Edit tour

Windows Analysis Report
8BzIVoQT3w.exe

Overview

General Information

Sample name:	8BzIVoQT3w.exe renamed because original name is a hash value
Original sample name:	97faf0ceacec7da5ae52ec7f892137b2337b9375c089668a0e601fd6e2ef9cf7.exe
Analysis ID:	1588125
MD5:	be5d768419369e33fdb2c5dc667e0b25
SHA1:	df725aae847c2c03325416dce56deacd2d01c4b8
SHA256:	97faf0ceacec7da5ae52ec7f892137b2337b9375c089668a0e601fd6e2ef9cf7
Tags:	AgentTeslaexeuser-adrian__luca
Infos:

Detection

AgentTesla, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AgentTesla

Yara detected PureLog Stealer

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Switches to a custom stack to bypass stack traces

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

8BzIVoQT3w.exe (PID: 3040 cmdline: "C:\Users\user\Desktop\8BzIVoQT3w.exe" MD5: BE5D768419369E33FDB2C5DC667E0B25)

RegSvcs.exe (PID: 7136 cmdline: "C:\Users\user\Desktop\8BzIVoQT3w.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

8BzIVoQT3w.exe (PID: 7088 cmdline: "C:\Users\user\Desktop\8BzIVoQT3w.exe" MD5: BE5D768419369E33FDB2C5DC667E0B25)

RegSvcs.exe (PID: 2544 cmdline: "C:\Users\user\Desktop\8BzIVoQT3w.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Host": "mail.mbarieservicesltd.com", "Username": "saless@mbarieservicesltd.com", "Password": "     *o9H+18Q4%;M     "}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.3423496604.0000000002E5B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2188832245.00000000038B0000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 0F 88 44 24 2B 88 44 24 2F B0 17 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
00000004.00000002.3422846282.00000000028BE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000004.00000002.3422846282.00000000028BE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000003.00000002.2227100024.0000000003A60000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 0F 88 44 24 2B 88 44 24 2F B0 17 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
00000004.00000002.3421919411.0000000000400000.00000040.80000000.00040000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 0F 88 44 24 2B 88 44 24 2F B0 17 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000004.00000002.3423292051.0000000002D00000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000004.00000002.3423292051.0000000002D00000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000004.00000002.3424519335.0000000003E01000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000004.00000002.3424519335.0000000003E01000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000004.00000002.3423194086.0000000002B80000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000004.00000002.3423194086.0000000002B80000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000004.00000002.3423496604.0000000002E01000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.3423496604.0000000002E01000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 2544	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 2544	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
decrypted.memstr	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
decrypted.memstr	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.RegSvcs.exe.28fe91e.2.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
4.2.RegSvcs.exe.28fe91e.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.8BzIVoQT3w.exe.3a60000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 0F 88 44 24 2B 88 44 24 2F B0 17 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
4.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 0F 88 44 24 2B 88 44 24 2F B0 17 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
4.2.RegSvcs.exe.2b80000.4.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
4.2.RegSvcs.exe.2b80000.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.8BzIVoQT3w.exe.38b0000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 0F 88 44 24 2B 88 44 24 2F B0 17 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
4.2.RegSvcs.exe.2b80ee8.3.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
4.2.RegSvcs.exe.2b80ee8.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.2d00000.5.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
4.2.RegSvcs.exe.2d00000.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.28fe91e.2.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
4.2.RegSvcs.exe.28fe91e.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.2d00000.5.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
4.2.RegSvcs.exe.2d00000.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.3e44790.6.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
4.2.RegSvcs.exe.3e44790.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.3e44790.6.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
4.2.RegSvcs.exe.3e44790.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.28ff806.1.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
4.2.RegSvcs.exe.28ff806.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.2b80000.4.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
4.2.RegSvcs.exe.2b80000.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 0F 88 44 24 2B 88 44 24 2F B0 17 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
4.2.RegSvcs.exe.28ff806.1.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
4.2.RegSvcs.exe.28ff806.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.2b80ee8.3.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
4.2.RegSvcs.exe.2b80ee8.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.3e06458.7.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
4.2.RegSvcs.exe.3e06458.7.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
4.2.RegSvcs.exe.3e06458.7.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
4.2.RegSvcs.exe.3e06458.7.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 27 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 199.79.62.115, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 2544, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49721

Suricata Signatures

ET MALWARE AgentTesla Exfil Via SMTP

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T21:38:20.989096+0100	2030171	1	A Network Trojan was detected	192.168.2.6	49721	199.79.62.115	587	TCP

ETPRO MALWARE Win32/Agent Tesla SMTP Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T21:38:20.989096+0100	2839723	1	Malware Command and Control Activity Detected	192.168.2.6	49721	199.79.62.115	587	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 4.2.RegSvcs.exe.28fe91e.2.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "mail.mbarieservicesltd.com", "Username": "saless@mbarieservicesltd.com", "Password": " *o9H+18Q4%;M "}

Multi AV Scanner detection for submitted file

Source: 8BzIVoQT3w.exe	Virustotal: Detection: 30%			Perma Link
Source: 8BzIVoQT3w.exe	ReversingLabs: Detection: 78%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 8BzIVoQT3w.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: /log.tmp
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: <br>[
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: yyyy-MM-dd HH:mm:ss
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: ]<br>
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: <br>
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Time:
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: MM/dd/yyyy HH:mm:ss
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: <br>User Name:
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: <br>Computer Name:
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: <br>OSFullName:
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: <br>CPU:
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: <br>RAM:
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: <br>
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: IP Address:
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: <br>
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: <hr>
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: New
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: MM/dd/yyyy HH:mm:ss
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: IP Address:
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: false
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: false
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: false
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: false
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: false
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: false
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: false
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: false
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: false
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: mail.mbarieservicesltd.com
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: saless@mbarieservicesltd.com
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: *o9H+18Q4%;M
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: iinfo@mbarieservicesltd.com
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: false
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: false
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: appdata
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: KTvkzEc
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: KTvkzEc.exe
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: KTvkzEc
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Type
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: <br>
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: <hr>
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: <br>
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: <b>[
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: ]</b> (
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: )<br>
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: {BACK}
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: {ALT+TAB}
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: {ALT+F4}
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: {TAB}
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: {ESC}
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: {Win}
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: {CAPSLOCK}
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: {KEYUP}
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: {KEYDOWN}
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: {KEYLEFT}
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: {KEYRIGHT}
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: {DEL}
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: {END}
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: {HOME}
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: {Insert}
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: {NumLock}
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: {PageDown}
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: {PageUp}
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: {ENTER}
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: {F1}
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: {F2}
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: {F3}
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: {F4}
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: {F5}
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: {F6}
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: {F7}
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: {F8}
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: {F9}
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: {F10}
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: {F11}
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: {F12}
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: control
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: {CTRL}
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: &
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: <
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: >
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: "
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: <br><hr>Copied Text: <br>
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: <hr>
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: logins
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: IE/Edge
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Windows Secure Note
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: 3CCD5499-87A8-4B10-A215-608888DD3B55
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Windows Web Password Credential
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: 154E23D0-C644-4E6F-8CE6-5069272F999F
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Windows Credential Picker Protector
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Web Credentials
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Windows Credentials
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Windows Domain Certificate Credential
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: 3E0E35BE-1B77-43E7-B873-AED901B6275B
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Windows Domain Password Credential
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Windows Extended Credential
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: 00000000-0000-0000-0000-000000000000
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: SchemaId
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: pResourceElement
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: pIdentityElement
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: pPackageSid
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: pAuthenticatorElement
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: IE/Edge
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: UC Browser
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: UCBrowser\
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Login Data
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: journal
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: wow_logins
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Safari for Windows
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: \Common Files\Apple\Apple Application Support\plutil.exe
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: \Apple Computer\Preferences\keychain.plist
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: <array>
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: <dict>
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: <string>
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: </string>
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: <string>
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: </string>
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: <data>
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: </data>
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: -convert xml1 -s -o "
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: \fixed_keychain.xml"
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: \Microsoft\Credentials\
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: \Microsoft\Credentials\
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: \Microsoft\Credentials\
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: \Microsoft\Credentials\
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: \Microsoft\Protect\
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: credential
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: QQ Browser
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Tencent\QQBrowser\User Data
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: \Default\EncryptedStorage
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Profile
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: \EncryptedStorage
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: entries
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: category
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Password
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: str3
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: str2
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: blob0
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: password_value
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: IncrediMail
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: PopPassword
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: SmtpPassword
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Software\IncrediMail\Identities\
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: \Accounts_New
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: PopPassword
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: SmtpPassword
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: SmtpServer
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: EmailAddress
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Eudora
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Software\Qualcomm\Eudora\CommandLine\
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: current
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Settings
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: SavePasswordText
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Settings
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: ReturnAddress
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Falkon Browser
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: \falkon\profiles\
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: profiles.ini
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: startProfile=([A-z0-9\/\.\"]+)
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: profiles.ini
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: \browsedata.db
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: autofill
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: ClawsMail
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: \Claws-mail
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: \clawsrc
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: \clawsrc
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: passkey0
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: master_passphrase_salt=(.+)
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: master_passphrase_pbkdf2_rounds=(.+)
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: \accountrc
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: smtp_server
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: address
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: account
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: \passwordstorerc
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: {(.),(.)}(.*)
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Flock Browser
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: APPDATA
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: \Flock\Browser\
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: signons3.txt
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: DynDns
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: ALLUSERSPROFILE
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Dyn\Updater\config.dyndns
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: username=
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: password=
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: https://account.dyn.com/
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: t6KzXhCh
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: ALLUSERSPROFILE
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Dyn\Updater\daemon.cfg
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: global
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: accounts
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: account.
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: username
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: account.
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: password
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Psi/Psi+
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: name
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: password
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Psi/Psi+
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: APPDATA
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: \Psi\profiles
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: APPDATA
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: \Psi+\profiles
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: \accounts.xml
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: \accounts.xml
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: OpenVPN
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Software\OpenVPN-GUI\configs
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Software\OpenVPN-GUI\configs
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Software\OpenVPN-GUI\configs\
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: username
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: auth-data
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: entropy
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: USERPROFILE
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: \OpenVPN\config\
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: remote
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: remote
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: NordVPN
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: NordVPN
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: NordVpn.exe*
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: user.config
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: //setting[@name='Username']/value
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: //setting[@name='Password']/value
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: NordVPN
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Private Internet Access
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: %ProgramW6432%
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Private Internet Access\data
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: ProgramFiles(x86)
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: \Private Internet Access\data
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: \account.json
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: ."username":"(.?)"
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: ."password":"(.?)"
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Private Internet Access
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: privateinternetaccess.com
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: FileZilla
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: APPDATA
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: \FileZilla\recentservers.xml
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: APPDATA
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: \FileZilla\recentservers.xml
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: <Server>
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: <Host>
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: <Host>
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: </Host>
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: <Port>
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: </Port>
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: <User>
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: <User>
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: </User>
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: <Pass encoding="base64">
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: <Pass encoding="base64">
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: </Pass>
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: <Pass>
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: <Pass encoding="base64">
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: </Pass>
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: CoreFTP
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: SOFTWARE\FTPWare\COREFTP\Sites
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: User
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Host
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Port
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: hdfzpysvpzimorhk
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: WinSCP
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: HostName
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: UserName
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Password
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: PublicKeyFile
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: PortNumber
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: [PRIVATE KEY LOCATION: "{0}"]
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: WinSCP
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: ABCDEF
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Flash FXP
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: port
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: user
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: pass
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: quick.dat
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Sites.dat
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: \FlashFXP\
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: \FlashFXP\
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: yA36zA48dEhfrvghGRg57h5UlDv3
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: FTP Navigator
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: SystemDrive
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: \FTP Navigator\Ftplist.txt
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Server
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Password
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: No Password
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: User
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: SmartFTP
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: APPDATA
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: SmartFTP\Client 2.0\Favorites\Quick Connect
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: WS_FTP
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: appdata
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Ipswitch\WS_FTP\Sites\ws_ftp.ini
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: HOST
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: PWD=
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: PWD=
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: FtpCommander
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: SystemDrive
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: \Program Files (x86)\FTP Commander Deluxe\Ftplist.txt
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: SystemDrive
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: \Program Files (x86)\FTP Commander\Ftplist.txt
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: SystemDrive
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: \cftp\Ftplist.txt
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: \VirtualStore\Program Files (x86)\FTP Commander\Ftplist.txt
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: \VirtualStore\Program Files (x86)\FTP Commander Deluxe\Ftplist.txt
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: ;Password=
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: ;User=
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: ;Server=
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: ;Port=
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: ;Port=
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: ;Password=
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: ;User=
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: ;Anonymous=
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: FTPGetter
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: \FTPGetter\servers.xml
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: <server>
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: <server_ip>
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: <server_ip>
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: </server_ip>
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: <server_port>
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: </server_port>
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: <server_user_name>
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: <server_user_name>
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: </server_user_name>
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: <server_user_password>
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: <server_user_password>
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: </server_user_password>
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: FTPGetter
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: The Bat!
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: appdata
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: \The Bat!
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: \Account.CFN
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: \Account.CFN
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: +-0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Becky!
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: HKEY_CURRENT_USER\Software\RimArts\B2\Settings
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: DataDir
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Folder.lst
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: \Mailbox.ini
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Account
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: PassWd
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Account
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: SMTPServer
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Account
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: MailAddress
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Becky!
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Outlook
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Email
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: IMAP Password
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: POP3 Password
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: HTTP Password
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: SMTP Password
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Email
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Email
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Email
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: IMAP Password
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: POP3 Password
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: HTTP Password
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: SMTP Password
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Server
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Windows Mail App
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: COMPlus_legacyCorruptedStateExceptionsPolicy
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Software\Microsoft\ActiveSync\Partners
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Email
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Server
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: SchemaId
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: pResourceElement
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: pIdentityElement
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: pPackageSid
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: pAuthenticatorElement
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: syncpassword
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: mailoutgoing
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: FoxMail
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: HKEY_CURRENT_USER\Software\Aerofox\FoxmailPreview
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Executable
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: HKEY_CURRENT_USER\Software\Aerofox\Foxmail\V3.1
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: FoxmailPath
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: \Storage\
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: \Storage\
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: \mail
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: \mail
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: \VirtualStore\Program Files\Foxmail\mail
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: \VirtualStore\Program Files\Foxmail\mail
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: \VirtualStore\Program Files (x86)\Foxmail\mail
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: \VirtualStore\Program Files (x86)\Foxmail\mail
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: \Accounts\Account.rec0
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: \Accounts\Account.rec0
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: \Account.stg
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: \Account.stg
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: POP3Host
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: SMTPHost
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: IncomingServer
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Account
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: MailAddress
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Password
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: POP3Password
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Opera Mail
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: \Opera Mail\Opera Mail\wand.dat
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: \Opera Mail\Opera Mail\wand.dat
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: opera:
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: abcdefghijklmnopqrstuvwxyz1234567890_-.~!@#$%^&*()[{]}\\|';:,<>/?+=
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: PocoMail
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: appdata
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: \Pocomail\accounts.ini
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Email
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: POPPass
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: SMTPPass
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: SMTP
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: eM Client
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: eM Client\accounts.dat
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: eM Client
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Accounts
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: "Username":"
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: "Secret":"
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: 72905C47-F4FD-4CF7-A489-4E8121A155BD
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: "ProviderName":"
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: o6806642kbM7c5
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Mailbird
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: SenderIdentities
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Accounts
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: \Mailbird\Store\Store.db
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Server_Host
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Accounts
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Email
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Username
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: EncryptedPassword
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Mailbird
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: RealVNC 4.x
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: SOFTWARE\Wow6432Node\RealVNC\WinVNC4
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Password
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: RealVNC 3.x
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: SOFTWARE\RealVNC\vncserver
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Password
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: RealVNC 4.x
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: SOFTWARE\RealVNC\WinVNC4
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Password
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: RealVNC 3.x
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Software\ORL\WinVNC3
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Password
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: TightVNC
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Software\TightVNC\Server
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Password
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: TightVNC
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Software\TightVNC\Server
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: PasswordViewOnly
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: TightVNC ControlPassword
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Software\TightVNC\Server
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: ControlPassword
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: TigerVNC
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Software\TigerVNC\Server
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Password
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: UltraVNC
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: ProgramFiles(x86)
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: passwd
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: UltraVNC
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: ProgramFiles(x86)
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: passwd2
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: UltraVNC
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: ProgramFiles
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: passwd
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: UltraVNC
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: ProgramFiles
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: passwd2
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: UltraVNC
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: ProgramFiles
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: passwd
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: UltraVNC
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: ProgramFiles
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: passwd2
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: UltraVNC
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: ProgramFiles(x86)
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: passwd
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: UltraVNC
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: ProgramFiles(x86)
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: passwd2
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: JDownloader 2.0
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: JDownloader 2.0\cfg
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: org.jdownloader.settings.AccountSettings.accounts.ejs
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: JDownloader 2.0\cfg
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: jd.controlling.authentication.AuthenticationControllerSettings.list.ejs
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Paltalk
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: Software\A.V.M.\Paltalk NG\common_settings\core\users\creds\
Source: 4.2.RegSvcs.exe.28fe91e.2.unpack	String decryptor: nickname

Source: 8BzIVoQT3w.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: _.pdb source: RegSvcs.exe, 00000004.00000002.3422846282.00000000028BE000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3424519335.0000000003E01000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3423194086.0000000002B80000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: 8BzIVoQT3w.exe, 00000000.00000003.2186740754.0000000003AA0000.00000004.00001000.00020000.00000000.sdmp, 8BzIVoQT3w.exe, 00000000.00000003.2186573824.0000000003900000.00000004.00001000.00020000.00000000.sdmp, 8BzIVoQT3w.exe, 00000003.00000003.2214564147.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, 8BzIVoQT3w.exe, 00000003.00000003.2212763687.0000000003C50000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 8BzIVoQT3w.exe, 00000000.00000003.2186740754.0000000003AA0000.00000004.00001000.00020000.00000000.sdmp, 8BzIVoQT3w.exe, 00000000.00000003.2186573824.0000000003900000.00000004.00001000.00020000.00000000.sdmp, 8BzIVoQT3w.exe, 00000003.00000003.2214564147.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, 8BzIVoQT3w.exe, 00000003.00000003.2212763687.0000000003C50000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Code function: 0_2_00EC445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00EC445A
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Code function: 0_2_00ECC6D1 FindFirstFileW,FindClose,	0_2_00ECC6D1
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Code function: 0_2_00ECC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00ECC75C
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Code function: 0_2_00ECEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00ECEF95
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Code function: 0_2_00ECF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00ECF0F2
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Code function: 0_2_00ECF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00ECF3F3
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Code function: 0_2_00EC37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00EC37EF
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Code function: 0_2_00EC3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00EC3B12
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Code function: 0_2_00ECBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00ECBCBC

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.6:49721 -> 199.79.62.115:587
Source: Network traffic	Suricata IDS: 2839723 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla SMTP Activity : 192.168.2.6:49721 -> 199.79.62.115:587

Source: global traffic

TCP traffic: 192.168.2.6:49721 -> 199.79.62.115:587

Source: Joe Sandbox View

IP Address: 199.79.62.115 199.79.62.115

Source: Joe Sandbox View

ASN Name: PUBLIC-DOMAIN-REGISTRYUS PUBLIC-DOMAIN-REGISTRYUS

Source: global traffic

TCP traffic: 192.168.2.6:49721 -> 199.79.62.115:587

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\8BzIVoQT3w.exe

Code function: 0_2_00ED22EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00ED22EE

Source: global traffic

DNS traffic detected: DNS query: mail.mbarieservicesltd.com

Source: RegSvcs.exe, 00000004.00000002.3423496604.0000000002E5B000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: http://mail.mbarieservicesltd.com

Source: C:\Users\user\Desktop\8BzIVoQT3w.exe

Code function: 0_2_00ED4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00ED4164

Source: C:\Users\user\Desktop\8BzIVoQT3w.exe

Code function: 0_2_00ED4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00ED4164

Source: C:\Users\user\Desktop\8BzIVoQT3w.exe

Code function: 0_2_00ED3F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00ED3F66

Source: C:\Users\user\Desktop\8BzIVoQT3w.exe

Code function: 0_2_00EC001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00EC001C

Source: C:\Users\user\Desktop\8BzIVoQT3w.exe

Code function: 0_2_00EECABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00EECABC

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.8BzIVoQT3w.exe.3a60000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.8BzIVoQT3w.exe.38b0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 4.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000000.00000002.2188832245.00000000038B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000003.00000002.2227100024.0000000003A60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000004.00000002.3421919411.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00E63B3A
Source: 8BzIVoQT3w.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: 8BzIVoQT3w.exe, 00000000.00000000.2148912567.0000000000F14000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_ef98415d-d
Source: 8BzIVoQT3w.exe, 00000000.00000000.2148912567.0000000000F14000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_01e50664-5
Source: 8BzIVoQT3w.exe, 00000003.00000002.2226291167.0000000000F14000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_fcb2c8be-b
Source: 8BzIVoQT3w.exe, 00000003.00000002.2226291167.0000000000F14000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_a97bcf1e-c
Source: 8BzIVoQT3w.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_a4a2158d-b
Source: 8BzIVoQT3w.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_e63cccca-3

Source: C:\Users\user\Desktop\8BzIVoQT3w.exe

Code function: 0_2_00ECA1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_00ECA1EF

Source: C:\Users\user\Desktop\8BzIVoQT3w.exe

Code function: 0_2_00EB8310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00EB8310

Source: C:\Users\user\Desktop\8BzIVoQT3w.exe

Code function: 0_2_00EC51BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00EC51BD

Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Code function: 0_2_00E6E6A0	0_2_00E6E6A0
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Code function: 0_2_00E8D975	0_2_00E8D975
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Code function: 0_2_00E6FCE0	0_2_00E6FCE0
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Code function: 0_2_00E821C5	0_2_00E821C5
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Code function: 0_2_00E962D2	0_2_00E962D2
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Code function: 0_2_00EE03DA	0_2_00EE03DA
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Code function: 0_2_00E9242E	0_2_00E9242E
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Code function: 0_2_00E825FA	0_2_00E825FA
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Code function: 0_2_00E766E1	0_2_00E766E1
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Code function: 0_2_00EBE616	0_2_00EBE616
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Code function: 0_2_00E9878F	0_2_00E9878F
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Code function: 0_2_00EC8889	0_2_00EC8889
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Code function: 0_2_00E96844	0_2_00E96844
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Code function: 0_2_00EE0857	0_2_00EE0857
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Code function: 0_2_00E78808	0_2_00E78808
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Code function: 0_2_00E8CB21	0_2_00E8CB21
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Code function: 0_2_00E96DB6	0_2_00E96DB6
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Code function: 0_2_00E76F9E	0_2_00E76F9E
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Code function: 0_2_00E73030	0_2_00E73030
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Code function: 0_2_00E8F1D9	0_2_00E8F1D9
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Code function: 0_2_00E83187	0_2_00E83187
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Code function: 0_2_00E61287	0_2_00E61287
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Code function: 0_2_00E81484	0_2_00E81484
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Code function: 0_2_00E75520	0_2_00E75520
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Code function: 0_2_00E87696	0_2_00E87696
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Code function: 0_2_00E75760	0_2_00E75760
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Code function: 0_2_00E81978	0_2_00E81978
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Code function: 0_2_00E99AB5	0_2_00E99AB5
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Code function: 0_2_00EE7DDB	0_2_00EE7DDB
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Code function: 0_2_00E8BDA6	0_2_00E8BDA6
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Code function: 0_2_00E81D90	0_2_00E81D90
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Code function: 0_2_00E73FE0	0_2_00E73FE0
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Code function: 0_2_00E6DF00	0_2_00E6DF00
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Code function: 0_2_010BDCC8	0_2_010BDCC8
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Code function: 3_2_0125F258	3_2_0125F258
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00408C60	4_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0040DC11	4_2_0040DC11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00407C3F	4_2_00407C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00418CCC	4_2_00418CCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00406CA0	4_2_00406CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_004028B0	4_2_004028B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0041A4BE	4_2_0041A4BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00418244	4_2_00418244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00401650	4_2_00401650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00402F20	4_2_00402F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_004193C4	4_2_004193C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00418788	4_2_00418788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00402F89	4_2_00402F89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00402B90	4_2_00402B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_004073A0	4_2_004073A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0269D0F8	4_2_0269D0F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0269DD10	4_2_0269DD10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0269D440	4_2_0269D440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_02691021	4_2_02691021
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_02691030	4_2_02691030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_02DDE3A0	4_2_02DDE3A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_02DD0270	4_2_02DD0270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_02DD0261	4_2_02DD0261
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_02DDC6B0	4_2_02DDC6B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_06478610	4_2_06478610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_06478E38	4_2_06478E38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0647C8A0	4_2_0647C8A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_064B2B20	4_2_064B2B20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_064B0040	4_2_064B0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_064BCC08	4_2_064BCC08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_064BA5D8	4_2_064BA5D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_064B95D0	4_2_064B95D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_064BE990	4_2_064BE990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_064B32A8	4_2_064B32A8

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0040E1D8 appears 44 times
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Code function: String function: 00E80AE3 appears 70 times
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Code function: String function: 00E67DE1 appears 35 times
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Code function: String function: 00E88900 appears 42 times

Source: 8BzIVoQT3w.exe, 00000000.00000002.2188832245.00000000038B0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7b99aba2-3c62-4861-97de-170caa2c3039.exe4 vs 8BzIVoQT3w.exe
Source: 8BzIVoQT3w.exe, 00000000.00000003.2187241231.0000000003BCD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 8BzIVoQT3w.exe
Source: 8BzIVoQT3w.exe, 00000000.00000003.2187094448.0000000003A23000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 8BzIVoQT3w.exe
Source: 8BzIVoQT3w.exe, 00000003.00000003.2212279848.0000000003D7D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 8BzIVoQT3w.exe
Source: 8BzIVoQT3w.exe, 00000003.00000003.2213649365.0000000003C23000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 8BzIVoQT3w.exe
Source: 8BzIVoQT3w.exe, 00000003.00000002.2227100024.0000000003A60000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7b99aba2-3c62-4861-97de-170caa2c3039.exe4 vs 8BzIVoQT3w.exe

Source: 8BzIVoQT3w.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 3.2.8BzIVoQT3w.exe.3a60000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.8BzIVoQT3w.exe.38b0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 4.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000000.00000002.2188832245.00000000038B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000003.00000002.2227100024.0000000003A60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000004.00000002.3421919411.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/3@1/1

Source: C:\Users\user\Desktop\8BzIVoQT3w.exe

Code function: 0_2_00ECA06A GetLastError,FormatMessageW,

0_2_00ECA06A

Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Code function: 0_2_00EB81CB AdjustTokenPrivileges,CloseHandle,		0_2_00EB81CB
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Code function: 0_2_00EB87E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00EB87E1

Source: C:\Users\user\Desktop\8BzIVoQT3w.exe

Code function: 0_2_00ECB3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00ECB3FB

Source: C:\Users\user\Desktop\8BzIVoQT3w.exe

Code function: 0_2_00EDEE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00EDEE0D

Source: C:\Users\user\Desktop\8BzIVoQT3w.exe

Code function: 0_2_00ED83BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_00ED83BB

Source: C:\Users\user\Desktop\8BzIVoQT3w.exe

Code function: 0_2_00E64E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00E64E89

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\8BzIVoQT3w.exe

File created: C:\Users\user\AppData\Local\Temp\aut3BC1.tmp

Jump to behavior

Source: 8BzIVoQT3w.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\8BzIVoQT3w.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 8BzIVoQT3w.exe	Virustotal: Detection: 30%
Source: 8BzIVoQT3w.exe	ReversingLabs: Detection: 78%

Source: unknown	Process created: C:\Users\user\Desktop\8BzIVoQT3w.exe "C:\Users\user\Desktop\8BzIVoQT3w.exe"
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\8BzIVoQT3w.exe"
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Process created: C:\Users\user\Desktop\8BzIVoQT3w.exe "C:\Users\user\Desktop\8BzIVoQT3w.exe"
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\8BzIVoQT3w.exe"
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\8BzIVoQT3w.exe"	Jump to behavior
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Process created: C:\Users\user\Desktop\8BzIVoQT3w.exe "C:\Users\user\Desktop\8BzIVoQT3w.exe"	Jump to behavior
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\8BzIVoQT3w.exe"	Jump to behavior

Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Section loaded: ntmarta.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: 8BzIVoQT3w.exe

Static file information: File size 1180160 > 1048576

Source: 8BzIVoQT3w.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 8BzIVoQT3w.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 8BzIVoQT3w.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 8BzIVoQT3w.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 8BzIVoQT3w.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 8BzIVoQT3w.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 8BzIVoQT3w.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: _.pdb source: RegSvcs.exe, 00000004.00000002.3422846282.00000000028BE000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3424519335.0000000003E01000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.3423194086.0000000002B80000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: 8BzIVoQT3w.exe, 00000000.00000003.2186740754.0000000003AA0000.00000004.00001000.00020000.00000000.sdmp, 8BzIVoQT3w.exe, 00000000.00000003.2186573824.0000000003900000.00000004.00001000.00020000.00000000.sdmp, 8BzIVoQT3w.exe, 00000003.00000003.2214564147.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, 8BzIVoQT3w.exe, 00000003.00000003.2212763687.0000000003C50000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 8BzIVoQT3w.exe, 00000000.00000003.2186740754.0000000003AA0000.00000004.00001000.00020000.00000000.sdmp, 8BzIVoQT3w.exe, 00000000.00000003.2186573824.0000000003900000.00000004.00001000.00020000.00000000.sdmp, 8BzIVoQT3w.exe, 00000003.00000003.2214564147.0000000003B00000.00000004.00001000.00020000.00000000.sdmp, 8BzIVoQT3w.exe, 00000003.00000003.2212763687.0000000003C50000.00000004.00001000.00020000.00000000.sdmp

Source: 8BzIVoQT3w.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 8BzIVoQT3w.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 8BzIVoQT3w.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 8BzIVoQT3w.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 8BzIVoQT3w.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\8BzIVoQT3w.exe

Code function: 0_2_00E64B37 LoadLibraryA,GetProcAddress,

0_2_00E64B37

Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Code function: 0_2_00E88945 push ecx; ret	0_2_00E88958
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0041C40C push cs; iretd	4_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00423149 push eax; ret	4_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0041C50E push cs; iretd	4_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_004231C8 push eax; ret	4_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0040E21D push ecx; ret	4_2_0040E230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0041C6BE push ebx; ret	4_2_0041C6BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_02694F62 push eax; ret	4_2_02694F65
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_02694F8B push ss; ret	4_2_02694F9F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_02DDF4D7 push esp; retf 059Dh	4_2_02DDF79D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_064730F8 push eax; iretd	4_2_064730F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_064B3C73 push 5DFC1E4Fh; ret	4_2_064B3C89

Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Code function: 0_2_00E648D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00E648D7
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Code function: 0_2_00EE5376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00EE5376

Source: C:\Users\user\Desktop\8BzIVoQT3w.exe

Code function: 0_2_00E83187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00E83187

Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	API/Special instruction interceptor: Address: 10BD8EC
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	API/Special instruction interceptor: Address: 125EE7C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 4_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,

4_2_004019F0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1303			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 2806			Jump to behavior

Source: C:\Users\user\Desktop\8BzIVoQT3w.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-105858

Source: C:\Users\user\Desktop\8BzIVoQT3w.exe

API coverage: 4.6 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Code function: 0_2_00EC445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00EC445A
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Code function: 0_2_00ECC6D1 FindFirstFileW,FindClose,	0_2_00ECC6D1
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Code function: 0_2_00ECC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00ECC75C
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Code function: 0_2_00ECEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00ECEF95
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Code function: 0_2_00ECF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00ECF0F2
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Code function: 0_2_00ECF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00ECF3F3
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Code function: 0_2_00EC37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00EC37EF
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Code function: 0_2_00EC3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00EC3B12
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Code function: 0_2_00ECBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00ECBCBC

Source: C:\Users\user\Desktop\8BzIVoQT3w.exe

Code function: 0_2_00E649A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00E649A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99421	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99008	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98767	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98141	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98016	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: RegSvcs.exe, 00000004.00000002.3422293298.0000000000CCC000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	API call chain: ExitProcess graph end node	graph_0-104301
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	API call chain: ExitProcess graph end node	graph_0-104375
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\8BzIVoQT3w.exe

Code function: 0_2_00ED3F09 BlockInput,

0_2_00ED3F09

Source: C:\Users\user\Desktop\8BzIVoQT3w.exe

Code function: 0_2_00E63B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00E63B3A

Source: C:\Users\user\Desktop\8BzIVoQT3w.exe

Code function: 0_2_00E95A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00E95A7C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

4_2_004019F0

Source: C:\Users\user\Desktop\8BzIVoQT3w.exe

Code function: 0_2_00E64B37 LoadLibraryA,GetProcAddress,

0_2_00E64B37

Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Code function: 0_2_010BC4D8 mov eax, dword ptr fs:[00000030h]	0_2_010BC4D8
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Code function: 0_2_010BDB58 mov eax, dword ptr fs:[00000030h]	0_2_010BDB58
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Code function: 0_2_010BDBB8 mov eax, dword ptr fs:[00000030h]	0_2_010BDBB8
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Code function: 3_2_0125F0E8 mov eax, dword ptr fs:[00000030h]	3_2_0125F0E8
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Code function: 3_2_0125DA68 mov eax, dword ptr fs:[00000030h]	3_2_0125DA68
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Code function: 3_2_0125F148 mov eax, dword ptr fs:[00000030h]	3_2_0125F148

Source: C:\Users\user\Desktop\8BzIVoQT3w.exe

Code function: 0_2_00EB80A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_00EB80A9

Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Code function: 0_2_00E8A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00E8A155
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Code function: 0_2_00E8A124 SetUnhandledExceptionFilter,	0_2_00E8A124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_0040CE09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_0040E61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00416F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_004123F1 SetUnhandledExceptionFilter,	4_2_004123F1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\8BzIVoQT3w.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\8BzIVoQT3w.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 930008

Jump to behavior

Source: C:\Users\user\Desktop\8BzIVoQT3w.exe

Code function: 0_2_00EB87B1 LogonUserW,

0_2_00EB87B1

Source: C:\Users\user\Desktop\8BzIVoQT3w.exe

Code function: 0_2_00E63B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00E63B3A

Source: C:\Users\user\Desktop\8BzIVoQT3w.exe

Code function: 0_2_00E648D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00E648D7

Source: C:\Users\user\Desktop\8BzIVoQT3w.exe

Code function: 0_2_00EC4C7F mouse_event,

0_2_00EC4C7F

Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\8BzIVoQT3w.exe"			Jump to behavior
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\8BzIVoQT3w.exe"			Jump to behavior

Source: C:\Users\user\Desktop\8BzIVoQT3w.exe

Code function: 0_2_00EB7CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00EB7CAF

Source: C:\Users\user\Desktop\8BzIVoQT3w.exe

Code function: 0_2_00EB874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00EB874B

Source: 8BzIVoQT3w.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: 8BzIVoQT3w.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\8BzIVoQT3w.exe

Code function: 0_2_00E8862B cpuid

0_2_00E8862B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: GetLocaleInfoA,

4_2_00417A20

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\8BzIVoQT3w.exe

Code function: 0_2_00E94E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00E94E87

Source: C:\Users\user\Desktop\8BzIVoQT3w.exe

Code function: 0_2_00EA1E06 GetUserNameW,

0_2_00EA1E06

Source: C:\Users\user\Desktop\8BzIVoQT3w.exe

Code function: 0_2_00E93F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00E93F3A

Source: C:\Users\user\Desktop\8BzIVoQT3w.exe

Code function: 0_2_00E649A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00E649A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 00000004.00000002.3423496604.0000000002E5B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3423496604.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2544, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 4.2.RegSvcs.exe.28fe91e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2b80000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2b80ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2d00000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.28fe91e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2d00000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3e44790.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3e44790.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.28ff806.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2b80000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.28ff806.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2b80ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3e06458.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3e06458.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3422846282.00000000028BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3423292051.0000000002D00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3424519335.0000000003E01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3423194086.0000000002B80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: 4.2.RegSvcs.exe.28fe91e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2b80000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2b80ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2d00000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.28fe91e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2d00000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3e44790.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3e44790.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.28ff806.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2b80000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.28ff806.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2b80ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3e06458.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3e06458.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3422846282.00000000028BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3423292051.0000000002D00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3424519335.0000000003E01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3423194086.0000000002B80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: 8BzIVoQT3w.exe	Binary or memory string: WIN_81
Source: 8BzIVoQT3w.exe	Binary or memory string: WIN_XP
Source: 8BzIVoQT3w.exe	Binary or memory string: WIN_XPe
Source: 8BzIVoQT3w.exe	Binary or memory string: WIN_VISTA
Source: 8BzIVoQT3w.exe	Binary or memory string: WIN_7
Source: 8BzIVoQT3w.exe	Binary or memory string: WIN_8
Source: 8BzIVoQT3w.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 00000004.00000002.3423496604.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2544, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 00000004.00000002.3423496604.0000000002E5B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3423496604.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2544, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 4.2.RegSvcs.exe.28fe91e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2b80000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2b80ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2d00000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.28fe91e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2d00000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3e44790.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3e44790.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.28ff806.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2b80000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.28ff806.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2b80ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3e06458.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3e06458.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3422846282.00000000028BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3423292051.0000000002D00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3424519335.0000000003E01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3423194086.0000000002B80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: 4.2.RegSvcs.exe.28fe91e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2b80000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2b80ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2d00000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.28fe91e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2d00000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3e44790.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3e44790.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.28ff806.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2b80000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.28ff806.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.2b80ee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3e06458.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3e06458.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3422846282.00000000028BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3423292051.0000000002D00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3424519335.0000000003E01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3423194086.0000000002B80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Code function: 0_2_00ED6283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00ED6283
Source: C:\Users\user\Desktop\8BzIVoQT3w.exe	Code function: 0_2_00ED6747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00ED6747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	2 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	2 Obfuscated Files or Information	1 Credentials in Registry	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	148 System Information Discovery	Distributed Component Object Model	21 Input Capture	1 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	2 Valid Accounts	LSA Secrets	251 Security Software Discovery	SSH	3 Clipboard Data	11 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	121 Virtualization/Sandbox Evasion	Cached Domain Credentials	121 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	212 Process Injection	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
8BzIVoQT3w.exe	31%	Virustotal		Browse
8BzIVoQT3w.exe	79%	ReversingLabs	Win32.Trojan.AutoitInject
8BzIVoQT3w.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://mail.mbarieservicesltd.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mail.mbarieservicesltd.com	199.79.62.115	true	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://mail.mbarieservicesltd.com	RegSvcs.exe, 00000004.00000002.3423496604.0000000002E5B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
199.79.62.115	mail.mbarieservicesltd.com	United States		394695	PUBLIC-DOMAIN-REGISTRYUS	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588125
Start date and time:	2025-01-10 21:37:31 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	8BzIVoQT3w.exe renamed because original name is a hash value
Original Sample Name:	97faf0ceacec7da5ae52ec7f892137b2337b9375c089668a0e601fd6e2ef9cf7.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/3@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 52 Number of non-executed functions: 277
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.175.87.197
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:38:34	API Interceptor	19x Sleep call for process: RegSvcs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
199.79.62.115	EpH9QFlrm2.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	PO23100076.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse
	Quote_8714.exe	Get hash	malicious	AgentTesla	Browse
	PO82200487.exe	Get hash	malicious	AgentTesla	Browse
	ORDER#023_2024.exe	Get hash	malicious	AgentTesla	Browse
	QFEWElNtpn.exe	Get hash	malicious	AgentTesla	Browse
	SoA_14000048_002.exe	Get hash	malicious	AgentTesla	Browse
	Quote 000002320.exe	Get hash	malicious	AgentTesla	Browse
	LPO-2024-357.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	Quote5000AFC.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
mail.mbarieservicesltd.com	EpH9QFlrm2.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	199.79.62.115
	PO23100076.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	199.79.62.115
	Quote_8714.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	PO82200487.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	ORDER#023_2024.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	QFEWElNtpn.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	SoA_14000048_002.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	Quote 000002320.exe	Get hash	malicious	AgentTesla	Browse	199.79.62.115
	LPO-2024-357.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	199.79.62.115
	Quote5000AFC.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	199.79.62.115

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
PUBLIC-DOMAIN-REGISTRYUS	EpH9QFlrm2.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	199.79.62.115
	PO#17971.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	208.91.199.223
	Copy shipping docs PO EV1786 LY ECO PAK EV1.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	208.91.199.223
	PO23100076.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	199.79.62.115
	ENQ-0092025.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	208.91.198.176
	document pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.225
	yxU3AgeVTi.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	208.91.198.176
	ITT # KRPBV2663 .doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	208.91.198.176
	http://www.technoafriwave.rw	Get hash	malicious	Unknown	Browse	207.174.214.183
	W2k2NLSvja.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	208.91.199.115

Process:	C:\Users\user\Desktop\8BzIVoQT3w.exe
File Type:	data
Category:	dropped
Size (bytes):	266240
Entropy (8bit):	7.913974220444872
Encrypted:	false
SSDEEP:	3072:3feE+2FIfxs8zhQM3NLbhtwUgymUB/Y1U0Lcg6vD7fkMc7pVmuxjQw2TudDQArh6:3WE+2/ofNbw/319C8BDjJvFQTlaLgaaP
MD5:	033620F08D0836C8E6A0FC594EF048E5
SHA1:	B91121FE40A7C88E92BBCFBB1760E4CC60F7FB5C
SHA-256:	A57293D52D30C5612C469BA3B536A6D915DB30EFC8CB9B7FF743D23A7F8FBEC3
SHA-512:	B336D26D4ABDDB66F75CF00B98AF2FCE6143CB05D0C25491875846012F0B1E618562439BCA97C5BBB79704E2C66D242192E2BFB8A98785994C7D5F8A5C63EBCC
Malicious:	false
Reputation:	low
Preview:	}..ST1OLWID8..F5.BT1EL5Z.9PAKJ0KJSW1OLSID8RVF5XBT1EL5ZK9PAKJ.KJSY..BS.M.s.Gy.c.Y,?.9V73'.(+=9^;l1,dJ'8f\6b.~.lX5/\~LF@.KJSW1OL;Y..~'.Kt3.Oi=.$y./?t;.5A..Od=.7hI.(.D.<f.+2)+.Gbb"4.:.-e.42~8.F.?%]t3.OEL5ZK9PAKJ0KJSW1&v.*D8RV.pXB.0ALA.KiPAKJ0KJS.1lMXHM8R.G5X6V1EL5Zd.PAKZ0KJ.V1OL.ID(RVF7XBQ1EL5ZK9UAKJ0KJSWaKLSMD8.mD5ZBT.EL%ZK)PAKJ KJCW1OLSIT8RVF5XBT1EL.OI9.AKJ0+HS+.NLSID8RVF5XBT1EL5ZK9PAKJ0K..V1SLSID8RVF5XBT1EL5ZK9PAKJ0KJS.<ML.ID8RVF5XBT1E.4Z.8PAKJ0KJSW1OLSID8RVF5XBT1EL...A$AKJ(.KSW!OLS.E8RRF5XBT1EL5ZK9PAkJ0+d!3P;-SI.URVF.YBT_EL5.J9PAKJ0KJSW1OL.IDx\|2'A9BT1.\|5ZK.RAK\0KJYU1OLSID8RVF5XB.1E..(8K3AKJL.KSWQMLS.E8RvD5XBT1EL5ZK9PA.J0.JSW1OLSID8RVF5XBT1EL5ZK9PAKJ0KJSW1OLSID8RVF5XBT1EL5ZK9PAKJ0KJSW1OLSID8RVF5XBT1EL5ZK9PAKJ0KJSW1OLSID8RVF5XBT1EL5ZK9PAKJ0KJSW1OLSID8RVF5XBT1EL5ZK9PAKJ0KJSW1OLSID8RVF5XBT1EL5ZK9PAKJ0KJSW1OLSID8RVF5XBT1EL5ZK9PAKJ0KJSW1OLSID8RVF5XBT1EL5ZK9PAKJ0KJSW1OLSID8RVF5XBT1EL5ZK9PAKJ0KJSW1OLSID8RVF5XBT1EL5ZK9PAKJ0KJSW1OLSID8RVF5XBT1EL5ZK9PAKJ0KJSW1OLSID8RVF5XBT1EL5ZK9PAKJ0KJSW1OLSI

C:\Users\user\AppData\Local\Temp\aut4AB5.tmp

Download File

Process:	C:\Users\user\Desktop\8BzIVoQT3w.exe
File Type:	data
Category:	dropped
Size (bytes):	266240
Entropy (8bit):	7.913974220444872
Encrypted:	false
SSDEEP:	3072:3feE+2FIfxs8zhQM3NLbhtwUgymUB/Y1U0Lcg6vD7fkMc7pVmuxjQw2TudDQArh6:3WE+2/ofNbw/319C8BDjJvFQTlaLgaaP
MD5:	033620F08D0836C8E6A0FC594EF048E5
SHA1:	B91121FE40A7C88E92BBCFBB1760E4CC60F7FB5C
SHA-256:	A57293D52D30C5612C469BA3B536A6D915DB30EFC8CB9B7FF743D23A7F8FBEC3
SHA-512:	B336D26D4ABDDB66F75CF00B98AF2FCE6143CB05D0C25491875846012F0B1E618562439BCA97C5BBB79704E2C66D242192E2BFB8A98785994C7D5F8A5C63EBCC
Malicious:	false
Reputation:	low
Preview:	}..ST1OLWID8..F5.BT1EL5Z.9PAKJ0KJSW1OLSID8RVF5XBT1EL5ZK9PAKJ.KJSY..BS.M.s.Gy.c.Y,?.9V73'.(+=9^;l1,dJ'8f\6b.~.lX5/\~LF@.KJSW1OL;Y..~'.Kt3.Oi=.$y./?t;.5A..Od=.7hI.(.D.<f.+2)+.Gbb"4.:.-e.42~8.F.?%]t3.OEL5ZK9PAKJ0KJSW1&v.*D8RV.pXB.0ALA.KiPAKJ0KJS.1lMXHM8R.G5X6V1EL5Zd.PAKZ0KJ.V1OL.ID(RVF7XBQ1EL5ZK9UAKJ0KJSWaKLSMD8.mD5ZBT.EL%ZK)PAKJ KJCW1OLSIT8RVF5XBT1EL.OI9.AKJ0+HS+.NLSID8RVF5XBT1EL5ZK9PAKJ0K..V1SLSID8RVF5XBT1EL5ZK9PAKJ0KJS.<ML.ID8RVF5XBT1E.4Z.8PAKJ0KJSW1OLSID8RVF5XBT1EL...A$AKJ(.KSW!OLS.E8RRF5XBT1EL5ZK9PAkJ0+d!3P;-SI.URVF.YBT_EL5.J9PAKJ0KJSW1OL.IDx\|2'A9BT1.\|5ZK.RAK\0KJYU1OLSID8RVF5XB.1E..(8K3AKJL.KSWQMLS.E8RvD5XBT1EL5ZK9PA.J0.JSW1OLSID8RVF5XBT1EL5ZK9PAKJ0KJSW1OLSID8RVF5XBT1EL5ZK9PAKJ0KJSW1OLSID8RVF5XBT1EL5ZK9PAKJ0KJSW1OLSID8RVF5XBT1EL5ZK9PAKJ0KJSW1OLSID8RVF5XBT1EL5ZK9PAKJ0KJSW1OLSID8RVF5XBT1EL5ZK9PAKJ0KJSW1OLSID8RVF5XBT1EL5ZK9PAKJ0KJSW1OLSID8RVF5XBT1EL5ZK9PAKJ0KJSW1OLSID8RVF5XBT1EL5ZK9PAKJ0KJSW1OLSID8RVF5XBT1EL5ZK9PAKJ0KJSW1OLSID8RVF5XBT1EL5ZK9PAKJ0KJSW1OLSID8RVF5XBT1EL5ZK9PAKJ0KJSW1OLSI

C:\Users\user\AppData\Local\Temp\bothsidedness

Download File

Process:	C:\Users\user\Desktop\8BzIVoQT3w.exe
File Type:	data
Category:	dropped
Size (bytes):	266240
Entropy (8bit):	7.913974220444872
Encrypted:	false
SSDEEP:	3072:3feE+2FIfxs8zhQM3NLbhtwUgymUB/Y1U0Lcg6vD7fkMc7pVmuxjQw2TudDQArh6:3WE+2/ofNbw/319C8BDjJvFQTlaLgaaP
MD5:	033620F08D0836C8E6A0FC594EF048E5
SHA1:	B91121FE40A7C88E92BBCFBB1760E4CC60F7FB5C
SHA-256:	A57293D52D30C5612C469BA3B536A6D915DB30EFC8CB9B7FF743D23A7F8FBEC3
SHA-512:	B336D26D4ABDDB66F75CF00B98AF2FCE6143CB05D0C25491875846012F0B1E618562439BCA97C5BBB79704E2C66D242192E2BFB8A98785994C7D5F8A5C63EBCC
Malicious:	false
Reputation:	low
Preview:	}..ST1OLWID8..F5.BT1EL5Z.9PAKJ0KJSW1OLSID8RVF5XBT1EL5ZK9PAKJ.KJSY..BS.M.s.Gy.c.Y,?.9V73'.(+=9^;l1,dJ'8f\6b.~.lX5/\~LF@.KJSW1OL;Y..~'.Kt3.Oi=.$y./?t;.5A..Od=.7hI.(.D.<f.+2)+.Gbb"4.:.-e.42~8.F.?%]t3.OEL5ZK9PAKJ0KJSW1&v.*D8RV.pXB.0ALA.KiPAKJ0KJS.1lMXHM8R.G5X6V1EL5Zd.PAKZ0KJ.V1OL.ID(RVF7XBQ1EL5ZK9UAKJ0KJSWaKLSMD8.mD5ZBT.EL%ZK)PAKJ KJCW1OLSIT8RVF5XBT1EL.OI9.AKJ0+HS+.NLSID8RVF5XBT1EL5ZK9PAKJ0K..V1SLSID8RVF5XBT1EL5ZK9PAKJ0KJS.<ML.ID8RVF5XBT1E.4Z.8PAKJ0KJSW1OLSID8RVF5XBT1EL...A$AKJ(.KSW!OLS.E8RRF5XBT1EL5ZK9PAkJ0+d!3P;-SI.URVF.YBT_EL5.J9PAKJ0KJSW1OL.IDx\|2'A9BT1.\|5ZK.RAK\0KJYU1OLSID8RVF5XB.1E..(8K3AKJL.KSWQMLS.E8RvD5XBT1EL5ZK9PA.J0.JSW1OLSID8RVF5XBT1EL5ZK9PAKJ0KJSW1OLSID8RVF5XBT1EL5ZK9PAKJ0KJSW1OLSID8RVF5XBT1EL5ZK9PAKJ0KJSW1OLSID8RVF5XBT1EL5ZK9PAKJ0KJSW1OLSID8RVF5XBT1EL5ZK9PAKJ0KJSW1OLSID8RVF5XBT1EL5ZK9PAKJ0KJSW1OLSID8RVF5XBT1EL5ZK9PAKJ0KJSW1OLSID8RVF5XBT1EL5ZK9PAKJ0KJSW1OLSID8RVF5XBT1EL5ZK9PAKJ0KJSW1OLSID8RVF5XBT1EL5ZK9PAKJ0KJSW1OLSID8RVF5XBT1EL5ZK9PAKJ0KJSW1OLSID8RVF5XBT1EL5ZK9PAKJ0KJSW1OLSI

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.16007140483729
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	8BzIVoQT3w.exe
File size:	1'180'160 bytes
MD5:	be5d768419369e33fdb2c5dc667e0b25
SHA1:	df725aae847c2c03325416dce56deacd2d01c4b8
SHA256:	97faf0ceacec7da5ae52ec7f892137b2337b9375c089668a0e601fd6e2ef9cf7
SHA512:	32b05a07aeb0895d9e0a962e7608f080ce4152195d970ffaa802b0c44d919f7eb49f7b9d25fcf6dcd181e2315e66886f788978035e5b7611bfc69f061e760aa2
SSDEEP:	24576:Ru6J33O0c+JY5UZ+XC0kGso6FayELDfsjykau55WY:Du0c++OCvkGs9FayE/kuwiY
TLSH:	5545CF2263DDC360CB769133BF69B7056EBF3C614630B85B2F980D7DA950162262D7A3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x427dcd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x675AE0B0 [Thu Dec 12 13:10:08 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F83B0E4B05Ah
jmp 00007F83B0E3DE24h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F83B0E3DFAAh
cmp edi, eax
jc 00007F83B0E3E30Eh
bt dword ptr [004C31FCh], 01h
jnc 00007F83B0E3DFA9h
rep movsb
jmp 00007F83B0E3E2BCh
cmp ecx, 00000080h
jc 00007F83B0E3E174h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F83B0E3DFB0h
bt dword ptr [004BE324h], 01h
jc 00007F83B0E3E480h
bt dword ptr [004C31FCh], 00000000h
jnc 00007F83B0E3E14Dh
test edi, 00000003h
jne 00007F83B0E3E15Eh
test esi, 00000003h
jne 00007F83B0E3E13Dh
bt edi, 02h
jnc 00007F83B0E3DFAFh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F83B0E3DFB3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F83B0E3E005h
bt esi, 03h
jnc 00007F83B0E3E058h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x57920	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x11f000	0x711c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dcc4	0x8de00	d28a820a1d9ff26cda02d12b888ba4b4	False	0.5728679102422908	data	6.676118058520316	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	79b14b254506b0dbc8cd0ad67fb70ad9	False	0.33535526761517614	OpenPGP Public Key	5.76010872795207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	9f9d6f746f1a415a63de45f8b7983d33	False	0.1017530487804878	data	1.198745897703538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x57920	0x57a00	cb66edc94fc7f35c30aab1700e5f4949	False	0.9247559290299572	data	7.888531611736978	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x11f000	0x711c	0x7200	6fcae3cbbf6bfbabf5ec5bbe7cf612c3	False	0.7650767543859649	data	6.779031650454199	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc75a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc76d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc77f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc7920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc7c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc7d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc8bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc9480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc99e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xcbf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xcd038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xcd4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xcd4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcda84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xce110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xce5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xceb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcf1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcf660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcf7b8	0x4ebe5	data			1.0003286485413896
RT_GROUP_ICON	0x11e3a0	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x11e418	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x11e42c	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x11e440	0x14	data	English	Great Britain	1.25
RT_VERSION	0x11e454	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x11e530	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-10T21:38:20.989096+0100	2030171	ET MALWARE AgentTesla Exfil Via SMTP	1	192.168.2.6	49721	199.79.62.115	587	TCP
2025-01-10T21:38:20.989096+0100	2839723	ETPRO MALWARE Win32/Agent Tesla SMTP Activity	1	192.168.2.6	49721	199.79.62.115	587	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 21:38:35.523184061 CET	49721	587	192.168.2.6	199.79.62.115
Jan 10, 2025 21:38:35.528115988 CET	587	49721	199.79.62.115	192.168.2.6
Jan 10, 2025 21:38:35.528229952 CET	49721	587	192.168.2.6	199.79.62.115
Jan 10, 2025 21:38:36.217741013 CET	587	49721	199.79.62.115	192.168.2.6
Jan 10, 2025 21:38:36.225929976 CET	49721	587	192.168.2.6	199.79.62.115
Jan 10, 2025 21:38:36.230736017 CET	587	49721	199.79.62.115	192.168.2.6
Jan 10, 2025 21:38:36.375490904 CET	587	49721	199.79.62.115	192.168.2.6
Jan 10, 2025 21:38:36.397826910 CET	49721	587	192.168.2.6	199.79.62.115
Jan 10, 2025 21:38:36.402678967 CET	587	49721	199.79.62.115	192.168.2.6
Jan 10, 2025 21:38:36.559643030 CET	587	49721	199.79.62.115	192.168.2.6
Jan 10, 2025 21:38:36.613892078 CET	49721	587	192.168.2.6	199.79.62.115
Jan 10, 2025 21:38:36.770581007 CET	49721	587	192.168.2.6	199.79.62.115
Jan 10, 2025 21:38:36.775383949 CET	587	49721	199.79.62.115	192.168.2.6
Jan 10, 2025 21:38:37.052020073 CET	587	49721	199.79.62.115	192.168.2.6
Jan 10, 2025 21:38:37.052290916 CET	49721	587	192.168.2.6	199.79.62.115
Jan 10, 2025 21:38:37.057080984 CET	587	49721	199.79.62.115	192.168.2.6
Jan 10, 2025 21:38:37.201561928 CET	587	49721	199.79.62.115	192.168.2.6
Jan 10, 2025 21:38:37.201838970 CET	49721	587	192.168.2.6	199.79.62.115
Jan 10, 2025 21:38:37.206655025 CET	587	49721	199.79.62.115	192.168.2.6
Jan 10, 2025 21:38:37.370043039 CET	587	49721	199.79.62.115	192.168.2.6
Jan 10, 2025 21:38:37.370292902 CET	49721	587	192.168.2.6	199.79.62.115
Jan 10, 2025 21:38:37.375096083 CET	587	49721	199.79.62.115	192.168.2.6
Jan 10, 2025 21:38:37.519737959 CET	587	49721	199.79.62.115	192.168.2.6
Jan 10, 2025 21:38:37.520998001 CET	49721	587	192.168.2.6	199.79.62.115
Jan 10, 2025 21:38:37.521132946 CET	49721	587	192.168.2.6	199.79.62.115
Jan 10, 2025 21:38:37.521162033 CET	49721	587	192.168.2.6	199.79.62.115
Jan 10, 2025 21:38:37.521182060 CET	49721	587	192.168.2.6	199.79.62.115
Jan 10, 2025 21:38:37.525968075 CET	587	49721	199.79.62.115	192.168.2.6
Jan 10, 2025 21:38:37.526001930 CET	587	49721	199.79.62.115	192.168.2.6
Jan 10, 2025 21:38:37.526056051 CET	587	49721	199.79.62.115	192.168.2.6
Jan 10, 2025 21:38:37.526084900 CET	587	49721	199.79.62.115	192.168.2.6
Jan 10, 2025 21:38:37.812803030 CET	587	49721	199.79.62.115	192.168.2.6
Jan 10, 2025 21:38:37.863863945 CET	49721	587	192.168.2.6	199.79.62.115
Jan 10, 2025 21:40:15.239280939 CET	49721	587	192.168.2.6	199.79.62.115
Jan 10, 2025 21:40:15.244206905 CET	587	49721	199.79.62.115	192.168.2.6
Jan 10, 2025 21:40:15.589591980 CET	587	49721	199.79.62.115	192.168.2.6
Jan 10, 2025 21:40:15.589687109 CET	587	49721	199.79.62.115	192.168.2.6
Jan 10, 2025 21:40:15.589749098 CET	49721	587	192.168.2.6	199.79.62.115
Jan 10, 2025 21:40:15.589893103 CET	49721	587	192.168.2.6	199.79.62.115
Jan 10, 2025 21:40:15.594656944 CET	587	49721	199.79.62.115	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 21:38:35.218069077 CET	54311	53	192.168.2.6	1.1.1.1
Jan 10, 2025 21:38:35.511012077 CET	53	54311	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 21:38:35.218069077 CET	192.168.2.6	1.1.1.1	0x5c27	Standard query (0)	mail.mbarieservicesltd.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 21:38:35.511012077 CET	1.1.1.1	192.168.2.6	0x5c27	No error (0)	mail.mbarieservicesltd.com		199.79.62.115	A (IP address)	IN (0x0001)	false

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jan 10, 2025 21:38:36.217741013 CET	587	49721	199.79.62.115	192.168.2.6	220-md-54.webhostbox.net ESMTP Exim 4.96.2 #2 Sat, 11 Jan 2025 02:08:36 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jan 10, 2025 21:38:36.225929976 CET	49721	587	192.168.2.6	199.79.62.115	EHLO 305090
Jan 10, 2025 21:38:36.375490904 CET	587	49721	199.79.62.115	192.168.2.6	250-md-54.webhostbox.net Hello 305090 [8.46.123.189] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jan 10, 2025 21:38:36.397826910 CET	49721	587	192.168.2.6	199.79.62.115	AUTH login c2FsZXNzQG1iYXJpZXNlcnZpY2VzbHRkLmNvbQ==
Jan 10, 2025 21:38:36.559643030 CET	587	49721	199.79.62.115	192.168.2.6	334 UGFzc3dvcmQ6
Jan 10, 2025 21:38:37.052020073 CET	587	49721	199.79.62.115	192.168.2.6	235 Authentication succeeded
Jan 10, 2025 21:38:37.052290916 CET	49721	587	192.168.2.6	199.79.62.115	MAIL FROM:<saless@mbarieservicesltd.com>
Jan 10, 2025 21:38:37.201561928 CET	587	49721	199.79.62.115	192.168.2.6	250 OK
Jan 10, 2025 21:38:37.201838970 CET	49721	587	192.168.2.6	199.79.62.115	RCPT TO:<iinfo@mbarieservicesltd.com>
Jan 10, 2025 21:38:37.370043039 CET	587	49721	199.79.62.115	192.168.2.6	250 Accepted
Jan 10, 2025 21:38:37.370292902 CET	49721	587	192.168.2.6	199.79.62.115	DATA
Jan 10, 2025 21:38:37.519737959 CET	587	49721	199.79.62.115	192.168.2.6	354 Enter message, ending with "." on a line by itself
Jan 10, 2025 21:38:37.521182060 CET	49721	587	192.168.2.6	199.79.62.115	.
Jan 10, 2025 21:38:37.812803030 CET	587	49721	199.79.62.115	192.168.2.6	250 OK id=1tWLm9-002SKW-1P
Jan 10, 2025 21:40:15.239280939 CET	49721	587	192.168.2.6	199.79.62.115	QUIT
Jan 10, 2025 21:40:15.589591980 CET	587	49721	199.79.62.115	192.168.2.6	221 md-54.webhostbox.net closing connection

Target ID:	0
Start time:	15:38:25
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\8BzIVoQT3w.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\8BzIVoQT3w.exe"
Imagebase:	0xe60000
File size:	1'180'160 bytes
MD5 hash:	BE5D768419369E33FDB2C5DC667E0B25
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000000.00000002.2188832245.00000000038B0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	15:38:28
Start date:	10/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\8BzIVoQT3w.exe"
Imagebase:	0x340000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	15:38:29
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\8BzIVoQT3w.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\8BzIVoQT3w.exe"
Imagebase:	0xe60000
File size:	1'180'160 bytes
MD5 hash:	BE5D768419369E33FDB2C5DC667E0B25
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000003.00000002.2227100024.0000000003A60000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	15:38:31
Start date:	10/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\8BzIVoQT3w.exe"
Imagebase:	0x660000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.3423496604.0000000002E5B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000002.3422846282.00000000028BE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000004.00000002.3422846282.00000000028BE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000004.00000002.3421919411.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000002.3423292051.0000000002D00000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000004.00000002.3423292051.0000000002D00000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000002.3424519335.0000000003E01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000004.00000002.3424519335.0000000003E01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000002.3423194086.0000000002B80000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000004.00000002.3423194086.0000000002B80000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.3423496604.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.3423496604.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.4%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	10.1%
Total number of Nodes:	2000
Total number of Limit Nodes:	157

Executed Functions

Function 00E63B3A Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00E63B68
IsDebuggerPresent.KERNEL32 ref: 00E63B7A
GetFullPathNameW.KERNEL32(00007FFF,?,?,00F252F8,00F252E0,?,?), ref: 00E63BEB

Part of subcall function 00E67BCC: _memmove.LIBCMT ref: 00E67C06

Part of subcall function 00E7092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00E63C14,00F252F8,?,?,?), ref: 00E7096E

SetCurrentDirectoryW.KERNEL32(?), ref: 00E63C6F
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00F17770,00000010), ref: 00E9D281
SetCurrentDirectoryW.KERNEL32(?,00F252F8,?,?,?), ref: 00E9D2B9
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00F14260,00F252F8,?,?,?), ref: 00E9D33F
ShellExecuteW.SHELL32(00000000,?,?), ref: 00E9D346

Part of subcall function 00E63A46: GetSysColorBrush.USER32(0000000F), ref: 00E63A50
Part of subcall function 00E63A46: LoadCursorW.USER32(00000000,00007F00), ref: 00E63A5F
Part of subcall function 00E63A46: LoadIconW.USER32(00000063), ref: 00E63A76
Part of subcall function 00E63A46: LoadIconW.USER32(000000A4), ref: 00E63A88
Part of subcall function 00E63A46: LoadIconW.USER32(000000A2), ref: 00E63A9A
Part of subcall function 00E63A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00E63AC0
Part of subcall function 00E63A46: RegisterClassExW.USER32(?), ref: 00E63B16

Part of subcall function 00E639D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00E63A03
Part of subcall function 00E639D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00E63A24
Part of subcall function 00E639D5: ShowWindow.USER32(00000000,?,?), ref: 00E63A38
Part of subcall function 00E639D5: ShowWindow.USER32(00000000,?,?), ref: 00E63A41

Part of subcall function 00E6434A: _memset.LIBCMT ref: 00E64370
Part of subcall function 00E6434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00E64415

Strings

This is a third-party compiled AutoIt script., xrefs: 00E9D279
%, xrefs: 00E63C44
runas, xrefs: 00E9D33A

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas$%
API String ID: 529118366-3343222573
Opcode ID: c68930aaa06b758212552f5cc9a04ef0e357334e4bb609344f2473b7bafab8f0
Instruction ID: 83d6d4f6e785a76200b9763f5466cd93a88e89e1dacf7c045efca1ce5a4528b7
Opcode Fuzzy Hash: c68930aaa06b758212552f5cc9a04ef0e357334e4bb609344f2473b7bafab8f0
Instruction Fuzzy Hash: F951267094824CEECF11EBB4FC059FDBBB4AB45B94F106069F451B61E2CA709646EB21

Function 00E649A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00E649CD

Part of subcall function 00E67BCC: _memmove.LIBCMT ref: 00E67C06

GetCurrentProcess.KERNEL32(?,00EEFAEC,00000000,00000000,?), ref: 00E64A9A
IsWow64Process.KERNEL32(00000000), ref: 00E64AA1
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00E64AE7
FreeLibrary.KERNEL32(00000000), ref: 00E64AF2
GetSystemInfo.KERNEL32(00000000), ref: 00E64B23
GetSystemInfo.KERNEL32(00000000), ref: 00E64B2F

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 74754b83e77a29c629e736767418c48cbb305df95372058758220a727b81c981
Instruction ID: afa50c0bffa5975b929e6d8c73ce10cfabba1b4c20ede13916d1e21d0140be24
Opcode Fuzzy Hash: 74754b83e77a29c629e736767418c48cbb305df95372058758220a727b81c981
Instruction Fuzzy Hash: 5191E6719CD7C4DECB31CBA8A5501AAFFF5AF29344B4459AED0CBA3A42D220A508C759

Function 00E64E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00E64D8E,?,?,00000000,00000000), ref: 00E64E99
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00E64D8E,?,?,00000000,00000000), ref: 00E64EB0
LoadResource.KERNEL32(?,00000000,?,?,00E64D8E,?,?,00000000,00000000,?,?,?,?,?,?,00E64E2F), ref: 00E9D937
SizeofResource.KERNEL32(?,00000000,?,?,00E64D8E,?,?,00000000,00000000,?,?,?,?,?,?,00E64E2F), ref: 00E9D94C
LockResource.KERNEL32(00E64D8E,?,?,00E64D8E,?,?,00000000,00000000,?,?,?,?,?,?,00E64E2F,00000000), ref: 00E9D95F

Strings

SCRIPT, xrefs: 00E64EA6

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 3a592007cfb62ab1cd6b037e90da924286574393006c006f49436bb85483a3a0
Instruction ID: 49035a3c7f6aa5e7468bae5da0982a09ff23026f09a33a48e8776ad5b12970e6
Opcode Fuzzy Hash: 3a592007cfb62ab1cd6b037e90da924286574393006c006f49436bb85483a3a0
Instruction Fuzzy Hash: 731191B1240745BFD7208BA6EC48F677BB9FBC9751F104268F515AA1A0DB61EC048660

Function 00E6FCE0 Relevance: 8.0, APIs: 3, Strings: 1, Instructions: 1040COMMON

Download Yara Rule

Strings

%, xrefs: 00E6FCF3

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: BuffCharUpper
String ID: %
API String ID: 3964851224-2291192146
Opcode ID: 43930f9fdda8d7c7197df4183bd02bc5921dd1d17ebfa31c43d0583515ac16ec
Instruction ID: 62936cfc4cf8d9b7f7ebda36f67c3d6fa33f9d01484b95b1c6868c1b5ac63456
Opcode Fuzzy Hash: 43930f9fdda8d7c7197df4183bd02bc5921dd1d17ebfa31c43d0583515ac16ec
Instruction Fuzzy Hash: 1A926CB0608341CFD724DF14C480B6AB7E1BF89314F14A96DE89AAB392D775EC45CB92

Function 00EC445A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00E9E398), ref: 00EC446A
FindFirstFileW.KERNELBASE(?,?), ref: 00EC447B
FindClose.KERNEL32(00000000), ref: 00EC448B

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 6f924c6add4dc85b5474b0949f0512cdeb994131ed01f07d8e9d2e88499999e7
Instruction ID: 478d831e581bb2b859ccf87549a6bea758597dbd76299f61b9089ec95dd9b281
Opcode Fuzzy Hash: 6f924c6add4dc85b5474b0949f0512cdeb994131ed01f07d8e9d2e88499999e7
Instruction Fuzzy Hash: 6AE020738106446F42146B38EC5DDE9775CAF15335F304719F935E50E0E7745D0495D5

Function 00E6E6A0 Relevance: 2.4, Strings: 1, Instructions: 1102COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00EA3E62

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 9c10c913ed987bf237d35da0a2e83c8c6e3e8108afe4a4d4933248e240eaceb4
Instruction ID: 43bdcef0eb02b5cf8c0d8d8a236b21d3b79de107e4fc1d9388cd76586f71e1b0
Opcode Fuzzy Hash: 9c10c913ed987bf237d35da0a2e83c8c6e3e8108afe4a4d4933248e240eaceb4
Instruction Fuzzy Hash: 28A29E78A40215CFCB24CF98E480AAAB7F2FF59354F249069E815BB391D771ED42CB91

Function 00E709D0 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E70A5B
timeGetTime.WINMM ref: 00E70D16
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E70E53
Sleep.KERNEL32(0000000A), ref: 00E70E61
LockWindowUpdate.USER32(00000000,?,?), ref: 00E70EFA
DestroyWindow.USER32 ref: 00E70F06
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00E70F20
Sleep.KERNEL32(0000000A,?,?), ref: 00EA4E83
TranslateMessage.USER32(?), ref: 00EA5C60
DispatchMessageW.USER32(?), ref: 00EA5C6E
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00EA5C82

Strings

@TRAY_ID, xrefs: 00EA578F
@GUI_CTRLHANDLE, xrefs: 00EA4FE4
@COM_EVENTOBJ, xrefs: 00EA54F0
@GUI_CTRLID, xrefs: 00EA4F3A
@GUI_WINHANDLE, xrefs: 00EA4F8F

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 4212290369-3242690629
Opcode ID: d492f165dc01549dc41ecc93b201f5d2237d007d700ec2ad93e962a899bb24f3
Instruction ID: 01b638ab5a060ca32007174bb59dec231a505ad9cb418a17fd84c6b963ec8658
Opcode Fuzzy Hash: d492f165dc01549dc41ecc93b201f5d2237d007d700ec2ad93e962a899bb24f3
Instruction Fuzzy Hash: 88B2D371608741DFD724DF24C884BAAB7E4BF89308F14991DF49ABB2A1C771E845CB92

Function 00EC9155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00EC8F5F: __time64.LIBCMT ref: 00EC8F69

Part of subcall function 00E64EE5: _fseek.LIBCMT ref: 00E64EFD

__wsplitpath.LIBCMT ref: 00EC9234

Part of subcall function 00E840FB: __wsplitpath_helper.LIBCMT ref: 00E8413B

_wcscpy.LIBCMT ref: 00EC9247
_wcscat.LIBCMT ref: 00EC925A
__wsplitpath.LIBCMT ref: 00EC927F
_wcscat.LIBCMT ref: 00EC9295
_wcscat.LIBCMT ref: 00EC92A8

Part of subcall function 00EC8FA5: _memmove.LIBCMT ref: 00EC8FDE
Part of subcall function 00EC8FA5: _memmove.LIBCMT ref: 00EC8FED

_wcscmp.LIBCMT ref: 00EC91EF

Part of subcall function 00EC9734: _wcscmp.LIBCMT ref: 00EC9824
Part of subcall function 00EC9734: _wcscmp.LIBCMT ref: 00EC9837

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00EC9452
_wcsncpy.LIBCMT ref: 00EC94C5
DeleteFileW.KERNEL32(?,?), ref: 00EC94FB
CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00EC9511
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00EC9522
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00EC9534

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: d0d84165f37fc9b7105cc680b99f98e3546b0f5faa35a66219dbbf520a8ff438
Instruction ID: c17c991033b9de9255e63f9f3023fc7f0660de9b7dab7335a522aa7590b933c4
Opcode Fuzzy Hash: d0d84165f37fc9b7105cc680b99f98e3546b0f5faa35a66219dbbf520a8ff438
Instruction Fuzzy Hash: D7C14BB1E00219AADF21DFA5CD85EDEB7B8EF45300F0054AAF609F6151DB319A458F61

Function 00E63025 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 67
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00E63074
RegisterClassExW.USER32(00000030), ref: 00E6309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E630AF
InitCommonControlsEx.COMCTL32(?), ref: 00E630CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00E630DC
LoadIconW.USER32(000000A9), ref: 00E630F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00E63101

Strings

0, xrefs: 00E63056
TaskbarCreated, xrefs: 00E630A4
AutoIt v3 GUI, xrefs: 00E63090
+, xrefs: 00E6305D

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: dd57397472f5dc01ff7b428ce728ccf2b8a65db90e0b489dccb4f5e5db50e0f5
Instruction ID: 652ffbd63325816f7174cafb33829c296049510cd1f45e1e88e7a3230b64c731
Opcode Fuzzy Hash: dd57397472f5dc01ff7b428ce728ccf2b8a65db90e0b489dccb4f5e5db50e0f5
Instruction Fuzzy Hash: 113106B1951349EFDB50CFA5E889ADDBBF4FB09720F10412AF580EA2A0D3B50586DF91

Function 00E63041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00E63074
RegisterClassExW.USER32(00000030), ref: 00E6309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E630AF
InitCommonControlsEx.COMCTL32(?), ref: 00E630CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00E630DC
LoadIconW.USER32(000000A9), ref: 00E630F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00E63101

Strings

0, xrefs: 00E63056
TaskbarCreated, xrefs: 00E630A4
AutoIt v3 GUI, xrefs: 00E63090
+, xrefs: 00E6305D

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 4dddc9b76691eb8ec41635a3ec18c152afa5889c5c33749caaf0d809bb1ac9c4
Instruction ID: 38021cf0ea0a9826c868704b57753d5b6a495c54a98c24adf49050f04d18e662
Opcode Fuzzy Hash: 4dddc9b76691eb8ec41635a3ec18c152afa5889c5c33749caaf0d809bb1ac9c4
Instruction Fuzzy Hash: CF21C5B195165CAFDB10DFA5E889BDDBBF4FB08B10F00812AF510BA2A0D7B145499F91

Function 00E6708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E64706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00F252F8,?,00E637AE,?), ref: 00E64724

Part of subcall function 00E8050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00E67165), ref: 00E8052D

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00E671A8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00E9E8C8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00E9E909
RegCloseKey.ADVAPI32(?), ref: 00E9E947
_wcscat.LIBCMT ref: 00E9E9A0

Strings

Include, xrefs: 00E9E8BF, 00E9E900
Software\AutoIt v3\AutoIt, xrefs: 00E6719E
\Include\, xrefs: 00E67165
\, xrefs: 00E9E9C3

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 620b661e7f697e80a6f4ef36be6f2b02081f34d44bf501bb24704382359e4bfc
Instruction ID: 0a6df2f05488015d522722499790e93ae5a944d1115617c89e98d970a2cb1bc6
Opcode Fuzzy Hash: 620b661e7f697e80a6f4ef36be6f2b02081f34d44bf501bb24704382359e4bfc
Instruction Fuzzy Hash: BE71B171109305DECB10EF25E8819ABBBE8FF84350F40292EF585E72E0DB719949DB52

Function 00E63633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00E636D2
KillTimer.USER32(?,00000001), ref: 00E636FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00E6371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E6372A
CreatePopupMenu.USER32 ref: 00E6373E
PostQuitMessage.USER32(00000000), ref: 00E6374D

Strings

TaskbarCreated, xrefs: 00E63725
%, xrefs: 00E9D081, 00E9D0CF

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated$%
API String ID: 129472671-3835587964
Opcode ID: 47e2cede368a4581e4a553d6aafd4d503906f7732f44ef0d7ceb36c49e649b83
Instruction ID: babc392b30cdf67344b697567a979d57acb199cd7112f0ea8e60d1765f486edb
Opcode Fuzzy Hash: 47e2cede368a4581e4a553d6aafd4d503906f7732f44ef0d7ceb36c49e649b83
Instruction Fuzzy Hash: 964159B2184549FBDF209F74FC4DBBE3795EB10784F142126F502BA2E2CA71AE45A261

Function 00E63A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00E63A50
LoadCursorW.USER32(00000000,00007F00), ref: 00E63A5F
LoadIconW.USER32(00000063), ref: 00E63A76
LoadIconW.USER32(000000A4), ref: 00E63A88
LoadIconW.USER32(000000A2), ref: 00E63A9A
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00E63AC0
RegisterClassExW.USER32(?), ref: 00E63B16

Part of subcall function 00E63041: GetSysColorBrush.USER32(0000000F), ref: 00E63074
Part of subcall function 00E63041: RegisterClassExW.USER32(00000030), ref: 00E6309E
Part of subcall function 00E63041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E630AF
Part of subcall function 00E63041: InitCommonControlsEx.COMCTL32(?), ref: 00E630CC
Part of subcall function 00E63041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00E630DC
Part of subcall function 00E63041: LoadIconW.USER32(000000A9), ref: 00E630F2
Part of subcall function 00E63041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00E63101

Strings

0, xrefs: 00E63AF4
#, xrefs: 00E63AFB
AutoIt v3, xrefs: 00E63B05

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 79c0e83e0ddf21606bce3278d6aee66241d7fe3361953017ebf6425ccd07a793
Instruction ID: 98aea1bd4b115f6406e52a763edd8f5a48dc01692ad7d760c5d4bb4d0bbd0857
Opcode Fuzzy Hash: 79c0e83e0ddf21606bce3278d6aee66241d7fe3361953017ebf6425ccd07a793
Instruction Fuzzy Hash: 73212AB0951308EFEB20DFA5EC49BAD7BB0EB08B11F00411AF500BA2E1D3B55655AF85

Function 00E63766 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/AutoIt3ExecuteScript, xrefs: 00E638BC
/ErrorStdOut, xrefs: 00E6387D
CMDLINERAW, xrefs: 00E637FB
/AutoIt3OutputDebug, xrefs: 00E63892
/AutoIt3ExecuteLine, xrefs: 00E638A7
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 00E637AE
CMDLINE, xrefs: 00E63822

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
API String ID: 1825951767-3513169116
Opcode ID: f9106d272a10acaf72b162a4cc3007ca2a016f441f431e3e03c66dc7b9e1583a
Instruction ID: df7be75e2d65f8ee18b1d5886591f93b70b858df10be46a33472937b9a21ad16
Opcode Fuzzy Hash: f9106d272a10acaf72b162a4cc3007ca2a016f441f431e3e03c66dc7b9e1583a
Instruction Fuzzy Hash: FCA17F7295022D9ACF05EBA0EC95EEEB7B8FF54390F002529F415B7192DF749A08CB60

Function 010BCCA8 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 010BCD79
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 010BCF9F

Memory Dump Source

Source File: 00000000.00000002.2188584144.00000000010BA000.00000040.00000020.00020000.00000000.sdmp, Offset: 010BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ba000_8BzIVoQT3w.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: 7a8af28d10d872e8c42d0e09e8738e4af41cabd85448581b7ead53f150642b41
Instruction ID: 0572ca9884f68cf4bbfa4c6c10527cca65f1eec6f06bca19800f8c6b988f525c
Opcode Fuzzy Hash: 7a8af28d10d872e8c42d0e09e8738e4af41cabd85448581b7ead53f150642b41
Instruction Fuzzy Hash: 2CA12874E00209EBEB14CFA4C994BEEBBB5FF48304F208199E655BB280D7759A40CF54

Function 00E639D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00E63A03
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00E63A24
ShowWindow.USER32(00000000,?,?), ref: 00E63A38
ShowWindow.USER32(00000000,?,?), ref: 00E63A41

Strings

edit, xrefs: 00E63A1E
AutoIt v3, xrefs: 00E639FB, 00E63A00, 00E63A01

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 435921f4e4423fbce47a58ddf2bf7c9b0972f35e8d6150e1fc389f8735ac595c
Instruction ID: 539fdea6dd01ac9074f096d136c1b898f82266cb733bce72d5c1142fe50c70db
Opcode Fuzzy Hash: 435921f4e4423fbce47a58ddf2bf7c9b0972f35e8d6150e1fc389f8735ac595c
Instruction Fuzzy Hash: 40F03A70500298BEEB3057636C49E3B3E7DD7C7F60B00002AF904BA1F0C2710842EAB0

Function 010BCA18 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 166
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 010BC908: Sleep.KERNELBASE(000001F4), ref: 010BC919

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 010BCB95

Strings

0KJSW1OLSID8RVF5XBT1EL5ZK9PAKJ, xrefs: 010BCBFE, 010BCC01

Memory Dump Source

Source File: 00000000.00000002.2188584144.00000000010BA000.00000040.00000020.00020000.00000000.sdmp, Offset: 010BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ba000_8BzIVoQT3w.jbxd

Similarity

API ID: CreateFileSleep
String ID: 0KJSW1OLSID8RVF5XBT1EL5ZK9PAKJ
API String ID: 2694422964-3037107976
Opcode ID: 75982015b78a5bdfcdcbf5ec68a3236ad1d614892dac37e968ada80fbbcf56c5
Instruction ID: e77febc28f5ec34fa08ca6a5c2842c44c5fa692c2c2a86c0b7b34d7b09a2eacb
Opcode Fuzzy Hash: 75982015b78a5bdfcdcbf5ec68a3236ad1d614892dac37e968ada80fbbcf56c5
Instruction Fuzzy Hash: 53718570D0438CDAEF11DBA8C855BDFBB75AF29304F004199D648BB2C1D7B91A45CBA6

Function 00E6407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00E9D3D7

Part of subcall function 00E67BCC: _memmove.LIBCMT ref: 00E67C06

_memset.LIBCMT ref: 00E640FC
_wcscpy.LIBCMT ref: 00E64150
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00E64160

Strings

Line: , xrefs: 00E9D400

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: d36e5b42e34ae79df5d734daa7acb0a92fe1d0d81f166d632acd2310d6952da1
Instruction ID: 5e5a857fc852ee9931fdd0d105f94947b3a311c3e92f5149077b7cae4f225a11
Opcode Fuzzy Hash: d36e5b42e34ae79df5d734daa7acb0a92fe1d0d81f166d632acd2310d6952da1
Instruction Fuzzy Hash: 7731CD71048308ABD320EB60EC46BEA77D8AB44758F10591AF599A60E1EB709649CB93

Function 00E6686A Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E64DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00F252F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00E64E0F

_free.LIBCMT ref: 00E9E263
_free.LIBCMT ref: 00E9E2AA

Part of subcall function 00E66A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00E66BAD

Strings

Bad directive syntax error, xrefs: 00E9E292
>>>AUTOIT SCRIPT<<<, xrefs: 00E9E039

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: ec9f5f16fec2bbee5fe505d163781e9a7afa2c926931719fd628eef8fda18ec0
Instruction ID: d31ead9e05b6178e62c3d9f156501a3ae92a56e27a5c34c2c7b6bcd2f4b96eda
Opcode Fuzzy Hash: ec9f5f16fec2bbee5fe505d163781e9a7afa2c926931719fd628eef8fda18ec0
Instruction Fuzzy Hash: 5F919E71910219AFCF08EFA4DC819EEB7B8FF08354F10642AF915BB2A1DB71A945CB50

Function 00E6F76F Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 00E80162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00E80193
Part of subcall function 00E80162: MapVirtualKeyW.USER32(00000010,00000000), ref: 00E8019B
Part of subcall function 00E80162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00E801A6
Part of subcall function 00E80162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00E801B1
Part of subcall function 00E80162: MapVirtualKeyW.USER32(00000011,00000000), ref: 00E801B9
Part of subcall function 00E80162: MapVirtualKeyW.USER32(00000012,00000000), ref: 00E801C1

Part of subcall function 00E760F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00E6F930), ref: 00E76154

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00E6F9CD
OleInitialize.OLE32(00000000), ref: 00E6FA4A
CloseHandle.KERNEL32(00000000), ref: 00EA45C8

Strings

%, xrefs: 00E6F796, 00E6F7A8, 00E6F96E, 00E6FA51

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: %
API String ID: 1986988660-2291192146
Opcode ID: 026150b934523a0f0dab702aa85b692913579fa214016661a5c3def41c8c2f55
Instruction ID: 6916e3a4d11d2402917925764cf1ba4296b2761aece05a74c3a3a97e7d66c636
Opcode Fuzzy Hash: 026150b934523a0f0dab702aa85b692913579fa214016661a5c3def41c8c2f55
Instruction Fuzzy Hash: 9781F6B0901A4CCFC7A4EF79F865628BBE5FB98B16750912AD018DB372E7704486EF11

Function 00E635B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00E635A1,SwapMouseButtons,00000004,?), ref: 00E635D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00E635A1,SwapMouseButtons,00000004,?,?,?,?,00E62754), ref: 00E635F5
RegCloseKey.KERNELBASE(00000000,?,?,00E635A1,SwapMouseButtons,00000004,?,?,?,?,00E62754), ref: 00E63617

Strings

Control Panel\Mouse, xrefs: 00E635D2

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 5269c69f0216c52531b90bacea698e59576b485bb111eb6353e5a15e170141d7
Instruction ID: a833408c1ce662635ca4544b22a572c911fa043ef2d1b9c022b1143e6745b00b
Opcode Fuzzy Hash: 5269c69f0216c52531b90bacea698e59576b485bb111eb6353e5a15e170141d7
Instruction Fuzzy Hash: 60115A71550218BFDB20CF65EC84DEEB7B8EF04784F0054A9F805EB210D2719F449760

Function 010BB908 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 010BC135
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 010BC159
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 010BC17B
TerminateProcess.KERNELBASE(00000000,00000000,?), ref: 010BC484

Memory Dump Source

Source File: 00000000.00000002.2188584144.00000000010BA000.00000040.00000020.00020000.00000000.sdmp, Offset: 010BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ba000_8BzIVoQT3w.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadTerminateThreadWow64
String ID:
API String ID: 572931308-0
Opcode ID: 8780c15dadd006f81780a27766e8c11566e43d2e82ae2738a64701d70b4000ce
Instruction ID: f87943980c4e47221291a16458f4e7567e1e6a251c3be25a578b827dfa84a6bf
Opcode Fuzzy Hash: 8780c15dadd006f81780a27766e8c11566e43d2e82ae2738a64701d70b4000ce
Instruction Fuzzy Hash: FD620E30A14218DBEB24CFA4C980BDEB772EF58700F1091A9D14DEB390E7799E81CB59

Function 00EC955B Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00E64EE5: _fseek.LIBCMT ref: 00E64EFD

Part of subcall function 00EC9734: _wcscmp.LIBCMT ref: 00EC9824
Part of subcall function 00EC9734: _wcscmp.LIBCMT ref: 00EC9837

_free.LIBCMT ref: 00EC96A2
_free.LIBCMT ref: 00EC96A9
_free.LIBCMT ref: 00EC9714

Part of subcall function 00E82D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00E89A24), ref: 00E82D69
Part of subcall function 00E82D55: GetLastError.KERNEL32(00000000,?,00E89A24), ref: 00E82D7B

_free.LIBCMT ref: 00EC971C

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction ID: 14ed4f01399ac6333f728f83ccbf6404abef7313831e47b6f3e3acdfdd042c4d
Opcode Fuzzy Hash: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction Fuzzy Hash: 475140B1904258ABDF259F64DC85A9EBBB9EF48300F10549EF20DB7281DB715A81CF58

Function 00E8470A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00E847A0
__flush.LIBCMT ref: 00E847C0
__write.LIBCMT ref: 00E847F3
__flsbuf.LIBCMT ref: 00E84821

Part of subcall function 00E88B28: __getptd_noexit.LIBCMT ref: 00E88B28

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 4d52eff99123aac4a06db8725133cf03f23f84e976aa4ad933b544abe1f9a118
Instruction ID: a7c153d58ae4bb29cb0d04b27292c13b8987883744492776649412a170eec533
Opcode Fuzzy Hash: 4d52eff99123aac4a06db8725133cf03f23f84e976aa4ad933b544abe1f9a118
Instruction Fuzzy Hash: A241D5B5A007479BDB1CAFA9C8809AE77A5EF41368B24913EF81DA76C0E771DD408B40

Function 00E644A0 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E644CF

Part of subcall function 00E6407C: _memset.LIBCMT ref: 00E640FC
Part of subcall function 00E6407C: _wcscpy.LIBCMT ref: 00E64150
Part of subcall function 00E6407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00E64160

KillTimer.USER32(?,00000001,?,?), ref: 00E64524
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00E64533
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00E9D4B9

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 23b045f4fdff5d4d5f8877fbd400556c6f0e33ef2978081a82558c0e6376dd90
Instruction ID: aeba09b60573eae221366818e85709e619cc6b5fa8d3c7e7a68182cdc5ee27df
Opcode Fuzzy Hash: 23b045f4fdff5d4d5f8877fbd400556c6f0e33ef2978081a82558c0e6376dd90
Instruction Fuzzy Hash: E121C8B4548798AFEB328B249C55BE7BBEC9B15318F04109DE69E7A1C1C3742A84C751

Function 00E64C70 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00E64CBA

Strings

AU3!P/, xrefs: 00E64CB4
EA06, xrefs: 00E9D8CC

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: _memmove
String ID: AU3!P/$EA06
API String ID: 4104443479-182974850
Opcode ID: 5f2ae185db7635e95ea75d5a5a0e7a7e5c156f27f14dc56971fa812a3fb6bd6e
Instruction ID: dda37698024ba76c96f91be655b891b375a7272933d4224c76509ea80c5efbd3
Opcode Fuzzy Hash: 5f2ae185db7635e95ea75d5a5a0e7a7e5c156f27f14dc56971fa812a3fb6bd6e
Instruction Fuzzy Hash: 63419DA1E841585BDF219B54FC617FF7FE29B46380F287464ED86BB2C2D6208D4483A1

Function 00E67285 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E9EA39
GetOpenFileNameW.COMDLG32(?), ref: 00E9EA83

Part of subcall function 00E64750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E64743,?,?,00E637AE,?), ref: 00E64770

Part of subcall function 00E80791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00E807B0

Strings

X, xrefs: 00E9EA51

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 3f0168af888a1a8b7bac626a08af419185d203ba14b430c355fd77d82b78ddb0
Instruction ID: 0fa4e156a2442cd1e5864a2ee1d05a73f749922aa5f3c66b0be64ec1af17e0fc
Opcode Fuzzy Hash: 3f0168af888a1a8b7bac626a08af419185d203ba14b430c355fd77d82b78ddb0
Instruction Fuzzy Hash: D521C070A002989BCF41DF94D845BEE7BF9AF49714F00505AE548BB382DBF459898FA1

Function 00EC98E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00EC98F8
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00EC990F

Strings

aut, xrefs: 00EC9909

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 5ebb274a6e0a770df1c899bf3926b40f67efbc70c3b306591129500a54e7d312
Instruction ID: 8b01d068bb4a7202cd1df8cd0c99e0104d6590f8c4c4c9912d6d45d05b087ab8
Opcode Fuzzy Hash: 5ebb274a6e0a770df1c899bf3926b40f67efbc70c3b306591129500a54e7d312
Instruction Fuzzy Hash: 2FD05E7958030DAFDB509BA4DC8EFDA773CE708701F0002B1FB54A90A1EAB095998B92

Function 00EDCADD Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95981957e94f6db0791875478f23221c1e68e5f50820a89d8630f9c0f387fa79
Instruction ID: cd2270bf391635561da340dd3f54fdee30a217aaf8797d5299fc23fe7762d515
Opcode Fuzzy Hash: 95981957e94f6db0791875478f23221c1e68e5f50820a89d8630f9c0f387fa79
Instruction Fuzzy Hash: 5DF13B716083059FC714DF28C580A6ABBE5FF88354F14992EF899AB352D731E946CF82

Function 00E6434A Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E64370
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00E64415
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00E64432

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 2f99ffb74990ff42ca9ebeef274be3f38b57cbdfea93caa8fccd98d790a19ea7
Instruction ID: 1f4be4fd22fe560445b01d13ee4ecec031c5a925a8a1e06891f353c7d93c030f
Opcode Fuzzy Hash: 2f99ffb74990ff42ca9ebeef274be3f38b57cbdfea93caa8fccd98d790a19ea7
Instruction Fuzzy Hash: 7A31C3B0545701CFC721EF24E88469BBBF8FB48749F00192EF69AA63D1E770A944CB52

Function 00E8571C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00E85733

Part of subcall function 00E8A16B: __NMSG_WRITE.LIBCMT ref: 00E8A192
Part of subcall function 00E8A16B: __NMSG_WRITE.LIBCMT ref: 00E8A19C

__NMSG_WRITE.LIBCMT ref: 00E8573A

Part of subcall function 00E8A1C8: GetModuleFileNameW.KERNEL32(00000000,00F233BA,00000104,?,00000001,00000000), ref: 00E8A25A
Part of subcall function 00E8A1C8: ___crtMessageBoxW.LIBCMT ref: 00E8A308

Part of subcall function 00E8309F: ___crtCorExitProcess.LIBCMT ref: 00E830A5
Part of subcall function 00E8309F: ExitProcess.KERNEL32 ref: 00E830AE

Part of subcall function 00E88B28: __getptd_noexit.LIBCMT ref: 00E88B28

RtlAllocateHeap.NTDLL(01020000,00000000,00000001,00000000,?,?,?,00E80DD3,?), ref: 00E8575F

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 9edf975c476ba8baef7a1f8b64f32dcee76281fcd9a71f66b6df9015d08b2cd9
Instruction ID: 8524bc13264d9b71064dbdbc522a6dce37b6f2f54245218df9d1ed3561af77c3
Opcode Fuzzy Hash: 9edf975c476ba8baef7a1f8b64f32dcee76281fcd9a71f66b6df9015d08b2cd9
Instruction Fuzzy Hash: 9701D276340A05DEE6253774AC82A6A73888B82765F506427F91DBA1C1DF7588014760

Function 00EC98A2 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00EC9548,?,?,?,?,?,00000004), ref: 00EC98BB
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00EC9548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00EC98D1
CloseHandle.KERNEL32(00000000,?,00EC9548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00EC98D8

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 13aad0aa2445b02e884204938438091e11c60a5448df3b526ad83fdfbaf0046a
Instruction ID: a29d7336e616167cbcc9327957fdca8734774162455c5e0cf5068cdf066d20e8
Opcode Fuzzy Hash: 13aad0aa2445b02e884204938438091e11c60a5448df3b526ad83fdfbaf0046a
Instruction Fuzzy Hash: 23E0863314121CBBD7211B55EC49FCA7B19AB06765F108220FB547D0E187B215159798

Function 00EC8D0D Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00EC8D1B

Part of subcall function 00E82D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00E89A24), ref: 00E82D69
Part of subcall function 00E82D55: GetLastError.KERNEL32(00000000,?,00E89A24), ref: 00E82D7B

_free.LIBCMT ref: 00EC8D2C
_free.LIBCMT ref: 00EC8D3E

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction ID: f164bbdf3c21348e070516743a8c574a3a6f2546e0bdb88b36f67c4643f2ac2e
Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction Fuzzy Hash: 83E012B1601A0146CB24B5B8AB40F931BEC4F98356714291DB50EF71C6CE64FC438324

Function 00E6A9C3 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 00E9FC01

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: cabe2fab7669e0602aeca3a27538081638affaa0a4abc8be6c6c758a47a47ec4
Instruction ID: 9e6d1e8fd188a16f09bb579f5017d7104a7b02956fe27dcdd84b9203276614b3
Opcode Fuzzy Hash: cabe2fab7669e0602aeca3a27538081638affaa0a4abc8be6c6c758a47a47ec4
Instruction Fuzzy Hash: B1225A70948200DFCB24DF14D454A6AB7E1BF85344F19A96DE89AAB362D731EC85CF82

Function 010BC998 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 010BC9F2

Strings

D, xrefs: 010BC9AC

Memory Dump Source

Source File: 00000000.00000002.2188584144.00000000010BA000.00000040.00000020.00020000.00000000.sdmp, Offset: 010BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ba000_8BzIVoQT3w.jbxd

Similarity

API ID: CreateProcess
String ID: D
API String ID: 963392458-2746444292
Opcode ID: 1330c71cb4c89c8b1e281807e3c9a6e08ef806c671b37f4b5feb6cd6d9c0ce49
Instruction ID: a0222299bcd5ee6544889952c3cc144e021ab05ad4d58417cbabc1dfa0c34bdc
Opcode Fuzzy Hash: 1330c71cb4c89c8b1e281807e3c9a6e08ef806c671b37f4b5feb6cd6d9c0ce49
Instruction Fuzzy Hash: 9D01FB7194030CABEB20DBE0CD89FEE7778AB54701F408559AA56AA180EA749608CB65

Function 010BB905 Relevance: 3.4, APIs: 2, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 010BC135
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 010BC159
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 010BC17B
TerminateProcess.KERNELBASE(00000000,00000000,?), ref: 010BC484

Memory Dump Source

Source File: 00000000.00000002.2188584144.00000000010BA000.00000040.00000020.00020000.00000000.sdmp, Offset: 010BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ba000_8BzIVoQT3w.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadTerminateThreadWow64
String ID:
API String ID: 572931308-0
Opcode ID: b08bb2783678b10138e513ecd794d38505d9e9f198f42efab623ac3380b13377
Instruction ID: b284e0f7223fab76c5ff51a53cbf8e959b8ab3aebe5dea673da4abf37ceb1e0c
Opcode Fuzzy Hash: b08bb2783678b10138e513ecd794d38505d9e9f198f42efab623ac3380b13377
Instruction Fuzzy Hash: 1112EE20E24658C6EB24DF64D8507DEB232EF68300F1090E9914DEB7A5E77A4F81CF5A

Function 00E67A51 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00E67AAB
_memmove.LIBCMT ref: 00E67B16

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 40fbce4a1fea4cfe3bf1a015a5a2827c9472d34ae18aa590b79f6fb0e3b65f37
Instruction ID: be0ad0c3145088cbbd2f4ff073f925be22407186f5131d7a531138c9ed183903
Opcode Fuzzy Hash: 40fbce4a1fea4cfe3bf1a015a5a2827c9472d34ae18aa590b79f6fb0e3b65f37
Instruction Fuzzy Hash: B931E5B1604606AFC704DF68D8D1E69F3E9FF483687149629E569DB391EB30ED20CB90

Function 00E647D0 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00E64834

Part of subcall function 00E8336C: __lock.LIBCMT ref: 00E83372
Part of subcall function 00E8336C: DecodePointer.KERNEL32(00000001,?,00E64849,00EB7C74), ref: 00E8337E
Part of subcall function 00E8336C: EncodePointer.KERNEL32(?,?,00E64849,00EB7C74), ref: 00E83389

Part of subcall function 00E648FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00E64915
Part of subcall function 00E648FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00E6492A

Part of subcall function 00E63B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00E63B68
Part of subcall function 00E63B3A: IsDebuggerPresent.KERNEL32 ref: 00E63B7A
Part of subcall function 00E63B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,00F252F8,00F252E0,?,?), ref: 00E63BEB
Part of subcall function 00E63B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00E63C6F

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00E64874

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: d63f29dd37f1cd85e80b28beca11f395042f7412556ca1dbf6dc8cbd64ca3a16
Instruction ID: abcb12e870bc7a6bfbb52e74bfe5f88892816cb3edd550523ff624f07879fdc6
Opcode Fuzzy Hash: d63f29dd37f1cd85e80b28beca11f395042f7412556ca1dbf6dc8cbd64ca3a16
Instruction Fuzzy Hash: 87118E71904349DFD710EF29EC4591ABBE8EB85B90F10451EF084A72B1DB709649DB92

Function 00E80DB6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00E8571C: __FF_MSGBANNER.LIBCMT ref: 00E85733
Part of subcall function 00E8571C: __NMSG_WRITE.LIBCMT ref: 00E8573A
Part of subcall function 00E8571C: RtlAllocateHeap.NTDLL(01020000,00000000,00000001,00000000,?,?,?,00E80DD3,?), ref: 00E8575F

std::exception::exception.LIBCMT ref: 00E80DEC
__CxxThrowException@8.LIBCMT ref: 00E80E01

Part of subcall function 00E8859B: RaiseException.KERNEL32(?,?,?,00F19E78,00000000,?,?,?,?,00E80E06,?,00F19E78,?,00000001), ref: 00E885F0

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 150c61791bc32065a4958ab01dfae698e23f87a5950e959f19cb0c378a79bac8
Instruction ID: 5d659fce48e7a025844a92851fc1bf0860c0213bf397a78492e674295b5475a3
Opcode Fuzzy Hash: 150c61791bc32065a4958ab01dfae698e23f87a5950e959f19cb0c378a79bac8
Instruction Fuzzy Hash: 76F0813250021E66CB11BAA4ED129EF7BE89F01355F10642AFE1CB6291EFB19A84D3D1

Function 00E853A6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00E88B28: __getptd_noexit.LIBCMT ref: 00E88B28

__lock_file.LIBCMT ref: 00E853EB

Part of subcall function 00E86C11: __lock.LIBCMT ref: 00E86C34

__fclose_nolock.LIBCMT ref: 00E853F6

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 8c7f597aa336db3677c1225a31e72d92d2ba51c361b654928486869f215b8cd3
Instruction ID: 4ab24a38f0ffb43b26aeb3e40e19da8317f583f26065f18e8580275b66b11b67
Opcode Fuzzy Hash: 8c7f597aa336db3677c1225a31e72d92d2ba51c361b654928486869f215b8cd3
Instruction Fuzzy Hash: C1F0BB32801A049AD7117F759D017ED77E06F41375F60A104E82CBB1C1CFFC8A415B52

Function 00E80C08 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00E80CB7

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: fc4e0a80f5e8068a9878816e3157679d48445cb6a621add1991e77b4a3e719a1
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 8B31E270A001059FC798EF48C594A69F7A6FB49314B24A7A5E80EEB351D731EDC5DBC0

Function 00E9FCAC Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00E9FCB7

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 7dcff11a469c123881e5f2c896ecfc07290f53460de0a6e1e8cb1576b391e7f9
Instruction ID: b2393e3bc5392a7e129092fb8212a3d54beb9f98f5dbe10d38d3a4714812dae2
Opcode Fuzzy Hash: 7dcff11a469c123881e5f2c896ecfc07290f53460de0a6e1e8cb1576b391e7f9
Instruction Fuzzy Hash: 44410774A443518FDB24DF14C454B1ABBE1BF85358F0998ACE89AAB362C732E845CF52

Function 00E67B53 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00E67BB3

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: e3eb7f3f946ac72f8c0baba0616297f8660f1e61503c47d7779fce05d9b250c7
Instruction ID: 81c43c013cf705b50e97ba7f5c514c4a157ce4580517fbdf2a4cf2b2cdaf9b83
Opcode Fuzzy Hash: e3eb7f3f946ac72f8c0baba0616297f8660f1e61503c47d7779fce05d9b250c7
Instruction Fuzzy Hash: 2F213672604A09EBDF14CF11F8417A9BBB4FB14394F21942DE5CAE5290EB7080D0D745

Function 00E806FE Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eabce923d582889ec4d559243424d6a22c0faf760015921450efb0c28694d86b
Instruction ID: 3d77a47c6697a67259cf3295078566f42bab773988486ef1c6dc2380633c4527
Opcode Fuzzy Hash: eabce923d582889ec4d559243424d6a22c0faf760015921450efb0c28694d86b
Instruction Fuzzy Hash: 74217836408248AFC7617A685C455FE73949F90370B204B5BE47D714E1E666149ECF45

Function 00E64DDD Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E64BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00E64BEF

Part of subcall function 00E8525B: __wfsopen.LIBCMT ref: 00E85266

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00F252F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00E64E0F

Part of subcall function 00E64B6A: FreeLibrary.KERNEL32(00000000), ref: 00E64BA4

Part of subcall function 00E64C70: _memmove.LIBCMT ref: 00E64CBA

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 5691eb84015bc485b09196eb0a5250e0f6aafb3761ae79704afab8a662584508
Instruction ID: f488c552a506d9f631e29989194d3f12e485ed4c79d9e8576183056d57c317a5
Opcode Fuzzy Hash: 5691eb84015bc485b09196eb0a5250e0f6aafb3761ae79704afab8a662584508
Instruction Fuzzy Hash: 9911E372680209ABCF25BF70DC16FAD77E8AF44790F109829F541BB1C2EE729A019B50

Function 00E9FD85 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00E9FD91

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: a457f12b6db89d397195421aff97852ee080e11c378cce50938a373f9afdf603
Instruction ID: 85f311f1d62f9db7988b0840f9b253986262d2f23f5b05ca7d2e695de62a0c4b
Opcode Fuzzy Hash: a457f12b6db89d397195421aff97852ee080e11c378cce50938a373f9afdf603
Instruction Fuzzy Hash: E1214870A48341DFCB14DF14D444A1ABBE0BF88358F09986CF89A6B722D731E808CF52

Function 00E84863 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00E848A6

Part of subcall function 00E88B28: __getptd_noexit.LIBCMT ref: 00E88B28

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: c548fcb8e0656397bead61814811f36a309078ace8c9ac05b02bb8f7b667aa5c
Instruction ID: 958d20b176f2c3fc3e4c8296c835eb358f92a431204466abb596106841c1ed8a
Opcode Fuzzy Hash: c548fcb8e0656397bead61814811f36a309078ace8c9ac05b02bb8f7b667aa5c
Instruction Fuzzy Hash: 6AF0F471800206ABDF15BF608C053DE36E0EF00324F006404F81CB61C1CB788951DF41

Function 00E64E4A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00F252F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00E64E7E

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 4dd5635d92b4f9e7c16e389e0dc5327e1b46c601e3a4a3682d6deb4aea836135
Instruction ID: 6598f1091070dc8297f0f341a35786a2623eff6c97e62a7707c10074e67f9ea4
Opcode Fuzzy Hash: 4dd5635d92b4f9e7c16e389e0dc5327e1b46c601e3a4a3682d6deb4aea836135
Instruction Fuzzy Hash: 2CF039B1581B11CFCB349F64E894852BBF1BF143A93209A3EE1DBAA661C7339944DF40

Function 00E80791 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00E807B0

Part of subcall function 00E67BCC: _memmove.LIBCMT ref: 00E67C06

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: db34e59bca9636de61c11aa71e29135b153d68bb2aef2956be6fc87f0283c284
Instruction ID: e76dbc43e3410f0c74c502d00d9582de4eb27b7c0d4262625ef2d0cbad9ccc1e
Opcode Fuzzy Hash: db34e59bca9636de61c11aa71e29135b153d68bb2aef2956be6fc87f0283c284
Instruction Fuzzy Hash: 78E086369441285BC72096599C05FEA77DDDB886A0F0441B5FD08E7258D9609C808690

Function 00E8525B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00E85266

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 603e97744dde3d3248646396747bc2c830a66eb9f2e0bbf3c8cbae2a2563413b
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: DEB0927644020C77CE012A82EC02A493B699B41764F408020FB0C28172AA73A6649A89

Function 010BC904 Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 010BC919

Memory Dump Source

Source File: 00000000.00000002.2188584144.00000000010BA000.00000040.00000020.00020000.00000000.sdmp, Offset: 010BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ba000_8BzIVoQT3w.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: 9cdd9e41f2caa72c9c10c56a04415041b8f17f6d437b4cfa68d899fcc0c7fc62
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: BEE0BF7494110DEFDB00DFA4D64D6ED7BB4EF04301F1005A1FD05D7680DB309E548A66

Function 010BC908 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 010BC919

Memory Dump Source

Source File: 00000000.00000002.2188584144.00000000010BA000.00000040.00000020.00020000.00000000.sdmp, Offset: 010BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ba000_8BzIVoQT3w.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 6d4201922d5e077df31450e2b07f7ed7e02167ea694fa246536af03739744f63
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 48E0BF7494110DAFDB00DFA4D6496ED7BB4EF04301F100161FD0192280D63099508A62

Non-executed Functions

Function 00EECABC Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 632windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00E62612: GetWindowLongW.USER32(?,000000EB), ref: 00E62623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00EECB37
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00EECB95
GetWindowLongW.USER32(?,000000F0), ref: 00EECBD6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00EECC00
SendMessageW.USER32 ref: 00EECC29
_wcsncpy.LIBCMT ref: 00EECC95
GetKeyState.USER32(00000011), ref: 00EECCB6
GetKeyState.USER32(00000009), ref: 00EECCC3
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00EECCD9
GetKeyState.USER32(00000010), ref: 00EECCE3
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00EECD0C
SendMessageW.USER32 ref: 00EECD33
SendMessageW.USER32(?,00001030,?,00EEB348), ref: 00EECE37
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00EECE4D
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00EECE60
SetCapture.USER32(?), ref: 00EECE69
ClientToScreen.USER32(?,?), ref: 00EECECE
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00EECEDB
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00EECEF5
ReleaseCapture.USER32 ref: 00EECF00
GetCursorPos.USER32(?), ref: 00EECF3A
ScreenToClient.USER32(?,?), ref: 00EECF47
SendMessageW.USER32(?,00001012,00000000,?), ref: 00EECFA3
SendMessageW.USER32 ref: 00EECFD1
SendMessageW.USER32(?,00001111,00000000,?), ref: 00EED00E
SendMessageW.USER32 ref: 00EED03D
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00EED05E
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00EED06D
GetCursorPos.USER32(?), ref: 00EED08D
ScreenToClient.USER32(?,?), ref: 00EED09A
GetParent.USER32(?), ref: 00EED0BA
SendMessageW.USER32(?,00001012,00000000,?), ref: 00EED123
SendMessageW.USER32 ref: 00EED154
ClientToScreen.USER32(?,?), ref: 00EED1B2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00EED1E2
SendMessageW.USER32(?,00001111,00000000,?), ref: 00EED20C
SendMessageW.USER32 ref: 00EED22F
ClientToScreen.USER32(?,?), ref: 00EED281
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00EED2B5

Part of subcall function 00E625DB: GetWindowLongW.USER32(?,000000EB), ref: 00E625EC

GetWindowLongW.USER32(?,000000F0), ref: 00EED351

Strings

@GUI_DRAGID, xrefs: 00EECE9C
F, xrefs: 00EED235

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 3977979337-4164748364
Opcode ID: 6e19e1b2e8b9e7d75714af49e0def154d717c8456b53c3abb8fd8f9563b6a854
Instruction ID: 5f0f3bbcb909258432f150892f434247016aebfe2bdc0a17088c235e8afd857d
Opcode Fuzzy Hash: 6e19e1b2e8b9e7d75714af49e0def154d717c8456b53c3abb8fd8f9563b6a854
Instruction Fuzzy Hash: 3A42DE342042C9AFD724CF26C884AAABBE5FF48714F24191DF655EB2B0C771D846DB92

Function 00E76F9E Relevance: 52.3, APIs: 19, Strings: 8, Instructions: 5018COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00E771C3
_memset.LIBCMT ref: 00E77539
_memmove.LIBCMT ref: 00E776AC

Strings

[:>:]], xrefs: 00E77492
\b(?<=\w), xrefs: 00EB3773
3c, xrefs: 00EB23A0
Q\E, xrefs: 00E77FCB
DEFINE, xrefs: 00EB2103
_, xrefs: 00EB23CB
[:<:]], xrefs: 00E77479
\b(?=\w), xrefs: 00EB3769

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: _memmove$_memset
String ID: 3c$DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)$_
API String ID: 1357608183-3681475764
Opcode ID: 5ba8b6f671b648b9ddc9300e3e22fa66d6f1d1aa0588028ea9e7569d3ad85716
Instruction ID: e2a6564446ab66c62ba846a9ca78f4e4878ddb7b716b43985fca1ecf89a19c9e
Opcode Fuzzy Hash: 5ba8b6f671b648b9ddc9300e3e22fa66d6f1d1aa0588028ea9e7569d3ad85716
Instruction Fuzzy Hash: 2A93A371E00219DBDB24CFA8C8917EEB7B1FF48314F25916AE959BB291E7709D81CB40

Function 00E648D7 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 00E648DF
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00E9D665
IsIconic.USER32(?), ref: 00E9D66E
ShowWindow.USER32(?,00000009), ref: 00E9D67B
SetForegroundWindow.USER32(?), ref: 00E9D685
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00E9D69B
GetCurrentThreadId.KERNEL32 ref: 00E9D6A2
GetWindowThreadProcessId.USER32(?,00000000), ref: 00E9D6AE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00E9D6BF
AttachThreadInput.USER32(?,00000000,00000001), ref: 00E9D6C7
AttachThreadInput.USER32(00000000,?,00000001), ref: 00E9D6CF
SetForegroundWindow.USER32(?), ref: 00E9D6D2
MapVirtualKeyW.USER32(00000012,00000000), ref: 00E9D6E7
keybd_event.USER32(00000012,00000000), ref: 00E9D6F2
MapVirtualKeyW.USER32(00000012,00000000), ref: 00E9D6FC
keybd_event.USER32(00000012,00000000), ref: 00E9D701
MapVirtualKeyW.USER32(00000012,00000000), ref: 00E9D70A
keybd_event.USER32(00000012,00000000), ref: 00E9D70F
MapVirtualKeyW.USER32(00000012,00000000), ref: 00E9D719
keybd_event.USER32(00000012,00000000), ref: 00E9D71E
SetForegroundWindow.USER32(?), ref: 00E9D721
AttachThreadInput.USER32(?,?,00000000), ref: 00E9D748

Strings

Shell_TrayWnd, xrefs: 00E9D660

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 7dbf9efd1a1c42499f5099c49c42c95f6c5b80af9d0503bb506ff22cbdce5aa1
Instruction ID: 3543dd6ac8403d564f67129b20997798c4b03398993ed55c28c0abadbbfdd228
Opcode Fuzzy Hash: 7dbf9efd1a1c42499f5099c49c42c95f6c5b80af9d0503bb506ff22cbdce5aa1
Instruction Fuzzy Hash: CB317571A4035CBFEF206BA29C89F7F7E6CEB44B50F104025FA04FA1D1C6B15D55AAA1

Function 00EB8310 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00EB87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00EB882B
Part of subcall function 00EB87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00EB8858
Part of subcall function 00EB87E1: GetLastError.KERNEL32 ref: 00EB8865

_memset.LIBCMT ref: 00EB8353
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00EB83A5
CloseHandle.KERNEL32(?), ref: 00EB83B6
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00EB83CD
GetProcessWindowStation.USER32 ref: 00EB83E6
SetProcessWindowStation.USER32(00000000), ref: 00EB83F0
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00EB840A

Part of subcall function 00EB81CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00EB8309), ref: 00EB81E0
Part of subcall function 00EB81CB: CloseHandle.KERNEL32(?,?,00EB8309), ref: 00EB81F2

Strings

winsta0, xrefs: 00EB83C8
, xrefs: 00EB8362
default, xrefs: 00EB8405

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: ca73ffc708d250ed64426e5747af443b8843d2be80faa71c0746b08124cc0eab
Instruction ID: 5fee2df23908031866b38dee63ceb231a97d1ea37bfe61f75fad534e452d12e0
Opcode Fuzzy Hash: ca73ffc708d250ed64426e5747af443b8843d2be80faa71c0746b08124cc0eab
Instruction Fuzzy Hash: 65816971801249AFDF219FA4CE85AEF7BBCEF04308F146169F914B6261DB318E14DB60

Function 00ECC75C Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00ECC78D
FindClose.KERNEL32(00000000), ref: 00ECC7E1
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00ECC806
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00ECC81D
FileTimeToSystemTime.KERNEL32(?,?), ref: 00ECC844
__swprintf.LIBCMT ref: 00ECC890
__swprintf.LIBCMT ref: 00ECC8D3

Part of subcall function 00E67DE1: _memmove.LIBCMT ref: 00E67E22

__swprintf.LIBCMT ref: 00ECC927

Part of subcall function 00E83698: __woutput_l.LIBCMT ref: 00E836F1

__swprintf.LIBCMT ref: 00ECC975

Part of subcall function 00E83698: __flsbuf.LIBCMT ref: 00E83713
Part of subcall function 00E83698: __flsbuf.LIBCMT ref: 00E8372B

__swprintf.LIBCMT ref: 00ECC9C4
__swprintf.LIBCMT ref: 00ECCA13
__swprintf.LIBCMT ref: 00ECCA62

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00ECC88A
%4d, xrefs: 00ECC8CD
%02d, xrefs: 00ECC91B, 00ECC925, 00ECC973, 00ECC9C2, 00ECCA11, 00ECCA60

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 60bddfe6d823cc08f31374d04d09c0a873f3b660bbae4ab9653457244e84ea59
Instruction ID: 5636f0bd13d1f93d97613b0d960e577aa6c905201a198a4668cac9320a627b14
Opcode Fuzzy Hash: 60bddfe6d823cc08f31374d04d09c0a873f3b660bbae4ab9653457244e84ea59
Instruction Fuzzy Hash: 56A15DB2408344ABC704EFA4D985DAFB7ECFF94744F40191DF595A6192EB31EA08CB62

Function 00ECEF95 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00ECEFB6
_wcscmp.LIBCMT ref: 00ECEFCB
_wcscmp.LIBCMT ref: 00ECEFE2
GetFileAttributesW.KERNEL32(?), ref: 00ECEFF4
SetFileAttributesW.KERNEL32(?,?), ref: 00ECF00E
FindNextFileW.KERNEL32(00000000,?), ref: 00ECF026
FindClose.KERNEL32(00000000), ref: 00ECF031
FindFirstFileW.KERNEL32(*.*,?), ref: 00ECF04D
_wcscmp.LIBCMT ref: 00ECF074
_wcscmp.LIBCMT ref: 00ECF08B
SetCurrentDirectoryW.KERNEL32(?), ref: 00ECF09D
SetCurrentDirectoryW.KERNEL32(00F18920), ref: 00ECF0BB
FindNextFileW.KERNEL32(00000000,00000010), ref: 00ECF0C5
FindClose.KERNEL32(00000000), ref: 00ECF0D2
FindClose.KERNEL32(00000000), ref: 00ECF0E4

Strings

*.*, xrefs: 00ECF048

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 6691621ccada8afe8b596e5ecc3c7f90a7165bc9c3ad0ee464bbb975f051f289
Instruction ID: e88a8e62e0151d44442ef63eb0508132bc8fea0145ee84d8931bb2213e5e17d8
Opcode Fuzzy Hash: 6691621ccada8afe8b596e5ecc3c7f90a7165bc9c3ad0ee464bbb975f051f289
Instruction Fuzzy Hash: D231053250024C6EDB14ABB1DD9AFEE77AD9F48764F104179F804F20A1DB71DA85CB51

Function 00EE0857 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00EE0953
RegCreateKeyExW.ADVAPI32(?,?,00000000,00EEF910,00000000,?,00000000,?,?), ref: 00EE09C1
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00EE0A09
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00EE0A92
RegCloseKey.ADVAPI32(?), ref: 00EE0DB2
RegCloseKey.ADVAPI32(00000000), ref: 00EE0DBF

Strings

REG_BINARY, xrefs: 00EE0D4D
REG_MULTI_SZ, xrefs: 00EE0B7A
REG_QWORD, xrefs: 00EE0D00
REG_SZ, xrefs: 00EE0AD0
REG_DWORD, xrefs: 00EE0C83
REG_EXPAND_SZ, xrefs: 00EE0A2F

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 8267f290d1585e59e196016a531179ca2dc4d4ea7b4e7c52a7802a6410dc3bfa
Instruction ID: b660ff26838a88b5214406f154a6cdf3e0df835ed3cc29919c150c9f87ed94c3
Opcode Fuzzy Hash: 8267f290d1585e59e196016a531179ca2dc4d4ea7b4e7c52a7802a6410dc3bfa
Instruction Fuzzy Hash: E7027A756006459FCB14EF25D891E2AB7E5FF89324F04985CF89AAB362CB70EC45CB81

Function 00ECF0F2 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00ECF113
_wcscmp.LIBCMT ref: 00ECF128
_wcscmp.LIBCMT ref: 00ECF13F

Part of subcall function 00EC4385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00EC43A0

FindNextFileW.KERNEL32(00000000,?), ref: 00ECF16E
FindClose.KERNEL32(00000000), ref: 00ECF179
FindFirstFileW.KERNEL32(*.*,?), ref: 00ECF195
_wcscmp.LIBCMT ref: 00ECF1BC
_wcscmp.LIBCMT ref: 00ECF1D3
SetCurrentDirectoryW.KERNEL32(?), ref: 00ECF1E5
SetCurrentDirectoryW.KERNEL32(00F18920), ref: 00ECF203
FindNextFileW.KERNEL32(00000000,00000010), ref: 00ECF20D
FindClose.KERNEL32(00000000), ref: 00ECF21A
FindClose.KERNEL32(00000000), ref: 00ECF22C

Strings

*.*, xrefs: 00ECF190

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: b9165fb4b29a9b1b126a15c706973ee66a97e4faa2e591b65ecae8ce38565427
Instruction ID: 784a84fa513156abb00df394af00a598f5c01f3fbc27e3b9e6f97ef5b84bd116
Opcode Fuzzy Hash: b9165fb4b29a9b1b126a15c706973ee66a97e4faa2e591b65ecae8ce38565427
Instruction Fuzzy Hash: 3531253650024DAEDB14ABB0ED98FEE77AE9F48364F141179F804F20A1DB32DE46CA54

Function 00ECA1EF Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00ECA20F
__swprintf.LIBCMT ref: 00ECA231
CreateDirectoryW.KERNEL32(?,00000000), ref: 00ECA26E
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00ECA293
_memset.LIBCMT ref: 00ECA2B2
_wcsncpy.LIBCMT ref: 00ECA2EE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00ECA323
CloseHandle.KERNEL32(00000000), ref: 00ECA32E
RemoveDirectoryW.KERNEL32(?), ref: 00ECA337
CloseHandle.KERNEL32(00000000), ref: 00ECA341

Strings

\, xrefs: 00ECA247
\??\%s, xrefs: 00ECA22B
:, xrefs: 00ECA252

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: ce7faccf5ea40dd1abd434c523e418dab639647523a7a4ef112f2656b1766d48
Instruction ID: 3bb9c784475f9859173885be74d8886ccd268e9315dd9c5a529b75335302299e
Opcode Fuzzy Hash: ce7faccf5ea40dd1abd434c523e418dab639647523a7a4ef112f2656b1766d48
Instruction Fuzzy Hash: F831BFB190014DABDB20DFA5DC89FEF37BCAF88704F1440BAFA08E6160E77196458B25

Function 00EB7CAF Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00EB8202: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00EB821E
Part of subcall function 00EB8202: GetLastError.KERNEL32(?,00EB7CE2,?,?,?), ref: 00EB8228
Part of subcall function 00EB8202: GetProcessHeap.KERNEL32(00000008,?,?,00EB7CE2,?,?,?), ref: 00EB8237
Part of subcall function 00EB8202: HeapAlloc.KERNEL32(00000000,?,00EB7CE2,?,?,?), ref: 00EB823E
Part of subcall function 00EB8202: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00EB8255

Part of subcall function 00EB829F: GetProcessHeap.KERNEL32(00000008,00EB7CF8,00000000,00000000,?,00EB7CF8,?), ref: 00EB82AB
Part of subcall function 00EB829F: HeapAlloc.KERNEL32(00000000,?,00EB7CF8,?), ref: 00EB82B2
Part of subcall function 00EB829F: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00EB7CF8,?), ref: 00EB82C3

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00EB7D13
_memset.LIBCMT ref: 00EB7D28
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00EB7D47
GetLengthSid.ADVAPI32(?), ref: 00EB7D58
GetAce.ADVAPI32(?,00000000,?), ref: 00EB7D95
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00EB7DB1
GetLengthSid.ADVAPI32(?), ref: 00EB7DCE
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00EB7DDD
HeapAlloc.KERNEL32(00000000), ref: 00EB7DE4
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00EB7E05
CopySid.ADVAPI32(00000000), ref: 00EB7E0C
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00EB7E3D
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00EB7E63
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00EB7E77

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 31207785dbb2458a062eb53dda7b146490515fb1bb8fa605435ef3e466817270
Instruction ID: 02a82357fa3576beb1c7c4b5722f31d49b16c41056f5ecf0a2eecbdc3ba7f931
Opcode Fuzzy Hash: 31207785dbb2458a062eb53dda7b146490515fb1bb8fa605435ef3e466817270
Instruction Fuzzy Hash: 3E612871904209AFDF019FA5DC85AEEBBB9FF44304F048269F955BA291DB319E05CB60

Function 00E766E1 Relevance: 20.9, Strings: 16, Instructions: 889COMMON

Download Yara Rule

Strings

UTF16), xrefs: 00EB10CF
BSR_UNICODE), xrefs: 00EB1338
ANY), xrefs: 00EB12DE
CR), xrefs: 00EB1287
3c, xrefs: 00E768FF
CRLF), xrefs: 00EB12C1
LIMIT_RECURSION=, xrefs: 00EB11FC
NO_AUTO_POSSESS), xrefs: 00EB112E
NO_START_OPT), xrefs: 00EB114F
ANYCRLF), xrefs: 00EB12FB
UTF), xrefs: 00EB10FA
LF), xrefs: 00EB12A4
BSR_ANYCRLF), xrefs: 00EB131E
UCP), xrefs: 00EB110D
LIMIT_MATCH=, xrefs: 00EB1170
_, xrefs: 00EB1465, 00EB150C, 00EB15B4

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID:
String ID: 3c$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$_
API String ID: 0-4228276721
Opcode ID: 6fbf812428896340f454f93b41ee70f8b7b97cefb1fa73d2df23408398ab187b
Instruction ID: fb203b19849e821a134cde714e5698c2f76a835075f5dc6ede3c61c72aa01698
Opcode Fuzzy Hash: 6fbf812428896340f454f93b41ee70f8b7b97cefb1fa73d2df23408398ab187b
Instruction Fuzzy Hash: DD727D71E006198BDB24CF59C8907EEB7F5FF44324F5491AAE849FB291E7309A81DB90

Function 00EC001C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00EC0097
SetKeyboardState.USER32(?), ref: 00EC0102
GetAsyncKeyState.USER32(000000A0), ref: 00EC0122
GetKeyState.USER32(000000A0), ref: 00EC0139
GetAsyncKeyState.USER32(000000A1), ref: 00EC0168
GetKeyState.USER32(000000A1), ref: 00EC0179
GetAsyncKeyState.USER32(00000011), ref: 00EC01A5
GetKeyState.USER32(00000011), ref: 00EC01B3
GetAsyncKeyState.USER32(00000012), ref: 00EC01DC
GetKeyState.USER32(00000012), ref: 00EC01EA
GetAsyncKeyState.USER32(0000005B), ref: 00EC0213
GetKeyState.USER32(0000005B), ref: 00EC0221

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 79abfe851c642151cf9e8acec0b20b8bd8286c91f4a3497e1fe7b977a3a48918
Instruction ID: 58bb84d2162c27154b512ac87cab15a267ffc4919205f6e7929785e07d130737
Opcode Fuzzy Hash: 79abfe851c642151cf9e8acec0b20b8bd8286c91f4a3497e1fe7b977a3a48918
Instruction Fuzzy Hash: 1F51F8209043C899FB35DBA08A55FEAFFF49F01384F08559ED9C1261C3DAA69B8DC761

Function 00EE03DA Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00EDFDAD,?,?), ref: 00EE0E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00EE04AC

Part of subcall function 00E69837: __itow.LIBCMT ref: 00E69862
Part of subcall function 00E69837: __swprintf.LIBCMT ref: 00E698AC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00EE054B
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00EE05E3
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00EE0822
RegCloseKey.ADVAPI32(00000000), ref: 00EE082F

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 29ed87edff2e67005a7ca0da59ff56dd433b1605a64c2a3ec89d9ebfd71bd6af
Instruction ID: 17217df27b46cbb14e3dd36e5b3a169c1c7352811149e0bde9b9f32b9421d62a
Opcode Fuzzy Hash: 29ed87edff2e67005a7ca0da59ff56dd433b1605a64c2a3ec89d9ebfd71bd6af
Instruction Fuzzy Hash: 7CE16F71204244AFCB14DF65C891E6ABBE8EF89314F04996DF849EB262D730ED45CB91

Function 00ED83BB Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00E69837: __itow.LIBCMT ref: 00E69862
Part of subcall function 00E69837: __swprintf.LIBCMT ref: 00E698AC

CoInitialize.OLE32 ref: 00ED8403
CoUninitialize.OLE32 ref: 00ED840E
CoCreateInstance.OLE32(?,00000000,00000017,00EF2BEC,?), ref: 00ED846E
IIDFromString.OLE32(?,?), ref: 00ED84E1
VariantInit.OLEAUT32(?), ref: 00ED857B
VariantClear.OLEAUT32(?), ref: 00ED85DC

Strings

Invalid parameter, xrefs: 00ED84FA
Failed to create object, xrefs: 00ED8479, 00ED852F
NULL Pointer assignment, xrefs: 00ED84B3

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 1ff799595436bae9fad83f6d26b4dfbd6d9b62b0f683cd99510b11ef21fb6e85
Instruction ID: 3e336f5aeb147ee3e604e6d6ff18f5ec19e11e5bc5114c19a379ea87827a7796
Opcode Fuzzy Hash: 1ff799595436bae9fad83f6d26b4dfbd6d9b62b0f683cd99510b11ef21fb6e85
Instruction Fuzzy Hash: DC61AC706083129FC714DF54DA88FAAB7E8EF49754F00541AF991AB391CB70ED4ACB92

Function 00ED4164 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00ED418B
EmptyClipboard.USER32 ref: 00ED4191
GlobalAlloc.KERNEL32(00000002,?), ref: 00ED41A6
CloseClipboard.USER32 ref: 00ED4245

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 3f9b119436d6200c37fdcbd0c81d070ee0f7b735ae6720940bc263a904c1d03b
Instruction ID: 1a0a1cc8a1e6b17af39a7fde4415799d613073635fe282e7c5c6688935d84603
Opcode Fuzzy Hash: 3f9b119436d6200c37fdcbd0c81d070ee0f7b735ae6720940bc263a904c1d03b
Instruction Fuzzy Hash: 49219F75201219DFDB11AF65EC49B6A7BA8EF54750F10802AF946BB2B1DB30AD01CB94

Function 00EC37EF Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00E64750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E64743,?,?,00E637AE,?), ref: 00E64770

Part of subcall function 00EC4A31: GetFileAttributesW.KERNEL32(?,00EC370B), ref: 00EC4A32

FindFirstFileW.KERNEL32(?,?), ref: 00EC38A3
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00EC394B
MoveFileW.KERNEL32(?,?), ref: 00EC395E
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00EC397B
FindNextFileW.KERNEL32(00000000,00000010), ref: 00EC399D
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00EC39B9

Strings

\*.*, xrefs: 00EC384E, 00EC3857, 00EC386C

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 7dbbd995906e445ecb269179948d76a5092ef1ba4d697fb6345aa677c3eb69a9
Instruction ID: e6c55c63def4db565f373c5367f20ec31c595b7665bec129715d330837bd1ce8
Opcode Fuzzy Hash: 7dbbd995906e445ecb269179948d76a5092ef1ba4d697fb6345aa677c3eb69a9
Instruction Fuzzy Hash: EF51907184414C9ACF05EBA0EA92EEDB7B8AF54344F60506DE44277191EF326F0ACB61

Function 00ECF3F3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00E67DE1: _memmove.LIBCMT ref: 00E67E22

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00ECF440
Sleep.KERNEL32(0000000A), ref: 00ECF470
_wcscmp.LIBCMT ref: 00ECF484
_wcscmp.LIBCMT ref: 00ECF49F
FindNextFileW.KERNEL32(?,?), ref: 00ECF53D
FindClose.KERNEL32(00000000), ref: 00ECF553

Strings

*.*, xrefs: 00ECF425

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 7fc68d016eaf0629468ba34b5177d388e1075e7c2768c9c3b26a7d98a16abf3f
Instruction ID: d70615a831a153292e6d63ec3488379145f6b503902f8353cdbacdb881cba6eb
Opcode Fuzzy Hash: 7fc68d016eaf0629468ba34b5177d388e1075e7c2768c9c3b26a7d98a16abf3f
Instruction Fuzzy Hash: 2A418A7190020AAFCF14EF64D944BEEBBB5FF04314F10546AE818B6290DB319E89CB50

Function 00E73030 Relevance: 11.1, APIs: 4, Strings: 2, Instructions: 587COMMON

Download Yara Rule

Strings

3c, xrefs: 00E73225
_, xrefs: 00E73322

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: __itow__swprintf
String ID: 3c$_
API String ID: 674341424-4099079164
Opcode ID: 24f1156988b1709287b6d054af58a21b843361a84201be10aa62dac885664d6c
Instruction ID: 8cfeb4e208297e17678783932ac21579a217e05f04172a5bf241843c0ed6ae56
Opcode Fuzzy Hash: 24f1156988b1709287b6d054af58a21b843361a84201be10aa62dac885664d6c
Instruction Fuzzy Hash: 4922B1716083009FC764DF24D891BAFB7E4EF89714F04991DF49AAB291EB71E904CB92

Function 00E75760 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00E758A5
_memmove.LIBCMT ref: 00E758F5
_memmove.LIBCMT ref: 00E7595B

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: eeda16fb091f47049385e0ae64ae149a2ee4cfd1df979f5811323b8b0babd2ca
Instruction ID: 9eb79957bf10a1b32b3490d9d25f16d3150ee9baa71635a9178bf85d6029b72a
Opcode Fuzzy Hash: eeda16fb091f47049385e0ae64ae149a2ee4cfd1df979f5811323b8b0babd2ca
Instruction Fuzzy Hash: DE129A71A00609DFDF18DFA4D981AEEB3F5FF88300F109529E85AB7250EB75A914CB51

Function 00EC3B12 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00E64750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E64743,?,?,00E637AE,?), ref: 00E64770

Part of subcall function 00EC4A31: GetFileAttributesW.KERNEL32(?,00EC370B), ref: 00EC4A32

FindFirstFileW.KERNEL32(?,?), ref: 00EC3B89
DeleteFileW.KERNEL32(?,?,?,?), ref: 00EC3BD9
FindNextFileW.KERNEL32(00000000,00000010), ref: 00EC3BEA
FindClose.KERNEL32(00000000), ref: 00EC3C01
FindClose.KERNEL32(00000000), ref: 00EC3C0A

Strings

\*.*, xrefs: 00EC3B5B

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 10e176378f51cd2d21a784f0afff1238b04e3fac1c58ba8097a56d7d06bb2b0f
Instruction ID: 445abcafc7387cef0a27629ddc3a7e78f69e0257dd29972c5e120a362513bb58
Opcode Fuzzy Hash: 10e176378f51cd2d21a784f0afff1238b04e3fac1c58ba8097a56d7d06bb2b0f
Instruction Fuzzy Hash: 65318F710483849FC300EB64D991DAFB7E8AE95348F405D2DF4E5A2191EB21DE09CB63

Function 00EC51BD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00EB87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00EB882B
Part of subcall function 00EB87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00EB8858
Part of subcall function 00EB87E1: GetLastError.KERNEL32 ref: 00EB8865

ExitWindowsEx.USER32(?,00000000), ref: 00EC51F9

Strings

SeShutdownPrivilege, xrefs: 00EC51C9
@, xrefs: 00EC51EC
, xrefs: 00EC51E7

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: ae4acf216a69cae3fe14bb92de09b3b3cbd8ee6266eb0712e6674642884acad4
Instruction ID: d22c101302f3fb83c6fbe3331f415ec8f83b51661df4efaa02bc217916f6c641
Opcode Fuzzy Hash: ae4acf216a69cae3fe14bb92de09b3b3cbd8ee6266eb0712e6674642884acad4
Instruction Fuzzy Hash: 0101FC336916155BF72C5268AE8AFF772EC9704354F242429F913F61E2D9537C828590

Function 00ED6283 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00ED62DC
WSAGetLastError.WSOCK32(00000000), ref: 00ED62EB
bind.WSOCK32(00000000,?,00000010), ref: 00ED6307
listen.WSOCK32(00000000,00000005), ref: 00ED6316
WSAGetLastError.WSOCK32(00000000), ref: 00ED6330
closesocket.WSOCK32(00000000,00000000), ref: 00ED6344

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 697417eaa589b6242da56d8a8b00d15feae3029ebb4dd2a26ac1d361221b6a0d
Instruction ID: f251aee6ef13ff703de425298d5a8fe23dba64d3d13ad60a897be3cb5758d51c
Opcode Fuzzy Hash: 697417eaa589b6242da56d8a8b00d15feae3029ebb4dd2a26ac1d361221b6a0d
Instruction Fuzzy Hash: 5521EF716002049FCB10EF64D885B6EB7E9EF88324F14916AF816BB392CB70AD06CB51

Function 00E75520 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00E80DB6: std::exception::exception.LIBCMT ref: 00E80DEC
Part of subcall function 00E80DB6: __CxxThrowException@8.LIBCMT ref: 00E80E01

_memmove.LIBCMT ref: 00EB0258
_memmove.LIBCMT ref: 00EB036D
_memmove.LIBCMT ref: 00EB0414

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: c55e97bfd40b96f918e6dc3fc627729c3a851ee6a350d0a25b0f10f9dbb6e48f
Instruction ID: 139c806b6d3b2a7a3c92369d8086ed2e8614c7f421c2ff454875133bea7f448f
Opcode Fuzzy Hash: c55e97bfd40b96f918e6dc3fc627729c3a851ee6a350d0a25b0f10f9dbb6e48f
Instruction Fuzzy Hash: 4A02BF71A00209DBDF08DF64D981AAFBBF5EF44300F14D069E84AEB295EB71E954CB91

Function 00E61287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00E62612: GetWindowLongW.USER32(?,000000EB), ref: 00E62623

DefDlgProcW.USER32(?,?,?,?,?), ref: 00E619FA
GetSysColor.USER32(0000000F), ref: 00E61A4E
SetBkColor.GDI32(?,00000000), ref: 00E61A61

Part of subcall function 00E61290: DefDlgProcW.USER32(?,00000020,?), ref: 00E612D8

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: a14986c3be145870a51643b7a30e3248e9a9066b1f5835732795728d4b7aacc3
Instruction ID: b15adb518f1f63227801dc916c370da1bfe7945177e8484348f4e6ac3dae513a
Opcode Fuzzy Hash: a14986c3be145870a51643b7a30e3248e9a9066b1f5835732795728d4b7aacc3
Instruction Fuzzy Hash: 17A16B70192588BEDA3AAB69BD48DFF359CDB823CEB1C315DF502F5192CA209D01D272

Function 00ECBCBC Relevance: 7.6, APIs: 5, Instructions: 143fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00ECBCE6
_wcscmp.LIBCMT ref: 00ECBD16
_wcscmp.LIBCMT ref: 00ECBD2B
FindNextFileW.KERNEL32(00000000,?), ref: 00ECBD3C
FindClose.KERNEL32(00000000,00000001,00000000), ref: 00ECBD6C

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: 07910d0bbdf704820d2061c1df3493ead1345cb72176031464b395e1bea06387
Instruction ID: 059ec220f566333933b23cea308620fc9c160d9de526a2e3155beef9bbec09ec
Opcode Fuzzy Hash: 07910d0bbdf704820d2061c1df3493ead1345cb72176031464b395e1bea06387
Instruction Fuzzy Hash: 6C51EB75A046028FC718DF28D591EAAB7E8EF49324F00561DF95AAB3A1CB31ED05CB91

Function 00ED6747 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00ED7D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00ED7DB6

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00ED679E
WSAGetLastError.WSOCK32(00000000), ref: 00ED67C7
bind.WSOCK32(00000000,?,00000010), ref: 00ED6800
WSAGetLastError.WSOCK32(00000000), ref: 00ED680D
closesocket.WSOCK32(00000000,00000000), ref: 00ED6821

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: d362042cf703337565f151c0a9edfca27a81f5c3887202ae850a629e3f9e4117
Instruction ID: c8d196a1dba162e98ce56ba89bd6d21b7166fc219c0bbab4aaca9606291e1b4c
Opcode Fuzzy Hash: d362042cf703337565f151c0a9edfca27a81f5c3887202ae850a629e3f9e4117
Instruction Fuzzy Hash: 73410175A40214AFEB14AF649C82F6E77E8DF18794F049559F906BB3C3CA709D018BA2

Function 00EE5376 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00EE53C5
IsWindowEnabled.USER32 ref: 00EE53D3
GetForegroundWindow.USER32(?,?,00000001), ref: 00EE53E0
IsIconic.USER32 ref: 00EE53EE
IsZoomed.USER32 ref: 00EE53FC

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: fad206b8f172cfebe3de8de098c79c727549936310edf03237a256adc0636e8e
Instruction ID: 6e95a83382ec9f6d8a700b175fbf047e8f3b2c383bbaa157b17ad6e48c78fa00
Opcode Fuzzy Hash: fad206b8f172cfebe3de8de098c79c727549936310edf03237a256adc0636e8e
Instruction Fuzzy Hash: BE11B272340A996FDB216F279C84A6A7B98EF447A9F505429F846F7242CB709C018AA4

Function 00EB80A9 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00EB80C0
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00EB80CA
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00EB80D9
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00EB80E0
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00EB80F6

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: d4fa8c720e093776671096498576c80eaaeab87747b60e6ce97c5a42d43b868b
Instruction ID: 4e040454083c18fd8f64d6547ec5e1ff9b5fa26820e45e2efd8ebe270f84d2f9
Opcode Fuzzy Hash: d4fa8c720e093776671096498576c80eaaeab87747b60e6ce97c5a42d43b868b
Instruction Fuzzy Hash: 42F06831242249AFDB104F65ECCDEA73BACEF85759F000025F545E6250CB61DD45DA60

Function 00E64B37 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00E64AD0), ref: 00E64B45
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00E64B57

Strings

GetNativeSystemInfo, xrefs: 00E64B51
kernel32.dll, xrefs: 00E64B40

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 463006f595a3e1cc7689e2e3a81364975d94707ec08843b791068791ff8506b2
Instruction ID: 598722cbbeaa3048ff9885ce80eac2e2353d913a3da5dfa8120a924291344893
Opcode Fuzzy Hash: 463006f595a3e1cc7689e2e3a81364975d94707ec08843b791068791ff8506b2
Instruction Fuzzy Hash: ABD01774A50B5BCFD7209F33E868B0676E4AF46395B11D83EE486FA190E670E880CA54

Function 00EDEE0D Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00EDEE3D
Process32FirstW.KERNEL32(00000000,?), ref: 00EDEE4B

Part of subcall function 00E67DE1: _memmove.LIBCMT ref: 00E67E22

Process32NextW.KERNEL32(00000000,?), ref: 00EDEF0B
CloseHandle.KERNEL32(00000000,?,?,?), ref: 00EDEF1A

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: a443c9914de4038e7591ad3c3e06b7deec7cc14ed9a967161f7d97822026610e
Instruction ID: f689b761cabbf6288a5c62a0734105b6dacaaa44b1faacb266a1614d70f91f1a
Opcode Fuzzy Hash: a443c9914de4038e7591ad3c3e06b7deec7cc14ed9a967161f7d97822026610e
Instruction Fuzzy Hash: 1951A1711083059FD310EF20DC85E6FB7E8EF94784F50582DF895A72A2EB70A909CB92

Function 00EBE616 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00EBE628

Strings

(, xrefs: 00EBE66E
|, xrefs: 00EBE658

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 21c997f49be50b71de55960165392f71f1e203b0a1abc9ecc9bcf64960b1cede
Instruction ID: 735bd2dbf4eddec24ca676deb9275ce3f462292a35aee0f5e3356d345a9578c9
Opcode Fuzzy Hash: 21c997f49be50b71de55960165392f71f1e203b0a1abc9ecc9bcf64960b1cede
Instruction Fuzzy Hash: 11322675A007059FD728DF59C4819AAB7F0FF48320B15D56EE89AEB3A1EB70E941CB40

Function 00ED22EE Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00ED180A,00000000), ref: 00ED23E1
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00ED2418

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 9d457bf3d2f467244b86e0a8a982ec9dac1ffb18a9a46591255b338ef1e0c222
Instruction ID: f91a3990a508f4310673a1faefb9a12eec73cf290f4a336854f79d753a0d3e07
Opcode Fuzzy Hash: 9d457bf3d2f467244b86e0a8a982ec9dac1ffb18a9a46591255b338ef1e0c222
Instruction Fuzzy Hash: 0741D37190420ABFEB209E95DC85EBBB7FCEB50718F10502FFB15B6340DA759E429660

Function 00ECB3FB Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00ECB40B
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00ECB465
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00ECB4B2

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 39649cbeca3cd74f29933f7c20ea7c1c14f0a6f5821a4a25dc1eac6aaf89fea4
Instruction ID: 5559d06866e1b528df891db322e21d7ba4191c68f3070a8651fa26ccc780a4a6
Opcode Fuzzy Hash: 39649cbeca3cd74f29933f7c20ea7c1c14f0a6f5821a4a25dc1eac6aaf89fea4
Instruction Fuzzy Hash: 9C215E75A00508EFCB00EFA5E881EEDBBF8FF49314F1480A9E905AB362DB319915CB51

Function 00EB87E1 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00E80DB6: std::exception::exception.LIBCMT ref: 00E80DEC
Part of subcall function 00E80DB6: __CxxThrowException@8.LIBCMT ref: 00E80E01

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00EB882B
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00EB8858
GetLastError.KERNEL32 ref: 00EB8865

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: d8dd56f368dea68fe9c50d9a1a1d14980060158fb9744eacad6d09e0a00cea51
Instruction ID: c0333e52a2b5043659d5845725a717210bf552a098cfa3dea50758eaac9fe919
Opcode Fuzzy Hash: d8dd56f368dea68fe9c50d9a1a1d14980060158fb9744eacad6d09e0a00cea51
Instruction Fuzzy Hash: 51118FB2414204AFE718EFA4DD85D6BB7FDEB44710B60952EF459A7251EB30BC44CB60

Function 00EB874B Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00EB8774
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00EB878B
FreeSid.ADVAPI32(?), ref: 00EB879B

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: a01259f7bfe76d46714bf2242cf00ece21c656df2efaac759fd1e46e201f2fc4
Instruction ID: 59b85a7b8f4021bc46443b29795d8fb0dfb5839ddd9adca34a12eff6a8db2f5f
Opcode Fuzzy Hash: a01259f7bfe76d46714bf2242cf00ece21c656df2efaac759fd1e46e201f2fc4
Instruction Fuzzy Hash: D4F04975A1130CBFDF00DFF4DD89AAEBBBCEF08211F1044A9F901E6281E6716A088B50

Function 00EC4C7F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 00EC4CB3

Strings

DOWN, xrefs: 00EC4C98

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: mouse_event
String ID: DOWN
API String ID: 2434400541-711622031
Opcode ID: ca1b16eb4ef9387c1dce38edb83274260401dc9d20a2749bc2a050ee4ea20318
Instruction ID: 978e47d7cd542b1da8a74df1917a48ff798b7912908db6cc2763dd1d4274b8c5
Opcode Fuzzy Hash: ca1b16eb4ef9387c1dce38edb83274260401dc9d20a2749bc2a050ee4ea20318
Instruction Fuzzy Hash: ABE04FB11997213CF9042518BD12EF7028C8B22735B20114AF818F54D1DD556C8625BD

Function 00ECC6D1 Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00ECC6FB
FindClose.KERNEL32(00000000), ref: 00ECC72B

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 878fcbe3bbff37ed4c8e242a734cad5458a0760301370d4099bae05cffc2e88e
Instruction ID: ba9e1ac51017bb0a1546f9c15f53d9cb7531a399672bca5624bd29769e8d0262
Opcode Fuzzy Hash: 878fcbe3bbff37ed4c8e242a734cad5458a0760301370d4099bae05cffc2e88e
Instruction Fuzzy Hash: D711A5716002049FDB10DF29D885A6AF7E8FF45364F10851EF9A9E7291DB30AC05CF81

Function 00ECA06A Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00ED9468,?,00EEFB84,?), ref: 00ECA097
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00ED9468,?,00EEFB84,?), ref: 00ECA0A9

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: d97666ffd3c4c56913faa70f4dfc824a7031bc0212d572ee62ab7c190856ad90
Instruction ID: d6d2de99861f95b9e02963a3032925fe477395b8a7c0a482ab34928fb342a4ce
Opcode Fuzzy Hash: d97666ffd3c4c56913faa70f4dfc824a7031bc0212d572ee62ab7c190856ad90
Instruction Fuzzy Hash: 9DF0273510422DBBDB209FA4CC89FEA736CFF083A1F004169F908E7180C7309904CBA1

Function 00EB81CB Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00EB8309), ref: 00EB81E0
CloseHandle.KERNEL32(?,?,00EB8309), ref: 00EB81F2

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: ba1f2390df36260d95caaa8cbaa5d9dbf30a69df72537d775ea1f6e51d5883a0
Instruction ID: f5ffebe2afafde935dfbd1b217deb1c0e052b8692ad05116898b438d14ed97ab
Opcode Fuzzy Hash: ba1f2390df36260d95caaa8cbaa5d9dbf30a69df72537d775ea1f6e51d5883a0
Instruction Fuzzy Hash: 1CE08C32001610AFEB212B21FC08D737BEEEF00311B10982DF8AA94470CB22AC94DB10

Function 00E8A155 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00E88D57,?,?,?,00000001), ref: 00E8A15A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00E8A163

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 9aec236f3c24e17b3e87abc6b4c27403f26760172f5c46f87ec55991a42bc4f6
Instruction ID: 11d2ef25b2e42b5f8b5f6bf0503b1257fa8a0efcfcb624beec63f509b019a495
Opcode Fuzzy Hash: 9aec236f3c24e17b3e87abc6b4c27403f26760172f5c46f87ec55991a42bc4f6
Instruction Fuzzy Hash: CFB0923105424CAFCA002B92EC49B883F68EB44AA2F404020F60D98464CB6255548A91

Function 00E8F1D9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27fbd7b9d75ca411de8c85342dc7671ff6541a60d346ff88794b56ff74253dd8
Instruction ID: 73a08b4fc7f6613d090f49de19de19d30a9b526dcb35be12c4b6bc9941eb0e18
Opcode Fuzzy Hash: 27fbd7b9d75ca411de8c85342dc7671ff6541a60d346ff88794b56ff74253dd8
Instruction Fuzzy Hash: 3732E062D29F014DD723A635D832336A649AFF73D4F15E737E81EB59A5EB28C4838200

Function 00E9242E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b678741cdeb9e3fac7e158072871a3343b41c432587c4110b9acaf3437b7af3f
Instruction ID: 436f7db2103037279148b46893c6de947535022f427bd49cea6b7b45e4ede722
Opcode Fuzzy Hash: b678741cdeb9e3fac7e158072871a3343b41c432587c4110b9acaf3437b7af3f
Instruction Fuzzy Hash: 85B1F260E2AF414DD723963A8831336B65CAFFB2C5F55D72BFC2A74D22EB2185878141

Function 00EC8889 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00EC889B

Part of subcall function 00E8520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00EC8F6E,00000000,?,?,?,?,00EC911F,00000000,?), ref: 00E85213
Part of subcall function 00E8520A: __aulldiv.LIBCMT ref: 00E85233

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: e6639e187dd228b4ee7f228a8fd9f3ddb8f3405cc809daf74c4a7946299a2773
Instruction ID: 83043c4d3fa5521619a611647722595446136ebf1c72cdef5bae276d22f6fd0a
Opcode Fuzzy Hash: e6639e187dd228b4ee7f228a8fd9f3ddb8f3405cc809daf74c4a7946299a2773
Instruction Fuzzy Hash: B821E133A356108BC329CF29D841B52B3E1EFA4311B689E6CD0F5CB2C0CA35B906DB54

Function 00EB87B1 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00EB8389), ref: 00EB87D1

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 189246b57f61b6787ca07bcf9bb7252c6e11ca81c45aa0ec12b8620436bbcc6d
Instruction ID: 2c752c97d50beb890139ba28dbde3d0012e8505fbd345c4f04cd6ccad915ccce
Opcode Fuzzy Hash: 189246b57f61b6787ca07bcf9bb7252c6e11ca81c45aa0ec12b8620436bbcc6d
Instruction Fuzzy Hash: 6BD05E3226090EAFEF018EA4DC01EAE3B69EB04B01F408111FE15D50A1C775D835AB60

Function 00E8A124 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00E8A12A

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 7e849cf060d8c1038bb405733eb743c7b98169ebfe0a793ad1df0d45d6baa794
Instruction ID: f06d16b631b82e154a8ad303335f0aef23dd4ee3e65f5141c44e3ba8bc656ca9
Opcode Fuzzy Hash: 7e849cf060d8c1038bb405733eb743c7b98169ebfe0a793ad1df0d45d6baa794
Instruction Fuzzy Hash: 7DA0113000020CAB8A002B82EC08888BFACEB002A0B008020F80C880228B32A8208A80

Function 00E78808 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d21ed4b0def3070276cff6620a77f5613359b2d68056c251ae90bb9fe82f88c
Instruction ID: 6ce16492ef9aa69a9c1065140de5d7c7ffc3da62c598c8a336c9355cb28deb13
Opcode Fuzzy Hash: 7d21ed4b0def3070276cff6620a77f5613359b2d68056c251ae90bb9fe82f88c
Instruction Fuzzy Hash: B6223731548506CBDF288A18C5987FD77A1FBA1308F28E06AD64EBB5A2DB70DD81C741

Function 00E821C5 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 7af34e4e05d4cb80821212ba0599cb0ba96b04b483858e6860b08b7e23d59cdf
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: BAC1A7322050930ADF2D6739843413EFAA55EA27B631A679DD4BFFB1D4EE10C925D720

Function 00E825FA Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 23c48c948635054a74ee806d6e16affce237a6ad7233d9f85f4964b5c532d5d1
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: CDC196322051930ADF2D563AC43413EBAA15EA27B631A67ADD4BFFB1D4EE10C925D720

Function 00E81978 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 61ff2432b95a9f7d80080e96e527f8646a6cf8fa2cb71e326d79a6f535784913
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 2BC1943220509349DF2D5639C43413EFAA55EA27B631A67EDD4BFFB1C4EE20C9269710

Function 010BDCC8 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2188584144.00000000010BA000.00000040.00000020.00020000.00000000.sdmp, Offset: 010BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ba000_8BzIVoQT3w.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: ad39596a8a3523fab447a4241380b883d7deef865fd1bfe2877f0f0d40aa6de1
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: 2F41C071D1051CEBCF48CFADC991AEEBBF2AF88201F548299D556AB345D730AB41DB80

Function 010BDBB8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2188584144.00000000010BA000.00000040.00000020.00020000.00000000.sdmp, Offset: 010BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ba000_8BzIVoQT3w.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: 47069bff15ba9f9f7e8031b9987ff4145bcff95ad99394b7ffa030975c68b5c6
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: DB019278A04109EFCB84DF98C5909AEF7F5FB48314F208599D859A7301D730AE41DB80

Function 010BDB58 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2188584144.00000000010BA000.00000040.00000020.00020000.00000000.sdmp, Offset: 010BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ba000_8BzIVoQT3w.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: 6afdae1c67c401d0b8768a7ab1df2bd39e7ac6b57adaa63b1e93765b897dc05f
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: 58018078A01109EFCB48DF98C5909AEF7F5FB48314F208599D959A7301D730AE41DB80

Function 010BC4D8 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2188584144.00000000010BA000.00000040.00000020.00020000.00000000.sdmp, Offset: 010BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10ba000_8BzIVoQT3w.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 00ED7806 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00ED785B
DeleteObject.GDI32(00000000), ref: 00ED786D
DestroyWindow.USER32 ref: 00ED787B
GetDesktopWindow.USER32 ref: 00ED7895
GetWindowRect.USER32(00000000), ref: 00ED789C
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00ED79DD
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00ED79ED
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00ED7A35
GetClientRect.USER32(00000000,?), ref: 00ED7A41
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00ED7A7B
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00ED7A9D
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00ED7AB0
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00ED7ABB
GlobalLock.KERNEL32(00000000), ref: 00ED7AC4
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00ED7AD3
GlobalUnlock.KERNEL32(00000000), ref: 00ED7ADC
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00ED7AE3
GlobalFree.KERNEL32(00000000), ref: 00ED7AEE
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00ED7B00
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00EF2CAC,00000000), ref: 00ED7B16
GlobalFree.KERNEL32(00000000), ref: 00ED7B26
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00ED7B4C
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00ED7B6B
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00ED7B8D
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00ED7D7A

Strings

, xrefs: 00ED7D00
static, xrefs: 00ED7A75, 00ED7BCC
AutoIt v3, xrefs: 00ED7A2D
DISPLAY, xrefs: 00ED7BDD

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: acd6d6f8aa46dfff605397942261d267933be1b2edce851582ac8a0d237e0788
Instruction ID: 11ef3846f584106af970ce3448f7457d06fdcf0ab0a02caf84706c439d6fa4cb
Opcode Fuzzy Hash: acd6d6f8aa46dfff605397942261d267933be1b2edce851582ac8a0d237e0788
Instruction Fuzzy Hash: 4A026B71900119EFDB14DFA5DC89EAEBBB9EF48314F108159F955BB2A1D730AD02CB60

Function 00EE356B Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,00EEF910), ref: 00EE3627
IsWindowVisible.USER32(?), ref: 00EE364B

Strings

CURRENTTAB, xrefs: 00EE36BD
SENDCOMMANDID, xrefs: 00EE39DA
ISVISIBLE, xrefs: 00EE3637
EDITPASTE, xrefs: 00EE395F
DELSTRING, xrefs: 00EE3749
ISCHECKED, xrefs: 00EE3839
SETCURRENTSELECTION, xrefs: 00EE37B6
GETCURRENTLINE, xrefs: 00EE38ED
GETLINECOUNT, xrefs: 00EE38C6
ADDSTRING, xrefs: 00EE3716
HIDEDROPDOWN, xrefs: 00EE3700
CHECK, xrefs: 00EE386D
GETCURRENTSELECTION, xrefs: 00EE37E3
FINDSTRING, xrefs: 00EE3776
ISENABLED, xrefs: 00EE366B
GETLINE, xrefs: 00EE399B
SELECTSTRING, xrefs: 00EE3806
GETSELECTED, xrefs: 00EE38A3
TABRIGHT, xrefs: 00EE369D
TABLEFT, xrefs: 00EE3687
GETCURRENTCOL, xrefs: 00EE3928
SHOWDROPDOWN, xrefs: 00EE36E0
UNCHECK, xrefs: 00EE3883

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 993db46cc0f309f2e9e6a4f8869c077c4c2c59751bb76a31fc3254f7eff03e22
Instruction ID: 0da2a3d0387823f7b957a8eef5f74cefe7b1ed1d2bd9b41849bf905d21504994
Opcode Fuzzy Hash: 993db46cc0f309f2e9e6a4f8869c077c4c2c59751bb76a31fc3254f7eff03e22
Instruction Fuzzy Hash: F9D1A5742083459BCB04EF21C456AAE77E5AF94394F156468F8897B3E3CB31DE4ACB81

Function 00EEA5DA Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00EEA630
GetSysColorBrush.USER32(0000000F), ref: 00EEA661
GetSysColor.USER32(0000000F), ref: 00EEA66D
SetBkColor.GDI32(?,000000FF), ref: 00EEA687
SelectObject.GDI32(?,00000000), ref: 00EEA696
InflateRect.USER32(?,000000FF,000000FF), ref: 00EEA6C1
GetSysColor.USER32(00000010), ref: 00EEA6C9
CreateSolidBrush.GDI32(00000000), ref: 00EEA6D0
FrameRect.USER32(?,?,00000000), ref: 00EEA6DF
DeleteObject.GDI32(00000000), ref: 00EEA6E6
InflateRect.USER32(?,000000FE,000000FE), ref: 00EEA731
FillRect.USER32(?,?,00000000), ref: 00EEA763
GetWindowLongW.USER32(?,000000F0), ref: 00EEA78E

Part of subcall function 00EEA8CA: GetSysColor.USER32(00000012), ref: 00EEA903
Part of subcall function 00EEA8CA: SetTextColor.GDI32(?,?), ref: 00EEA907
Part of subcall function 00EEA8CA: GetSysColorBrush.USER32(0000000F), ref: 00EEA91D
Part of subcall function 00EEA8CA: GetSysColor.USER32(0000000F), ref: 00EEA928
Part of subcall function 00EEA8CA: GetSysColor.USER32(00000011), ref: 00EEA945
Part of subcall function 00EEA8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00EEA953
Part of subcall function 00EEA8CA: SelectObject.GDI32(?,00000000), ref: 00EEA964
Part of subcall function 00EEA8CA: SetBkColor.GDI32(?,00000000), ref: 00EEA96D
Part of subcall function 00EEA8CA: SelectObject.GDI32(?,?), ref: 00EEA97A
Part of subcall function 00EEA8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 00EEA999
Part of subcall function 00EEA8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00EEA9B0
Part of subcall function 00EEA8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 00EEA9C5
Part of subcall function 00EEA8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00EEA9ED

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: 5bb71db1b7150e07d69bb99914e43011c2f3dfae10da2c26b87a93bee5f4bb6f
Instruction ID: e2b0a1423614416a379360e9e9153fc5fcb6c4d29f2cedea1f4d3d93dd50104d
Opcode Fuzzy Hash: 5bb71db1b7150e07d69bb99914e43011c2f3dfae10da2c26b87a93bee5f4bb6f
Instruction Fuzzy Hash: 3091AF71008389EFDB109F65DC48A5B7BB9FF88321F141A2DF562AA1A1D730E948CB52

Function 00ED74AB Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00ED74DE
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00ED759D
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00ED75DB
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00ED75ED
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00ED7633
GetClientRect.USER32(00000000,?), ref: 00ED763F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00ED7683
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00ED7692
GetStockObject.GDI32(00000011), ref: 00ED76A2
SelectObject.GDI32(00000000,00000000), ref: 00ED76A6
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00ED76B6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00ED76BF
DeleteDC.GDI32(00000000), ref: 00ED76C8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00ED76F4
SendMessageW.USER32(00000030,00000000,00000001), ref: 00ED770B
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00ED7746
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00ED775A
SendMessageW.USER32(00000404,00000001,00000000), ref: 00ED776B
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00ED779B
GetStockObject.GDI32(00000011), ref: 00ED77A6
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00ED77B1
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00ED77BB

Strings

static, xrefs: 00ED767D, 00ED7795
AutoIt v3, xrefs: 00ED762B
msctls_progress32, xrefs: 00ED773C
DISPLAY, xrefs: 00ED7688

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 0ca7f0ad40d6af562e144ff8878e4c3bba2e44f9de27f606f95955f3d58d201f
Instruction ID: 25bf9af581af54f18855a5d1e8b86a96ba0e64afd62863d26ab84ed3b0e8b3ae
Opcode Fuzzy Hash: 0ca7f0ad40d6af562e144ff8878e4c3bba2e44f9de27f606f95955f3d58d201f
Instruction Fuzzy Hash: B5A1A071A40619BFEB14DBA5DC8AFAE7BB9EB44710F108115FA14BB2E1D770AD01CB60

Function 00ECAD10 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00ECAD1E
GetDriveTypeW.KERNEL32(?,00EEFAC0,?,\\.\,00EEF910), ref: 00ECADFB
SetErrorMode.KERNEL32(00000000,00EEFAC0,?,\\.\,00EEF910), ref: 00ECAF59

Strings

SATA, xrefs: 00ECAF0C
SCSI, xrefs: 00ECAEC6
iSCSI, xrefs: 00ECAEFE
RAID, xrefs: 00ECAEF7
USB, xrefs: 00ECAEF0
ATA, xrefs: 00ECAED4
SAS, xrefs: 00ECAF05
1394, xrefs: 00ECAEDB
ATAPI, xrefs: 00ECAECD
Unknown, xrefs: 00ECAE1B, 00ECAEBF
PhysicalDrive, xrefs: 00ECADA7
RAMDisk, xrefs: 00ECAE25
Virtual, xrefs: 00ECAF21
FileBackedVirtual, xrefs: 00ECAF28
CDROM, xrefs: 00ECAE2F
Network, xrefs: 00ECAE39
SSA, xrefs: 00ECAEE2
Fixed, xrefs: 00ECAE43
\\.\, xrefs: 00ECAD70
MMC, xrefs: 00ECAF1A
Removable, xrefs: 00ECAE4D
Fibre, xrefs: 00ECAEE9
SSD, xrefs: 00ECAE86

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 8f8d80a0d6f5a7f23ec88eb2d7ff98fe63489b5457b4bec133a3729921eb0f7a
Instruction ID: 16dccab302aa3fbbf3e839f5ee86e253861cde9659a044bba0906fb033e7f162
Opcode Fuzzy Hash: 8f8d80a0d6f5a7f23ec88eb2d7ff98fe63489b5457b4bec133a3729921eb0f7a
Instruction Fuzzy Hash: 4D5184B074824DAB8710DB50CB82EED73A1EB4474C728557EE417B7291CA32DD83A753

Function 00E668DC Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00E66931
__wcsnicmp.LIBCMT ref: 00E66949
__wcsnicmp.LIBCMT ref: 00E66961
__wcsnicmp.LIBCMT ref: 00E66979
__wcsnicmp.LIBCMT ref: 00E66991
__wcsnicmp.LIBCMT ref: 00E669A9
__wcsnicmp.LIBCMT ref: 00E669C1
__wcsnicmp.LIBCMT ref: 00E669D5
__wcsnicmp.LIBCMT ref: 00E66A16
__wcsnicmp.LIBCMT ref: 00E66A2A
__wcsnicmp.LIBCMT ref: 00E66A3E
__wcsnicmp.LIBCMT ref: 00E66A52

Strings

Bad directive syntax error, xrefs: 00E9E31A
#ce, xrefs: 00E66A4C
#cs, xrefs: 00E669CF, 00E66A24
#pragma compile, xrefs: 00E6692B
Cannot parse #include, xrefs: 00E9E3F0
#comments-end, xrefs: 00E66A38
#comments-start, xrefs: 00E669BB, 00E66A10
#requireadmin, xrefs: 00E6695B
#OnAutoItStartRegister, xrefs: 00E66973
#include, xrefs: 00E669A3
#include-once, xrefs: 00E6698B
#notrayicon, xrefs: 00E66943
Unterminated group of comments, xrefs: 00E9E403

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 32fef7ae343f5b8ae8fb8f64de16e968aa22398c12cf1f10dfe3eb9032ec7c7e
Instruction ID: 49aa205a979525e4f4902c6f09c1b4d0a99d099ad4cfa83749f743dca90eb42d
Opcode Fuzzy Hash: 32fef7ae343f5b8ae8fb8f64de16e968aa22398c12cf1f10dfe3eb9032ec7c7e
Instruction Fuzzy Hash: 0C81E6B1680205AACF10FA61EC42FBB37A8AF15784F046029FE09BA196EB61DE45D351

Function 00EE9A1C Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 455windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00EE9AD2
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00EE9B8B
SendMessageW.USER32(?,00001102,00000002,?), ref: 00EE9BA7

Strings

0, xrefs: 00EE9BE4

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: 56c6ce0fe487f86d5fa3a932dcea6daaff1fefc33a3633a6b0e4872f376bade9
Instruction ID: 55a15dcf697bc0c5418ca1bf0aa8c5167ee96edddc1b92915a81e56ba2567f1f
Opcode Fuzzy Hash: 56c6ce0fe487f86d5fa3a932dcea6daaff1fefc33a3633a6b0e4872f376bade9
Instruction Fuzzy Hash: 8702F330204389AFD725CF16C889BBABBE5FF45308F04552DF599EA2A2C774D944CB52

Function 00EEA8CA Relevance: 39.2, APIs: 26, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00EEA903
SetTextColor.GDI32(?,?), ref: 00EEA907
GetSysColorBrush.USER32(0000000F), ref: 00EEA91D
GetSysColor.USER32(0000000F), ref: 00EEA928
CreateSolidBrush.GDI32(?), ref: 00EEA92D
GetSysColor.USER32(00000011), ref: 00EEA945
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00EEA953
SelectObject.GDI32(?,00000000), ref: 00EEA964
SetBkColor.GDI32(?,00000000), ref: 00EEA96D
SelectObject.GDI32(?,?), ref: 00EEA97A
InflateRect.USER32(?,000000FF,000000FF), ref: 00EEA999
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00EEA9B0
GetWindowLongW.USER32(00000000,000000F0), ref: 00EEA9C5
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00EEA9ED
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00EEAA14
InflateRect.USER32(?,000000FD,000000FD), ref: 00EEAA32
DrawFocusRect.USER32(?,?), ref: 00EEAA3D
GetSysColor.USER32(00000011), ref: 00EEAA4B
SetTextColor.GDI32(?,00000000), ref: 00EEAA53
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00EEAA67
SelectObject.GDI32(?,00EEA5FA), ref: 00EEAA7E
DeleteObject.GDI32(?), ref: 00EEAA89
SelectObject.GDI32(?,?), ref: 00EEAA8F
DeleteObject.GDI32(?), ref: 00EEAA94
SetTextColor.GDI32(?,?), ref: 00EEAA9A
SetBkColor.GDI32(?,?), ref: 00EEAAA4

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: bde64c58c6620aadae47dbc33467aa3b42785cae669186dacceae3daa234507b
Instruction ID: c4ff75de09b10726ad0ad65f938917cec687884d513af4678efbaaa9108a2d27
Opcode Fuzzy Hash: bde64c58c6620aadae47dbc33467aa3b42785cae669186dacceae3daa234507b
Instruction Fuzzy Hash: 5A516C7180124CEFDF109FA5DC88EAE7BB9EB48320F154229F915BB2A2D7719944DF90

Function 00EE89D5 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00EE8AC1
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00EE8AD2
CharNextW.USER32(0000014E), ref: 00EE8B01
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00EE8B42
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00EE8B58
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00EE8B69
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00EE8B86
SetWindowTextW.USER32(?,0000014E), ref: 00EE8BD8
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00EE8BEE
SendMessageW.USER32(?,00001002,00000000,?), ref: 00EE8C1F
_memset.LIBCMT ref: 00EE8C44
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00EE8C8D
_memset.LIBCMT ref: 00EE8CEC
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00EE8D16
SendMessageW.USER32(?,00001074,?,00000001), ref: 00EE8D6E
SendMessageW.USER32(?,0000133D,?,?), ref: 00EE8E1B
InvalidateRect.USER32(?,00000000,00000001), ref: 00EE8E3D
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00EE8E87
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00EE8EB4
DrawMenuBar.USER32(?), ref: 00EE8EC3
SetWindowTextW.USER32(?,0000014E), ref: 00EE8EEB

Strings

0, xrefs: 00EE8E55

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: db8c180a7fbc6acfc3f9270b97b9ab5636216160b23c8638256aeaafd09136aa
Instruction ID: 6425df2f9c9f5da2c7711c257bf449042346f59616786cf92d68747f85d7fa78
Opcode Fuzzy Hash: db8c180a7fbc6acfc3f9270b97b9ab5636216160b23c8638256aeaafd09136aa
Instruction Fuzzy Hash: 0AE1607090029DAFDB209F62CD84EEE7BB9EF05714F109166F91DBA190DB708A84DF61

Function 00EE488F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00EE49CA
GetDesktopWindow.USER32 ref: 00EE49DF
GetWindowRect.USER32(00000000), ref: 00EE49E6
GetWindowLongW.USER32(?,000000F0), ref: 00EE4A48
DestroyWindow.USER32(?), ref: 00EE4A74
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00EE4A9D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00EE4ABB
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00EE4AE1
SendMessageW.USER32(?,00000421,?,?), ref: 00EE4AF6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00EE4B09
IsWindowVisible.USER32(?), ref: 00EE4B29
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00EE4B44
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00EE4B58
GetWindowRect.USER32(?,?), ref: 00EE4B70
MonitorFromPoint.USER32(?,?,00000002), ref: 00EE4B96
GetMonitorInfoW.USER32(00000000,?), ref: 00EE4BB0
CopyRect.USER32(?,?), ref: 00EE4BC7
SendMessageW.USER32(?,00000412,00000000), ref: 00EE4C32

Strings

0, xrefs: 00EE4975
tooltips_class32, xrefs: 00EE4A96
(, xrefs: 00EE4BA3

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: a163877837f6b4cf69b442506c5d257d3bc2c7ea94292779541cb21a436b4946
Instruction ID: faf0696ee6b640e35ade5e85cff06268c117be8e6ccdd9c8787966e1060f356a
Opcode Fuzzy Hash: a163877837f6b4cf69b442506c5d257d3bc2c7ea94292779541cb21a436b4946
Instruction Fuzzy Hash: B4B1CFB1604385AFDB04DF66D884B6ABBE4FF88314F00892CF599AB291D771EC05CB95

Function 00EC449A Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00EC44AC
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00EC44D2
_wcscpy.LIBCMT ref: 00EC4500
_wcscmp.LIBCMT ref: 00EC450B
_wcscat.LIBCMT ref: 00EC4521
_wcsstr.LIBCMT ref: 00EC452C
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00EC4548
_wcscat.LIBCMT ref: 00EC4591
_wcscat.LIBCMT ref: 00EC4598
_wcsncpy.LIBCMT ref: 00EC45C3

Strings

%u.%u.%u.%u, xrefs: 00EC4626
04090000, xrefs: 00EC457E
\VarFileInfo\Translation, xrefs: 00EC4540
StringFileInfo\, xrefs: 00EC451B
DefaultLangCodepage, xrefs: 00EC45AB

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: f7498df6efc4467f0e195f3360c584bb49dea8eb7749970ba27e5d3d4afb03fa
Instruction ID: e9baf1eebbd97a6b2dd70ed024ed7a39e519073fa539f156dd4fb50b0501f9d2
Opcode Fuzzy Hash: f7498df6efc4467f0e195f3360c584bb49dea8eb7749970ba27e5d3d4afb03fa
Instruction Fuzzy Hash: 9241C271A002047BDB10BA759D56FBF7BECDF81710F04146AF90DB61C2EA359A0297A9

Function 00E627D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00E628BC
GetSystemMetrics.USER32(00000007), ref: 00E628C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00E628EF
GetSystemMetrics.USER32(00000008), ref: 00E628F7
GetSystemMetrics.USER32(00000004), ref: 00E6291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00E62939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00E62949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00E6297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00E62990
GetClientRect.USER32(00000000,000000FF), ref: 00E629AE
GetStockObject.GDI32(00000011), ref: 00E629CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 00E629D5

Part of subcall function 00E62344: GetCursorPos.USER32(?), ref: 00E62357
Part of subcall function 00E62344: ScreenToClient.USER32(00F257B0,?), ref: 00E62374
Part of subcall function 00E62344: GetAsyncKeyState.USER32(00000001), ref: 00E62399
Part of subcall function 00E62344: GetAsyncKeyState.USER32(00000002), ref: 00E623A7

SetTimer.USER32(00000000,00000000,00000028,00E61256), ref: 00E629FC

Strings

AutoIt v3 GUI, xrefs: 00E62974

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: cddaaf432a09c269aef0c6ad2ce954c5c81dedfcd58a589e32abbbdbeef5c6dd
Instruction ID: 93bf1ccce60a688192442995ea69bdfde22d3be915a9aa9e757b0126f96448e7
Opcode Fuzzy Hash: cddaaf432a09c269aef0c6ad2ce954c5c81dedfcd58a589e32abbbdbeef5c6dd
Instruction Fuzzy Hash: 8FB17B71A4060AEFDF14DFA9EC85BAE7BB4FB08714F105229FA15BB290DB749841CB50

Function 00EBA439 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00EBA47A
__swprintf.LIBCMT ref: 00EBA51B
_wcscmp.LIBCMT ref: 00EBA52E
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00EBA583
_wcscmp.LIBCMT ref: 00EBA5BF
GetClassNameW.USER32(?,?,00000400), ref: 00EBA5F6
GetDlgCtrlID.USER32(?), ref: 00EBA648
GetWindowRect.USER32(?,?), ref: 00EBA67E
GetParent.USER32(?), ref: 00EBA69C
ScreenToClient.USER32(00000000), ref: 00EBA6A3
GetClassNameW.USER32(?,?,00000100), ref: 00EBA71D
_wcscmp.LIBCMT ref: 00EBA731
GetWindowTextW.USER32(?,?,00000400), ref: 00EBA757
_wcscmp.LIBCMT ref: 00EBA76B

Part of subcall function 00E8362C: _iswctype.LIBCMT ref: 00E83634

Strings

%s%u, xrefs: 00EBA515

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 3ab4c6c36d188dea46e5e70ed5ee8109247bb29c5e801b1151cdbe4f4ce67ee2
Instruction ID: 0e8e81ff24b657b198327247233f0f30c1ff5e107e77278f985ed530cec1690c
Opcode Fuzzy Hash: 3ab4c6c36d188dea46e5e70ed5ee8109247bb29c5e801b1151cdbe4f4ce67ee2
Instruction Fuzzy Hash: 8CA1C171204216AFDB14DF64C884BEBB7E8FF44318F08952AF999E6190DB30E955CB92

Function 00EBAED4 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 00EBAF18
_wcscmp.LIBCMT ref: 00EBAF29
GetWindowTextW.USER32(00000001,?,00000400), ref: 00EBAF51
CharUpperBuffW.USER32(?,00000000), ref: 00EBAF6E
_wcscmp.LIBCMT ref: 00EBAF8C
_wcsstr.LIBCMT ref: 00EBAF9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00EBAFD5
_wcscmp.LIBCMT ref: 00EBAFE5
GetWindowTextW.USER32(00000002,?,00000400), ref: 00EBB00C
GetClassNameW.USER32(00000018,?,00000400), ref: 00EBB055
_wcscmp.LIBCMT ref: 00EBB065
GetClassNameW.USER32(00000010,?,00000400), ref: 00EBB08D
GetWindowRect.USER32(00000004,?), ref: 00EBB0F6

Strings

@, xrefs: 00EBAEF9
ThumbnailClass, xrefs: 00EBAFE0, 00EBB060

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 24f9e3bd21e5b40b5de8a0c2b52333f94aa30f00d63705f6a44d9e90e3bab852
Instruction ID: 277f7ac2bc6b15d505f03b7d919df6d4c1b9bf0f036e8f1c7b0a786f146b97ac
Opcode Fuzzy Hash: 24f9e3bd21e5b40b5de8a0c2b52333f94aa30f00d63705f6a44d9e90e3bab852
Instruction Fuzzy Hash: 4281AE711082099FDB04DF15C881BFB77E8EF84718F08A46AFD89AA091DB70DD49CBA1

Function 00EBABD4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00EBAC33

Strings

CLASSNAME=, xrefs: 00EBAC70
HANDLE=, xrefs: 00EBAC2C
[HANDLE:, xrefs: 00EBAC3F
[CLASS:, xrefs: 00EBAC83
[ALL, xrefs: 00EBACD9
REGEXP=, xrefs: 00EBAC48
LAST, xrefs: 00EBABF8
[LAST, xrefs: 00EBACE0
[ACTIVE, xrefs: 00EBAC20
ALL, xrefs: 00EBACC7
ACTIVE, xrefs: 00EBAC0E
[REGEXPTITLE:, xrefs: 00EBAC5B

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 6ebf8ec053fdb44115655054c9a1d6b457a95c54ac328701336365fbabfb1617
Instruction ID: fea2ad7e23d4e498281c59d6edafe585eb78e8e7e3f9eb01c767c7225235bcee
Opcode Fuzzy Hash: 6ebf8ec053fdb44115655054c9a1d6b457a95c54ac328701336365fbabfb1617
Instruction Fuzzy Hash: 0031A431688309A6DB10FA60EE03EEFB7F49F10754F242529F449710E1EF65AF449A53

Function 00ED4FFD Relevance: 25.6, APIs: 17, Instructions: 110COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 00ED5013
LoadCursorW.USER32(00000000,00007F00), ref: 00ED501E
LoadCursorW.USER32(00000000,00007F03), ref: 00ED5029
LoadCursorW.USER32(00000000,00007F8B), ref: 00ED5034
LoadCursorW.USER32(00000000,00007F01), ref: 00ED503F
LoadCursorW.USER32(00000000,00007F81), ref: 00ED504A
LoadCursorW.USER32(00000000,00007F88), ref: 00ED5055
LoadCursorW.USER32(00000000,00007F80), ref: 00ED5060
LoadCursorW.USER32(00000000,00007F86), ref: 00ED506B
LoadCursorW.USER32(00000000,00007F83), ref: 00ED5076
LoadCursorW.USER32(00000000,00007F85), ref: 00ED5081
LoadCursorW.USER32(00000000,00007F82), ref: 00ED508C
LoadCursorW.USER32(00000000,00007F84), ref: 00ED5097
LoadCursorW.USER32(00000000,00007F04), ref: 00ED50A2
LoadCursorW.USER32(00000000,00007F02), ref: 00ED50AD
LoadCursorW.USER32(00000000,00007F89), ref: 00ED50B8
GetCursorInfo.USER32(?), ref: 00ED50C8

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: c82be9eb8219a62d5ca7a556fbcc63ad4ebaa4f778469b44f98c5112d83ea434
Instruction ID: 09c5e42a870c1cc2d03f8f52beec99e2b9dde4ba8a7ddc0ad2ff63706a8f5736
Opcode Fuzzy Hash: c82be9eb8219a62d5ca7a556fbcc63ad4ebaa4f778469b44f98c5112d83ea434
Instruction Fuzzy Hash: 973101B1D48319AADB109FB68C899AFBFE8FB04754F50452BA50CF7280DA78A5018F91

Function 00EEA1B9 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00EEA259
DestroyWindow.USER32(?,?), ref: 00EEA2D3

Part of subcall function 00E67BCC: _memmove.LIBCMT ref: 00E67C06

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00EEA34D
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00EEA36F
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00EEA382
DestroyWindow.USER32(00000000), ref: 00EEA3A4
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00E60000,00000000), ref: 00EEA3DB
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00EEA3F4
GetDesktopWindow.USER32 ref: 00EEA40D
GetWindowRect.USER32(00000000), ref: 00EEA414
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00EEA42C
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00EEA444

Part of subcall function 00E625DB: GetWindowLongW.USER32(?,000000EB), ref: 00E625EC

Strings

tooltips_class32, xrefs: 00EEA346, 00EEA3D4
0, xrefs: 00EEA26F

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 6b7082e85fa00f9f3c2a7bc80674713f14d30d2cc1b3be4cce05d7b12ff77845
Instruction ID: d1c303a41422ec1b98ec2028db683c09d71b89bc0a8a711e4cb240320843b73d
Opcode Fuzzy Hash: 6b7082e85fa00f9f3c2a7bc80674713f14d30d2cc1b3be4cce05d7b12ff77845
Instruction Fuzzy Hash: 6771C370140289AFD721CF19CC49FAA77E6FB88704F08452DF995EB2A0D7B0E906DB52

Function 00EEC5FE Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00E62612: GetWindowLongW.USER32(?,000000EB), ref: 00E62623

DragQueryPoint.SHELL32(?,?), ref: 00EEC627

Part of subcall function 00EEAB37: ClientToScreen.USER32(?,?), ref: 00EEAB60
Part of subcall function 00EEAB37: GetWindowRect.USER32(?,?), ref: 00EEABD6
Part of subcall function 00EEAB37: PtInRect.USER32(?,?,00EEC014), ref: 00EEABE6

SendMessageW.USER32(?,000000B0,?,?), ref: 00EEC690
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00EEC69B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00EEC6BE
_wcscat.LIBCMT ref: 00EEC6EE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00EEC705
SendMessageW.USER32(?,000000B0,?,?), ref: 00EEC71E
SendMessageW.USER32(?,000000B1,?,?), ref: 00EEC735
SendMessageW.USER32(?,000000B1,?,?), ref: 00EEC757
DragFinish.SHELL32(?), ref: 00EEC75E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00EEC851

Strings

@GUI_DROPID, xrefs: 00EEC77E
@GUI_DRAGID, xrefs: 00EEC7C9
@GUI_DRAGFILE, xrefs: 00EEC800

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: 9c72c72bc77072db0f3fb99d6e15a696faa862988a9502e6cd9b41df7d52f8cf
Instruction ID: 1020f6f9531857660ae0d44fdbaf14a18cca271b7336c15f0103c596288c4cf4
Opcode Fuzzy Hash: 9c72c72bc77072db0f3fb99d6e15a696faa862988a9502e6cd9b41df7d52f8cf
Instruction Fuzzy Hash: B261BD71108385AFC701EF65DC85DAFBBE8FF88750F00092EF595A61A1DB709A49CB92

Function 00EE4392 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00EE4424
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00EE446F

Strings

GETITEMCOUNT, xrefs: 00EE4551
EXPAND, xrefs: 00EE4521
GETTOTALCOUNT, xrefs: 00EE4456
GETTEXT, xrefs: 00EE45C2
ISCHECKED, xrefs: 00EE45F2
GETSELECTED, xrefs: 00EE457F
EXISTS, xrefs: 00EE44D8
COLLAPSE, xrefs: 00EE44B5
SELECT, xrefs: 00EE4620
CHECK, xrefs: 00EE448F
UNCHECK, xrefs: 00EE464B

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 056e2ac5d6623defccfd2c0fc56e060e22f9461d12f084d9140e8150d5e0eff6
Instruction ID: d4b8dbc481eece6f6775fe389264442ce38e557a1e673d100952700659617d46
Opcode Fuzzy Hash: 056e2ac5d6623defccfd2c0fc56e060e22f9461d12f084d9140e8150d5e0eff6
Instruction Fuzzy Hash: 11915BB42047459BCB08EF11C451AAEB7E5AF95394F046868F8967B3E3CB31ED49CB81

Function 00EEB7FE Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00EEB8B4
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00EE91C2), ref: 00EEB910
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00EEB949
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00EEB98C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00EEB9C3
FreeLibrary.KERNEL32(?), ref: 00EEB9CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00EEB9DF
DestroyIcon.USER32(?,?,?,?,?,00EE91C2), ref: 00EEB9EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00EEBA0B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00EEBA17

Part of subcall function 00E82EFD: __wcsicmp_l.LIBCMT ref: 00E82F86

Strings

.exe, xrefs: 00EEB84A
.dll, xrefs: 00EEB86D
.icl, xrefs: 00EEB82A

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 934c42a77baecec4f2bb0e7c12f4b0a010ee5ae3069fa81022564c969bbdb1d3
Instruction ID: 170897da4aeef163743aa6ddf5f177752a430b8bc0777c9f706365c5c17f9b9d
Opcode Fuzzy Hash: 934c42a77baecec4f2bb0e7c12f4b0a010ee5ae3069fa81022564c969bbdb1d3
Instruction Fuzzy Hash: A661D071900259BEEB18DF66CC81FBB77ACEB08710F104119FA15FA1D1DB759A80DBA0

Function 00ECDC1A Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00ECDCDC
SystemTimeToFileTime.KERNEL32(?,?), ref: 00ECDCEC
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00ECDCF8
__wsplitpath.LIBCMT ref: 00ECDD56
_wcscat.LIBCMT ref: 00ECDD6E
_wcscat.LIBCMT ref: 00ECDD80
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00ECDD95
SetCurrentDirectoryW.KERNEL32(?), ref: 00ECDDA9
SetCurrentDirectoryW.KERNEL32(?), ref: 00ECDDDB
SetCurrentDirectoryW.KERNEL32(?), ref: 00ECDDFC
_wcscpy.LIBCMT ref: 00ECDE08
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00ECDE47

Strings

*.*, xrefs: 00ECDE02

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: ffc4ed6b3a39b406e21b3109e7ce3c38ff5e4886f56409aedd26c46c49c7ec00
Instruction ID: 5d90f96974bba39af900441713259f4340df422c8576b2c6775a8912678ff1e8
Opcode Fuzzy Hash: ffc4ed6b3a39b406e21b3109e7ce3c38ff5e4886f56409aedd26c46c49c7ec00
Instruction Fuzzy Hash: 7C616C725083459FCB10EF60D944EAEB3E8FF89314F04592DF989A7251EB32E946CB52

Function 00EC9C38 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 00EC9C7F

Part of subcall function 00E67DE1: _memmove.LIBCMT ref: 00E67E22

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00EC9CA0
__swprintf.LIBCMT ref: 00EC9CF9
__swprintf.LIBCMT ref: 00EC9D12
_wprintf.LIBCMT ref: 00EC9DB9
_wprintf.LIBCMT ref: 00EC9DD7

Strings

"%s" (%d) : ==> %s:, xrefs: 00EC9DD2
Line %d (File "%s"):, xrefs: 00EC9CF3, 00EC9D0C
^ ERROR , xrefs: 00EC9D4E
Incorrect parameters to object property !, xrefs: 00EC9D5B
"%s" (%d) : ==> %s:%s%s, xrefs: 00EC9DB4
Error: , xrefs: 00EC9D81

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-3080491070
Opcode ID: a88fc11d33e43b360b80ce967bfd42164ed5d2cd9b8a22b3f3e3ff797b7652a4
Instruction ID: 16ba8e0ab1e14430708d7b7060cc76e2e6807f453c17195ee81c2ac01309dad9
Opcode Fuzzy Hash: a88fc11d33e43b360b80ce967bfd42164ed5d2cd9b8a22b3f3e3ff797b7652a4
Instruction Fuzzy Hash: FB51A23294060DAACF14FBE0DE46EEEB7B9AF14344F101065F519720A2EB316F5ADB61

Function 00ECA352 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00E69837: __itow.LIBCMT ref: 00E69862
Part of subcall function 00E69837: __swprintf.LIBCMT ref: 00E698AC

CharLowerBuffW.USER32(?,?), ref: 00ECA3CB
GetDriveTypeW.KERNEL32 ref: 00ECA418
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00ECA460
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00ECA497
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00ECA4C5

Part of subcall function 00E67BCC: _memmove.LIBCMT ref: 00E67C06

Strings

close cd wait, xrefs: 00ECA4B0
wait, xrefs: 00ECA482
open, xrefs: 00ECA3F2
close, xrefs: 00ECA3D1
set cd door , xrefs: 00ECA466
type cdaudio alias cd wait, xrefs: 00ECA443
closed, xrefs: 00ECA3DF, 00ECA3E8
open , xrefs: 00ECA427

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 1cbb7821261c5348496ee39fae19a68a4479bc03f1ddb69e52c53a19ea8259c2
Instruction ID: ad4080e52bf9cfaf2b4cff541c21c60092ada401f501341eb4d4ed573e4c369c
Opcode Fuzzy Hash: 1cbb7821261c5348496ee39fae19a68a4479bc03f1ddb69e52c53a19ea8259c2
Instruction Fuzzy Hash: CD515F711043059FC704EF10D991D6AB3E8FF98798F04596DF89A67262DB31ED0ACB52

Function 00EBF8AA Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,00E9E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 00EBF8DF
LoadStringW.USER32(00000000,?,00E9E029,00000001), ref: 00EBF8E8

Part of subcall function 00E67DE1: _memmove.LIBCMT ref: 00E67E22

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,00E9E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 00EBF90A
LoadStringW.USER32(00000000,?,00E9E029,00000001), ref: 00EBF90D
__swprintf.LIBCMT ref: 00EBF95D
__swprintf.LIBCMT ref: 00EBF96E
_wprintf.LIBCMT ref: 00EBFA17
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00EBFA2E

Strings

Line %d (File "%s"):, xrefs: 00EBF957
^ ERROR, xrefs: 00EBF9C3
%s (%d) : ==> %s: %s %s, xrefs: 00EBFA12
Line %d:, xrefs: 00EBF968
Error: , xrefs: 00EBF9E5

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: 125460a8cc13c4736f740bd5f7130da6e4311f9dbb555eebb2d8ccb4e3c15876
Instruction ID: 58f751bffd26baed1a86a12272347bf3ef797a2e72116c679cb425d2732be37f
Opcode Fuzzy Hash: 125460a8cc13c4736f740bd5f7130da6e4311f9dbb555eebb2d8ccb4e3c15876
Instruction Fuzzy Hash: C0415F7294420DAACF05FBE0ED86DEEB7B8AF58384F101065F545B6092EB316F49CB61

Function 00EEBA33 Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00EE9207,?,?), ref: 00EEBA56
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00EE9207,?,?,00000000,?), ref: 00EEBA6D
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00EE9207,?,?,00000000,?), ref: 00EEBA78
CloseHandle.KERNEL32(00000000,?,?,?,?,00EE9207,?,?,00000000,?), ref: 00EEBA85
GlobalLock.KERNEL32(00000000), ref: 00EEBA8E
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00EE9207,?,?,00000000,?), ref: 00EEBA9D
GlobalUnlock.KERNEL32(00000000), ref: 00EEBAA6
CloseHandle.KERNEL32(00000000,?,?,?,?,00EE9207,?,?,00000000,?), ref: 00EEBAAD
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00EE9207,?,?,00000000,?), ref: 00EEBABE
OleLoadPicture.OLEAUT32(?,00000000,00000000,00EF2CAC,?), ref: 00EEBAD7
GlobalFree.KERNEL32(00000000), ref: 00EEBAE7
GetObjectW.GDI32(00000000,00000018,?), ref: 00EEBB0B
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 00EEBB36
DeleteObject.GDI32(00000000), ref: 00EEBB5E
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00EEBB74

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 20da5045010ceb339af54716ff3e1cc6d78f9fb085819a18af66858735e05b2b
Instruction ID: bb31bab2fc5d5b712728b744085d65da04d169a5b072b3eeaf5396b69aeabb11
Opcode Fuzzy Hash: 20da5045010ceb339af54716ff3e1cc6d78f9fb085819a18af66858735e05b2b
Instruction Fuzzy Hash: E9411B7550124CEFDB119FA6DC88EAB7BB9FB89715F104168F909EB260D7309E05CB60

Function 00ECD899 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 00ECDA10
_wcscat.LIBCMT ref: 00ECDA28
_wcscat.LIBCMT ref: 00ECDA3A
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00ECDA4F
SetCurrentDirectoryW.KERNEL32(?), ref: 00ECDA63
GetFileAttributesW.KERNEL32(?), ref: 00ECDA7B
SetFileAttributesW.KERNEL32(?,00000000), ref: 00ECDA95
SetCurrentDirectoryW.KERNEL32(?), ref: 00ECDAA7

Strings

*.*, xrefs: 00ECDAE6

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 0ebf9dee7700996b6f69fcc92e02de5a466cbd2b9b84f8bcdb5a3147a107c2f4
Instruction ID: ba09eb1e9a16886f34fe8c51f2587d369992f51b574ed00829ccaec8ebf7fb88
Opcode Fuzzy Hash: 0ebf9dee7700996b6f69fcc92e02de5a466cbd2b9b84f8bcdb5a3147a107c2f4
Instruction Fuzzy Hash: 1881A2755083409FCB24EF64CD40EAAB7E8AFC9314F14583EF489E7251D672D946CB52

Function 00EEC1AC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E62612: GetWindowLongW.USER32(?,000000EB), ref: 00E62623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00EEC1FC
GetFocus.USER32 ref: 00EEC20C
GetDlgCtrlID.USER32(00000000), ref: 00EEC217
_memset.LIBCMT ref: 00EEC342
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00EEC36D
GetMenuItemCount.USER32(?), ref: 00EEC38D
GetMenuItemID.USER32(?,00000000), ref: 00EEC3A0
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00EEC3D4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00EEC41C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00EEC454
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00EEC489

Strings

0, xrefs: 00EEC33A

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: d3cee5465fe984620577e92e8625dd36b7c408c0eb6e9ffbab7c3bcaa8bb01c7
Instruction ID: c843f444c347132ce66206310fd2af4a8014d6b84c16a5448d090a1c7b65ac73
Opcode Fuzzy Hash: d3cee5465fe984620577e92e8625dd36b7c408c0eb6e9ffbab7c3bcaa8bb01c7
Instruction Fuzzy Hash: 0681C1711083899FD710CF16D894A7BBBE8FB88718F20592DFA95A7291C730DD06CB52

Function 00ED731A Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00ED738F
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00ED739B
CreateCompatibleDC.GDI32(?), ref: 00ED73A7
SelectObject.GDI32(00000000,?), ref: 00ED73B4
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00ED7408
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00ED7444
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00ED7468
SelectObject.GDI32(00000006,?), ref: 00ED7470
DeleteObject.GDI32(?), ref: 00ED7479
DeleteDC.GDI32(00000006), ref: 00ED7480
ReleaseDC.USER32(00000000,?), ref: 00ED748B

Strings

(, xrefs: 00ED7410

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 405378097eea656a457b3989d0611af2ad9cfb0e2e4fd023a53133ab94cfe2a8
Instruction ID: 0ace7fcb2afc5f3d4d3d2c99b686b403f3120308858481b452669d6ed99ef618
Opcode Fuzzy Hash: 405378097eea656a457b3989d0611af2ad9cfb0e2e4fd023a53133ab94cfe2a8
Instruction Fuzzy Hash: 1D513871904249EFCB15CFA9CC84EAEBBB9EF48310F14842EF999A7311D731A9458B50

Function 00E66A8C Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00E80957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00E66B0C,?,00008000), ref: 00E80973

Part of subcall function 00E64750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E64743,?,?,00E637AE,?), ref: 00E64770

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00E66BAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00E66CFA

Part of subcall function 00E6586D: _wcscpy.LIBCMT ref: 00E658A5

Part of subcall function 00E8363D: _iswctype.LIBCMT ref: 00E83645

Strings

Bad directive syntax error, xrefs: 00E9E79D
Error opening the file, xrefs: 00E9E43D, 00E9E4B8
EA06, xrefs: 00E9E452
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00E9E421
>>>AUTOIT SCRIPT<<<, xrefs: 00E9E496
Unterminated string, xrefs: 00E9E7E4
AU3!, xrefs: 00E66B61

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: b9ae9431f230544939d59285c00d8a33e3c50ecf0a4edbaabdb4ea0fa7bb6c7f
Instruction ID: 4bf761a0f91b7d9bc727944238e725783452feb2357f28ec2041dcc3a639e759
Opcode Fuzzy Hash: b9ae9431f230544939d59285c00d8a33e3c50ecf0a4edbaabdb4ea0fa7bb6c7f
Instruction Fuzzy Hash: 8802AD711483409FCB24EF24D8819AFBBE5BF94398F10591DF5DAA72A2DB30D949CB42

Function 00EC2D36 Relevance: 19.7, APIs: 13, Instructions: 214windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00EC2D50
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00EC2DDD
GetMenuItemCount.USER32(00F25890), ref: 00EC2E66
DeleteMenu.USER32(00F25890,00000005,00000000,000000F5,?,?), ref: 00EC2EF6
DeleteMenu.USER32(00F25890,00000004,00000000), ref: 00EC2EFE
DeleteMenu.USER32(00F25890,00000006,00000000), ref: 00EC2F06
DeleteMenu.USER32(00F25890,00000003,00000000), ref: 00EC2F0E
GetMenuItemCount.USER32(00F25890), ref: 00EC2F16
SetMenuItemInfoW.USER32(00F25890,00000004,00000000,00000030), ref: 00EC2F4C
GetCursorPos.USER32(?), ref: 00EC2F56
SetForegroundWindow.USER32(00000000), ref: 00EC2F5F
TrackPopupMenuEx.USER32(00F25890,00000000,?,00000000,00000000,00000000), ref: 00EC2F72
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00EC2F7E

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: 5c812ef8911e2a74cf80bbdbf24f19821a1df483df1da35bfbec4e077007a7d1
Instruction ID: fdea18be5fc7b034caadc7d4e71df5a5f05a56b51caf67fb7425ebe6c3b7995b
Opcode Fuzzy Hash: 5c812ef8911e2a74cf80bbdbf24f19821a1df483df1da35bfbec4e077007a7d1
Instruction Fuzzy Hash: 0871E370600249BEEB218F55DD85FAABF64FB04318F14121EF725BA1E1C7B25C15DB91

Function 00ED88AB Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00ED88D7
CoInitialize.OLE32(00000000), ref: 00ED8904
CoUninitialize.OLE32 ref: 00ED890E
GetRunningObjectTable.OLE32(00000000,?), ref: 00ED8A0E
SetErrorMode.KERNEL32(00000001,00000029), ref: 00ED8B3B
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00EF2C0C), ref: 00ED8B6F
CoGetObject.OLE32(?,00000000,00EF2C0C,?), ref: 00ED8B92
SetErrorMode.KERNEL32(00000000), ref: 00ED8BA5
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00ED8C25
VariantClear.OLEAUT32(?), ref: 00ED8C35

Strings

,,, xrefs: 00ED88C1

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID: ,,
API String ID: 2395222682-1556401989
Opcode ID: 8f0f5415345134bd54fc3950579f19fda984d61168b25bd9a64041bd3ab19a64
Instruction ID: b8a423e433a77e2023e251ef100058330ba57131ca44684f30b6f653be9f97a4
Opcode Fuzzy Hash: 8f0f5415345134bd54fc3950579f19fda984d61168b25bd9a64041bd3ab19a64
Instruction Fuzzy Hash: 6AC124B1208305AFC704DF64C98496AB7E9FF89348F00591EF98AAB251DB71ED06CB52

Function 00EB77DC Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00E67BCC: _memmove.LIBCMT ref: 00E67C06

_memset.LIBCMT ref: 00EB786B
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00EB78A0
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00EB78BC
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00EB78D8
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00EB7902
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00EB792A
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00EB7935
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00EB793A

Strings

\IPC$, xrefs: 00EB7882
\CLSID, xrefs: 00EB7822
SOFTWARE\Classes\, xrefs: 00EB780C

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: b4e3c73ab091cf0fca257708989984f79c038fd7aa90a6647d9354818e3a458a
Instruction ID: 43f6383dfa0ec3e9b153edbcc7e3afa3515e3332adc124390f5a0930e437dc8d
Opcode Fuzzy Hash: b4e3c73ab091cf0fca257708989984f79c038fd7aa90a6647d9354818e3a458a
Instruction Fuzzy Hash: 0F411872C5422DABCF15EBA4EC85DEEB7B8BF54354F005129F855B71A1DA309E04CB90

Function 00EE0E1A Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00EDFDAD,?,?), ref: 00EE0E31

Strings

HKCU, xrefs: 00EE0F21
HKCC, xrefs: 00EE0EFF
HKU, xrefs: 00EE0F43
HKEY_USERS, xrefs: 00EE0F32
HKEY_CURRENT_CONFIG, xrefs: 00EE0EEE
HKCR, xrefs: 00EE0ED9
HKEY_CURRENT_USER, xrefs: 00EE0F10
HKEY_CLASSES_ROOT, xrefs: 00EE0EC4
HKLM, xrefs: 00EE0EAF
HKEY_LOCAL_MACHINE, xrefs: 00EE0E9A

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 582de619e2e5b32316f7ea34ea5a01cf549db7a2fca68cc407e48fbb3719e72b
Instruction ID: 3ac16827be1593c78cf57ee6f8dd3d912e52eea3eb91d6853329e18997076fe8
Opcode Fuzzy Hash: 582de619e2e5b32316f7ea34ea5a01cf549db7a2fca68cc407e48fbb3719e72b
Instruction Fuzzy Hash: A94162352043898BCF14EF11E866AEE37A0BF11344F546454FC9937292DBB19DAADBA0

Function 00EBF7A1 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00E9E2A0,00000010,?,Bad directive syntax error,00EEF910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 00EBF7C2
LoadStringW.USER32(00000000,?,00E9E2A0,00000010), ref: 00EBF7C9

Part of subcall function 00E67DE1: _memmove.LIBCMT ref: 00E67E22

_wprintf.LIBCMT ref: 00EBF7FC
__swprintf.LIBCMT ref: 00EBF81E
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00EBF88D

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 00EBF7F7
Line %d (File "%s"):, xrefs: 00EBF833
Line %d:, xrefs: 00EBF818
Error: , xrefs: 00EBF85B
., xrefs: 00EBF873

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: a44b791bb69f7ca2199b994828c9d49abee40010577d61426d8d40a555c3efa2
Instruction ID: fdf12345b23ffa9c91059d815ed59c4179cf731b1339f8240659bce8d363363f
Opcode Fuzzy Hash: a44b791bb69f7ca2199b994828c9d49abee40010577d61426d8d40a555c3efa2
Instruction Fuzzy Hash: 2121BD3294021EFBCF12EFA0DC4AEEE77B9BF18344F000465F519760A2EA319658DB51

Function 00EC52C7 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00E67BCC: _memmove.LIBCMT ref: 00E67C06

Part of subcall function 00E67924: _memmove.LIBCMT ref: 00E679AD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00EC5330
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00EC5346
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00EC5357
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00EC5369
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00EC537A

Strings

alias PlayMe, xrefs: 00EC5309
status PlayMe mode, xrefs: 00EC532B
play PlayMe, xrefs: 00EC5375
close PlayMe, xrefs: 00EC5341, 00EC536E
open , xrefs: 00EC52DF
play PlayMe wait, xrefs: 00EC5364

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: b461ce3157415a849511b7cee4f92dd4c4df3991c348821ed2ad02e7bab33940
Instruction ID: 036f35f4a1f68517045df113be5a3a48f157c90b874c91074d270a27f8731e13
Opcode Fuzzy Hash: b461ce3157415a849511b7cee4f92dd4c4df3991c348821ed2ad02e7bab33940
Instruction Fuzzy Hash: A711E621A9015D79D720B665DD49DFFBBBCEBD5BC4F00042DB451B20D1DEA05C86C661

Function 00EC46B7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00EC46D2
gethostname.WSOCK32(?,00000100), ref: 00EC46EC
gethostbyname.WSOCK32(?), ref: 00EC46F9
_wcscpy.LIBCMT ref: 00EC4721
_memmove.LIBCMT ref: 00EC4734
inet_ntoa.WSOCK32(?), ref: 00EC473F
_strcat.LIBCMT ref: 00EC474D
_wcscpy.LIBCMT ref: 00EC4764
WSACleanup.WSOCK32 ref: 00EC4772
_wcscpy.LIBCMT ref: 00EC4780

Strings

0.0.0.0, xrefs: 00EC471B

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 8e57f8fdd8545653ddc254e863ea97866333fe05af0f9e4bc8763dc00fdb0d4e
Instruction ID: fa847306026c395b6efcdbb67083861738a52565e643f16963505e9e1828360c
Opcode Fuzzy Hash: 8e57f8fdd8545653ddc254e863ea97866333fe05af0f9e4bc8763dc00fdb0d4e
Instruction Fuzzy Hash: 8C11C371900118AFCB25AB709D86EDA77ACEB41711F0411BAF949B60D1EF729A868750

Function 00EC4F75 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00EC4F7A

Part of subcall function 00E8049F: timeGetTime.WINMM(?,7694B400,00E70E7B), ref: 00E804A3

Sleep.KERNEL32(0000000A), ref: 00EC4FA6
EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00EC4FCA
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00EC4FEC
SetActiveWindow.USER32 ref: 00EC500B
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00EC5019
SendMessageW.USER32(00000010,00000000,00000000), ref: 00EC5038
Sleep.KERNEL32(000000FA), ref: 00EC5043
IsWindow.USER32 ref: 00EC504F
EndDialog.USER32(00000000), ref: 00EC5060

Strings

BUTTON, xrefs: 00EC4FDE

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 82ca737082507dcdd8b779a54b60e438bc4d6e6bbf75e1a20eac7c55e73dc379
Instruction ID: 653abb521a212e42c1e7115560b15b461867718526c036e7ddf3454f65a9c156
Opcode Fuzzy Hash: 82ca737082507dcdd8b779a54b60e438bc4d6e6bbf75e1a20eac7c55e73dc379
Instruction Fuzzy Hash: 7421D47120064DAFE7205F30EECAF263BA9EB44745F08302CF405E51F5CB329E46A661

Function 00ECD58D Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00E69837: __itow.LIBCMT ref: 00E69862
Part of subcall function 00E69837: __swprintf.LIBCMT ref: 00E698AC

CoInitialize.OLE32(00000000), ref: 00ECD5EA
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00ECD67D
SHGetDesktopFolder.SHELL32(?), ref: 00ECD691
CoCreateInstance.OLE32(00EF2D7C,00000000,00000001,00F18C1C,?), ref: 00ECD6DD
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00ECD74C
CoTaskMemFree.OLE32(?,?), ref: 00ECD7A4
_memset.LIBCMT ref: 00ECD7E1
SHBrowseForFolderW.SHELL32(?), ref: 00ECD81D
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00ECD840
CoTaskMemFree.OLE32(00000000), ref: 00ECD847
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00ECD87E
CoUninitialize.OLE32(00000001,00000000), ref: 00ECD880

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 1e911d87008c013383ca35707d19f5e5638e29fb514141b1ba73756676b440bf
Instruction ID: 668d0ceb29cd67315cf3af67211fea6821c0bc7351bdbef3e4c7a2f00a3fee1e
Opcode Fuzzy Hash: 1e911d87008c013383ca35707d19f5e5638e29fb514141b1ba73756676b440bf
Instruction Fuzzy Hash: 81B1FB75A00109AFDB04DFA4D984EAEBBF9EF48314B0494A9F909EB261DB31ED45CB50

Function 00EBC267 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00EBC283
GetWindowRect.USER32(00000000,?), ref: 00EBC295
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00EBC2F3
GetDlgItem.USER32(?,00000002), ref: 00EBC2FE
GetWindowRect.USER32(00000000,?), ref: 00EBC310
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00EBC364
GetDlgItem.USER32(?,000003E9), ref: 00EBC372
GetWindowRect.USER32(00000000,?), ref: 00EBC383
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00EBC3C6
GetDlgItem.USER32(?,000003EA), ref: 00EBC3D4
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00EBC3F1
InvalidateRect.USER32(?,00000000,00000001), ref: 00EBC3FE

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 9beed2fe02d5380c6f08d861d2bf4e0af17c50bbb019c8dd37fc425dbca68dcc
Instruction ID: d2d782114abbbeccda9f74792f191f3586cd23a4c30eee7010bf47c78b8c9e0c
Opcode Fuzzy Hash: 9beed2fe02d5380c6f08d861d2bf4e0af17c50bbb019c8dd37fc425dbca68dcc
Instruction Fuzzy Hash: 3A516271B00209AFDB18CFA9DD99AAEBBBAFB88310F14817DF515E7290D7709D048B50

Function 00E6201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00E61B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00E62036,?,00000000,?,?,?,?,00E616CB,00000000,?), ref: 00E61B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00E620D3
KillTimer.USER32(-00000001,?,?,?,?,00E616CB,00000000,?,?,00E61AE2,?,?), ref: 00E6216E
DestroyAcceleratorTable.USER32(00000000), ref: 00E9BCA6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00E616CB,00000000,?,?,00E61AE2,?,?), ref: 00E9BCD7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00E616CB,00000000,?,?,00E61AE2,?,?), ref: 00E9BCEE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00E616CB,00000000,?,?,00E61AE2,?,?), ref: 00E9BD0A
DeleteObject.GDI32(00000000), ref: 00E9BD1C

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: d19603efdae427c0ca25669b6806d5989cf05efb80effd3687bb6eafcd6aa689
Instruction ID: 12220a3643e3aaeb568fb038ddc174e0e42ee9d879104068915ee7c27b8a55e8
Opcode Fuzzy Hash: d19603efdae427c0ca25669b6806d5989cf05efb80effd3687bb6eafcd6aa689
Instruction Fuzzy Hash: E661AF30141A48DFCB359F15E948B69B7F1FF4075AF10A52DE642BA9B1C7B0A891EB80

Function 00E621A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 00E625DB: GetWindowLongW.USER32(?,000000EB), ref: 00E625EC

GetSysColor.USER32(0000000F), ref: 00E621D3

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: baf9f90eb21a35f7e5be56116233fafeecb6a80d41497512e423b12f229407e0
Instruction ID: 45f3f39acfe7bccea73cd473088aac43cd3920b23e731d0d7ed779a2f378411b
Opcode Fuzzy Hash: baf9f90eb21a35f7e5be56116233fafeecb6a80d41497512e423b12f229407e0
Instruction Fuzzy Hash: 6F41AD310419489FDB215F28BC98BB93B65EB06365F149269FE61AE1F6C7318C42DB21

Function 00ECA8A7 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00EEF910), ref: 00ECA90B
GetDriveTypeW.KERNEL32(00000061,00F189A0,00000061), ref: 00ECA9D5
_wcscpy.LIBCMT ref: 00ECA9FF

Strings

unknown, xrefs: 00ECA996
cdrom, xrefs: 00ECA927
ramdisk, xrefs: 00ECA97F
network, xrefs: 00ECA969
removable, xrefs: 00ECA93D
fixed, xrefs: 00ECA953
all, xrefs: 00ECA911

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 8022c15f63d2a54537b8e9ded125c80d67afdb82ec022679912577a248bbbc88
Instruction ID: c5f0b2b36d9c387c4e69d43176b39b3b4a422adb75708395750b58b2c7d7ea74
Opcode Fuzzy Hash: 8022c15f63d2a54537b8e9ded125c80d67afdb82ec022679912577a248bbbc88
Instruction Fuzzy Hash: F251B4311443059BC314EF14DA92FAFB7E5EF84748F58682DF499672A2DB32990ACB43

Function 00E69837 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00E69862
__swprintf.LIBCMT ref: 00E698AC
__i64tow.LIBCMT ref: 00E9F5E6

Strings

%.15g, xrefs: 00E698A6
False, xrefs: 00E9F5AE
True, xrefs: 00E9F5A7
0x%p, xrefs: 00E9F5C8

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 9de46831d625597cdad3e0b799fe3d663811cb83e2109838ecd4361229fcec5f
Instruction ID: 5a8db0380f488e1dcb60865b66fe2b245f53b794d4641bfde782bff9bc9bc6dd
Opcode Fuzzy Hash: 9de46831d625597cdad3e0b799fe3d663811cb83e2109838ecd4361229fcec5f
Instruction Fuzzy Hash: 2C41C371500205AFDB28EF34E842ABA77E8EF45354F20546EE54DF7292EA329D428B11

Function 00EE7152 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00EE716A
CreateMenu.USER32 ref: 00EE7185
SetMenu.USER32(?,00000000), ref: 00EE7194
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00EE7221
IsMenu.USER32(?), ref: 00EE7237
CreatePopupMenu.USER32 ref: 00EE7241
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00EE726E
DrawMenuBar.USER32 ref: 00EE7276

Strings

F, xrefs: 00EE7262
0, xrefs: 00EE7160

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 8617a3105ccf3aded7191496a34b9963589f0533779f3829112ff7044aab12a7
Instruction ID: 00dd8a10e080e107dd91136630bb2f04bc55913e864c2d9a9bc18448371d2b8a
Opcode Fuzzy Hash: 8617a3105ccf3aded7191496a34b9963589f0533779f3829112ff7044aab12a7
Instruction Fuzzy Hash: B74136B4A01249EFDB20DFA5E884EAA7BB5FF48350F144029FA45AB361D731AD14DF90

Function 00EE74BB Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00EE755E
CreateCompatibleDC.GDI32(00000000), ref: 00EE7565
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00EE7578
SelectObject.GDI32(00000000,00000000), ref: 00EE7580
GetPixel.GDI32(00000000,00000000,00000000), ref: 00EE758B
DeleteDC.GDI32(00000000), ref: 00EE7594
GetWindowLongW.USER32(?,000000EC), ref: 00EE759E
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00EE75B2
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00EE75BE

Strings

static, xrefs: 00EE74F6

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: f5ef3d6f38291c106dce7c32ea3ab4887e33de17ba0774da1f46f41b6854cc7b
Instruction ID: aac7b22069be431373351513c648803592c6feb93bb4eccee37d247779c0bd96
Opcode Fuzzy Hash: f5ef3d6f38291c106dce7c32ea3ab4887e33de17ba0774da1f46f41b6854cc7b
Instruction Fuzzy Hash: 87317832105299AFDF129FA6DC48FEA3BA9EF09324F101225FA55A60A0C731D815DBA0

Function 00E86E03 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E86E3E

Part of subcall function 00E88B28: __getptd_noexit.LIBCMT ref: 00E88B28

__gmtime64_s.LIBCMT ref: 00E86ED7
__gmtime64_s.LIBCMT ref: 00E86F0D
__gmtime64_s.LIBCMT ref: 00E86F2A
__allrem.LIBCMT ref: 00E86F80
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E86F9C
__allrem.LIBCMT ref: 00E86FB3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E86FD1
__allrem.LIBCMT ref: 00E86FE8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E87006
__invoke_watson.LIBCMT ref: 00E87077

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction ID: b41609ffc0c5769ff0f95e51eb948be82a5df98400d3910cd50befd1b40f1fae
Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction Fuzzy Hash: C571F6B6A00716ABDB14BE78DC81B5AB3E8AF04768F245229F55CF72C1E770DE408790

Function 00EC2527 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00EC2542
GetMenuItemInfoW.USER32(00F25890,000000FF,00000000,00000030), ref: 00EC25A3
SetMenuItemInfoW.USER32(00F25890,00000004,00000000,00000030), ref: 00EC25D9
Sleep.KERNEL32(000001F4), ref: 00EC25EB
GetMenuItemCount.USER32(?), ref: 00EC262F
GetMenuItemID.USER32(?,00000000), ref: 00EC264B
GetMenuItemID.USER32(?,-00000001), ref: 00EC2675
GetMenuItemID.USER32(?,?), ref: 00EC26BA
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00EC2700
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00EC2714
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00EC2735

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 2d5743f3bdf363bc9ff06280355f778a3168edb7c29e8aa8a57b3d8079aaecc4
Instruction ID: f52b4280bcf9f546985b52ded99d02bb47483e1897e2ffe385f4231ac6b5b4fa
Opcode Fuzzy Hash: 2d5743f3bdf363bc9ff06280355f778a3168edb7c29e8aa8a57b3d8079aaecc4
Instruction Fuzzy Hash: FE618F70900249AFDB11CF64DE88EBE7BB8EB45308F14556DFA41B7291D732AD0ADB21

Function 00EE6F23 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00EE6FA5
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00EE6FA8
GetWindowLongW.USER32(?,000000F0), ref: 00EE6FCC
_memset.LIBCMT ref: 00EE6FDD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00EE6FEF
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00EE7067

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: d9967331b1147e4863090548134148df343e203ae0d02d2415b03578101043c0
Instruction ID: 926940ba729a389bd78dce530f754adb46de890855b0fe92e2926c8c62a8db57
Opcode Fuzzy Hash: d9967331b1147e4863090548134148df343e203ae0d02d2415b03578101043c0
Instruction Fuzzy Hash: AB617C75A00288AFDB20DFA4CC81EEE77F8EB08714F100159FA14EB2A1C771AD41DB90

Function 00EB6B98 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00EB6BBF
SafeArrayAllocData.OLEAUT32(?), ref: 00EB6C18
VariantInit.OLEAUT32(?), ref: 00EB6C2A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00EB6C4A
VariantCopy.OLEAUT32(?,?), ref: 00EB6C9D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00EB6CB1
VariantClear.OLEAUT32(?), ref: 00EB6CC6
SafeArrayDestroyData.OLEAUT32(?), ref: 00EB6CD3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00EB6CDC
VariantClear.OLEAUT32(?), ref: 00EB6CEE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00EB6CF9

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 4abd69272552e9ddb475380f8029adf27f96f6f368badf89a2920066df71f69b
Instruction ID: 7cbd06a39b50b34ac2647349cda750c737c054ae0055289c1eafa22fa9db9981
Opcode Fuzzy Hash: 4abd69272552e9ddb475380f8029adf27f96f6f368badf89a2920066df71f69b
Instruction Fuzzy Hash: 64412D75A001199FDF049FA9D884DEEBBB9EF48354F008069F955BB2A1CB34A949CF90

Function 00ED5732 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00ED5793
inet_addr.WSOCK32(?,?,?), ref: 00ED57D8
gethostbyname.WSOCK32(?), ref: 00ED57E4
IcmpCreateFile.IPHLPAPI ref: 00ED57F2
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00ED5862
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00ED5878
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00ED58ED
WSACleanup.WSOCK32 ref: 00ED58F3

Strings

Ping, xrefs: 00ED5816

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: e802af4a759035ad6e2e3e45d9b5bf6780c5c8d54845b138a4ca9fd6d05c45bb
Instruction ID: b5296ed1efa35c5d182882274d58e2eaaba5b6bfc56fbe92b83681274313fa2c
Opcode Fuzzy Hash: e802af4a759035ad6e2e3e45d9b5bf6780c5c8d54845b138a4ca9fd6d05c45bb
Instruction Fuzzy Hash: F751BD366007009FDB24AF25DC85B6ABBE4EF48324F04592AF956FB3A1DB30E805DB41

Function 00ECB4C3 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00ECB4D0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00ECB546
GetLastError.KERNEL32 ref: 00ECB550
SetErrorMode.KERNEL32(00000000,READY), ref: 00ECB5BD

Strings

READONLY, xrefs: 00ECB588
NOTREADY, xrefs: 00ECB57C
UNKNOWN, xrefs: 00ECB575
READY, xrefs: 00ECB596
INVALID, xrefs: 00ECB58F

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 1650cb5ab3eb48f23b7b243db8f0963c5f003e3e8d42e5f2191a3545a33ce069
Instruction ID: 30d54c34b3f1dff3850145c54c19845374812ad5897bb649c7fdd2ab5b4f05f9
Opcode Fuzzy Hash: 1650cb5ab3eb48f23b7b243db8f0963c5f003e3e8d42e5f2191a3545a33ce069
Instruction Fuzzy Hash: 4631A035A402099FCB00DBA8DA86FEE77B5FF48354F105029F501BB291DB729A47CB41

Function 00EB8F8F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E67DE1: _memmove.LIBCMT ref: 00E67E22

Part of subcall function 00EBAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00EBAABC

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00EB9014
GetDlgCtrlID.USER32 ref: 00EB901F
GetParent.USER32 ref: 00EB903B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00EB903E
GetDlgCtrlID.USER32(?), ref: 00EB9047
GetParent.USER32(?), ref: 00EB9063
SendMessageW.USER32(00000000,?,?,00000111), ref: 00EB9066

Strings

ListBox, xrefs: 00EB8FD1
ComboBox, xrefs: 00EB8F9C

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 8cff0cf8750f2850fc2284c732dc9543dc09eca87b18be8a9880d0e23985afd4
Instruction ID: 04c671329679394ee07f9f750406371ec243126e2d9b3d76715bd016eb43b507
Opcode Fuzzy Hash: 8cff0cf8750f2850fc2284c732dc9543dc09eca87b18be8a9880d0e23985afd4
Instruction Fuzzy Hash: 5421F870A00249BFDF04ABA1CC85EFEBBB5EF45310F104119FA61B72A2DB755819DB20

Function 00EB907A Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E67DE1: _memmove.LIBCMT ref: 00E67E22

Part of subcall function 00EBAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00EBAABC

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00EB90FD
GetDlgCtrlID.USER32 ref: 00EB9108
GetParent.USER32 ref: 00EB9124
SendMessageW.USER32(00000000,?,00000111,?), ref: 00EB9127
GetDlgCtrlID.USER32(?), ref: 00EB9130
GetParent.USER32(?), ref: 00EB914C
SendMessageW.USER32(00000000,?,?,00000111), ref: 00EB914F

Strings

ListBox, xrefs: 00EB90BC
ComboBox, xrefs: 00EB9087

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 574b2b93e14be5bf11754ea1861b74beec85229e669ac21a702a873b59687d81
Instruction ID: 05e112d8c387fbcf0e8aeefc349819f6fc78f52597795597b6d5085569567d7b
Opcode Fuzzy Hash: 574b2b93e14be5bf11754ea1861b74beec85229e669ac21a702a873b59687d81
Instruction Fuzzy Hash: 80210775A40249BFDF10ABA5CC85EFEBBB4EF44300F104015FA61B72A2DB758819EB20

Function 00EB9163 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00EB916F
GetClassNameW.USER32(00000000,?,00000100), ref: 00EB9184
_wcscmp.LIBCMT ref: 00EB9196
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00EB9211

Strings

details, xrefs: 00EB91BF
smallicons, xrefs: 00EB91D9
SHELLDLL_DefView, xrefs: 00EB9190
largeicons, xrefs: 00EB91A5
list, xrefs: 00EB91F3

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 7b3f87544c7b58d96b90afd519168f417d7ee191360684125cc3f9ff9d7927d1
Instruction ID: 8ceef1ae8b8e00a1a8d11ef5671c89cf0701d8d8083220d48ba3df2812fd75a1
Opcode Fuzzy Hash: 7b3f87544c7b58d96b90afd519168f417d7ee191360684125cc3f9ff9d7927d1
Instruction Fuzzy Hash: B6112C3A688307BAFA113634EC06DE737DC9B15720F201026FB08B50E3FE71A8556A99

Function 00EC7990 Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00EC7A6C

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: 3f85d002202f5791b207e54dc795534f7cf18e6f3227a852cdc42ec75e5b35fa
Instruction ID: 2b07015d37ce9d0197b60501d58e54c236d08e1f4ff72f3edcf54e4106793d01
Opcode Fuzzy Hash: 3f85d002202f5791b207e54dc795534f7cf18e6f3227a852cdc42ec75e5b35fa
Instruction Fuzzy Hash: D4B1897190820A9FDB00DFA4C984FBEB7F4EF09325F205029E991BB291D735A946CF90

Function 00E6FA5D Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00E6FAA6
OleUninitialize.OLE32(?,00000000), ref: 00E6FB45
UnregisterHotKey.USER32(?), ref: 00E6FC9C
DestroyWindow.USER32(?), ref: 00EA45D6
FreeLibrary.KERNEL32(?), ref: 00EA463B
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00EA4668

Strings

close all, xrefs: 00E6FAA1

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 83388c40bad694060e54c8e836304d246e0ec810349bc1f19e0aaaa294731c86
Instruction ID: fc0f684f70dffae541e1e1a721e95260aec54722d2b6c21cbbd3019d3407a82f
Opcode Fuzzy Hash: 83388c40bad694060e54c8e836304d246e0ec810349bc1f19e0aaaa294731c86
Instruction Fuzzy Hash: 37A19171701216CFCB19EF14D595A69F3A4BF8A744F1462ADE80ABB2A1CB30ED16CF50

Function 00ED9113 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00ED9167
VariantInit.OLEAUT32(?), ref: 00ED9238
VariantInit.OLEAUT32(?), ref: 00ED9339
VariantClear.OLEAUT32(?), ref: 00ED9343
VariantClear.OLEAUT32(?), ref: 00ED93A0

Strings

,,, xrefs: 00ED91E5
Incorrect Object type in FOR..IN loop, xrefs: 00ED931C
Null Object assignment in FOR..IN loop, xrefs: 00ED91C8, 00ED92F6, 00ED93AE

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: ,,$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-218231672
Opcode ID: 032cf03622b7a116a49d23f4a41acaf1363462c88e0573c67085d1e201802983
Instruction ID: 736b9b56dc3bc39ae9f25621ccbeab9067ab2b6eae8df0d038cd6e507c949e2b
Opcode Fuzzy Hash: 032cf03622b7a116a49d23f4a41acaf1363462c88e0573c67085d1e201802983
Instruction Fuzzy Hash: B291BE71A00219ABDF24CFA1DC48FEEBBB8EF45714F10911AF515BB292D7709946CBA0

Function 00EBA068 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00EBA439), ref: 00EBA377

Strings

CLASS, xrefs: 00EBA0F6
TEXT, xrefs: 00EBA2AE
CLASSNN, xrefs: 00EBA119
REGEXPCLASS, xrefs: 00EBA13C
INSTANCE, xrefs: 00EBA285
NAME, xrefs: 00EBA1A9

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: fef414991e74dad684db8b721f1823b082f3a77a4fa97a5b3f9c143cb5f15060
Instruction ID: 93e68f05c18fcea521f48224b8a80606e3f0b74b179bc68a85d0e8d2e5b93dd3
Opcode Fuzzy Hash: fef414991e74dad684db8b721f1823b082f3a77a4fa97a5b3f9c143cb5f15060
Instruction Fuzzy Hash: DF919231604605AACF48EFA4C482BEFFBF4BF04304F58A129E85DB7251DB316999DB91

Function 00E62E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00E62EAE

Part of subcall function 00E61DB3: GetClientRect.USER32(?,?), ref: 00E61DDC
Part of subcall function 00E61DB3: GetWindowRect.USER32(?,?), ref: 00E61E1D
Part of subcall function 00E61DB3: ScreenToClient.USER32(?,?), ref: 00E61E45

GetDC.USER32 ref: 00E9CD32
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00E9CD45
SelectObject.GDI32(00000000,00000000), ref: 00E9CD53
SelectObject.GDI32(00000000,00000000), ref: 00E9CD68
ReleaseDC.USER32(?,00000000), ref: 00E9CD70
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00E9CDFB

Strings

U, xrefs: 00E9CCD0

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 46ccb7a5594d9434878e2b89e62af433ee16103da80ba746522ce4aff4f563be
Instruction ID: dcfff31ee1d455468712248c4c73b672fe74bbe063735d16ce44f23ef0c48470
Opcode Fuzzy Hash: 46ccb7a5594d9434878e2b89e62af433ee16103da80ba746522ce4aff4f563be
Instruction Fuzzy Hash: B171C231500609DFCF21AF64D880AEA7FB5FF48368F24627AED557A2A6C7318841DB50

Function 00ED1A15 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00ED1A50
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00ED1A7C
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00ED1ABE
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00ED1AD3
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00ED1AE0
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00ED1B10
InternetCloseHandle.WININET(00000000), ref: 00ED1B57

Part of subcall function 00ED2483: GetLastError.KERNEL32(?,?,00ED1817,00000000,00000000,00000001), ref: 00ED2498
Part of subcall function 00ED2483: SetEvent.KERNEL32(?,?,00ED1817,00000000,00000000,00000001), ref: 00ED24AD

Strings

, xrefs: 00ED1B01

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: 529b598c92f323cf842ceba9cace94e4fb6d849bc07658af5ffeb1f81a60e7ac
Instruction ID: d0ad3f296d75c8c015cde0d1f291ce2eea0a06a76211c23bea04e7260383062f
Opcode Fuzzy Hash: 529b598c92f323cf842ceba9cace94e4fb6d849bc07658af5ffeb1f81a60e7ac
Instruction Fuzzy Hash: 0F416DB1501219BFEB119F61CC89FFA7BACEF08354F00516BFA05AA241E7709E459BA0

Function 00ED8C46 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00EEF910), ref: 00ED8D28
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00EEF910), ref: 00ED8D5C
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00ED8ED6
SysFreeString.OLEAUT32(?), ref: 00ED8F00

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 14e258b33a8e709827144bfd29a289ccf069f9584f2678f99142d0e59f5e15e2
Instruction ID: 149d224290d3dc843d7f7cec58c7087634e6543d6c2133fff8aba7715ca7e61c
Opcode Fuzzy Hash: 14e258b33a8e709827144bfd29a289ccf069f9584f2678f99142d0e59f5e15e2
Instruction Fuzzy Hash: 6CF12671A00209EFCB14DF94C984EAEB7B9FF49314F109599F905BB251DB31AE46CB50

Function 00EDF694 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00EDF6B5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00EDF848
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00EDF86C
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00EDF8AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00EDF8CE
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00EDFA4A
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00EDFA7C
CloseHandle.KERNEL32(?), ref: 00EDFAAB
CloseHandle.KERNEL32(?), ref: 00EDFB22

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 58f8ac7be486d0e5ffa5dd14c3f8b88a054587fd7fe6b5c234b24e7823c410f9
Instruction ID: 9da2bd4038d1033542b19f2b2ef2ecaf18f55a684d9db4b51da5b7a37be38e4c
Opcode Fuzzy Hash: 58f8ac7be486d0e5ffa5dd14c3f8b88a054587fd7fe6b5c234b24e7823c410f9
Instruction Fuzzy Hash: 6BE1C2316043409FC714EF24D891B6ABBE5EF85354F14956EF88AAB3A2CB31DC46CB52

Function 00EC4CC1 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00EC3697,?), ref: 00EC468B

Part of subcall function 00EC466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00EC3697,?), ref: 00EC46A4

Part of subcall function 00EC4A31: GetFileAttributesW.KERNEL32(?,00EC370B), ref: 00EC4A32

lstrcmpiW.KERNEL32(?,?), ref: 00EC4D40
_wcscmp.LIBCMT ref: 00EC4D5A
MoveFileW.KERNEL32(?,?), ref: 00EC4D75

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: ddd30150c3957065733e0d30f19d60a60b4d981fef9093ebe1e012cb1b88779a
Instruction ID: 5662f83b6c51db42ede33fa1d589ef05138a49b7accbc7433eb76c5dc47f6302
Opcode Fuzzy Hash: ddd30150c3957065733e0d30f19d60a60b4d981fef9093ebe1e012cb1b88779a
Instruction Fuzzy Hash: 2C5172F21083859BC724EB60D991EDF77ECAF84354F00192EF28AE3191EE31A589C756

Function 00EE8645 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00EE86FF

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 81e2d083b78dc40b0454a954844c3819f8e76611eca2044e9761a26c0817266f
Instruction ID: 5adca9334e921df8fa4f2625c65c20293c0420d5f9964c674f5fb296ad9c10cd
Opcode Fuzzy Hash: 81e2d083b78dc40b0454a954844c3819f8e76611eca2044e9761a26c0817266f
Instruction Fuzzy Hash: 8051C2305002CDBFEB249B26DE85FAD3BA4AB05754F606116F959FA1E0CF71A980DB40

Function 00E62B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00E9C2F7
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00E9C319
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00E9C331
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00E9C34F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00E9C370
DestroyIcon.USER32(00000000), ref: 00E9C37F
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00E9C39C
DestroyIcon.USER32(?), ref: 00E9C3AB

Part of subcall function 00EEA4AF: DeleteObject.GDI32(00000000), ref: 00EEA4E8

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 332fe470803512396f59653e750532589667a2b450fd40089089edcb58ccf609
Instruction ID: e403e0833fb21e9d3fa4862be41e1a2f9aba71bb9212de73301adedb97271481
Opcode Fuzzy Hash: 332fe470803512396f59653e750532589667a2b450fd40089089edcb58ccf609
Instruction Fuzzy Hash: CD517B70640609AFDF20DF25DC85FAA7BE5EB48754F20552CFA02BB2A0DB70AD90DB50

Function 00EB966E Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EBA82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00EBA84C
Part of subcall function 00EBA82C: GetCurrentThreadId.KERNEL32 ref: 00EBA853
Part of subcall function 00EBA82C: AttachThreadInput.USER32(00000000,?,00EB9683,?,00000001), ref: 00EBA85A

MapVirtualKeyW.USER32(00000025,00000000), ref: 00EB968E
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00EB96AB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00EB96AE
MapVirtualKeyW.USER32(00000025,00000000), ref: 00EB96B7
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00EB96D5
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00EB96D8
MapVirtualKeyW.USER32(00000025,00000000), ref: 00EB96E1
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00EB96F8
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00EB96FB

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 1462f68f12392a2e0f5aa69855afa33851ec9a47e75528a676f99e5c779fd07b
Instruction ID: 651386be7f5a0fbfa481751d63468a7d5377824fb4186276261afef7a2bd023a
Opcode Fuzzy Hash: 1462f68f12392a2e0f5aa69855afa33851ec9a47e75528a676f99e5c779fd07b
Instruction Fuzzy Hash: 1D11CEB191061CBFFA106B619C89FAA3F6DEB4C750F101425F244BB0E1C9F25C109AA4

Function 00EB8921 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00EB853C,00000B00,?,?), ref: 00EB892A
HeapAlloc.KERNEL32(00000000,?,00EB853C,00000B00,?,?), ref: 00EB8931
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00EB853C,00000B00,?,?), ref: 00EB8946
GetCurrentProcess.KERNEL32(?,00000000,?,00EB853C,00000B00,?,?), ref: 00EB894E
DuplicateHandle.KERNEL32(00000000,?,00EB853C,00000B00,?,?), ref: 00EB8951
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00EB853C,00000B00,?,?), ref: 00EB8961
GetCurrentProcess.KERNEL32(00EB853C,00000000,?,00EB853C,00000B00,?,?), ref: 00EB8969
DuplicateHandle.KERNEL32(00000000,?,00EB853C,00000B00,?,?), ref: 00EB896C
CreateThread.KERNEL32(00000000,00000000,00EB8992,00000000,00000000,00000000), ref: 00EB8986

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 8c465a93759fa37879c66cd93a01ee2a5568bc9087efc86e8865baf62bc058b6
Instruction ID: 3faa857bc7cedb50d247a925489f9c6ed88e44816965f96161abab1e6a77d923
Opcode Fuzzy Hash: 8c465a93759fa37879c66cd93a01ee2a5568bc9087efc86e8865baf62bc058b6
Instruction Fuzzy Hash: 9C01AC7564134CFFE610ABA5DC89F673B6CEB89711F418421FA05EF1A2CA70D804CA20

Function 00ED9B23 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 00ED9BA4, 00ED9EC8
Not an Object type, xrefs: 00ED9B7B

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 8afe7df7db28a20514e7fffec46bce8c8068103a2030da7b5613380031e3acfc
Instruction ID: 99afe0c8db5abf80e99c4e7d980a2ccedfeac03aa1355ad5a78dc3de80a17857
Opcode Fuzzy Hash: 8afe7df7db28a20514e7fffec46bce8c8068103a2030da7b5613380031e3acfc
Instruction Fuzzy Hash: 59C19271A002099FDF10DF98CD84AEEB7F5EB48314F15942AE905BB381E771AD46CB90

Function 00ED975D Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00EB710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00EB7044,80070057,?,?,?,00EB7455), ref: 00EB7127
Part of subcall function 00EB710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00EB7044,80070057,?,?), ref: 00EB7142
Part of subcall function 00EB710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00EB7044,80070057,?,?), ref: 00EB7150
Part of subcall function 00EB710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00EB7044,80070057,?), ref: 00EB7160

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00ED9806
_memset.LIBCMT ref: 00ED9813
_memset.LIBCMT ref: 00ED9956
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00ED9982
CoTaskMemFree.OLE32(?), ref: 00ED998D

Strings

NULL Pointer assignment, xrefs: 00ED99DB

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: d4fd1a929c852f7cf5b7550867bf8e34d23bff41abf3a6bb22b11caed7a193fa
Instruction ID: 233b00aad57058f2f9b73e77a9a638f7ca3303a22fd5d1cac47f9cfe8ca6320b
Opcode Fuzzy Hash: d4fd1a929c852f7cf5b7550867bf8e34d23bff41abf3a6bb22b11caed7a193fa
Instruction Fuzzy Hash: 5E913371D00228EBDB10DFA5DC81ADEBBB9EF48350F20512AF519B7281DB319A45CFA0

Function 00EE6D80 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00EE6E24
SendMessageW.USER32(?,00001036,00000000,?), ref: 00EE6E38
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00EE6E52
_wcscat.LIBCMT ref: 00EE6EAD
SendMessageW.USER32(?,00001057,00000000,?), ref: 00EE6EC4
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00EE6EF2

Strings

SysListView32, xrefs: 00EE6DF6

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: e35f7f5156a870c3e29dab2f9d8d0edfd1919d0b14c9254b92c17143ac2a3af1
Instruction ID: b6d748808e3c319c6ffba634c483cb9577d85114dafa4b6e5ab046746cfafcca
Opcode Fuzzy Hash: e35f7f5156a870c3e29dab2f9d8d0edfd1919d0b14c9254b92c17143ac2a3af1
Instruction Fuzzy Hash: 1A41A070A0038DAFDB219F65CC85BEA77E8EF18794F10142AF584B72D1D7729D848B60

Function 00EDE933 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00EC3C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00EC3C7A
Part of subcall function 00EC3C55: Process32FirstW.KERNEL32(00000000,?), ref: 00EC3C88
Part of subcall function 00EC3C55: CloseHandle.KERNEL32(00000000), ref: 00EC3D52

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00EDE9A4
GetLastError.KERNEL32 ref: 00EDE9B7
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00EDE9E6
TerminateProcess.KERNEL32(00000000,00000000), ref: 00EDEA63
GetLastError.KERNEL32(00000000), ref: 00EDEA6E
CloseHandle.KERNEL32(00000000), ref: 00EDEAA3

Strings

SeDebugPrivilege, xrefs: 00EDE9C2

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: dae562374a29e572d086e4de0e6dc0ff6e6545d0d3e2fa2bcfaaeb71e5f769d8
Instruction ID: 759c58060a563a6faeb1ad47c9c530274537dc79fd3eece646282b041b9620ef
Opcode Fuzzy Hash: dae562374a29e572d086e4de0e6dc0ff6e6545d0d3e2fa2bcfaaeb71e5f769d8
Instruction Fuzzy Hash: 254179712002059FDB24EF64DCA5FAEB7E5AF40354F04A459F906AF3D2CB75A809CB91

Function 00EC2F94 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00EC3033

Strings

stop, xrefs: 00EC3004
warning, xrefs: 00EC301C
info, xrefs: 00EC2FD4
blank, xrefs: 00EC2FB5
question, xrefs: 00EC2FEC

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: ef92a053a85a20db1fb0eb292eeac7c06b8c029f9e93f65f7dc05a3639bc4b4f
Instruction ID: 6d3df8af7aa7e6f0939ae4a62badc87c39ec991b667ab5b7a45953c62b0a31fb
Opcode Fuzzy Hash: ef92a053a85a20db1fb0eb292eeac7c06b8c029f9e93f65f7dc05a3639bc4b4f
Instruction Fuzzy Hash: A711BE32348386BED7115A24CD83EEB779CDF15370B10402EFA0476281DB729F4212A9

Function 00EC42F8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00EC4312
LoadStringW.USER32(00000000), ref: 00EC4319
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00EC432F
LoadStringW.USER32(00000000), ref: 00EC4336
_wprintf.LIBCMT ref: 00EC435C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00EC437A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00EC4357

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 4e1f42a4b2418b981af4524841e7aa5547c43a3b42aa7da8a9a7af8f10e78164
Instruction ID: 71cbb0f0785d96a57a34b1d4cafab3b868724503a2099ff68675218974633237
Opcode Fuzzy Hash: 4e1f42a4b2418b981af4524841e7aa5547c43a3b42aa7da8a9a7af8f10e78164
Instruction Fuzzy Hash: 72014FF290024CBFE711A7A5DD89EEA776CEB08700F0005A5FB49F6051EA759E894B71

Function 00EED43E Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E62612: GetWindowLongW.USER32(?,000000EB), ref: 00E62623

GetSystemMetrics.USER32(0000000F), ref: 00EED47C
GetSystemMetrics.USER32(0000000F), ref: 00EED49C
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00EED6D7
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00EED6F5
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00EED716
ShowWindow.USER32(00000003,00000000), ref: 00EED735
InvalidateRect.USER32(?,00000000,00000001), ref: 00EED75A
DefDlgProcW.USER32(?,00000005,?,?), ref: 00EED77D

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 4bc6c3d47fe799ec9eb83bdedf33d18ce24331281e09e6a543f9e1b318c8c570
Instruction ID: 6f93890186b7bf8c5ea4dbf96f1753398307e3caeb8e6cfe097421017edc63ed
Opcode Fuzzy Hash: 4bc6c3d47fe799ec9eb83bdedf33d18ce24331281e09e6a543f9e1b318c8c570
Instruction Fuzzy Hash: 66B1A9306042AAEFDF14CF6AC9C57AD7BB1FF04705F08906AEC48AE295D730A954CB90

Function 00E62A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00E9C1C7,00000004,00000000,00000000,00000000), ref: 00E62ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00E9C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00E62B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00E9C1C7,00000004,00000000,00000000,00000000), ref: 00E9C21A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00E9C1C7,00000004,00000000,00000000,00000000), ref: 00E9C286

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 89ef8eb64424d72e1a10c433028e9dcedd480540a202abb56a741f159b9ae818
Instruction ID: 603e1df936220b1bc80270d820a5cbc73302adc48ddff612d200580b007490a3
Opcode Fuzzy Hash: 89ef8eb64424d72e1a10c433028e9dcedd480540a202abb56a741f159b9ae818
Instruction Fuzzy Hash: 87412930644FC09ECB359B69BCCCBBB7B91AB45344F24A81DF297B6570C6B09845E710

Function 00EC70C6 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00EC70DD

Part of subcall function 00E80DB6: std::exception::exception.LIBCMT ref: 00E80DEC
Part of subcall function 00E80DB6: __CxxThrowException@8.LIBCMT ref: 00E80E01

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00EC7114
EnterCriticalSection.KERNEL32(?), ref: 00EC7130
_memmove.LIBCMT ref: 00EC717E
_memmove.LIBCMT ref: 00EC719B
LeaveCriticalSection.KERNEL32(?), ref: 00EC71AA
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00EC71BF
InterlockedExchange.KERNEL32(?,000001F6), ref: 00EC71DE

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 5d6587bd7febe398724a7f5c70724b96b7133d8d1c5574c63e4c00e4dd3397f7
Instruction ID: f277fc456a05eb9904bbb1bfbb9e2fce294d9704b49705fd73ddb5f49c90cb58
Opcode Fuzzy Hash: 5d6587bd7febe398724a7f5c70724b96b7133d8d1c5574c63e4c00e4dd3397f7
Instruction Fuzzy Hash: D4315031900209EFCF40EFA5DD85AAB77B8EF45710F1581A9F908AB256D7709E15CB60

Function 00EE61D3 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00EE61EB
GetDC.USER32(00000000), ref: 00EE61F3
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00EE61FE
ReleaseDC.USER32(00000000,00000000), ref: 00EE620A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00EE6246
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00EE6257
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00EE902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00EE6291
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00EE62B1

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 6fbe83bf7dc66858613a9bc20976bed3de3c220f5a912e46d3ba08ceac2987f4
Instruction ID: 36ad15d90db155b16a57f554adc5df796de4f0b74d5c3b8f4a57242f842882fe
Opcode Fuzzy Hash: 6fbe83bf7dc66858613a9bc20976bed3de3c220f5a912e46d3ba08ceac2987f4
Instruction Fuzzy Hash: 0C316D72101258BFEF118F51CC8AFEA3BA9EF59765F044065FE08AE2A1D6759C41CBA0

Function 00EBBBAF Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00EBBBC4
_memcmp.LIBCMT ref: 00EBBBE6
_memcmp.LIBCMT ref: 00EBBBFE
_memcmp.LIBCMT ref: 00EBBC11
_memcmp.LIBCMT ref: 00EBBC2B
_memcmp.LIBCMT ref: 00EBBC3E
_memcmp.LIBCMT ref: 00EBBC56
_memcmp.LIBCMT ref: 00EBBC71

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 5942548f4edb5b0523655fcc6b864a9ff37ca98ea855ba79ca91180250eb5b8a
Instruction ID: a972e7cc517b4b53fa7884667144b4ad3f93cbc4c9582b4a07e8a4ebcfd7fabc
Opcode Fuzzy Hash: 5942548f4edb5b0523655fcc6b864a9ff37ca98ea855ba79ca91180250eb5b8a
Instruction Fuzzy Hash: C621A7726017097BE604B7119D82FFBB79D9E1038CF046064FF0CB6647EB95DE1186A1

Function 00ECEB23 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00E69837: __itow.LIBCMT ref: 00E69862
Part of subcall function 00E69837: __swprintf.LIBCMT ref: 00E698AC

Part of subcall function 00E7FC86: _wcscpy.LIBCMT ref: 00E7FCA9

_wcstok.LIBCMT ref: 00ECEC94
_wcscpy.LIBCMT ref: 00ECED23
_memset.LIBCMT ref: 00ECED56

Strings

X, xrefs: 00ECED93

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 07ad93e77dbf2a9f4eac809daf7ca24e5fe95aad8e661d4448268bed81bd1281
Instruction ID: eba97ab2557efce2b38e0c0188ed07fd571d40da501206c16b3e5e4ad683e5c9
Opcode Fuzzy Hash: 07ad93e77dbf2a9f4eac809daf7ca24e5fe95aad8e661d4448268bed81bd1281
Instruction Fuzzy Hash: 92C18D716083409FC714EF64D981E6AB7E4EF85354F00592DF899AB3A2DB31EC46CB42

Function 00ED6B03 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00ED6C00
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00ED6C21
WSAGetLastError.WSOCK32(00000000), ref: 00ED6C34
htons.WSOCK32(?,?,?,00000000,?), ref: 00ED6CEA
inet_ntoa.WSOCK32(?), ref: 00ED6CA7

Part of subcall function 00EBA7E9: _strlen.LIBCMT ref: 00EBA7F3
Part of subcall function 00EBA7E9: _memmove.LIBCMT ref: 00EBA815

_strlen.LIBCMT ref: 00ED6D44
_memmove.LIBCMT ref: 00ED6DAD

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: eabfefb746b4e848133eff16495565313229b9e1c2f0e55b3072a1b48c954580
Instruction ID: d760e27451cade1089bd41798ee0922cfc07bb3aff7e7c950983bd4c9c297eef
Opcode Fuzzy Hash: eabfefb746b4e848133eff16495565313229b9e1c2f0e55b3072a1b48c954580
Instruction Fuzzy Hash: AC81C171204300AFC710EB64EC82EABB7E9EF94758F10691EF555BB292DB70AD05CB52

Function 00E61424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a70715104fb932a5ec2c26b625f3d66b37e7c066adf9c790ea27f284dafb2257
Instruction ID: a50276425cd57f00e03bc4171154afa7463867ada900cabc3bf387923fdf32e8
Opcode Fuzzy Hash: a70715104fb932a5ec2c26b625f3d66b37e7c066adf9c790ea27f284dafb2257
Instruction Fuzzy Hash: F6717D30940119EFCB05CF98DC89ABEBB79FF85354F189299F915BB251C730AA51CB60

Function 00EEB351 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(010348D8), ref: 00EEB3EB
IsWindowEnabled.USER32(010348D8), ref: 00EEB3F7
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00EEB4DB
SendMessageW.USER32(010348D8,000000B0,?,?), ref: 00EEB512
IsDlgButtonChecked.USER32(?,?), ref: 00EEB54F
GetWindowLongW.USER32(010348D8,000000EC), ref: 00EEB571
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00EEB589

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: fb4fb48374b2ae08e0d6b34155e0a5134d7709f531da6ad5cd9e40da777d7df9
Instruction ID: 4bc98641ecce322ed0a43e568ee0d47f5c7c20698a3369bf4383b4b6a9c1464e
Opcode Fuzzy Hash: fb4fb48374b2ae08e0d6b34155e0a5134d7709f531da6ad5cd9e40da777d7df9
Instruction Fuzzy Hash: 1571AB3460028CAFDB219F56C8D1FBB7BB9EF09304F145069F965A72A2E771AD40DB50

Function 00EDF41E Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00EDF448
_memset.LIBCMT ref: 00EDF511
ShellExecuteExW.SHELL32(?), ref: 00EDF556

Part of subcall function 00E69837: __itow.LIBCMT ref: 00E69862
Part of subcall function 00E69837: __swprintf.LIBCMT ref: 00E698AC

Part of subcall function 00E7FC86: _wcscpy.LIBCMT ref: 00E7FCA9

GetProcessId.KERNEL32(00000000), ref: 00EDF5CD
CloseHandle.KERNEL32(00000000), ref: 00EDF5FC

Strings

@, xrefs: 00EDF525

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 0979be0955f67de7d18bb938c1ce08d39c86c31063ab71b50b7f311d4b0146f1
Instruction ID: 56b67e5d4cb059653a9168b53ff6d56581970b95a42eeff192e1350007e2b5ba
Opcode Fuzzy Hash: 0979be0955f67de7d18bb938c1ce08d39c86c31063ab71b50b7f311d4b0146f1
Instruction Fuzzy Hash: F6618D75A00619DFCB14EFA4D4819AEBBF5FF49314F14906AE85ABB351CB30AD41CB90

Function 00EC0F4D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00EC0F8C
GetKeyboardState.USER32(?), ref: 00EC0FA1
SetKeyboardState.USER32(?), ref: 00EC1002
PostMessageW.USER32(?,00000101,00000010,?), ref: 00EC1030
PostMessageW.USER32(?,00000101,00000011,?), ref: 00EC104F
PostMessageW.USER32(?,00000101,00000012,?), ref: 00EC1095
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00EC10B8

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: ddd4c4cfac841b129191f87754d4832256cf174a5f6376de4ff0bdbc554ba9d7
Instruction ID: 3559fd9fe2f55f7a2c22144df00d9ec0b37627818dfdab5ee456de9e47881846
Opcode Fuzzy Hash: ddd4c4cfac841b129191f87754d4832256cf174a5f6376de4ff0bdbc554ba9d7
Instruction Fuzzy Hash: 5D5100606047C53EFB3642348D16FBABEA95B07308F0895CDE1D4A58D3C29A9CCAD750

Function 00EC0D66 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00EC0DA5
GetKeyboardState.USER32(?), ref: 00EC0DBA
SetKeyboardState.USER32(?), ref: 00EC0E1B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00EC0E47
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00EC0E64
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00EC0EA8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00EC0EC9

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 755c5135738565558a854e8b1266243cacc7162e41ebd8489657d8e224954e9f
Instruction ID: 17d6bb4e8ebe5a6341c93b7f0c7f8edb1c0019548414dfcaf8df42539ab1d51d
Opcode Fuzzy Hash: 755c5135738565558a854e8b1266243cacc7162e41ebd8489657d8e224954e9f
Instruction Fuzzy Hash: 445125A06447D5BEFB3283648D51FBA7EA95B06304F08988CF1D5664C2C396AC9AE360

Function 00EC55FD Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00EC560A
_wcsncpy.LIBCMT ref: 00EC563F
_wcsncpy.LIBCMT ref: 00EC5671
_wcsncpy.LIBCMT ref: 00EC56A4
_wcsncpy.LIBCMT ref: 00EC56E6
_wcsncpy.LIBCMT ref: 00EC5720
_wcsncpy.LIBCMT ref: 00EC574F

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 4fdc0c4201838dcec6680d2b1e7804b1097c033e08298f4ef0fa593a91853944
Instruction ID: d1511291ac76c4ca992a9b2be60dfe8a801ddf0117cc4284165fe934ca4c321a
Opcode Fuzzy Hash: 4fdc0c4201838dcec6680d2b1e7804b1097c033e08298f4ef0fa593a91853944
Instruction Fuzzy Hash: 7F418576C1161476CB11FBB48846ACFB3F8DF04310F50655AEA1CF3121EA35A695C7AA

Function 00EBD56C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00EBD5D4
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00EBD60A
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00EBD61B
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00EBD69D

Strings

DllGetClassObject, xrefs: 00EBD610
,,, xrefs: 00EBD578

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: ,,$DllGetClassObject
API String ID: 753597075-2867008933
Opcode ID: f8ae4641ed440c729f319b21cd36f80da668a02ab3e3715ae786fb640b1faf4e
Instruction ID: 23bc81835e82bec32e399edc776369d42fb5a6a0c4af18816a2a06b7471a1295
Opcode Fuzzy Hash: f8ae4641ed440c729f319b21cd36f80da668a02ab3e3715ae786fb640b1faf4e
Instruction Fuzzy Hash: EA418EB5604208EFDB05DF54CC84ADB7BA9EF48314F1590A9ED09AF20AE7B1D944CBA0

Function 00EC3671 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00EC3697,?), ref: 00EC468B

Part of subcall function 00EC466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00EC3697,?), ref: 00EC46A4

lstrcmpiW.KERNEL32(?,?), ref: 00EC36B7
_wcscmp.LIBCMT ref: 00EC36D3
MoveFileW.KERNEL32(?,?), ref: 00EC36EB
_wcscat.LIBCMT ref: 00EC3733
SHFileOperationW.SHELL32(?), ref: 00EC379F

Strings

\*.*, xrefs: 00EC372D

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: 28d3aefaaa60531bac6d1edccf389cba3d58e3b1d689d54faacc6f468a78bb69
Instruction ID: 62fde6de3cf5bea6f0601c0d57019e579c750ac744c504159fe81aef158d43ff
Opcode Fuzzy Hash: 28d3aefaaa60531bac6d1edccf389cba3d58e3b1d689d54faacc6f468a78bb69
Instruction Fuzzy Hash: 8541A2B1108344AEC751EF74D551EDF77E8AF88384F00682EF499E3291EA35D68AC752

Function 00EE7291 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00EE72AA
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00EE7351
IsMenu.USER32(?), ref: 00EE7369
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00EE73B1
DrawMenuBar.USER32 ref: 00EE73C4

Strings

0, xrefs: 00EE729E

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 45ac713177407e470f2b3b8e4cf7d62bc1db82074378979b7d1d7f39c49872a6
Instruction ID: 9d7eeac457138a08acc8eccdcb87fad30b20290d53e5ad05e7aef6c8fdd834c8
Opcode Fuzzy Hash: 45ac713177407e470f2b3b8e4cf7d62bc1db82074378979b7d1d7f39c49872a6
Instruction Fuzzy Hash: 2E415975A0428DEFDB20DF51D884AAABBF4FB04314F14A42AFD45AB250D730AD14EF60

Function 00EE0FA5 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00EE0FD4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00EE0FFE
FreeLibrary.KERNEL32(00000000), ref: 00EE10B5

Part of subcall function 00EE0FA5: RegCloseKey.ADVAPI32(?), ref: 00EE101B
Part of subcall function 00EE0FA5: FreeLibrary.KERNEL32(?), ref: 00EE106D
Part of subcall function 00EE0FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00EE1090

RegDeleteKeyW.ADVAPI32(?,?), ref: 00EE1058

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: a69ff0867c59bc80940b7b46bad3c6605693b7b99b6f49c577ad3f885c633881
Instruction ID: 266bc1dee5dd61c5824f2b50eaa81ddaeab2e33e00b42b128f3a482aa1d99901
Opcode Fuzzy Hash: a69ff0867c59bc80940b7b46bad3c6605693b7b99b6f49c577ad3f885c633881
Instruction Fuzzy Hash: A1311A7190114DBFDB15DB91DC89EFFB7BCEF08314F0001AAF511B6241EA749E899AA0

Function 00EE62CD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00EE62EC
GetWindowLongW.USER32(010348D8,000000F0), ref: 00EE631F
GetWindowLongW.USER32(010348D8,000000F0), ref: 00EE6354
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00EE6386
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00EE63B0
GetWindowLongW.USER32(00000000,000000F0), ref: 00EE63C1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00EE63DB

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 48330fec93c632c9b57fde7f69ee2b0015aebac08dee4de6f5ca8b625cb62f2a
Instruction ID: c46ea809990ad3bc991a79edab2fb1a89410da38f101b18d9e5f35b1e6cc083c
Opcode Fuzzy Hash: 48330fec93c632c9b57fde7f69ee2b0015aebac08dee4de6f5ca8b625cb62f2a
Instruction Fuzzy Hash: FC3116306402999FDB20CF1ADC84F5937E1FBAAB58F1911A4F511EF2B2CB71AC449B51

Function 00EBDAEB Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00EBDB2E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00EBDB54
SysAllocString.OLEAUT32(00000000), ref: 00EBDB57
SysAllocString.OLEAUT32(?), ref: 00EBDB75
SysFreeString.OLEAUT32(?), ref: 00EBDB7E
StringFromGUID2.OLE32(?,?,00000028), ref: 00EBDBA3
SysAllocString.OLEAUT32(?), ref: 00EBDBB1

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 2c34392bb13ee9a6baf1b8265cbc9a6b8ae3f4fc63a781b50e0ecc2bb0ffccb3
Instruction ID: fb1304a95ea69f67bf399ec3c38aa8dfb3f1ae5c3d09775a8c117c990311df18
Opcode Fuzzy Hash: 2c34392bb13ee9a6baf1b8265cbc9a6b8ae3f4fc63a781b50e0ecc2bb0ffccb3
Instruction Fuzzy Hash: 4621903660421DAFDF10EFA9DCC8CFB73ACEB09364B018565F918EB2A0E6709D458764

Function 00ED6173 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00ED7D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00ED7DB6

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00ED61C6
WSAGetLastError.WSOCK32(00000000), ref: 00ED61D5
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00ED620E
connect.WSOCK32(00000000,?,00000010), ref: 00ED6217
WSAGetLastError.WSOCK32 ref: 00ED6221
closesocket.WSOCK32(00000000), ref: 00ED624A
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00ED6263

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: fe244718361b3253087a910af4fadbdc919578da49544433bffde9abb9bbe0cd
Instruction ID: 0abd94f4fb2d5b9b69dd2d9a2188c9503f9ab9ace99fb8b2d349dad72980467c
Opcode Fuzzy Hash: fe244718361b3253087a910af4fadbdc919578da49544433bffde9abb9bbe0cd
Instruction Fuzzy Hash: EF31A171600118AFEF10AF64DC85BBE77ADEB45754F04402AFD05BB291DB74AC098BA1

Function 00EBF65E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00EBF671
__wcsnicmp.LIBCMT ref: 00EBF692
__wcsnicmp.LIBCMT ref: 00EBF6AC

Strings

#requireadmin, xrefs: 00EBF68C
#OnAutoItStartRegister, xrefs: 00EBF6A6
#notrayicon, xrefs: 00EBF669

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: e8e5a33841dfbe3e5973820c6e9682547ee12d444b3b1c14d63113ae3e4055a8
Instruction ID: 4300a18a5d6625103faddb41b2c75fef70aaae299e542528f93ba141fabbbd46
Opcode Fuzzy Hash: e8e5a33841dfbe3e5973820c6e9682547ee12d444b3b1c14d63113ae3e4055a8
Instruction Fuzzy Hash: 4C2146722152216AD621BA34AC02EF7B3D8EF55748F10603BFA4AB6095EF919E42C3D5

Function 00EBDBC4 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00EBDC09
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00EBDC2F
SysAllocString.OLEAUT32(00000000), ref: 00EBDC32
SysAllocString.OLEAUT32 ref: 00EBDC53
SysFreeString.OLEAUT32 ref: 00EBDC5C
StringFromGUID2.OLE32(?,?,00000028), ref: 00EBDC76
SysAllocString.OLEAUT32(?), ref: 00EBDC84

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 275e449b7252e6c5432237370029be1b09618c9b84a6d7beb4ea911064fffa1b
Instruction ID: 67b0326ef591a2b68d16649317284787ae23dd06f8183407e25be8d5290e7568
Opcode Fuzzy Hash: 275e449b7252e6c5432237370029be1b09618c9b84a6d7beb4ea911064fffa1b
Instruction Fuzzy Hash: B9214735608149AF9B10DFA9DCC8DFBB7ECEB09360B118125F914EB2A1E670DD45CB64

Function 00EE75CD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E61D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00E61D73
Part of subcall function 00E61D35: GetStockObject.GDI32(00000011), ref: 00E61D87
Part of subcall function 00E61D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E61D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00EE7632
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00EE763F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00EE764A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00EE7659
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00EE7665

Strings

Msctls_Progress32, xrefs: 00EE7603

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: d085f0b4ca210c42acbb2367b86d1a0bdfa5bcbb41c6fd886fa994748a9d146d
Instruction ID: 92f840ad1975499cbf33e4adf972b5e23ff43ccd50261925662d02d89f285d09
Opcode Fuzzy Hash: d085f0b4ca210c42acbb2367b86d1a0bdfa5bcbb41c6fd886fa994748a9d146d
Instruction Fuzzy Hash: 951190B215021EBFEF118F65CC85EE77F6DEF08798F015114FA45A60A0CA729C21DBA4

Function 00E89AE6 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00E89AE6

Part of subcall function 00E83187: EncodePointer.KERNEL32(00000000), ref: 00E8318A
Part of subcall function 00E83187: __initp_misc_winsig.LIBCMT ref: 00E831A5
Part of subcall function 00E83187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00E89EA0
Part of subcall function 00E83187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00E89EB4
Part of subcall function 00E83187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00E89EC7
Part of subcall function 00E83187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00E89EDA
Part of subcall function 00E83187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00E89EED
Part of subcall function 00E83187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00E89F00
Part of subcall function 00E83187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00E89F13
Part of subcall function 00E83187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00E89F26
Part of subcall function 00E83187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00E89F39
Part of subcall function 00E83187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00E89F4C
Part of subcall function 00E83187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00E89F5F
Part of subcall function 00E83187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00E89F72
Part of subcall function 00E83187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00E89F85
Part of subcall function 00E83187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00E89F98
Part of subcall function 00E83187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00E89FAB
Part of subcall function 00E83187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00E89FBE

__mtinitlocks.LIBCMT ref: 00E89AEB
__mtterm.LIBCMT ref: 00E89AF4

Part of subcall function 00E89B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00E89AF9,00E87CD0,00F1A0B8,00000014), ref: 00E89C56
Part of subcall function 00E89B5C: _free.LIBCMT ref: 00E89C5D
Part of subcall function 00E89B5C: DeleteCriticalSection.KERNEL32(00F1EC00,?,?,00E89AF9,00E87CD0,00F1A0B8,00000014), ref: 00E89C7F

__calloc_crt.LIBCMT ref: 00E89B19
__initptd.LIBCMT ref: 00E89B3B
GetCurrentThreadId.KERNEL32 ref: 00E89B42

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: fabab532362d287744aeb72bf8d0edafa533bcc6777ba3265d334e7808b0c14b
Instruction ID: 7bb41fae6acb5957c71973080a38661b0d664334134085a36ba34d0e992eb4ea
Opcode Fuzzy Hash: fabab532362d287744aeb72bf8d0edafa533bcc6777ba3265d334e7808b0c14b
Instruction Fuzzy Hash: 19F09632D0971159E63877B47C076AA36D09F02734F286A59F45CF60D3FF2098414368

Function 00E8406B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00E83F85), ref: 00E84085
GetProcAddress.KERNEL32(00000000), ref: 00E8408C
EncodePointer.KERNEL32(00000000), ref: 00E84097
DecodePointer.KERNEL32(00E83F85), ref: 00E840B2

Strings

RoUninitialize, xrefs: 00E84074
combase.dll, xrefs: 00E84080

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 758bfebfee5e16c78e9082aef3f5405173bf64448ed98ac5fa51e57d113d1d2e
Instruction ID: 8f891c1cf124b672262679764bf4bb22e48bc5d4ddb646c2087830114c4c113d
Opcode Fuzzy Hash: 758bfebfee5e16c78e9082aef3f5405173bf64448ed98ac5fa51e57d113d1d2e
Instruction Fuzzy Hash: 4EE0BFB0A8534DDFDB20AF62EC4DB153AA4B704746F105028F615F50E0CB7B4615EB15

Function 00EC64B8 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00EC660B
_memmove.LIBCMT ref: 00EC6546

Part of subcall function 00E69837: __itow.LIBCMT ref: 00E69862
Part of subcall function 00E69837: __swprintf.LIBCMT ref: 00E698AC

_memmove.LIBCMT ref: 00EC65B9
_memmove.LIBCMT ref: 00EC66A0
_memmove.LIBCMT ref: 00EC66B9
_memmove.LIBCMT ref: 00EC66D5

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: c00e04c43b8803e7dc8fdcf789198f69674dfe3197ef5d5d1fcfb4536096add8
Instruction ID: b6a892af4973880f6f3d2acc78c31c43ace6f97d04893d053b78b0606eb812f1
Opcode Fuzzy Hash: c00e04c43b8803e7dc8fdcf789198f69674dfe3197ef5d5d1fcfb4536096add8
Instruction Fuzzy Hash: EC61873150065A9BCF05EF60C982FFF37E9AF05348F046928F8597B292DB36A806CB50

Function 00EE01E4 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E67DE1: _memmove.LIBCMT ref: 00E67E22

Part of subcall function 00EE0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00EDFDAD,?,?), ref: 00EE0E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00EE02BD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00EE02FD
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00EE0320
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00EE0349
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00EE038C
RegCloseKey.ADVAPI32(00000000), ref: 00EE0399

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: fc335e254a0d75b49c02eff27af079443979769f20ded5483a361a0b0043bdc4
Instruction ID: e887a364a22f152c60858206450d2dd906f2c52b46ce6eff68911a320e7d7c5e
Opcode Fuzzy Hash: fc335e254a0d75b49c02eff27af079443979769f20ded5483a361a0b0043bdc4
Instruction Fuzzy Hash: 69517A312082449FC710EF64D885EAFBBE8FF84314F00591DF595AB2A2DB71E949CB52

Function 00EE5799 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00EE57FB
GetMenuItemCount.USER32(00000000), ref: 00EE5832
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00EE585A
GetMenuItemID.USER32(?,?), ref: 00EE58C9
GetSubMenu.USER32(?,?), ref: 00EE58D7
PostMessageW.USER32(?,00000111,?,00000000), ref: 00EE5928

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: d0fd5c8518b70e280ec40c4cf00a0dc09b57ea90b233b949ccd87fceba1f0a13
Instruction ID: 70e3ec9c08d14e3419276448ad13907b9a2a276c1d5cfc405ff474576c4a2474
Opcode Fuzzy Hash: d0fd5c8518b70e280ec40c4cf00a0dc09b57ea90b233b949ccd87fceba1f0a13
Instruction Fuzzy Hash: FD515C36E00659EFCF15EFA5C885AAEB7F4EF48324F105069E815BB351CB31AE418B94

Function 00EBEEEC Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00EBEF06
VariantClear.OLEAUT32(00000013), ref: 00EBEF78
VariantClear.OLEAUT32(00000000), ref: 00EBEFD3
_memmove.LIBCMT ref: 00EBEFFD
VariantClear.OLEAUT32(?), ref: 00EBF04A
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00EBF078

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: d5bb7e320b5e464e2c37a1907f6e8ec99b2f0acc274646a3ab2ca8fd885213a8
Instruction ID: f7d001cbc6c9d4f0d83f7618ca66a4457e167e0ba505307a5c7a5e9b2159d1d9
Opcode Fuzzy Hash: d5bb7e320b5e464e2c37a1907f6e8ec99b2f0acc274646a3ab2ca8fd885213a8
Instruction Fuzzy Hash: A35169B5A00209EFCB14DF58C880AAAB7B9FF4C314B158569F959EB351E334E911CBA0

Function 00EC220A Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00EC2258
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00EC22A3
IsMenu.USER32(00000000), ref: 00EC22C3
CreatePopupMenu.USER32 ref: 00EC22F7
GetMenuItemCount.USER32(000000FF), ref: 00EC2355
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00EC2386

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: b6679c00938c116bd546ba8924a013822c63777689f310c8fa540d4ff30dc797
Instruction ID: 8cb669fef1e6422c888e43719b3b2e91103bd33c26329100bbb0764ab44a7e8b
Opcode Fuzzy Hash: b6679c00938c116bd546ba8924a013822c63777689f310c8fa540d4ff30dc797
Instruction Fuzzy Hash: FF51B13060028ADFDF25CF68CA88FADBBF5AF45318F10512DEA11BB290D3768906CB51

Function 00E61765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00E62612: GetWindowLongW.USER32(?,000000EB), ref: 00E62623

BeginPaint.USER32(?,?,?,?,?,?), ref: 00E6179A
GetWindowRect.USER32(?,?), ref: 00E617FE
ScreenToClient.USER32(?,?), ref: 00E6181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00E6182C
EndPaint.USER32(?,?), ref: 00E61876

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: e1af0eef8150a7188f929afd25fa768e2557c1b54724477df535876e5c226c85
Instruction ID: b48c5d7ee295f2264e887bbf24dfe23ceaff9da7657ec644f85d883d3efe4479
Opcode Fuzzy Hash: e1af0eef8150a7188f929afd25fa768e2557c1b54724477df535876e5c226c85
Instruction Fuzzy Hash: FC41D5301403449FD721DF25ECC4FBA7BE8FB49764F084669F595AB1A1C7709805DB62

Function 00EEB69E Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00F257B0,00000000,010348D8,?,?,00F257B0,?,00EEB5A8,?,?), ref: 00EEB712
EnableWindow.USER32(00000000,00000000), ref: 00EEB736
ShowWindow.USER32(00F257B0,00000000,010348D8,?,?,00F257B0,?,00EEB5A8,?,?), ref: 00EEB796
ShowWindow.USER32(00000000,00000004,?,00EEB5A8,?,?), ref: 00EEB7A8
EnableWindow.USER32(00000000,00000001), ref: 00EEB7CC
SendMessageW.USER32(?,0000130C,?,00000000), ref: 00EEB7EF

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 031f1bf95d1dccaeafd4c35b556627c26b92a35c89874e63556471cb844899d8
Instruction ID: 9766e756b123a2ab56dd94ae86507436126043e116db853d8cdf199bea075a56
Opcode Fuzzy Hash: 031f1bf95d1dccaeafd4c35b556627c26b92a35c89874e63556471cb844899d8
Instruction Fuzzy Hash: D141C834600188EFDB21CF25C4D9B967BE0FF45314F1852BAF948AFAA2C731A856CB50

Function 00ED709E Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00ED4E41,?,?,00000000,00000001), ref: 00ED70AC

Part of subcall function 00ED39A0: GetWindowRect.USER32(?,?), ref: 00ED39B3

GetDesktopWindow.USER32 ref: 00ED70D6
GetWindowRect.USER32(00000000), ref: 00ED70DD
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00ED710F

Part of subcall function 00EC5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00EC52BC

GetCursorPos.USER32(?), ref: 00ED713B
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00ED7199

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 39a03e3dceb8d71b430223212fb0bba5c07049b82f44d7fca10726722d4a88a6
Instruction ID: 63ab2272975657b1216905219d5bc147f1dbcfea0d9bc0d3edfdeacfb7512911
Opcode Fuzzy Hash: 39a03e3dceb8d71b430223212fb0bba5c07049b82f44d7fca10726722d4a88a6
Instruction Fuzzy Hash: 1431D472509349AFD720DF14C849F9BB7E9FF88314F00051AF985AB291DB31EA09CB92

Function 00EB8879 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00EB80A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00EB80C0
Part of subcall function 00EB80A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00EB80CA
Part of subcall function 00EB80A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00EB80D9
Part of subcall function 00EB80A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00EB80E0
Part of subcall function 00EB80A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00EB80F6

GetLengthSid.ADVAPI32(?,00000000,00EB842F), ref: 00EB88CA
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00EB88D6
HeapAlloc.KERNEL32(00000000), ref: 00EB88DD
CopySid.ADVAPI32(00000000,00000000,?), ref: 00EB88F6
GetProcessHeap.KERNEL32(00000000,00000000,00EB842F), ref: 00EB890A
HeapFree.KERNEL32(00000000), ref: 00EB8911

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 4344f74f1ee58922ac856cc1edd8e8efa85ad9d0f281f5bf447c29ccf1844bf3
Instruction ID: ccdbfee0c73a12dd9707a9d2852cbcd6ce62dcc1a8f1bba49425e0907da5bb54
Opcode Fuzzy Hash: 4344f74f1ee58922ac856cc1edd8e8efa85ad9d0f281f5bf447c29ccf1844bf3
Instruction Fuzzy Hash: 9D119D3150120AFFDF159BA5DD49BFF7BACEB85315F508028F849A7251CB329A04DB60

Function 00EB85B1 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00EB85E2
OpenProcessToken.ADVAPI32(00000000), ref: 00EB85E9
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00EB85F8
CloseHandle.KERNEL32(00000004), ref: 00EB8603
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00EB8632
DestroyEnvironmentBlock.USERENV(00000000), ref: 00EB8646

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: db56d94b5b9c5911d9c62850300bd8024fcc874529cc8276e241fa47f187bef6
Instruction ID: 7f81b1aff048c5d6141ff8bb0118fe5a11bb7839cccb35e8757a2547d51cac38
Opcode Fuzzy Hash: db56d94b5b9c5911d9c62850300bd8024fcc874529cc8276e241fa47f187bef6
Instruction Fuzzy Hash: 5311387250124DAFDF118FA5ED49BDA7BA9EB48308F045065FE04B6160C6718E64DB60

Function 00EBB790 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00EBB7B5
GetDeviceCaps.GDI32(00000000,00000058), ref: 00EBB7C6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00EBB7CD
ReleaseDC.USER32(00000000,00000000), ref: 00EBB7D5
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00EBB7EC
MulDiv.KERNEL32(000009EC,?,?), ref: 00EBB7FE

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 86449ed898609974e45dfd9361a9fb07b9d53307dd2a742c6d09f42708857517
Instruction ID: e5e11f6d24eae78a88a3298da48e73e7d84a552f3192d4566cf1d93fa4985235
Opcode Fuzzy Hash: 86449ed898609974e45dfd9361a9fb07b9d53307dd2a742c6d09f42708857517
Instruction Fuzzy Hash: 6B018875E00259BFEB105BA69C85A5FBFB8EB48351F004076FA04BB291D7709D00CF91

Function 00E80162 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00E80193
MapVirtualKeyW.USER32(00000010,00000000), ref: 00E8019B
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00E801A6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00E801B1
MapVirtualKeyW.USER32(00000011,00000000), ref: 00E801B9
MapVirtualKeyW.USER32(00000012,00000000), ref: 00E801C1

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 806e88aeddde022caf2715a687d45b77788d5a833cc90d3b5bed6c088b1a2594
Instruction ID: 6e0e9f535f191a21345adf13f27574f04acf39962b54966c6b72463f9b166e4c
Opcode Fuzzy Hash: 806e88aeddde022caf2715a687d45b77788d5a833cc90d3b5bed6c088b1a2594
Instruction Fuzzy Hash: 39016CB090175A7DE3008F5A8C85B52FFA8FF19354F00411BE15C4B941C7F5A868CBE5

Function 00EC53E9 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00EC53F9
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00EC540F
GetWindowThreadProcessId.USER32(?,?), ref: 00EC541E
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00EC542D
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00EC5437
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00EC543E

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 107bd6a71925c81e696c2baaab7df661c5d4f6a3079d7126d0a540a1abb1538c
Instruction ID: f2484c3c5aaac6af8551f8cf3947bd638c0f14632b1a1984a93e0d88ae998d98
Opcode Fuzzy Hash: 107bd6a71925c81e696c2baaab7df661c5d4f6a3079d7126d0a540a1abb1538c
Instruction Fuzzy Hash: 00F06D3224159DBFE7205BA39C4DEAB7B7CEBC6B11F000169FA05E509197A11A0586B5

Function 00EC7230 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00EC7243
EnterCriticalSection.KERNEL32(?,?,00E70EE4,?,?), ref: 00EC7254
TerminateThread.KERNEL32(00000000,000001F6,?,00E70EE4,?,?), ref: 00EC7261
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00E70EE4,?,?), ref: 00EC726E

Part of subcall function 00EC6C35: CloseHandle.KERNEL32(00000000,?,00EC727B,?,00E70EE4,?,?), ref: 00EC6C3F

InterlockedExchange.KERNEL32(?,000001F6), ref: 00EC7281
LeaveCriticalSection.KERNEL32(?,?,00E70EE4,?,?), ref: 00EC7288

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: e3d55a57fa781eadd21654989ef5a3fc9034a288805848afa7154f12b1b31885
Instruction ID: a895d3965aa3139901d221856baaf3cc0e50413437b77d12dbf2b3c010f57f3d
Opcode Fuzzy Hash: e3d55a57fa781eadd21654989ef5a3fc9034a288805848afa7154f12b1b31885
Instruction Fuzzy Hash: A9F0BE36840206EFD7111B64ED8CEEB7729EF08302B010135F203B80B0CB765805CB50

Function 00EB8992 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00EB899D
UnloadUserProfile.USERENV(?,?), ref: 00EB89A9
CloseHandle.KERNEL32(?), ref: 00EB89B2
CloseHandle.KERNEL32(?), ref: 00EB89BA
GetProcessHeap.KERNEL32(00000000,?), ref: 00EB89C3
HeapFree.KERNEL32(00000000), ref: 00EB89CA

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: f033482b6d2d1ced3a96b0309aade147e16cfb12f9e72974636fe6ac85e31eb6
Instruction ID: 9f13655afbbe11645b736f195f904d8200a116f1b1b88cd8365a8eaffb76ffae
Opcode Fuzzy Hash: f033482b6d2d1ced3a96b0309aade147e16cfb12f9e72974636fe6ac85e31eb6
Instruction Fuzzy Hash: 24E0C236004449FFDA011FE2EC4C90ABB69FB89322B108231F219A90B1CB329468DB50

Function 00EB7530 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00EF2C7C,?), ref: 00EB76EA
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00EF2C7C,?), ref: 00EB7702
CLSIDFromProgID.OLE32(?,?,00000000,00EEFB80,000000FF,?,00000000,00000800,00000000,?,00EF2C7C,?), ref: 00EB7727
_memcmp.LIBCMT ref: 00EB7748

Strings

,,, xrefs: 00EB753D

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID: ,,
API String ID: 314563124-1556401989
Opcode ID: 34154f04f6fc783037b57e41ae9d13300c1dafd7cc19d25b3f500bf36cb4db9e
Instruction ID: 70be1167585f58baa807a5dd18d19151adb425eed53597d30a39714257baf65a
Opcode Fuzzy Hash: 34154f04f6fc783037b57e41ae9d13300c1dafd7cc19d25b3f500bf36cb4db9e
Instruction Fuzzy Hash: 64810875A00109EFCB04DFA4C984EEEB7B9FF89315F204599E546BB250DB71AE06CB60

Function 00ED85ED Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00ED8613
CharUpperBuffW.USER32(?,?), ref: 00ED8722
VariantClear.OLEAUT32(?), ref: 00ED889A

Part of subcall function 00EC7562: VariantInit.OLEAUT32(00000000), ref: 00EC75A2
Part of subcall function 00EC7562: VariantCopy.OLEAUT32(00000000,?), ref: 00EC75AB
Part of subcall function 00EC7562: VariantClear.OLEAUT32(00000000), ref: 00EC75B7

Strings

Incorrect Parameter format, xrefs: 00ED864B, 00ED880D
AUTOIT.ERROR, xrefs: 00ED8728

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: f5991ffe84e06eb29bc8748429c117efb29467122f8d084e1ce2ca26cc015927
Instruction ID: edf46a864b22d960ca0faeb2f5d94f484a9b625bf2d513e801d7c8f6c3747db1
Opcode Fuzzy Hash: f5991ffe84e06eb29bc8748429c117efb29467122f8d084e1ce2ca26cc015927
Instruction Fuzzy Hash: 4E91AF75608301DFC704DF24C58095ABBF4EF89754F14992EF89AAB362DB31E906CB92

Function 00EC2A96 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E7FC86: _wcscpy.LIBCMT ref: 00E7FCA9

_memset.LIBCMT ref: 00EC2B87
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00EC2BB6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00EC2C69
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00EC2C97

Strings

0, xrefs: 00EC2B73

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: d5e452406db7ca93c320280e063e25266445e7157c34f118028542b0bd7aa7d7
Instruction ID: c48147bd2255f622f25ebf3156118f0d35ddca63fc8589849e97690c49c5028c
Opcode Fuzzy Hash: d5e452406db7ca93c320280e063e25266445e7157c34f118028542b0bd7aa7d7
Instruction Fuzzy Hash: B251CF716083009ED7249E28DA45F6FB7E4AF55318F042A2DFA95F6290DB72CC069752

Function 00E73137 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 161COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00E73277
_memmove.LIBCMT ref: 00E73310
_free.LIBCMT ref: 00E73336
_memmove.LIBCMT ref: 00E733E9

Strings

3c, xrefs: 00E73225
_, xrefs: 00E73322

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: _memmove$_free
String ID: 3c$_
API String ID: 2620147621-4099079164
Opcode ID: 642164b08c187e9cd03b08f408c4889caeb3ce9424808b4bacbebc11cf7bbadc
Instruction ID: bdef7ca69be3b35caa4126f403ad0dabebc2bc87ba183a74dd261314fd088be7
Opcode Fuzzy Hash: 642164b08c187e9cd03b08f408c4889caeb3ce9424808b4bacbebc11cf7bbadc
Instruction Fuzzy Hash: 16516B716047418FDB69CF28C490B6EBBE5BF89314F48982DE99DA7351EB31E901CB42

Function 00E76192 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E76248
_memmove.LIBCMT ref: 00E762E4
_memset.LIBCMT ref: 00E76308

Strings

ERCP, xrefs: 00E761B3
3c, xrefs: 00E762AF

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: _memset$_memmove
String ID: 3c$ERCP
API String ID: 2532777613-1756721700
Opcode ID: c9f63213255546bf088eb2a453ce1562af84a7a6f5234f5544d0b679c9e4f75a
Instruction ID: 31bdf5aeef8379696d3043c93e41bd9964d94724e4ea3312519da98fe596bb9e
Opcode Fuzzy Hash: c9f63213255546bf088eb2a453ce1562af84a7a6f5234f5544d0b679c9e4f75a
Instruction Fuzzy Hash: 3851AE70900B05DBDB24DF65C9817EBB7F4AF44318F20956EE94EEB291E770AA44CB90

Function 00EC2753 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00EC27C0
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00EC27DC
DeleteMenu.USER32(?,00000007,00000000), ref: 00EC2822
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00F25890,00000000), ref: 00EC286B

Strings

0, xrefs: 00EC27B5

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 2c308eefaf7baeb61e75b81dfbcd4e3600be0f8a1328abb0ff69b55e13cc9784
Instruction ID: 372209f66d997ebc0808b9e134eb3ea295dbbe282601a3642b8c7a048e5fb2ca
Opcode Fuzzy Hash: 2c308eefaf7baeb61e75b81dfbcd4e3600be0f8a1328abb0ff69b55e13cc9784
Instruction Fuzzy Hash: B641B2722043419FDB24DF24D984F5ABBE4EF85314F045A2DFAA5A72D1D731E806CB62

Function 00EDD7A5 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00EDD7C5

Part of subcall function 00E6784B: _memmove.LIBCMT ref: 00E67899

Strings

winapi, xrefs: 00EDD836
cdecl, xrefs: 00EDD81C
none, xrefs: 00EDD8A0
stdcall, xrefs: 00EDD847

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: e74955b4e3e1794e5e997f0c6cc533fd260de5847e6e699e61863d35d7c36b6e
Instruction ID: 6b2180357e3e1a6ca1abfcd9f8bf6adfe2ebf286a83e2f1134e20c9881954340
Opcode Fuzzy Hash: e74955b4e3e1794e5e997f0c6cc533fd260de5847e6e699e61863d35d7c36b6e
Instruction Fuzzy Hash: 14319F75908615ABCF04EF54CC519EEB3F4FF10324B10966AE869B73D1DB71A906CB80

Function 00EB8E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E67DE1: _memmove.LIBCMT ref: 00E67E22

Part of subcall function 00EBAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00EBAABC

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00EB8F14
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00EB8F27
SendMessageW.USER32(?,00000189,?,00000000), ref: 00EB8F57

Part of subcall function 00E67BCC: _memmove.LIBCMT ref: 00E67C06

Strings

ListBox, xrefs: 00EB8ED3
ComboBox, xrefs: 00EB8E9E

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: 4f54a333f1aa3f225571e7a593b79b460668231aeb916306213a5846f8d99985
Instruction ID: a467a733f678a054a39abb1b0d6028fa140038f1564c90fac52a34f7a6834676
Opcode Fuzzy Hash: 4f54a333f1aa3f225571e7a593b79b460668231aeb916306213a5846f8d99985
Instruction Fuzzy Hash: 1D212071A40208BFDB14ABA0DC85CFFB7A9DF41364B146529F465B72E0CE394909D620

Function 00ED182D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00ED184C
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00ED1872
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00ED18A2
InternetCloseHandle.WININET(00000000), ref: 00ED18E9

Part of subcall function 00ED2483: GetLastError.KERNEL32(?,?,00ED1817,00000000,00000000,00000001), ref: 00ED2498
Part of subcall function 00ED2483: SetEvent.KERNEL32(?,?,00ED1817,00000000,00000000,00000001), ref: 00ED24AD

Strings

, xrefs: 00ED1893

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: b4923578d53ee7fc96f4444f32111af00525c86c149ae9e0e798f4daa45881b7
Instruction ID: ef5a5de19f79f0fdda0d07a5da002f567d0e169c5740ef072c3f3ecfb8e9ca21
Opcode Fuzzy Hash: b4923578d53ee7fc96f4444f32111af00525c86c149ae9e0e798f4daa45881b7
Instruction Fuzzy Hash: C421BEB5500308BFEB11DB61DC85EBF77EDEB88748F10616BF905B6240EA318D06A7A0

Function 00EE63E7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E61D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00E61D73
Part of subcall function 00E61D35: GetStockObject.GDI32(00000011), ref: 00E61D87
Part of subcall function 00E61D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E61D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00EE6461
LoadLibraryW.KERNEL32(?), ref: 00EE6468
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00EE647D
DestroyWindow.USER32(?), ref: 00EE6485

Strings

SysAnimate32, xrefs: 00EE643C

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 2d900e9b9b42441b37eeb888118d78462304e2f427bf35f68e1496539c07ee95
Instruction ID: bd744530cf0510f90195a658f0a4ccd0555d04e2f508392dd24452e7721065c2
Opcode Fuzzy Hash: 2d900e9b9b42441b37eeb888118d78462304e2f427bf35f68e1496539c07ee95
Instruction Fuzzy Hash: 05218E7110028DAFEF105F66DC90EBA37A9FB693A8F106629F920A61D0D771DC41A760

Function 00EC6D9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00EC6DBC
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00EC6DEF
GetStdHandle.KERNEL32(0000000C), ref: 00EC6E01
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00EC6E3B

Strings

nul, xrefs: 00EC6E36

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 95aceda6639b3dbc792976c5537a1c75af3b616f05c2337ec7233d5c637f1c72
Instruction ID: 979daca2e3a17760aebb16e58c783cfbc7cba8b9affca7ab6c457b02024541f7
Opcode Fuzzy Hash: 95aceda6639b3dbc792976c5537a1c75af3b616f05c2337ec7233d5c637f1c72
Instruction Fuzzy Hash: EA219F7460020AAFDB20AF29DA44F9B7BE4EF44724F20462DFDA1E72D0D77299568B50

Function 00EC6E6A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00EC6E89
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00EC6EBB
GetStdHandle.KERNEL32(000000F6), ref: 00EC6ECC
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00EC6F06

Strings

nul, xrefs: 00EC6F01

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 7df75b98edaeaa049ea8e4ffc2f955dcf966d8e3c13fa4f6ea8de5a61b880bf8
Instruction ID: 55f2d1291490bac31ea3d564e11d842e139e104d32ec994b9c43c404d1ae9ffa
Opcode Fuzzy Hash: 7df75b98edaeaa049ea8e4ffc2f955dcf966d8e3c13fa4f6ea8de5a61b880bf8
Instruction Fuzzy Hash: 4621A1755003059FDB209F69DA44F9B77E8AF44724F200A1EF9A0F72D0D772A9528710

Function 00ECAC40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00ECAC54
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00ECACA8
__swprintf.LIBCMT ref: 00ECACC1
SetErrorMode.KERNEL32(00000000,00000001,00000000,00EEF910), ref: 00ECACFF

Strings

%lu, xrefs: 00ECACBB

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 8e0858f9da4ec3c638be78496d8f5d92f2c9bddf89a4bbb3f6d5eb108b44a2de
Instruction ID: 8d10b3cf3f6ab6c9eada8fabe25300481b8a7af10c9804d88a6d991031ebc37d
Opcode Fuzzy Hash: 8e0858f9da4ec3c638be78496d8f5d92f2c9bddf89a4bbb3f6d5eb108b44a2de
Instruction Fuzzy Hash: C3217430A0014DAFCB10DFA5D985EEE77F8EF89714B004469F909BB252DB31EA45CB21

Function 00EC1142 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00EBFCED,?,00EC0D40,?,00008000), ref: 00EC115F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,00EBFCED,?,00EC0D40,?,00008000), ref: 00EC1184
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00EBFCED,?,00EC0D40,?,00008000), ref: 00EC118E
Sleep.KERNEL32(?,?,?,?,?,?,?,00EBFCED,?,00EC0D40,?,00008000), ref: 00EC11C1

Strings

@, xrefs: 00EC119D

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID: @
API String ID: 2875609808-411606354
Opcode ID: 9878d35ca70a8ff9df66128a31871d4c85e096ef9ddd60a88d14d78915931e4b
Instruction ID: 3a7c75abe86d1dbce12ac81f92aae66791d092b88ec8fcbb7f581e710f9100ca
Opcode Fuzzy Hash: 9878d35ca70a8ff9df66128a31871d4c85e096ef9ddd60a88d14d78915931e4b
Instruction Fuzzy Hash: 4511A031C0262CDBCF009FA5D984BEEBB78FF0A311F044099EA40B6242CB359551CBA1

Function 00EC1AE8 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00EC1B19

Strings

APPEND, xrefs: 00EC1B52
REMOVE, xrefs: 00EC1B1F
EXISTS, xrefs: 00EC1B41
KEYS, xrefs: 00EC1B30

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 1d8eeb98d3775e5ff97dda838ebaeee7f9eed5e6381bcf6b4668dd4120c4d1b2
Instruction ID: faeafd57c2df97bee92a4d92dce76a775e1193b4c4359f00628047753912834f
Opcode Fuzzy Hash: 1d8eeb98d3775e5ff97dda838ebaeee7f9eed5e6381bcf6b4668dd4120c4d1b2
Instruction Fuzzy Hash: 61117C34900208CFCF04EF54D9529EEB3B4FF26348B1454A8D81877292EB325D0ACF40

Function 00EDEB55 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00EDEC07
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00EDEC37
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00EDED6A
CloseHandle.KERNEL32(?), ref: 00EDEDEB

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: e9d359a057a4516a2d0fc3636233a7b6de977e7ef3831acea1f0f7857cd71ef0
Instruction ID: ce64f205e184a2556cc5eb7d34be6566d66988fcd74b45184d40ef3517fa2e10
Opcode Fuzzy Hash: e9d359a057a4516a2d0fc3636233a7b6de977e7ef3831acea1f0f7857cd71ef0
Instruction Fuzzy Hash: 098191B16403009FD724EF28D886F2AB7E9EF54754F04991DF999AB392DA70AC01CB52

Function 00E8541D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E8547B
_memcpy_s.LIBCMT ref: 00E854ED
__read_nolock.LIBCMT ref: 00E8554B
__filbuf.LIBCMT ref: 00E8556E
_memset.LIBCMT ref: 00E855B2

Part of subcall function 00E88B28: __getptd_noexit.LIBCMT ref: 00E88B28

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
Instruction ID: 6fe059903d553704afc8e688cbd30cc156501de846e856276fb6f91bd0132004
Opcode Fuzzy Hash: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
Instruction Fuzzy Hash: 5251B972A00B05DFDB24AFA9D8405AE77A6AF41325F249729F83EB62D0DF709D508B41

Function 00EE0037 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E67DE1: _memmove.LIBCMT ref: 00E67E22

Part of subcall function 00EE0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00EDFDAD,?,?), ref: 00EE0E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00EE00FD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00EE013C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00EE0183
RegCloseKey.ADVAPI32(?,?), ref: 00EE01AF
RegCloseKey.ADVAPI32(00000000), ref: 00EE01BC

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 39a816243ef62d6cdc13f4384e15563a590c5b994e4fc8cdce42fa1a858c114e
Instruction ID: 52234fd2921a6ae6b08095267557ecc66c989b8a86af84beb575f94e23219881
Opcode Fuzzy Hash: 39a816243ef62d6cdc13f4384e15563a590c5b994e4fc8cdce42fa1a858c114e
Instruction Fuzzy Hash: 96519C71208248AFC704EF58D881EAEB7E8FF84304F00582DF495AB2A2DB71E944CB52

Function 00EDD8C8 Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00E69837: __itow.LIBCMT ref: 00E69862
Part of subcall function 00E69837: __swprintf.LIBCMT ref: 00E698AC

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00EDD927
GetProcAddress.KERNEL32(00000000,?), ref: 00EDD9AA
GetProcAddress.KERNEL32(00000000,00000000), ref: 00EDD9C6
GetProcAddress.KERNEL32(00000000,?), ref: 00EDDA07
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00EDDA21

Part of subcall function 00E65A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00EC7896,?,?,00000000), ref: 00E65A2C
Part of subcall function 00E65A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00EC7896,?,?,00000000,?,?), ref: 00E65A50

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 02db64bf877db8bbd042d8183b11cd5c1b7e6f5e39daf9fc131ddfe24aafe4c9
Instruction ID: 5e0bc25219d81469fdb360f9e008c7d857a5b453ffc83ab785a737de3a3c7ae5
Opcode Fuzzy Hash: 02db64bf877db8bbd042d8183b11cd5c1b7e6f5e39daf9fc131ddfe24aafe4c9
Instruction Fuzzy Hash: 41512435A04209DFCB00EFA8D8949ADB7F4FF59324B04906AE855BB312D731AD46CF90

Function 00ECE571 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00ECE61F
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00ECE648
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00ECE687

Part of subcall function 00E69837: __itow.LIBCMT ref: 00E69862
Part of subcall function 00E69837: __swprintf.LIBCMT ref: 00E698AC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00ECE6AC
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00ECE6B4

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 040ab04caa1bd502183791880730f5c93bf92d551f2df239aaab2d250cdf498d
Instruction ID: 1e47e513fee39caa2ae38a3c4201f73dff065c9c7a790cad28e8ea58e9f90f56
Opcode Fuzzy Hash: 040ab04caa1bd502183791880730f5c93bf92d551f2df239aaab2d250cdf498d
Instruction Fuzzy Hash: 7E512B75A00105DFCB05EF64D981AAEBBF5EF19354B1480A9E809BB362CB31ED15CB50

Function 00EEA056 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 490f4bdf1b65901c1c90adfe15545a675d007b0a54f81b3c032d35ffe067abf8
Instruction ID: 0b154c0d0392eb43be2f87f2f66ee86d2c356a08355316f1528d735a6142d13f
Opcode Fuzzy Hash: 490f4bdf1b65901c1c90adfe15545a675d007b0a54f81b3c032d35ffe067abf8
Instruction Fuzzy Hash: D041D07590528CAFCB20DF29CC88FE9BBA4AB09310F195179F816BB2E0C770BD45DA51

Function 00E62344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00E62357
ScreenToClient.USER32(00F257B0,?), ref: 00E62374
GetAsyncKeyState.USER32(00000001), ref: 00E62399
GetAsyncKeyState.USER32(00000002), ref: 00E623A7

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: b72011b209b47dd3f202a8633d9e7296e472526989a892236e9c4d3bfb582841
Instruction ID: 13ce71e5824d72e260dd3dd50d5b87cd3689d0feda5148c5d78b2d4b9e052b03
Opcode Fuzzy Hash: b72011b209b47dd3f202a8633d9e7296e472526989a892236e9c4d3bfb582841
Instruction Fuzzy Hash: 1141BE35A4460AFFCF159F68DC44AEDBBB4BB053A4F20531AF828B62A0C7309954DB90

Function 00EB63AA Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00EB63E7
TranslateAcceleratorW.USER32(?,?,?), ref: 00EB6433
TranslateMessage.USER32(?), ref: 00EB645C
DispatchMessageW.USER32(?), ref: 00EB6466
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00EB6475

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: ddf16534d2e2e4e43dd6f0b7dba3b77e8afc58b22d037350f660c40017dabc56
Instruction ID: a83ddd1a573290a3d52bf81171ee3ef69b3c48728dfda9fe5af0c2b2f1305b05
Opcode Fuzzy Hash: ddf16534d2e2e4e43dd6f0b7dba3b77e8afc58b22d037350f660c40017dabc56
Instruction Fuzzy Hash: 9231C431900A5AEFDB248FB0DC48BF77BE8BB01714F141175E435E61A1E7799889E7A0

Function 00EB8A1F Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00EB8A30
PostMessageW.USER32(?,00000201,00000001), ref: 00EB8ADA
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00EB8AE2
PostMessageW.USER32(?,00000202,00000000), ref: 00EB8AF0
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00EB8AF8

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: d2e3e084e74fb1503c05cc453127cddb6d6e9ae406438abb0f6a16c44cb4effa
Instruction ID: fccc74ada9f1cfa7699957566a9b5f2f5d4006cd44f8241f0623e0c335c155e5
Opcode Fuzzy Hash: d2e3e084e74fb1503c05cc453127cddb6d6e9ae406438abb0f6a16c44cb4effa
Instruction Fuzzy Hash: FA31D171500219EFDF14CF68DA8CADE3BB9EB04315F10822AF924FA2D1C7B09914CB91

Function 00EBB1EC Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00EBB204
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00EBB221
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00EBB259
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00EBB27F
_wcsstr.LIBCMT ref: 00EBB289

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 89b3682d9e71d4e76e033e3b1ef1631bd04c626205e694fa3fbf6ae49652d1af
Instruction ID: 46462f2e8a15972e4d65cfaa3f20b580892cd757be4e5b99607924040cb71cee
Opcode Fuzzy Hash: 89b3682d9e71d4e76e033e3b1ef1631bd04c626205e694fa3fbf6ae49652d1af
Instruction Fuzzy Hash: 2B21F5312042457FEB256B79DC49EBF7B98DF49710F005139F809FA1A1EBA1DC4093A0

Function 00EEB14B Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00E62612: GetWindowLongW.USER32(?,000000EB), ref: 00E62623

GetWindowLongW.USER32(?,000000F0), ref: 00EEB192
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00EEB1B7
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00EEB1CF
GetSystemMetrics.USER32(00000004), ref: 00EEB1F8
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00ED0E90,00000000), ref: 00EEB216

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 167105348a6b9b40015b4806db6a40d19f9e5e05f61a51cc58597314cd25325a
Instruction ID: d38a8a087992cf99ce5753a06f3051ca38e5619f7a8600bf64f8e869190eb50a
Opcode Fuzzy Hash: 167105348a6b9b40015b4806db6a40d19f9e5e05f61a51cc58597314cd25325a
Instruction Fuzzy Hash: C12180719116A9AFCB209F3A9C54A6B37A4FB09775F105738FA32E71E0D7309811DB90

Function 00EB9307 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00EB9320

Part of subcall function 00E67BCC: _memmove.LIBCMT ref: 00E67C06

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00EB9352
__itow.LIBCMT ref: 00EB936A
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00EB9392
__itow.LIBCMT ref: 00EB93A3

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: abcff35764a00682f4f06325d2567bb85cd7050e5ecd958ed2b7483774c9eb18
Instruction ID: 9bc4e3f8ec937d8e758f742bf847dd2c7311789e7180ffe0d396d7e11297f8ad
Opcode Fuzzy Hash: abcff35764a00682f4f06325d2567bb85cd7050e5ecd958ed2b7483774c9eb18
Instruction Fuzzy Hash: 9621C231700208BBDB10AA659CC9EEF7BE9EF88714F046025FA49FB2D2D6B0CD459791

Function 00ED5A4D Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00ED5A6E
GetForegroundWindow.USER32 ref: 00ED5A85
GetDC.USER32(00000000), ref: 00ED5AC1
GetPixel.GDI32(00000000,?,00000003), ref: 00ED5ACD
ReleaseDC.USER32(00000000,00000003), ref: 00ED5B08

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: a8c6004e109523b4a2e790069a7e3181534eb0cd2e1de997ed09276d94d72a72
Instruction ID: 2ff814b094786d0ffae1aaaa913cf83e4d162ca1fa45bdb24b8c2f66d5e65de1
Opcode Fuzzy Hash: a8c6004e109523b4a2e790069a7e3181534eb0cd2e1de997ed09276d94d72a72
Instruction Fuzzy Hash: F521C675A00118AFDB04EF65DD84A9ABBE9EF58350F14C079F809EB352CA30AD05CB90

Function 00E612F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00E6134D
SelectObject.GDI32(?,00000000), ref: 00E6135C
BeginPath.GDI32(?), ref: 00E61373
SelectObject.GDI32(?,00000000), ref: 00E6139C

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: ead2de570203e636664e976baf4e5525b1fc54dcc42333fa82ce882a9dffa6f1
Instruction ID: fb14ac51b4b5a8c79f74ed32c6631ae22eba86cc805d37e374f768fc19d69e2c
Opcode Fuzzy Hash: ead2de570203e636664e976baf4e5525b1fc54dcc42333fa82ce882a9dffa6f1
Instruction Fuzzy Hash: 0821863088060CDFDB218F25ED497AD7BE8FB00765F194255F411AA2B0D3B19996EF51

Function 00EBBC9E Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00EBBCB3
_memcmp.LIBCMT ref: 00EBBCD1
_memcmp.LIBCMT ref: 00EBBCE4
_memcmp.LIBCMT ref: 00EBBCFC
_memcmp.LIBCMT ref: 00EBBD14

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 08d3967745c4ee68c14bfd8ba6973702b6ed3a72809bfd809b4aca127508fb66
Instruction ID: 3dff3286d25eaa29ec3b56be466e02e56cde6c4c1a258f19c300579db5527a4b
Opcode Fuzzy Hash: 08d3967745c4ee68c14bfd8ba6973702b6ed3a72809bfd809b4aca127508fb66
Instruction Fuzzy Hash: 4101B5716012097BD204AB119D42FFBF75CDE50388F086025FF19B6342EB91DE1186E0

Function 00EC4A93 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00EC4ABA
__beginthreadex.LIBCMT ref: 00EC4AD8
MessageBoxW.USER32(?,?,?,?), ref: 00EC4AED
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00EC4B03
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00EC4B0A

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 0327a6ae3efbaa44b01e980da59fb05806c3c2f925297a59ce4d02da1ddff73b
Instruction ID: a307d8d346f77e9c860a3eab583e998e206b9a9e87113f20d63e661881e452af
Opcode Fuzzy Hash: 0327a6ae3efbaa44b01e980da59fb05806c3c2f925297a59ce4d02da1ddff73b
Instruction Fuzzy Hash: 331104B690564CBFC7119FA9AC58F9B7FACEB45320F144269F814E32D1D672CD0587A0

Function 00EB8202 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00EB821E
GetLastError.KERNEL32(?,00EB7CE2,?,?,?), ref: 00EB8228
GetProcessHeap.KERNEL32(00000008,?,?,00EB7CE2,?,?,?), ref: 00EB8237
HeapAlloc.KERNEL32(00000000,?,00EB7CE2,?,?,?), ref: 00EB823E
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00EB8255

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: e981c91e15f5c474b015721f39bda929f90748a777fa794111450c61d55990d8
Instruction ID: 1bdaa0a1600d54e395273b9a283a4d7755b96f10e69a3c4c6ea5279b183b670b
Opcode Fuzzy Hash: e981c91e15f5c474b015721f39bda929f90748a777fa794111450c61d55990d8
Instruction Fuzzy Hash: 53018171601249FFDB204FA6DD88DAB7FACEF8A754B504429F809E7260DB31CC04CA60

Function 00EB710A Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00EB7044,80070057,?,?,?,00EB7455), ref: 00EB7127
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00EB7044,80070057,?,?), ref: 00EB7142
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00EB7044,80070057,?,?), ref: 00EB7150
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00EB7044,80070057,?), ref: 00EB7160
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00EB7044,80070057,?,?), ref: 00EB716C

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 8b4bd23c6cf4f89a21442dcd6807223a25afb22b680042c981b377a1eae83d8f
Instruction ID: 3347d47d027cde5da00abc1b0801f3f0c3f8aa2d700e2b5ed8835a8e0b888415
Opcode Fuzzy Hash: 8b4bd23c6cf4f89a21442dcd6807223a25afb22b680042c981b377a1eae83d8f
Instruction Fuzzy Hash: 0D018FB2606208BFDB154F69DC84BEA7BADEF84795F145064FD84F6220DB31DD409BA0

Function 00EC5244 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00EC5260
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00EC526E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00EC5276
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00EC5280
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00EC52BC

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 6bfc9531ee7d41f992b2a31338341140c648cd6b4068225d9d68a04b97b52f6f
Instruction ID: fbda2117d233761ea80d15bd2fea14d146e5d41ecba3f864aa542d1836b5ada2
Opcode Fuzzy Hash: 6bfc9531ee7d41f992b2a31338341140c648cd6b4068225d9d68a04b97b52f6f
Instruction Fuzzy Hash: 83016D32D02A1DDBCF04DFE5ED88AEDBBB8FB0D311F400059E941B6151DB31A5958BA1

Function 00EB810A Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00EB8121
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00EB812B
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00EB813A
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00EB8141
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00EB8157

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: fe54ab41caa1bcb0b7ede29f73d0858dfdd2aa6570fcfd9e03aa71e6076271ec
Instruction ID: 44cb0c855c09fd59e2013c9451ec82209b77dad8bb6c324151d1e41d4b8328f1
Opcode Fuzzy Hash: fe54ab41caa1bcb0b7ede29f73d0858dfdd2aa6570fcfd9e03aa71e6076271ec
Instruction Fuzzy Hash: BCF06871202348AFDB110FA5ECC8EA73BACFF85758F000025F545E6251CB61DD45DA60

Function 00EBC1E3 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00EBC1F7
GetWindowTextW.USER32(00000000,?,00000100), ref: 00EBC20E
MessageBeep.USER32(00000000), ref: 00EBC226
KillTimer.USER32(?,0000040A), ref: 00EBC242
EndDialog.USER32(?,00000001), ref: 00EBC25C

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: c06401541d4e7708738666436adb518a112a59739f811dcdfdc5b1f340c2e55b
Instruction ID: eebef6bba34e9011f6c78ca89ffa12f5aeb6ee6c4cb2e61886f9e9f719da34bb
Opcode Fuzzy Hash: c06401541d4e7708738666436adb518a112a59739f811dcdfdc5b1f340c2e55b
Instruction Fuzzy Hash: 1C01A230408708ABEB205B61ED8EBD777B8BB00B06F000269F582B54F0DBF0A9488B90

Function 00E613B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00E613BF
StrokeAndFillPath.GDI32(?,?,00E9B888,00000000,?), ref: 00E613DB
SelectObject.GDI32(?,00000000), ref: 00E613EE
DeleteObject.GDI32 ref: 00E61401
StrokePath.GDI32(?), ref: 00E6141C

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: e39121c3f03e9938ac6e52d0acaa4537a7b9255e51d39609dcb19cf1ed72134d
Instruction ID: 597bc13ca3f0980391b0817d6de50a6ba877153c9fb9efecc8438a973c81c6e2
Opcode Fuzzy Hash: e39121c3f03e9938ac6e52d0acaa4537a7b9255e51d39609dcb19cf1ed72134d
Instruction Fuzzy Hash: 47F0EC30044B4CEFDB225F66EC8D7A83FA4A701766F0C9265F429691F1C771499AEF50

Function 00ECC397 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00ECC432
CoCreateInstance.OLE32(00EF2D6C,00000000,00000001,00EF2BDC,?), ref: 00ECC44A

Part of subcall function 00E67DE1: _memmove.LIBCMT ref: 00E67E22

CoUninitialize.OLE32 ref: 00ECC6B7

Strings

.lnk, xrefs: 00ECC3C6, 00ECC3EE, 00ECC3F8

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 3d1f8da283b56d3b28097609bfc20d28c8d45785f8e26994dce7a064dbe5641b
Instruction ID: 61bd8280da3ab9a075233aeb0dcdbff6b03a9c56ac0d51ec748423be23df6918
Opcode Fuzzy Hash: 3d1f8da283b56d3b28097609bfc20d28c8d45785f8e26994dce7a064dbe5641b
Instruction Fuzzy Hash: BBA15BB1244205AFD304EF54D881EABB7ECFF95394F005A1CF195AB1A2DB71EA09CB52

Function 00E72CFB Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00E80DB6: std::exception::exception.LIBCMT ref: 00E80DEC
Part of subcall function 00E80DB6: __CxxThrowException@8.LIBCMT ref: 00E80E01

Part of subcall function 00E67DE1: _memmove.LIBCMT ref: 00E67E22

Part of subcall function 00E67A51: _memmove.LIBCMT ref: 00E67AAB

__swprintf.LIBCMT ref: 00E72ECD

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00E72D66

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 686b04bc319cfec116e3d3dc4e48ed787c8c884fab581c7a51b2a6bfdee62557
Instruction ID: 73a70362d8694270a0653efced11d7505f037d4e99f4dff25d2358770dbe39ad
Opcode Fuzzy Hash: 686b04bc319cfec116e3d3dc4e48ed787c8c884fab581c7a51b2a6bfdee62557
Instruction Fuzzy Hash: 5B915C721082019FC714EF24D885C6FB7E8EF9A754F04691DF599BB2A1EA30ED44CB62

Function 00ECB93B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00E64750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E64743,?,?,00E637AE,?), ref: 00E64770

CoInitialize.OLE32(00000000), ref: 00ECB9BB
CoCreateInstance.OLE32(00EF2D6C,00000000,00000001,00EF2BDC,?), ref: 00ECB9D4
CoUninitialize.OLE32 ref: 00ECB9F1

Part of subcall function 00E69837: __itow.LIBCMT ref: 00E69862
Part of subcall function 00E69837: __swprintf.LIBCMT ref: 00E698AC

Strings

.lnk, xrefs: 00ECB99D, 00ECB9AB

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 7b2c4c0de3160fbeff92d89071b33f45c7d745e79cf36a2cc57b315b2192f277
Instruction ID: 1b1525dc950061bb06830cf31fff2c721944aa0dc00071227ba94c9bf74ad75e
Opcode Fuzzy Hash: 7b2c4c0de3160fbeff92d89071b33f45c7d745e79cf36a2cc57b315b2192f277
Instruction Fuzzy Hash: 34A134756043059FCB04DF14C585E6ABBE5BF89314F048958F899AB3A2CB32EC46CB91

Function 00EBB2F3 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 00EBB4BE

Strings

%, xrefs: 00EBB561
Container, xrefs: 00EBB43B
AutoIt3GUI, xrefs: 00EBB436

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container$%
API String ID: 3565006973-1286912533
Opcode ID: a609efaaa04f04b8d1470ee96a8cdd1c28e4c7657f3d5ad435ae705a42441ffd
Instruction ID: c5bc34cddb7d9ad206759cd39b2a6865866fcb81e69b3bd76b484cc3355e6dd2
Opcode Fuzzy Hash: a609efaaa04f04b8d1470ee96a8cdd1c28e4c7657f3d5ad435ae705a42441ffd
Instruction Fuzzy Hash: 76914B706006019FDB24DF64C884AABB7F9FF49710F10956DF94AEB291DBB1E841CB50

Function 00E8501D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00E850AD

Part of subcall function 00E900F0: __87except.LIBCMT ref: 00E9012B

Strings

pow, xrefs: 00E85085, 00E850A2

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 411cec8f307f6757f0d619854a726b9f8b6fa525baf900a3c4d9f8468af02e27
Instruction ID: be52fce4eeebe95e3900eeac472e6f9c0a26d98155d2cb49c2c2f93f64d3dc11
Opcode Fuzzy Hash: 411cec8f307f6757f0d619854a726b9f8b6fa525baf900a3c4d9f8468af02e27
Instruction Fuzzy Hash: B9515B6290DA018EDF11B725C8053BE7BD49B41704F70AD59E4DDB62AAEF348DC8DB82

Function 00EA8584 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 148COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00EA862B
_memmove.LIBCMT ref: 00EA8685

Strings

3c, xrefs: 00EA860C
_, xrefs: 00EA86FF, 00EADFDC, 00EADFF8

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: _memmove
String ID: 3c$_
API String ID: 4104443479-4099079164
Opcode ID: 09d10ec9fda9c671284d6855ebaef7a462ed8ca30eaa1e622d7157e94a730cb7
Instruction ID: 410f06ef484ff06a413dee2e2bdc42ea1b9a77808402d1d2eebbaed33841f0ca
Opcode Fuzzy Hash: 09d10ec9fda9c671284d6855ebaef7a462ed8ca30eaa1e622d7157e94a730cb7
Instruction Fuzzy Hash: D3515FB0D006099FDF64CF68C984AAEBBF1FF49314F148529E85AEB250EB30A955CF51

Function 00EB97F5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EC14BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00EB9296,?,?,00000034,00000800,?,00000034), ref: 00EC14E6

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00EB983F

Part of subcall function 00EC1487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00EB92C5,?,?,00000800,?,00001073,00000000,?,?), ref: 00EC14B1

Part of subcall function 00EC13DE: GetWindowThreadProcessId.USER32(?,?), ref: 00EC1409
Part of subcall function 00EC13DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00EB925A,00000034,?,?,00001004,00000000,00000000), ref: 00EC1419
Part of subcall function 00EC13DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00EB925A,00000034,?,?,00001004,00000000,00000000), ref: 00EC142F

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00EB98AC
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00EB98F9

Strings

@, xrefs: 00EB9911

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 9a3fd3cb674f3ec6b4812381217677a6ec33bc1a8d4c101d63f231de5ef253b2
Instruction ID: fb2a557685320dddd924cd63538b08ab6df5ba25dd2a1235b966fb30c89b6047
Opcode Fuzzy Hash: 9a3fd3cb674f3ec6b4812381217677a6ec33bc1a8d4c101d63f231de5ef253b2
Instruction Fuzzy Hash: DF414C7690121CAFDB14DFA4CD85EDEBBB8EB4A300F004099FA55B7192DA716E45CBA0

Function 00EE7946 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00EEF910,00000000,?,?,?,?), ref: 00EE79DF
GetWindowLongW.USER32 ref: 00EE79FC
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00EE7A0C

Strings

SysTreeView32, xrefs: 00EE79B1

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: a1b1401fc4042a1cf56262c69cedaeed3dde828f4964846f9ab993741bec2070
Instruction ID: 759ff226e98dd24d38418f8aa63927e929723d9bd745efca701c90687053e6e2
Opcode Fuzzy Hash: a1b1401fc4042a1cf56262c69cedaeed3dde828f4964846f9ab993741bec2070
Instruction Fuzzy Hash: 8C31F23124464AAFDB118E35DC41BEA77A9EF44328F205724F8B9B32E1D731ED509750

Function 00EE73D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00EE7461
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00EE7475
SendMessageW.USER32(?,00001002,00000000,?), ref: 00EE7499

Strings

SysMonthCal32, xrefs: 00EE742C

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: bd8e467ad57dd62b498e9b616097137cfafefe62ebfe533b7fce5f015a4fce27
Instruction ID: 32899f467f54eae88e7b4d135374ea30ba2eddf723bd929c99586d596364c886
Opcode Fuzzy Hash: bd8e467ad57dd62b498e9b616097137cfafefe62ebfe533b7fce5f015a4fce27
Instruction Fuzzy Hash: 5321B13250025CAFDF118E55CC42FEA3BA9EB48724F111214FE657B1D0DA75AC959BA0

Function 00EE7B93 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00EE7C4A
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00EE7C58
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00EE7C5F

Strings

msctls_updown32, xrefs: 00EE7BC4

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: da44679aa0a6e1a704dd07a8e8f5d23a99b7b49201c00f5c7c21b27a67f453bb
Instruction ID: 6e60617d41aa2c6e7f00e488a1e536380d14a0c2ef127d763afaeef4ef0ce6eb
Opcode Fuzzy Hash: da44679aa0a6e1a704dd07a8e8f5d23a99b7b49201c00f5c7c21b27a67f453bb
Instruction Fuzzy Hash: CB219AB1204249AFDB10DF29DCC1CA677EDEB4A798B140058FA51AB2A1CB71EC019AA0

Function 00EE6CB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00EE6D3B
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00EE6D4B
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00EE6D70

Strings

Listbox, xrefs: 00EE6D08

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 9c5e91a8a9f7258457c6b2d34a7ea88228ef303f40bda3a37f9e487eaf4bc47d
Instruction ID: 3ebddd00649d9949493023e409032c01dd362cc63dd378c68939c8cf352bd08b
Opcode Fuzzy Hash: 9c5e91a8a9f7258457c6b2d34a7ea88228ef303f40bda3a37f9e487eaf4bc47d
Instruction Fuzzy Hash: DF21F23220015CBFDF118F55CC80FBB3BBAEF997A4F119124F940AB1A0C6719C5187A0

Function 00ED39E9 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00ED3A66

Part of subcall function 00E67DE1: _memmove.LIBCMT ref: 00E67E22

Strings

, $, xrefs: 00ED3AA6
AUTOITCALLVARIABLE%d, xrefs: 00ED3A58
%, xrefs: 00ED39F4

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d$%
API String ID: 3506404897-3879706725
Opcode ID: c3f053693d4fed2c36ba65387019fa04e76368bf44a081f8246fdadfbe3b03d0
Instruction ID: 94fd84ed2818b2ab56f8b7809c5697454e934be99efbfad0a2f12d4113e1a984
Opcode Fuzzy Hash: c3f053693d4fed2c36ba65387019fa04e76368bf44a081f8246fdadfbe3b03d0
Instruction Fuzzy Hash: FB218131740219AACF10EF64DC82AEEB7F5EF44340F001455E555BB282DB30EA42CB62

Function 00EE770E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00EE7772
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00EE7787
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00EE7794

Strings

msctls_trackbar32, xrefs: 00EE7749

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 91a0f9fdd523efbc87c7cae4f991fc02931d30785c042c1dd659aa4d1b6a716e
Instruction ID: 5c5c02f5883941ae74a031689da3cb379b4361768e187760935016bb4e8b67f6
Opcode Fuzzy Hash: 91a0f9fdd523efbc87c7cae4f991fc02931d30785c042c1dd659aa4d1b6a716e
Instruction Fuzzy Hash: 0C113A7224424DBFEF205F62CC01FD737A9EF88B55F010119F681B6090C271E851DB10

Function 00E64C36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00E64B83,?), ref: 00E64C44
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00E64C56

Strings

kernel32.dll, xrefs: 00E64C3F
Wow64RevertWow64FsRedirection, xrefs: 00E64C50

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: f3fc7cafebd2b5b3036a8b236b6cf00a7852713e687df647fcb5533380296ae9
Instruction ID: 534d841137e8ed3669a4e43aafa818de78068465fd2ee86420b91fcb17865a58
Opcode Fuzzy Hash: f3fc7cafebd2b5b3036a8b236b6cf00a7852713e687df647fcb5533380296ae9
Instruction Fuzzy Hash: D2D02B70501717CFD7244F32D848206B3D5AF00384B10C83DE491FA2A1E770C4C0C610

Function 00E64C03 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00E64BD0,?,00E64DEF,?,00F252F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00E64C11
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00E64C23

Strings

kernel32.dll, xrefs: 00E64C0C
Wow64DisableWow64FsRedirection, xrefs: 00E64C1D

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: f37a0f5b329ed3a7a663ba67b441a629f846a923a01ae9db138663d7cfaf26fe
Instruction ID: 0cf9b9e6ce49b9c8546ae19b27750783bd8373defe8a8e1b007e07491cc38f29
Opcode Fuzzy Hash: f37a0f5b329ed3a7a663ba67b441a629f846a923a01ae9db138663d7cfaf26fe
Instruction Fuzzy Hash: 8BD0C270501717CFD7205F72D848207B6D6EF48385B00CC3DE481EA290E6B0C480C610

Function 00EE0DE7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00EE1039), ref: 00EE0DF5
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00EE0E07

Strings

RegDeleteKeyExW, xrefs: 00EE0E01
advapi32.dll, xrefs: 00EE0DF0

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: ea67aa063765bb1ff47a1baf857c7de0507e465c5b5364989dc17e97e79daa94
Instruction ID: 0d2d12195eb11dc4fddcdebc94e58d24f7692165d3b06d0b5b213321adddfeb3
Opcode Fuzzy Hash: ea67aa063765bb1ff47a1baf857c7de0507e465c5b5364989dc17e97e79daa94
Instruction Fuzzy Hash: 9BD0C73040072ACFCB208FB2C84828272E6AF00342F048C3EE482F6160E6F0D8D0CA82

Function 00ED90E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00ED8CF4,?,00EEF910), ref: 00ED90EE
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00ED9100

Strings

kernel32.dll, xrefs: 00ED90E9
GetModuleHandleExW, xrefs: 00ED90FA

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 11c0d28bc2bc315732e080757417c64ae38c6ed8a037a7aba41159e36f9c46a8
Instruction ID: 178b828f36bda4654625dc244a2c3b661b7935db2db192bbcaa84e3dbd1411d7
Opcode Fuzzy Hash: 11c0d28bc2bc315732e080757417c64ae38c6ed8a037a7aba41159e36f9c46a8
Instruction Fuzzy Hash: FCD0173451171BCFDB209F32DC5864676E4AF05395B12D83EE48AEA691EA70C881CA90

Function 00EA1714 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00EA1718
__swprintf.LIBCMT ref: 00EA1749

Strings

%.3d, xrefs: 00EA1723
WIN_XPe, xrefs: 00EA1788

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 9ecf679b57f52a8fcc55f595fab9d6df1040ea37b83a3fff66682f0693d51255
Instruction ID: b80e6811afa691203cb119009c86fb4ebad9ebecfdd37eb9bd3caa24e873d09f
Opcode Fuzzy Hash: 9ecf679b57f52a8fcc55f595fab9d6df1040ea37b83a3fff66682f0693d51255
Instruction Fuzzy Hash: C0D01275844218FAC7009690D8888F9737CA71F701F143493F506F6040E221AB94E662

Function 00EB717D Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d71587e0d33b6635d578ee9b1f26e2fd72d61b412b14b358815d6a80e6903f12
Instruction ID: 24f655dd26a2351e0f66c55a75bb1c54b123d75927a06fc986bb882484192e27
Opcode Fuzzy Hash: d71587e0d33b6635d578ee9b1f26e2fd72d61b412b14b358815d6a80e6903f12
Instruction Fuzzy Hash: DFC16C74A04216EFCB14CFA4C884AAFBBF5FF88304B149598E895EB651D730ED81DB90

Function 00EDE02A Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00EDE0BE
CharLowerBuffW.USER32(?,?), ref: 00EDE101

Part of subcall function 00EDD7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00EDD7C5

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00EDE301
_memmove.LIBCMT ref: 00EDE314

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 57b62811fe1c5dad2c45ab327d069ae457580e904337ab72cb2417adbf3b1f6c
Instruction ID: 8ad560dc3c671ea24d0011b4154e98fbf3c2d8cd5f73cbc4db1b27361d95961b
Opcode Fuzzy Hash: 57b62811fe1c5dad2c45ab327d069ae457580e904337ab72cb2417adbf3b1f6c
Instruction Fuzzy Hash: F4C15971608301DFC704EF28C484A6ABBE4FF89758F04996EF899AB351D731E946CB81

Function 00ED8093 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00ED80C3
CoUninitialize.OLE32 ref: 00ED80CE

Part of subcall function 00EBD56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00EBD5D4

VariantInit.OLEAUT32(?), ref: 00ED80D9
VariantClear.OLEAUT32(?), ref: 00ED83AA

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 8d0de51c05eeec58bc355e31ba425cff6368365b804bab8f090ed552e0d81515
Instruction ID: 41747070fd6f2d9bc2a2bf7ca1b462ada9a518bfc619232d35c00ac314cae7fb
Opcode Fuzzy Hash: 8d0de51c05eeec58bc355e31ba425cff6368365b804bab8f090ed552e0d81515
Instruction Fuzzy Hash: A5A156752047019FCB04DF64D981B2AB7E8FF89354F045449F99AAB3A2CB30EC06CB82

Function 00EB687D Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00EB688E
SysAllocString.OLEAUT32(00000000), ref: 00EB6937
VariantCopy.OLEAUT32 ref: 00EB6966
VariantClear.OLEAUT32(?), ref: 00EB698D

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 5846a57cdff3c9c257c4309ebe275cb32fd97f0343e983182fe96a47d9878e02
Instruction ID: 2836e08e87dfa582195157300fc86708051732b5ed62d0cb566704c9a6a18601
Opcode Fuzzy Hash: 5846a57cdff3c9c257c4309ebe275cb32fd97f0343e983182fe96a47d9878e02
Instruction Fuzzy Hash: 4A5190747003019ADF24AF65D891ABBB3E9AF45314F20F81FE59AFB291DA78D8448741

Function 00EE97F4 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(0103DA78,?), ref: 00EE9863
ScreenToClient.USER32(00000002,00000002), ref: 00EE9896
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00EE9903

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: b4646b7bc101725cb0f4150a02e657720a7287e2fe838ea749488e9dd81e675b
Instruction ID: 63c0142a5811eb621b5f71090665c2e3dc64d9b7fbc4c0f9982c6fe886ae1bf3
Opcode Fuzzy Hash: b4646b7bc101725cb0f4150a02e657720a7287e2fe838ea749488e9dd81e675b
Instruction Fuzzy Hash: 7A516D34A0024DAFCF24CF25D880AAE7BF5FF85364F149169F855AB2A2D731AD41CB90

Function 00EB9A80 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00EB9AD2
__itow.LIBCMT ref: 00EB9B03

Part of subcall function 00EB9D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00EB9DBE

SendMessageW.USER32(?,0000110A,00000001,?), ref: 00EB9B6C
__itow.LIBCMT ref: 00EB9BC3

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: 0e97aae64fe69b473b714b1c87b7251ca1dfb53cfcbe1de0b61bd1147f0725ea
Instruction ID: 78b2eb4fbe46dc76c3fdd64922d32cc753fae137d02a911c1af9bd84006f4a84
Opcode Fuzzy Hash: 0e97aae64fe69b473b714b1c87b7251ca1dfb53cfcbe1de0b61bd1147f0725ea
Instruction Fuzzy Hash: 92417070A40208ABDF11EF64D885BEE7BF9EF48754F001069FA55B7292DB709A44CBA1

Function 00ED69AA Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00ED69D1
WSAGetLastError.WSOCK32(00000000), ref: 00ED69E1

Part of subcall function 00E69837: __itow.LIBCMT ref: 00E69862
Part of subcall function 00E69837: __swprintf.LIBCMT ref: 00E698AC

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00ED6A45
WSAGetLastError.WSOCK32(00000000), ref: 00ED6A51

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: dbc29e77fef28d1cc2873f5d8a8e22c7a5cd2fe353af5bbbf75bd4d3fd42829c
Instruction ID: 96c94a34b1866f6497b2f250ee36b791a07463c7baca24ffdc5991439909e204
Opcode Fuzzy Hash: dbc29e77fef28d1cc2873f5d8a8e22c7a5cd2fe353af5bbbf75bd4d3fd42829c
Instruction Fuzzy Hash: EC41DF75680200AFEB60AF64DC86F2A37E8DB14B94F049518FA59BF3C3CA708D018791

Function 00ED641A Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00EEF910), ref: 00ED64A7
_strlen.LIBCMT ref: 00ED64D9

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 1184c058abee7ec4a07053f82eef7b5d7f1f153797c097adc8e5812483c4342c
Instruction ID: 25afadf8d93174d5391f566cbd04b4d640887d81d622a374642682d561ddcd37
Opcode Fuzzy Hash: 1184c058abee7ec4a07053f82eef7b5d7f1f153797c097adc8e5812483c4342c
Instruction Fuzzy Hash: 8A41A031600104ABCB14EBA8EC95EEEB7F9EF54314F14955AF819BB392EB30AD45CB50

Function 00ECB7F4 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00ECB89E
GetLastError.KERNEL32(?,00000000), ref: 00ECB8C4
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00ECB8E9
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00ECB915

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 83052831c572e5616dd2c57a6e0c8d03ae7810753c951b8fc4ab375fa95942e0
Instruction ID: cc0dcebaa75733d99516d7206af342ff86b1453c3d851b09b5de1969cb3ac0c7
Opcode Fuzzy Hash: 83052831c572e5616dd2c57a6e0c8d03ae7810753c951b8fc4ab375fa95942e0
Instruction Fuzzy Hash: EA417839600650DFCB14EF55C585A59BBE5EF9A354F088088FC4AAB362CB31FC02CB91

Function 00EE8851 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00EE88DE

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 89468703c74f2d80ecc17340ff8f1fa266779ef25774be172d6aafc458e4cbc8
Instruction ID: 7a2daa96fd5232b68080f709ed701dc50a59ec3d602f783080b684992532db18
Opcode Fuzzy Hash: 89468703c74f2d80ecc17340ff8f1fa266779ef25774be172d6aafc458e4cbc8
Instruction Fuzzy Hash: F8311630A4018CAFEB249F5ADE45BB877A0EB45314F901111FA5DF62E2CE32D9409756

Function 00EEAB37 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00EEAB60
GetWindowRect.USER32(?,?), ref: 00EEABD6
PtInRect.USER32(?,?,00EEC014), ref: 00EEABE6
MessageBeep.USER32(00000000), ref: 00EEAC57

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 7387fb735726ea63df13611e5d47e885aa6f729c6f7d9cb24e56764c512141d5
Instruction ID: d3dae4102dca46e9a94aae05d53611f3b2d8307ce871184ffa89d9a8e2000438
Opcode Fuzzy Hash: 7387fb735726ea63df13611e5d47e885aa6f729c6f7d9cb24e56764c512141d5
Instruction Fuzzy Hash: 9C41713060059DDFCB21DF5AD884AA9B7F6FB89700F289079E415EF260D730B841DB92

Function 00EC0AD6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00EC0B27
SetKeyboardState.USER32(00000080,?,00000001), ref: 00EC0B43
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00EC0BA9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00EC0BFB

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: b1932cecc3d7b3eff5f96b94341c4b6a6af629d89efd635c15603c3d6f7f81bf
Instruction ID: 64c0adf3f046b2db7c3f9e6a9a17639698880b333752eaeecd12225f4664fcad
Opcode Fuzzy Hash: b1932cecc3d7b3eff5f96b94341c4b6a6af629d89efd635c15603c3d6f7f81bf
Instruction Fuzzy Hash: 50314830A40608EEFF30CB258D05FFABBA9AB4532CF04525EF595721D1C3768D469761

Function 00EC0C11 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 00EC0C66
SetKeyboardState.USER32(00000080,?,00008000), ref: 00EC0C82
PostMessageW.USER32(00000000,00000101,00000000), ref: 00EC0CE1
SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 00EC0D33

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 5b8af8b6a99b1860a0b06867d3dddbc225cc1f859dca84bb1be33f8e10d42a25
Instruction ID: 405d4daff50bb1ec1aa3565344e843a23e5676a4bfda1304f4241e0fb892f523
Opcode Fuzzy Hash: 5b8af8b6a99b1860a0b06867d3dddbc225cc1f859dca84bb1be33f8e10d42a25
Instruction Fuzzy Hash: C1311430A00618EEFB208A658904FFABBA6AB45318F04671EE491721D1C33A99468751

Function 00E961C5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00E961FB
__isleadbyte_l.LIBCMT ref: 00E96229
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00E96257
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00E9628D

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 543f23c7f2f9decb9179814ca48a56fe3fd7cd028e5534367ca941d16cf93d9d
Instruction ID: 56fd6d794ae36ac4382bed85a968e7b654d5243dd5d8f02154ae7f735c900758
Opcode Fuzzy Hash: 543f23c7f2f9decb9179814ca48a56fe3fd7cd028e5534367ca941d16cf93d9d
Instruction Fuzzy Hash: 0031E13060524AAFDF228F75CC44BBA7BB9FF41314F15502AF828AB1A1D730E950DB90

Function 00EE4EEE Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00EE4F02

Part of subcall function 00EC3641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00EC365B
Part of subcall function 00EC3641: GetCurrentThreadId.KERNEL32 ref: 00EC3662
Part of subcall function 00EC3641: AttachThreadInput.USER32(00000000,?,00EC5005), ref: 00EC3669

GetCaretPos.USER32(?), ref: 00EE4F13
ClientToScreen.USER32(00000000,?), ref: 00EE4F4E
GetForegroundWindow.USER32 ref: 00EE4F54

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 96199c409d0bccb1944b8115bfd49b9ac9bbf53fcbdfa61773be39bc0c9674fb
Instruction ID: 7ee6e61a097ee4115b83fcf89bab74a0db14015e60fc891bfc101dd1ef5afb33
Opcode Fuzzy Hash: 96199c409d0bccb1944b8115bfd49b9ac9bbf53fcbdfa61773be39bc0c9674fb
Instruction Fuzzy Hash: 9B312CB1E00108AFCB10EFB6D9859EFB7FDEF98300B10506AE415F7242DA719E058BA1

Function 00EC3C55 Relevance: 6.1, APIs: 4, Instructions: 85processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00EC3C7A
Process32FirstW.KERNEL32(00000000,?), ref: 00EC3C88
Process32NextW.KERNEL32(00000000,?), ref: 00EC3CA8
CloseHandle.KERNEL32(00000000), ref: 00EC3D52

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: fd5b233cabd13310bd0ab17524589170edc875ac18c19fb100303fe911614a36
Instruction ID: 4499bfa31209cc359d438448f0f98471231dfea5a8bee507e8bf73bc3e17c2b0
Opcode Fuzzy Hash: fd5b233cabd13310bd0ab17524589170edc875ac18c19fb100303fe911614a36
Instruction Fuzzy Hash: 4531C4711083459FC300EF20D881FAFBBE8EF95354F40182DF4D2A61A1EB719A49CB92

Function 00EEC498 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E62612: GetWindowLongW.USER32(?,000000EB), ref: 00E62623

GetCursorPos.USER32(?), ref: 00EEC4D2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00E9B9AB,?,?,?,?,?), ref: 00EEC4E7
GetCursorPos.USER32(?), ref: 00EEC534
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00E9B9AB,?,?,?), ref: 00EEC56E

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 9218281400760b4e1377eb2bd852a7cabcc132328dd0860d5b906a93da99e798
Instruction ID: bc74f0cbdcfe9dfdea8fecba8c9c8d471f67d41cdd0d44d95060987eb18edcbb
Opcode Fuzzy Hash: 9218281400760b4e1377eb2bd852a7cabcc132328dd0860d5b906a93da99e798
Instruction Fuzzy Hash: 9B31F23560049CAFCB21CF5AC898EFE7BB5EB09310F10406AF905AB261C731AD56DFA4

Function 00EB8656 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00EB810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00EB8121
Part of subcall function 00EB810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00EB812B
Part of subcall function 00EB810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00EB813A
Part of subcall function 00EB810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00EB8141
Part of subcall function 00EB810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00EB8157

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00EB86A3
_memcmp.LIBCMT ref: 00EB86C6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00EB86FC
HeapFree.KERNEL32(00000000), ref: 00EB8703

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: ed1bb069038c257d686babfdbe27487aeb3972e7726bee9913264239b0eb2fc2
Instruction ID: 1ab1213c3936ab34b894c95d3770ec011f76c0cee984faa8c7ed76225bd2175d
Opcode Fuzzy Hash: ed1bb069038c257d686babfdbe27487aeb3972e7726bee9913264239b0eb2fc2
Instruction Fuzzy Hash: 91216971E01109EFDB10DFA8CA49BEEB7B8EF45308F158059E444BB241DB30AE05CB90

Function 00E8098C Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00E809AE

Part of subcall function 00E65A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00EC7896,?,?,00000000), ref: 00E65A2C
Part of subcall function 00E65A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00EC7896,?,?,00000000,?,?), ref: 00E65A50

_fprintf.LIBCMT ref: 00E809E5
OutputDebugStringW.KERNEL32(?), ref: 00EB5DBB

Part of subcall function 00E84AAA: _flsall.LIBCMT ref: 00E84AC3

__setmode.LIBCMT ref: 00E80A1A

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 71f73bac1e9ca6808b7fc10aa7cdeef78ccb52fa2091d1837b17591988a43c05
Instruction ID: 2a5da78f7ff5db9dca161ca06396c20db7caf2bb6a350324b8efe2d92557fe92
Opcode Fuzzy Hash: 71f73bac1e9ca6808b7fc10aa7cdeef78ccb52fa2091d1837b17591988a43c05
Instruction Fuzzy Hash: 4F116AB2644609AFDB08B3B4AC469FE77E8DF81360F20215AF10C771C2FE31584657A0

Function 00ED1767 Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00ED17A3

Part of subcall function 00ED182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00ED184C
Part of subcall function 00ED182D: InternetCloseHandle.WININET(00000000), ref: 00ED18E9

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: cd7ae356dfd08db48903fed885d97c6d94fe48f65b9c4ba096c17dcd93f2237d
Instruction ID: 1616167f244d6263d2903fd869a1a16760d36fb0ada1be9b35370b0a3197d5f3
Opcode Fuzzy Hash: cd7ae356dfd08db48903fed885d97c6d94fe48f65b9c4ba096c17dcd93f2237d
Instruction Fuzzy Hash: FF219276200605BFEB169F60DC41FBABBE9FF89710F10502FFA11AA750D7719812A7A1

Function 00EC3A2A Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00EEFAC0), ref: 00EC3A64
GetLastError.KERNEL32 ref: 00EC3A73
CreateDirectoryW.KERNEL32(?,00000000), ref: 00EC3A82
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00EEFAC0), ref: 00EC3ADF

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: da4b05b673fb5579bd8f66864a3c9cb273850457dacc1f778213b1461fbdc740
Instruction ID: 37c6420cc90866f83635836514ca6362247982afb436d8fd0458ef359880037d
Opcode Fuzzy Hash: da4b05b673fb5579bd8f66864a3c9cb273850457dacc1f778213b1461fbdc740
Instruction Fuzzy Hash: AD21D6745083059F8310DF34D981DAA77E4AF59368F109A2DF4E9E72A1D732DE1ACB82

Function 00EBDCBE Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00EBF0BC: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00EBDCD3,?,?,?,00EBEAC6,00000000,000000EF,00000119,?,?), ref: 00EBF0CB
Part of subcall function 00EBF0BC: lstrcpyW.KERNEL32(00000000,?,?,00EBDCD3,?,?,?,00EBEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00EBF0F1
Part of subcall function 00EBF0BC: lstrcmpiW.KERNEL32(00000000,?,00EBDCD3,?,?,?,00EBEAC6,00000000,000000EF,00000119,?,?), ref: 00EBF122

lstrlenW.KERNEL32(?,00000002,?,?,?,?,00EBEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00EBDCEC
lstrcpyW.KERNEL32(00000000,?,?,00EBEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00EBDD12
lstrcmpiW.KERNEL32(00000002,cdecl,?,00EBEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00EBDD46

Strings

cdecl, xrefs: 00EBDD3D

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: c2ee0b12d2c742e57004627f58c67a3263b2b5f8248ea3664f3f5ae42cf9e51c
Instruction ID: 2408af803757150d89fb6241cb13350d5747f1133d57a9d877acd783746cc38a
Opcode Fuzzy Hash: c2ee0b12d2c742e57004627f58c67a3263b2b5f8248ea3664f3f5ae42cf9e51c
Instruction Fuzzy Hash: BE11BE3A204309EFCB25AF74CC459BB77A8FF45314B40A12AF84ADB2A1FB719840C791

Function 00E950E2 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00E95101

Part of subcall function 00E8571C: __FF_MSGBANNER.LIBCMT ref: 00E85733
Part of subcall function 00E8571C: __NMSG_WRITE.LIBCMT ref: 00E8573A
Part of subcall function 00E8571C: RtlAllocateHeap.NTDLL(01020000,00000000,00000001,00000000,?,?,?,00E80DD3,?), ref: 00E8575F

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: de8020555137c2311fda1c0cff45748d4753c49e3a5d8c253a83db5cb453d31a
Instruction ID: 9b387ef09d9c5418ba9497d6525fc00f6293e27c37e2470863a0c47c272c9476
Opcode Fuzzy Hash: de8020555137c2311fda1c0cff45748d4753c49e3a5d8c253a83db5cb453d31a
Instruction Fuzzy Hash: 2C11A3B3502E15AECF323F76AC4575E3BD89B54365B10652AF90CBA150DF348D419790

Function 00ED6369 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00E65A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00EC7896,?,?,00000000), ref: 00E65A2C
Part of subcall function 00E65A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00EC7896,?,?,00000000,?,?), ref: 00E65A50

gethostbyname.WSOCK32(?,?,?), ref: 00ED6399
WSAGetLastError.WSOCK32(00000000), ref: 00ED63A4
_memmove.LIBCMT ref: 00ED63D1
inet_ntoa.WSOCK32(?), ref: 00ED63DC

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: ff9fa8c7f0ff54262b645058bd5738542abb81e64a705267e165b36ff092c342
Instruction ID: 6845bc4d5d7955a38c43f460d1ef657fb5560231bc25d7bd77d0bac1785e7704
Opcode Fuzzy Hash: ff9fa8c7f0ff54262b645058bd5738542abb81e64a705267e165b36ff092c342
Instruction Fuzzy Hash: 8F115B32600109AFCB04FBA4ED86CEEB7F8EF58350B145065F506B7262DB31AE18CB61

Function 00EB8B41 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00EB8B61
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00EB8B73
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00EB8B89
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00EB8BA4

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 18552e3a6bc531cb7b981a6af437009dfab0905e0e3a64a13969b91d3aedb3e2
Instruction ID: b755414f25a92d2354a18030e4d2164a0a57fdfbf0d85255adf7f2cb74969f34
Opcode Fuzzy Hash: 18552e3a6bc531cb7b981a6af437009dfab0905e0e3a64a13969b91d3aedb3e2
Instruction Fuzzy Hash: 22110A79901218FFDB11DBA5C985EDEBBB8EB48710F204095E900B7250DA716E11DB94

Function 00E61290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00E62612: GetWindowLongW.USER32(?,000000EB), ref: 00E62623

DefDlgProcW.USER32(?,00000020,?), ref: 00E612D8
GetClientRect.USER32(?,?), ref: 00E9B5FB
GetCursorPos.USER32(?), ref: 00E9B605
ScreenToClient.USER32(?,?), ref: 00E9B610

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 24e7294ef468e83efb56b4ad915470db95be3103f089f52eb0edd42d62d9a6f0
Instruction ID: eb3b2e07589f1a816645705046e1a3d4ee6694798a355f66cc72eca8e8073d82
Opcode Fuzzy Hash: 24e7294ef468e83efb56b4ad915470db95be3103f089f52eb0edd42d62d9a6f0
Instruction Fuzzy Hash: A511583590005DAFCB01DF99E8999FE77B8EB05340F0004A5FA01F7150C730BA55ABA5

Function 00EBD831 Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00EBD84D
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00EBD864
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00EBD879
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00EBD897

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: f78812af6b2d6483f05b27b9416ac59755c136d40af55c33cc1f4f49013edc03
Instruction ID: 532d9cf34984cb58d2fc41ce5c8a94368bf6ab70c2509da3632a5008632e87bd
Opcode Fuzzy Hash: f78812af6b2d6483f05b27b9416ac59755c136d40af55c33cc1f4f49013edc03
Instruction Fuzzy Hash: D6116175609704DFE3248F51EC48FD3BBBCEF00B01F108569E556E6090E7B1E9499BA1

Function 00E96FB7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00E96FDB

Part of subcall function 00E976C2: __fltout2.LIBCMT ref: 00E976EB

__cftog_l.LIBCMT ref: 00E97001
__cftoe_l.LIBCMT ref: 00E97033

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: b311b40afaecc8472c7598bfd6a2c95f27cd5af81da01924b0aad0e190f28f00
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: A3018C7205814ABBCF125F84CC02CEE3F62BB18354F489415FE9868031C236C9B9AB81

Function 00EEB2C5 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00EEB2E4
ScreenToClient.USER32(?,?), ref: 00EEB2FC
ScreenToClient.USER32(?,?), ref: 00EEB320
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00EEB33B

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: bdea012eef0d34ed6244a4e98bc830da4e81a1311d65f23a5e80c81c1409dd33
Instruction ID: 22aeb9fe4d52f0ef588cf1bd4d116bff6ebd17b10c72ca65afeca733bd09df1f
Opcode Fuzzy Hash: bdea012eef0d34ed6244a4e98bc830da4e81a1311d65f23a5e80c81c1409dd33
Instruction Fuzzy Hash: F2116675D0024EEFDB01CF99C4849EEBBB5FB08310F108166E915E7220D731AA558F90

Function 00EEB635 Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00EEB644
_memset.LIBCMT ref: 00EEB653
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00F26F20,00F26F64), ref: 00EEB682
CloseHandle.KERNEL32 ref: 00EEB694

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: a5772a2a57a7058c489a89b6c45b56c3ff4f4ede9dff2703ecedbd672ce219de
Instruction ID: 229506ae5e396fe2453391e271bc115b4e4bca16a817b7d4a8dec6a72e9cfb44
Opcode Fuzzy Hash: a5772a2a57a7058c489a89b6c45b56c3ff4f4ede9dff2703ecedbd672ce219de
Instruction Fuzzy Hash: 82F05EB2540358BFEA202761BD46FBB3A9CEB08395F004020FB0CE9196E7714C0197A8

Function 00EC6BDA Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00EC6BE6

Part of subcall function 00EC76C4: _memset.LIBCMT ref: 00EC76F9

_memmove.LIBCMT ref: 00EC6C09
_memset.LIBCMT ref: 00EC6C16
LeaveCriticalSection.KERNEL32(?), ref: 00EC6C26

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: c66b187652af84b23c8e97377b2afe3bdca1ed0f92bd1238a584e9eb60ce18eb
Instruction ID: c13d5cc42667b4e658a39cfad7d8d59a3d58e26e9ede1aab578057a00759088d
Opcode Fuzzy Hash: c66b187652af84b23c8e97377b2afe3bdca1ed0f92bd1238a584e9eb60ce18eb
Instruction Fuzzy Hash: A7F03A3A200104ABCF016F55ED85E8ABB69EF49320B048065FE0CAE266D732E915CBB4

Function 00E62218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00E62231
SetTextColor.GDI32(?,000000FF), ref: 00E6223B
SetBkMode.GDI32(?,00000001), ref: 00E62250
GetStockObject.GDI32(00000005), ref: 00E62258
GetWindowDC.USER32(?,00000000), ref: 00E9BE83
GetPixel.GDI32(00000000,00000000,00000000), ref: 00E9BE90
GetPixel.GDI32(00000000,?,00000000), ref: 00E9BEA9
GetPixel.GDI32(00000000,00000000,?), ref: 00E9BEC2
GetPixel.GDI32(00000000,?,?), ref: 00E9BEE2
ReleaseDC.USER32(?,00000000), ref: 00E9BEED

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: c162a513d58e48f8b2ef43df24ebea7b7850598ea8ca3aa25772d11c60d872c9
Instruction ID: eb797ec507687803b8ead198a1ea85fc82ff4e8372573356e7c3c53ce53a7d88
Opcode Fuzzy Hash: c162a513d58e48f8b2ef43df24ebea7b7850598ea8ca3aa25772d11c60d872c9
Instruction Fuzzy Hash: FFE03031504188AEEF215FA5FC4D7D83B15EB15336F008366FA696C0E187714988DB11

Function 00EB8712 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00EB871B
OpenThreadToken.ADVAPI32(00000000,?,?,?,00EB82E6), ref: 00EB8722
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00EB82E6), ref: 00EB872F
OpenProcessToken.ADVAPI32(00000000,?,?,?,00EB82E6), ref: 00EB8736

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: cb1882e89d5d7a0e7bbb31e1d72be3ccbb5bd671af0e701f391f9c6dff828456
Instruction ID: 71d61547a6b5e3f98ce9a850480368c520b5b927c5c95a825b0bd26ad569b80a
Opcode Fuzzy Hash: cb1882e89d5d7a0e7bbb31e1d72be3ccbb5bd671af0e701f391f9c6dff828456
Instruction Fuzzy Hash: AEE086366122669FD7205FB26D4CB973BACEF54796F158828F245ED050DE348449C750

Function 00E66240 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 317COMMON

Download Yara Rule

Strings

%, xrefs: 00E6624E

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID:
String ID: %
API String ID: 0-2291192146
Opcode ID: 40180f3d9784aad35ac1bf048ad463a4c046c08d04cf07cb87315dd3d2d34625
Instruction ID: 27d70788f99d2f7529a19f246ee0a10148650cc0a8aabffd4c41acb0f8442eca
Opcode Fuzzy Hash: 40180f3d9784aad35ac1bf048ad463a4c046c08d04cf07cb87315dd3d2d34625
Instruction Fuzzy Hash: FDB1F3719901099BCF14EF94E8859FEBBF8FF44394F106126E952B7291DB30AE81CB91

Function 00ECAFAC Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00E7FC86: _wcscpy.LIBCMT ref: 00E7FCA9

Part of subcall function 00E69837: __itow.LIBCMT ref: 00E69862
Part of subcall function 00E69837: __swprintf.LIBCMT ref: 00E698AC

__wcsnicmp.LIBCMT ref: 00ECB02D
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00ECB0F6

Strings

LPT, xrefs: 00ECB027

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 6a2e91da22507fd1c36e9b49c4a1eae62c0026e23fd9812a9852a1fc940e2d6e
Instruction ID: ba940af357ed4dea31489678f71f537778070958e79e1127a0b160d8d822d404
Opcode Fuzzy Hash: 6a2e91da22507fd1c36e9b49c4a1eae62c0026e23fd9812a9852a1fc940e2d6e
Instruction Fuzzy Hash: 68617A71A00218EFCB18DF94D992EAEB7F8EB08310F04506DF91ABB291D731AE45CB50

Function 00E72957 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00E72968
GlobalMemoryStatusEx.KERNEL32(?), ref: 00E72981

Strings

@, xrefs: 00E72975

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 19c47101ccf8faf0d74319a8077afcc16a11d14a20328915b4d2a5778a6f7869
Instruction ID: 0da66b781c9c5c78dc9c70aed5b22b4e9f2f5cb92bffffd9cd8b6493fca2f2ee
Opcode Fuzzy Hash: 19c47101ccf8faf0d74319a8077afcc16a11d14a20328915b4d2a5778a6f7869
Instruction Fuzzy Hash: 595138714087489BD320EF10EC86BABBBE8FB85384F41895DF2D8510A2DF319529CB66

Function 00EC9734 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00E64F0B: __fread_nolock.LIBCMT ref: 00E64F29

_wcscmp.LIBCMT ref: 00EC9824
_wcscmp.LIBCMT ref: 00EC9837

Strings

FILE, xrefs: 00EC9770

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: eda54f24fe58eff24f1ebf05da7f485b3ed2ffa34f2d1ec9337c354e7240a8e5
Instruction ID: 9f7c9c89b7ba224ac90cd2b6063546d7cf5055811266a6524c217099600c2977
Opcode Fuzzy Hash: eda54f24fe58eff24f1ebf05da7f485b3ed2ffa34f2d1ec9337c354e7240a8e5
Instruction Fuzzy Hash: A241F672A40209BADF219BA0DC4AFEFBBFDDF85714F011469F904B71C1DA729A058B61

Function 00ED258E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00ED259E
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00ED25D4

Strings

|, xrefs: 00ED25A5

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 56a8ebf2f603dd69353dad1a8ad23043598dc1bd55fc04a74355b0e994acd360
Instruction ID: 9b8e11aadeddb00c7d180c03f2f78dd4649942b3f033f0343473709c1d298b92
Opcode Fuzzy Hash: 56a8ebf2f603dd69353dad1a8ad23043598dc1bd55fc04a74355b0e994acd360
Instruction Fuzzy Hash: F3311971800219ABCF01EFA0DC85EEEBFB8FF18354F10105AF955B6266EA319956DB60

Function 00EE7A71 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00EE7B61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00EE7B76

Strings

', xrefs: 00EE7ACA

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: d2e392ab72494a24e6bf5b4fdb1a6be7db0652ed81eb4a46501f470e4c6594c1
Instruction ID: c095efcd0ef15f578e62d6b4822051a22c618dd6456b9a5343a256eff58dc2ac
Opcode Fuzzy Hash: d2e392ab72494a24e6bf5b4fdb1a6be7db0652ed81eb4a46501f470e4c6594c1
Instruction Fuzzy Hash: 97410874A0524E9FDB14CF65D881BEABBB9FB08304F10116AE948EB351E770A951CF90

Function 00EE6A63 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00EE6B17
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00EE6B53

Strings

static, xrefs: 00EE6AB3

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: c349d3564b1cbe41a50642a8bee969815bd8b882b19cd55e83216a598ecab00f
Instruction ID: 8fe60b1ccd5fbe6ff419ac724e79e897302d09f65c554be7bab8f0bcc2218db1
Opcode Fuzzy Hash: c349d3564b1cbe41a50642a8bee969815bd8b882b19cd55e83216a598ecab00f
Instruction Fuzzy Hash: F431A171100648AEDB109F65DC80BFB77B9FF987A4F10A629F9A9E7190DB31AC41C760

Function 00EC28A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00EC2911
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00EC294C

Strings

0, xrefs: 00EC290A

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 8b8597c155caa299f2044f09f32e98987b10ccb8ca023b7dbc60ea81e5255dfb
Instruction ID: f1e09f3631c919b6a8c56bd6e163bb569dc3c7f9c1e7f40f9df1e8f958dca0c2
Opcode Fuzzy Hash: 8b8597c155caa299f2044f09f32e98987b10ccb8ca023b7dbc60ea81e5255dfb
Instruction Fuzzy Hash: C331D131600305DBEB24DE58CA85FAEBBF4EF85354F14202DEA85B61A0D7719946CB11

Function 00EE66D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00EE6761
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00EE676C

Strings

Combobox, xrefs: 00EE672E

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 5346b0ad8677152d1489aa55f41fc8bf16b88a494c94f8124d0e131b68792eee
Instruction ID: b294bb9a31092a27bea5e7926410ce4ec2123f26542e240c78329e138acb8af4
Opcode Fuzzy Hash: 5346b0ad8677152d1489aa55f41fc8bf16b88a494c94f8124d0e131b68792eee
Instruction Fuzzy Hash: 7011B27120024DAFEF218F55DC80EEB37AAEB583A8F10112AF914A7290D671DC9187A0

Function 00EE6C07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00E61D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00E61D73
Part of subcall function 00E61D35: GetStockObject.GDI32(00000011), ref: 00E61D87
Part of subcall function 00E61D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E61D91

GetWindowRect.USER32(00000000,?), ref: 00EE6C71
GetSysColor.USER32(00000012), ref: 00EE6C8B

Strings

static, xrefs: 00EE6C4E

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: cc70b8d451c5a88a791c32e1ecb3e8705876b6535aa8b5c00a9d3927ffe46a0b
Instruction ID: 5ddfa2a02b40195ef7ee091e227f2ec12c7574451ca45cabbafef3115a962044
Opcode Fuzzy Hash: cc70b8d451c5a88a791c32e1ecb3e8705876b6535aa8b5c00a9d3927ffe46a0b
Instruction Fuzzy Hash: 1921597251024DAFDF04DFA9CC45AEABBB8FB18354F105628F995E2250E735E850DB60

Function 00EE6920 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00EE69A2
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00EE69B1

Strings

edit, xrefs: 00EE6986

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 899d3653977d5387975f8aefc2a29674700ac7cecc3d3bbdfe27b71f18cfd5a6
Instruction ID: 51f1336bcc99ada0cab335c6f190b05e151fc897c574bddd731d6f364811c2d7
Opcode Fuzzy Hash: 899d3653977d5387975f8aefc2a29674700ac7cecc3d3bbdfe27b71f18cfd5a6
Instruction Fuzzy Hash: C8119D7110028CABEB108E669C80AEB37A9EBA53B8F105724F9A4A61E1C732DC549760

Function 00EC29AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00EC2A22
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00EC2A41

Strings

0, xrefs: 00EC2A18

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 24597cc8b42d255091b4202ac700db9b160644ecdb1821b551ae41a2c56f9a6b
Instruction ID: 09111f8978d0c8f4a8354cd93647085eb28018c15f9acd526211cccebb2ff0db
Opcode Fuzzy Hash: 24597cc8b42d255091b4202ac700db9b160644ecdb1821b551ae41a2c56f9a6b
Instruction Fuzzy Hash: 1C11E932901518ABCB30DB68DD44FEA77B8AB45304F04603DEA55F7290D771AD0BC791

Function 00ED21D6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00ED222C
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00ED2255

Strings

<local>, xrefs: 00ED221D

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 435b18e5791113270afe631d83b894efacaf715568e6d943ddab79c2a81b5b32
Instruction ID: 33b601432e8780f7ff4ddd0fe019c7f9445634c3a704dd4dab019ccd6a0b3163
Opcode Fuzzy Hash: 435b18e5791113270afe631d83b894efacaf715568e6d943ddab79c2a81b5b32
Instruction Fuzzy Hash: 01110E70501265BEDB258F118C88EFBFBA8FF26355F10922FFA04A6210E2705986D6F0

Function 00EB8E05 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E67DE1: _memmove.LIBCMT ref: 00E67E22

Part of subcall function 00EBAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00EBAABC

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00EB8E73

Strings

ListBox, xrefs: 00EB8E3D
ComboBox, xrefs: 00EB8E12

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: c42afcc82216bc81ad16a1ec34242d9c0d929450f562ba83abc9302d1e0f0379
Instruction ID: 9587e534f763409f3e8f0408e50faca0e81d6567ea739bca5f85bf073b0742da
Opcode Fuzzy Hash: c42afcc82216bc81ad16a1ec34242d9c0d929450f562ba83abc9302d1e0f0379
Instruction Fuzzy Hash: DB01F171641229AB8F15EBA4CD818FF73A8AF02360B141A19F875773E1DE319808D660

Function 00EC8D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00EC8DAC
__fread_nolock.LIBCMT ref: 00EC8DC1

Strings

EA06, xrefs: 00EC8DF3

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 45135b4bea3da6fd9bd28ac728314ffc2640886aab92bca86393a25b24637315
Instruction ID: a0d26366fc5a33195c20532249812738beade8e0bd80d07407e2c872e53dd528
Opcode Fuzzy Hash: 45135b4bea3da6fd9bd28ac728314ffc2640886aab92bca86393a25b24637315
Instruction Fuzzy Hash: BF01D2728046186EDB28DAA8C916EEABBF89B11311F00419EF556E2181E875A6088BA0

Function 00EB8CFD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E67DE1: _memmove.LIBCMT ref: 00E67E22

Part of subcall function 00EBAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00EBAABC

SendMessageW.USER32(?,00000180,00000000,?), ref: 00EB8D6B

Strings

ListBox, xrefs: 00EB8D35
ComboBox, xrefs: 00EB8D0A

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 05824e9833a149474c4b461bda5cab37579747a2121249b47e8f5ca201137e5f
Instruction ID: 45b0169be08a58494d505300c63396d8df21049f18e5fc01ecf5195eae87d215
Opcode Fuzzy Hash: 05824e9833a149474c4b461bda5cab37579747a2121249b47e8f5ca201137e5f
Instruction Fuzzy Hash: 2201D471B81209ABCF15EBA0CA92AFF73EC9F15390F14102AB855772D1DE209E08D671

Function 00EB8D82 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E67DE1: _memmove.LIBCMT ref: 00E67E22

Part of subcall function 00EBAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00EBAABC

SendMessageW.USER32(?,00000182,?,00000000), ref: 00EB8DEE

Strings

ListBox, xrefs: 00EB8DBA
ComboBox, xrefs: 00EB8D8F

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: f339bf11bd45719da5b6c6bfca501facc72c4038fffa0eb109ba0545468cc6a8
Instruction ID: f79f133ad2fc7cb15801808504dd5288880f027a1f9dad8f9111a4a1ed8394ce
Opcode Fuzzy Hash: f339bf11bd45719da5b6c6bfca501facc72c4038fffa0eb109ba0545468cc6a8
Instruction Fuzzy Hash: 9201A771B81209A7DF15E7A4DA82AFF77EC9F11350F141416B85573291DE214E08E671

Function 00EC4F28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00EC4F46
_wcscmp.LIBCMT ref: 00EC4F58

Strings

#32770, xrefs: 00EC4F52

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: ca26fcd117b1c015c619a211789f7c94a569050704bd6804a8c100d15047ed0a
Instruction ID: b4f799274cb011d992744c58772314f0f88e362d6fd738a12c453c791ee399a4
Opcode Fuzzy Hash: ca26fcd117b1c015c619a211789f7c94a569050704bd6804a8c100d15047ed0a
Instruction Fuzzy Hash: 07E09B7260022C2AD72097559C45FE7FBACDB45B70F00115BFD04E6051D5709A4687D1

Function 00E9B2C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00E9B314: _memset.LIBCMT ref: 00E9B321

Part of subcall function 00E80940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00E9B2F0,?,?,?,00E6100A), ref: 00E80945

IsDebuggerPresent.KERNEL32(?,?,?,00E6100A), ref: 00E9B2F4
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00E6100A), ref: 00E9B303

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00E9B2FE

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: f144447536930b57b6cb66d7bfb4bc18b23e55890b6e2fe0cde6b1d0ef42ccd7
Instruction ID: 009d886b051bd8558a283beaadd1fea00ded58ae67bf275344c477a250fbd16f
Opcode Fuzzy Hash: f144447536930b57b6cb66d7bfb4bc18b23e55890b6e2fe0cde6b1d0ef42ccd7
Instruction Fuzzy Hash: 22E09270200750CFDB60DF29E6083427BE4AF44714F00896CE496E7291EBF4D408DBB1

Function 00EB7C74 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00EB7C82

Part of subcall function 00E83358: _doexit.LIBCMT ref: 00E83362

Strings

Error allocating memory., xrefs: 00EB7C7B
AutoIt, xrefs: 00EB7C76

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 8aa8556ae1bc3c934fe0250aac61aa2f63740d35680f4fa31870d449f33632cb
Instruction ID: f065f18cce38e2d685b37713e0dabb0081cb2baaf5590718164b32409e4367ff
Opcode Fuzzy Hash: 8aa8556ae1bc3c934fe0250aac61aa2f63740d35680f4fa31870d449f33632cb
Instruction Fuzzy Hash: D9D012323C435C36D15532A5AC06BDA7A884B05B56F041455FB5C7A5D389D1858152E9

Function 00EA1935 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 00EA1775

Part of subcall function 00EDBFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,00EA195E,?), ref: 00EDBFFE
Part of subcall function 00EDBFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00EDC010

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00EA196D

Strings

WIN_XPe, xrefs: 00EA1788

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: 69a1942b760fb71fb74a7b1b080e354b7b26351bb9c07f8e643b392242a10636
Instruction ID: 7ac5702f7fcdfdb558dd306ae59d3c30d30debba4569b82d022c54cf5fc07f67
Opcode Fuzzy Hash: 69a1942b760fb71fb74a7b1b080e354b7b26351bb9c07f8e643b392242a10636
Instruction Fuzzy Hash: E6F0A57080110DDFDB15DB91CA84AECBAF8AB1A305F642096F102BA191D7715F89DF60

Function 00EE5998 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00EE59AE
PostMessageW.USER32(00000000), ref: 00EE59B5

Part of subcall function 00EC5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00EC52BC

Strings

Shell_TrayWnd, xrefs: 00EE59A7

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 6b518a0d1a9e05f19efc414d2081c8a642e56dd26cf98e77e62cfc59d559b8c8
Instruction ID: 2ebb9677fc6d339fc91f95ca0c4186c224711045137868e4688b56a280fa0128
Opcode Fuzzy Hash: 6b518a0d1a9e05f19efc414d2081c8a642e56dd26cf98e77e62cfc59d559b8c8
Instruction Fuzzy Hash: 10D0A932380301BBE668AB709C8BFD22A60AB40B50F000828B205BE0E0C9E0A804C694

Function 00EE5964 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00EE596E
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00EE5981

Part of subcall function 00EC5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00EC52BC

Strings

Shell_TrayWnd, xrefs: 00EE5967

Memory Dump Source

Source File: 00000000.00000002.2188130416.0000000000E61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true

Associated: 00000000.00000002.2188099626.0000000000E60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000EEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188222495.0000000000F14000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188286172.0000000000F1E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2188323545.0000000000F27000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e60000_8BzIVoQT3w.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 4ede2d0dc856cf963f11455ef600b6b25dbc9302aea39a22f8fb5b094a61409c
Instruction ID: f73c92880ca4987f7e4d3287d1db31d5a582ef018b8558443a284a3acfe896b4
Opcode Fuzzy Hash: 4ede2d0dc856cf963f11455ef600b6b25dbc9302aea39a22f8fb5b094a61409c
Instruction Fuzzy Hash: D0D0A932380301BBE668AB709C8BFE22A60AB40B50F000828B209BE0E0C9E0A804C690

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 8BzIVoQT3w.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\aut3BC1.tmp

C:\Users\user\AppData\Local\Temp\aut4AB5.tmp

C:\Users\user\AppData\Local\Temp\bothsidedness

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Windows Analysis Report
8BzIVoQT3w.exe

Function 00E63B3A Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Function 00E649A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00E64E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 00EC9155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 00E63025 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 67
windowregistryCOMMON

Function 00E63041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 00E6708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00E63633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Function 00E63A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00E63766 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Function 010BCCA8 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00E639D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 010BCA18 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 166
fileCOMMON

Function 00E6407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Function 00E6686A Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260
COMMON

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre