7D83F15EB26336F008366FA69880E187B14984EB12

Function 00538712 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 0053871B
OpenThreadToken.ADVAPI32(00000000,?,?,?,005382E6), ref: 00538722
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,005382E6), ref: 0053872F
OpenProcessToken.ADVAPI32(00000000,?,?,?,005382E6), ref: 00538736

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 94dab8de4df124c1a20458990362d4e606d98a6804e055493ea1fa397d46518f
Instruction ID: c99db8a083afdaf9f05a1cade40b376423e8b2cc4445ea3e6f8b9c7eea22bcb6
Opcode Fuzzy Hash: 94dab8de4df124c1a20458990362d4e606d98a6804e055493ea1fa397d46518f
Instruction Fuzzy Hash: 54E08637A15312ABDB205FB4BD0CB563BACFF607A2F144828F246CB040DA758459DB50

Function 004E6240 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 317COMMON

Download Yara Rule

Strings

%W, xrefs: 004E624E

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID:
String ID: %W
API String ID: 0-4190994476
Opcode ID: 168dd8c60ae6fdbbaa3a8a5aae79fe208ed7f12bb8f593407bd58cc32acc464a
Instruction ID: a726e6186ace40117fdeb0620f3ec7e31838aad5c116748681e81ce22f3f6cb8
Opcode Fuzzy Hash: 168dd8c60ae6fdbbaa3a8a5aae79fe208ed7f12bb8f593407bd58cc32acc464a
Instruction Fuzzy Hash: B8B1C4718001899BCF14EF96C8859FEBBB5FF64356F11402BE901A7291DB389E82CB5D

Function 0055AEA2 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 313COMMON

Download Yara Rule

APIs

__itow_s.LIBCMT ref: 0055AFAE

Strings

xbZ, xrefs: 0055B010
xbZ, xrefs: 0055AFE4

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: __itow_s
String ID: xbZ$xbZ
API String ID: 3653519197-3702753351
Opcode ID: dd84358f38e427d07cb872c53771220dbecc3b53a374c0883bf7d90e6b4971ec
Instruction ID: ecf7b670708416dd8c770f5ef5cdc4484ad2ac9bc1a9bc639982e2dea8f4997d
Opcode Fuzzy Hash: dd84358f38e427d07cb872c53771220dbecc3b53a374c0883bf7d90e6b4971ec
Instruction Fuzzy Hash: 46B1BC74A00209EFDB10DF55C8A5EBABBB9FF48305F14855AFD059B292EB30E945CB60

Function 0054AFAC Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 004FFC86: _wcscpy.LIBCMT ref: 004FFCA9

Part of subcall function 004E9837: __itow.LIBCMT ref: 004E9862
Part of subcall function 004E9837: __swprintf.LIBCMT ref: 004E98AC

__wcsnicmp.LIBCMT ref: 0054B02D
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0054B0F6

Strings

LPT, xrefs: 0054B027

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 4acf6f719e32f411a04c08e099052b09bf13e7446ce94f7c6cd7e5c24384d461
Instruction ID: ed1927a451e6369960c42b4cd099996fe7750d6502f18f72010983e1ceecbb6e
Opcode Fuzzy Hash: 4acf6f719e32f411a04c08e099052b09bf13e7446ce94f7c6cd7e5c24384d461
Instruction Fuzzy Hash: 71618E71A00219AFDB18DF95C895EEEBBB4FF08314F10406AF956AB2A1D770EE44CB54

Function 004F2957 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 004F2968
GlobalMemoryStatusEx.KERNEL32(?), ref: 004F2981

Strings

@, xrefs: 004F2975

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 17b91efe14b930124a3bd5cff1ebd95dc69080890674c58bee6ffac6f995ea0f
Instruction ID: 1e9fdcccb8f5a3bd1690f97a1834671d469dbc6a05298a1f1795a5602803b501
Opcode Fuzzy Hash: 17b91efe14b930124a3bd5cff1ebd95dc69080890674c58bee6ffac6f995ea0f
Instruction Fuzzy Hash: BF5179714187849BD720EF16D885BAFB7E8FB85345F42484EF6D8410A1DB34892CCB5A

Function 00549734 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 004E4F0B: __fread_nolock.LIBCMT ref: 004E4F29

_wcscmp.LIBCMT ref: 00549824
_wcscmp.LIBCMT ref: 00549837

Strings

FILE, xrefs: 00549770

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 6bf4dc2bb80a6fc078ed8f47392240c95ed9866c161615f4bd5860cd8a5e2f08
Instruction ID: 096ed17e2b267b18a10cd97d70157b5cb772b840a97793ea6d0cbbd40aec5763
Opcode Fuzzy Hash: 6bf4dc2bb80a6fc078ed8f47392240c95ed9866c161615f4bd5860cd8a5e2f08
Instruction Fuzzy Hash: 3041DB71A0020ABADF209BA5CC46FEFBBBDEF85714F00046AFA04E7181D6759A04CB65

Function 00520574 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0052057F

Strings

DdZ, xrefs: 004EA317
DdZ, xrefs: 004EA151

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: ClearVariant
String ID: DdZ$DdZ
API String ID: 1473721057-503455502
Opcode ID: 619ef0ae75f16ea5a271750cbf6b35c1bd5ce51919d5a486ec00679453c6684d
Instruction ID: 6d4fbc0f512a8d2a7a87c857dc8663368b05e6379144469098e1735d784f44be
Opcode Fuzzy Hash: 619ef0ae75f16ea5a271750cbf6b35c1bd5ce51919d5a486ec00679453c6684d
Instruction Fuzzy Hash: 73511478A043818FDB54CF1AC484A1ABBF1BF9A341F54485EE9858B3A1D335EC95CF46

Function 0055258E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0055259E
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 005525D4

Strings

|, xrefs: 005525A5

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 6c83619aed51a1d58cf2574ca22750eb7ecf87726657ebd12b821f9d72e40663
Instruction ID: 47513a343b4b333c2a7ba90e9fae9be28ac31506692975148fbf48bbbc399131
Opcode Fuzzy Hash: 6c83619aed51a1d58cf2574ca22750eb7ecf87726657ebd12b821f9d72e40663
Instruction Fuzzy Hash: DA312A71800159ABCF11EFA2CC89EEEBFB8FF08314F10005AFD14A6162EB355956DB60

Function 00567A71 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00567B61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00567B76

Strings

', xrefs: 00567ACA

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: bcbca3c696da51dd035c9cb0e10040fb221315155c404ec68ad5575c68487bf4
Instruction ID: b8a6e1374feffb9f1415e550b2a3c43394fc6f35fd785451870453aa8e10cc7f
Opcode Fuzzy Hash: bcbca3c696da51dd035c9cb0e10040fb221315155c404ec68ad5575c68487bf4
Instruction Fuzzy Hash: C9410874A0520E9FDB14CFA5C981BEEBBB5FB09304F10016AE904AB391E770AA55DF90

Function 00566A63 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00566B17
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00566B53

Strings

static, xrefs: 00566AB3

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: d12c65dc1635c10682ac465a456d93ea24dde753b1fdd8e19d6233a8141c8ca6
Instruction ID: 15d2209440e03223b96e7b23a6405052aef5b299c330ca11bd0ca2cc967ca8a6
Opcode Fuzzy Hash: d12c65dc1635c10682ac465a456d93ea24dde753b1fdd8e19d6233a8141c8ca6
Instruction Fuzzy Hash: C9319071110604EEDB109F69DC40BFB7BA9FF48764F10961DF9A5D71A0DA34AC81D760

Function 005428A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00542911
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0054294C

Strings

0, xrefs: 0054290A

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 060cdd7e148414c543dbc8ee14c8f8650208650b10a3812287c11b8b5e6d733c
Instruction ID: aebe0e2c77a301fd2bcfc17564413163d03e82c4956fd04504340c9ce8702333
Opcode Fuzzy Hash: 060cdd7e148414c543dbc8ee14c8f8650208650b10a3812287c11b8b5e6d733c
Instruction Fuzzy Hash: 7E31C131A0031A9BEB24CF58C885BEEBFB8FF45358F540029F985A61A0E7709984CB51

Function 005666D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00566761
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0056676C

Strings

Combobox, xrefs: 0056672E

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: e4574af2ec560e7335ea1fb0dccfdc1bb4fe55e1d5e3cc27a2f3644e8ed0e919
Instruction ID: d75a72dc283c137564623e74d946fa568e195bc73fd6009dbc69418f555ceab1
Opcode Fuzzy Hash: e4574af2ec560e7335ea1fb0dccfdc1bb4fe55e1d5e3cc27a2f3644e8ed0e919
Instruction Fuzzy Hash: 1C11B271200208AFEF118F54DC80EBB3B6EFB983A8F100129F91597290D675EC5197A0

Function 00566C07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 004E1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 004E1D73
Part of subcall function 004E1D35: GetStockObject.GDI32(00000011), ref: 004E1D87
Part of subcall function 004E1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 004E1D91

GetWindowRect.USER32(00000000,?), ref: 00566C71
GetSysColor.USER32(00000012), ref: 00566C8B

Strings

static, xrefs: 00566C4E

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 9492cfc254ef67637efcfaa3d8074871036d4efe932a657981ab688243f5f7d0
Instruction ID: 747debdc98a7c025e7d18fdb8b6b3a5d64efda11bdec411760f46819eef4990a
Opcode Fuzzy Hash: 9492cfc254ef67637efcfaa3d8074871036d4efe932a657981ab688243f5f7d0
Instruction Fuzzy Hash: 7121297691020AAFDF04DFA8DC45EFA7BA8FB18314F004629F995D3250E675E850EB60

Function 00566920 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 005669A2
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 005669B1

Strings

edit, xrefs: 00566986

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 2551f944eba332e28d92bcf11b05fa2b974ca546ac461d9b79f6ceb44af59615
Instruction ID: e213c6e567b0fbc984a8aebd8b09a33e9647de04037808a06e85832112eee7f2
Opcode Fuzzy Hash: 2551f944eba332e28d92bcf11b05fa2b974ca546ac461d9b79f6ceb44af59615
Instruction Fuzzy Hash: F3118C71500208ABEB108E74DC44EEB3BA9FB153B8F504724FDA5A71E0CB75DC94AB60

Function 005429AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00542A22
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00542A41

Strings

0, xrefs: 00542A18

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: aa484e352716f3760649dc6d2dea683b71b3f1f612a2ac7b8f3a0c0170431baf
Instruction ID: 26d7396042d8a1b49c00fa437199d2a3a075f82f2680f33bd5427ffc8516b84e
Opcode Fuzzy Hash: aa484e352716f3760649dc6d2dea683b71b3f1f612a2ac7b8f3a0c0170431baf
Instruction Fuzzy Hash: 8C11D032901124ABCB31DF99D844BEABBB8BB46308F944025FD55E7290E7B0AD4AC791

Function 005521D6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0055222C
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00552255

Strings

<local>, xrefs: 0055221D

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 3aa241e849ce806e4c7f2e9c57febad76ecda0a51ebd0c209d2559f8091640de
Instruction ID: 65abe87fe25181f66733ffef5fcebe6a5717db74ab9ea8d5a57c2f766d4e7f8d
Opcode Fuzzy Hash: 3aa241e849ce806e4c7f2e9c57febad76ecda0a51ebd0c209d2559f8091640de
Instruction Fuzzy Hash: 2611E078601225BADB248F519CA4EBBFFA8FF17352F10862BFD1586000D2706888DBF0

Function 004F092D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,004E3C14,005A52F8,?,?,?), ref: 004F096E

Part of subcall function 004E7BCC: _memmove.LIBCMT ref: 004E7C06

_wcscat.LIBCMT ref: 00524CB7

Strings

SZ, xrefs: 004F09AE

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: FullNamePath_memmove_wcscat
String ID: SZ
API String ID: 257928180-4263060193
Opcode ID: b39d712fa098b932983d4ac80f65038ef7147aa4bc671672449739aa69391ecd
Instruction ID: 404805054237b386cc703a2f059de608b08c29cdb2e4bb016f8964fc9a1fa24d
Opcode Fuzzy Hash: b39d712fa098b932983d4ac80f65038ef7147aa4bc671672449739aa69391ecd
Instruction Fuzzy Hash: C711A97190520DAA8B40EF65DD05EDD7BE8FF48355B0044A7FA54D3282FAF4AA844719

Function 00538E05 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004E7DE1: _memmove.LIBCMT ref: 004E7E22

Part of subcall function 0053AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0053AABC

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00538E73

Strings

ComboBox, xrefs: 00538E12
ListBox, xrefs: 00538E3D

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 83ec99f0369c893748359ebd3ea1f463ea6e2397ac09e59825d9eb01ace68562
Instruction ID: 54b21a60fdb38b38980ae908bb2cbd7cc7c7fe78783815e426f0796f0a9975b4
Opcode Fuzzy Hash: 83ec99f0369c893748359ebd3ea1f463ea6e2397ac09e59825d9eb01ace68562
Instruction Fuzzy Hash: 0101F1B1A05219AB8F19EBA5CC45CFE7B68FF05320F000A1EF871572E2DE355808D660

Function 00548D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00548DAC
__fread_nolock.LIBCMT ref: 00548DC1

Strings

EA06, xrefs: 00548DF3

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 57a862cbe0fd03bba37a5a39d11e7c79c457f5124ab3afdc8b9c2e49a550f495
Instruction ID: 19b9ddc602d98bf7b9e94b209676b99d45c4fd27dd46eb0db49fe0690ac4bbb4
Opcode Fuzzy Hash: 57a862cbe0fd03bba37a5a39d11e7c79c457f5124ab3afdc8b9c2e49a550f495
Instruction Fuzzy Hash: E601B971D042187EDB28CAA8CC5AEFE7FFCEB15311F00459AF552D61C1E975A6048B60

Function 00538CFD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004E7DE1: _memmove.LIBCMT ref: 004E7E22

Part of subcall function 0053AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0053AABC

SendMessageW.USER32(?,00000180,00000000,?), ref: 00538D6B

Strings

ComboBox, xrefs: 00538D0A
ListBox, xrefs: 00538D35

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: cc665d7dda9cbe7f9c7f3d0954e98a9e15ed46fa491d128a4cf49198f273675b
Instruction ID: c982a7fcac3d3f1c7cb0e49d12ab58b051d1bcf6578db2132336e08bd7001135
Opcode Fuzzy Hash: cc665d7dda9cbe7f9c7f3d0954e98a9e15ed46fa491d128a4cf49198f273675b
Instruction Fuzzy Hash: 4301F7B1A4520DABCF19EBE1CD56EFE7BA8EF15310F10041EB805632E2DE155E08D2B5

Function 00538D82 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004E7DE1: _memmove.LIBCMT ref: 004E7E22

Part of subcall function 0053AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0053AABC

SendMessageW.USER32(?,00000182,?,00000000), ref: 00538DEE

Strings

ComboBox, xrefs: 00538D8F
ListBox, xrefs: 00538DBA

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 02bc00b6438d0bb34b3275a035a579d0618824806b1db4d7c8fbd87cfde7beaf
Instruction ID: e9e8584634d802160a49e69ac2f7d31677a869b68f03f99eb84e9b6a31944806
Opcode Fuzzy Hash: 02bc00b6438d0bb34b3275a035a579d0618824806b1db4d7c8fbd87cfde7beaf
Instruction Fuzzy Hash: 010126B1A45209B7CF15EBA5CD46EFE7BACEF15310F10041AB805632D2DE254E08D276

Function 0053C4EB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0053C534

Part of subcall function 0053C816: _memmove.LIBCMT ref: 0053C860
Part of subcall function 0053C816: VariantInit.OLEAUT32(00000000), ref: 0053C882
Part of subcall function 0053C816: VariantCopy.OLEAUT32(00000000,?), ref: 0053C88C

VariantClear.OLEAUT32(?), ref: 0053C556

Strings

d}Y, xrefs: 0053C517

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Variant$Init$ClearCopy_memmove
String ID: d}Y
API String ID: 2932060187-951669765
Opcode ID: 9ee519b036b5c796a787c9f4d62a7f565bc6e504ee2bbcfd9ad0d160ca522b40
Instruction ID: 1c469e4f4701a7ee6d8d14b3c8e86a15532ef1fed51dd167947a9ca3b29587d4
Opcode Fuzzy Hash: 9ee519b036b5c796a787c9f4d62a7f565bc6e504ee2bbcfd9ad0d160ca522b40
Instruction Fuzzy Hash: C31152B18007089FCB10DF9AD88489AFBF8FF18314B50856FE58AD7611D770AA48CF90

Function 00544F28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00544F46
_wcscmp.LIBCMT ref: 00544F58

Strings

#32770, xrefs: 00544F52

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 051569fdc1f475d1b11d52b23512a95f37e28138f136a431633c843b2ed1a4b8
Instruction ID: 0918ccad4830a093de4a482f167c7ba749136932316e001aa7e42c8ecc2e3849
Opcode Fuzzy Hash: 051569fdc1f475d1b11d52b23512a95f37e28138f136a431633c843b2ed1a4b8
Instruction Fuzzy Hash: 13E0D13290422937D7109759AC49FA7FBECFB55B70F010157FD04D3151D5609A4987D0

Function 0051B2C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0051B314: _memset.LIBCMT ref: 0051B321

Part of subcall function 00500940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0051B2F0,?,?,?,004E100A), ref: 00500945

IsDebuggerPresent.KERNEL32(?,?,?,004E100A), ref: 0051B2F4
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,004E100A), ref: 0051B303

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0051B2FE

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 85d8a7b2507c5e3193d6191a64f687ed95b02308d20f0f821c33888adf51af20
Instruction ID: 2f0a1e7a71a399d6fb4efedffff01b60c4afae19c2f6931cc8cc97207ddb2941
Opcode Fuzzy Hash: 85d8a7b2507c5e3193d6191a64f687ed95b02308d20f0f821c33888adf51af20
Instruction Fuzzy Hash: 49E06D746007418BE720AF29E8087867EE8FF14304F008E2DE866C7640E7B4D488CBA1

Function 00537C74 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00537C82

Part of subcall function 00503358: _doexit.LIBCMT ref: 00503362

Strings

AutoIt, xrefs: 00537C76
Error allocating memory., xrefs: 00537C7B

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 0f9017a9d06bfe29137bf9d1ce2f80e13bd2ef5ed3b8a4d2d461135f0207144d
Instruction ID: 66307f1617845bae72b1dc99f8b587146be5c470932af9d6df00014b865c6d7f
Opcode Fuzzy Hash: 0f9017a9d06bfe29137bf9d1ce2f80e13bd2ef5ed3b8a4d2d461135f0207144d
Instruction Fuzzy Hash: 24D0C23238831C32D21132AAAC0BBCE2F4CAB04B52F000426FB08591D349D1488052E8

Function 00521935 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 00521775

Part of subcall function 0055BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,0052195E,?), ref: 0055BFFE
Part of subcall function 0055BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0055C010

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0052196D

Strings

WIN_XPe, xrefs: 00521788

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: 9153bda978fa048cff0b7d0e06a6e6724def93c48501c02d7b824e528bf880fd
Instruction ID: 887a5750d083e790e9d29560b53507a4c87c69c02918d11bbc34083e2f187650
Opcode Fuzzy Hash: 9153bda978fa048cff0b7d0e06a6e6724def93c48501c02d7b824e528bf880fd
Instruction Fuzzy Hash: D0F03070800019DFDB15DB65D988AED7BF8FF69301F180495E001A3090C7704F4ADF64

Function 00565964 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0056596E
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00565981

Part of subcall function 00545244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 005452BC

Strings

Shell_TrayWnd, xrefs: 00565967

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 3392a97f9b6c0f8f2820418052494ca667c1977d1480c663d1b31dab426fddcf
Instruction ID: 02700ac701fbe2661ff6f2ae28d7ded2cedcbde5988b572e44839f728eaedfde
Opcode Fuzzy Hash: 3392a97f9b6c0f8f2820418052494ca667c1977d1480c663d1b31dab426fddcf
Instruction Fuzzy Hash: DAD0A931784302B7E664AB30AC0FFE22A10BB21B00F000826B20AAB0D0D8E0A804C750

Function 00565998 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 005659AE
PostMessageW.USER32(00000000), ref: 005659B5

Part of subcall function 00545244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 005452BC

Strings

Shell_TrayWnd, xrefs: 005659A7

Memory Dump Source

Source File: 00000000.00000002.1730322383.00000000004E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000000.00000002.1730299027.00000000004E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.000000000056F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730370078.0000000000594000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730451758.000000000059E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1730473408.00000000005A7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e0000_EpH9QFlrm2.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 26d222a8030b373d48aff4fe729a71493752e2280f13d434301ee08255c87df2
Instruction ID: 9cb26d2974db6916217b16fc2d45937fcbf1506bae29ef3bfd731abfc869e92f
Opcode Fuzzy Hash: 26d222a8030b373d48aff4fe729a71493752e2280f13d434301ee08255c87df2
Instruction Fuzzy Hash: 64D0A9317803027BE664AB30AC0FFD22A10BB22B00F000826B206AB0D0D8E0A804C754

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report EpH9QFlrm2.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\aut75A6.tmp

C:\Users\user\AppData\Local\Temp\camellin

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Windows Analysis Report
EpH9QFlrm2.exe

Function 004E3B3A Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Function 004E49A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 004E4E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 00549155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 004E3015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Function 004E3041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 004E708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 004E3633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Function 004E3A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 004E3766 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Function 004EF76F Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Function 010D59D0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 004E39D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 010D5790 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 147
fileCOMMON

Function 004E407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre