Edit tour

Windows Analysis Report
Qz8OEUxYuH.exe

Overview

General Information

Sample name:	Qz8OEUxYuH.exe renamed because original name is a hash value
Original sample name:	039ff8d47395774098b22f4d1afec32e447f5fa17923f8502b198e1f01247e8b.exe
Analysis ID:	1588251
MD5:	a1ea7a6740de730204aff6b80caeb17d
SHA1:	e6dd5f129c1e161b29bb743446489fd089878cd3
SHA256:	039ff8d47395774098b22f4d1afec32e447f5fa17923f8502b198e1f01247e8b
Tags:	exeFormbookuser-adrian__luca
Infos:

Detection

FormBook

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Qz8OEUxYuH.exe (PID: 3364 cmdline: "C:\Users\user\Desktop\Qz8OEUxYuH.exe" MD5: A1EA7A6740DE730204AFF6B80CAEB17D)

svchost.exe (PID: 5856 cmdline: "C:\Users\user\Desktop\Qz8OEUxYuH.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.2148041671.0000000003B50000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2147298585.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\Qz8OEUxYuH.exe", CommandLine: "C:\Users\user\Desktop\Qz8OEUxYuH.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Qz8OEUxYuH.exe", ParentImage: C:\Users\user\Desktop\Qz8OEUxYuH.exe, ParentProcessId: 3364, ParentProcessName: Qz8OEUxYuH.exe, ProcessCommandLine: "C:\Users\user\Desktop\Qz8OEUxYuH.exe", ProcessId: 5856, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\Qz8OEUxYuH.exe", CommandLine: "C:\Users\user\Desktop\Qz8OEUxYuH.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Qz8OEUxYuH.exe", ParentImage: C:\Users\user\Desktop\Qz8OEUxYuH.exe, ParentProcessId: 3364, ParentProcessName: Qz8OEUxYuH.exe, ProcessCommandLine: "C:\Users\user\Desktop\Qz8OEUxYuH.exe", ProcessId: 5856, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Qz8OEUxYuH.exe	Virustotal: Detection: 45%			Perma Link
Source: Qz8OEUxYuH.exe	ReversingLabs: Detection: 91%

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2148041671.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2147298585.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: Qz8OEUxYuH.exe

Joe Sandbox ML: detected

Source: Qz8OEUxYuH.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: Qz8OEUxYuH.exe, 00000000.00000003.2100427456.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, Qz8OEUxYuH.exe, 00000000.00000003.2097639920.00000000035E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2104004353.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2147656834.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2101647909.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2147656834.000000000399E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Qz8OEUxYuH.exe, 00000000.00000003.2100427456.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, Qz8OEUxYuH.exe, 00000000.00000003.2097639920.00000000035E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2104004353.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2147656834.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2101647909.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2147656834.000000000399E000.00000040.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Code function: 0_2_008E445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_008E445A
Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Code function: 0_2_008EC6D1 FindFirstFileW,FindClose,	0_2_008EC6D1
Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Code function: 0_2_008EC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_008EC75C
Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Code function: 0_2_008EEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_008EEF95
Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Code function: 0_2_008EF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_008EF0F2
Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Code function: 0_2_008EF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_008EF3F3
Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Code function: 0_2_008E37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_008E37EF
Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Code function: 0_2_008E3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_008E3B12
Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Code function: 0_2_008EBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_008EBCBC

Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe

Code function: 0_2_008F22EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_008F22EE

Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe

Code function: 0_2_008F4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_008F4164

Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe

Code function: 0_2_008F4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_008F4164

Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe

Code function: 0_2_008F3F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_008F3F66

Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe

Code function: 0_2_008E001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_008E001C

Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe

Code function: 0_2_0090CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_0090CABC

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2148041671.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2147298585.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00883B3A
Source: Qz8OEUxYuH.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Qz8OEUxYuH.exe, 00000000.00000000.2087670053.0000000000934000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_2d208728-8
Source: Qz8OEUxYuH.exe, 00000000.00000000.2087670053.0000000000934000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_cae78c0c-3
Source: Qz8OEUxYuH.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_e1d56901-5
Source: Qz8OEUxYuH.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_d8fa02a8-0

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042C593 NtClose,	2_2_0042C593
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872B60 NtClose,LdrInitializeThunk,	2_2_03872B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_03872DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038735C0 NtCreateMutant,LdrInitializeThunk,	2_2_038735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03874340 NtSetContextThread,	2_2_03874340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03874650 NtSuspendThread,	2_2_03874650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872B80 NtQueryInformationFile,	2_2_03872B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872BA0 NtEnumerateValueKey,	2_2_03872BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872BE0 NtQueryValueKey,	2_2_03872BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872BF0 NtAllocateVirtualMemory,	2_2_03872BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872AB0 NtWaitForSingleObject,	2_2_03872AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872AD0 NtReadFile,	2_2_03872AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872AF0 NtWriteFile,	2_2_03872AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872F90 NtProtectVirtualMemory,	2_2_03872F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872FA0 NtQuerySection,	2_2_03872FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872FB0 NtResumeThread,	2_2_03872FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872FE0 NtCreateFile,	2_2_03872FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872F30 NtCreateSection,	2_2_03872F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872F60 NtCreateProcessEx,	2_2_03872F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872E80 NtReadVirtualMemory,	2_2_03872E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872EA0 NtAdjustPrivilegesToken,	2_2_03872EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872EE0 NtQueueApcThread,	2_2_03872EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872E30 NtWriteVirtualMemory,	2_2_03872E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872DB0 NtEnumerateKey,	2_2_03872DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872DD0 NtDelayExecution,	2_2_03872DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872D00 NtSetInformationFile,	2_2_03872D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872D10 NtMapViewOfSection,	2_2_03872D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872D30 NtUnmapViewOfSection,	2_2_03872D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872CA0 NtQueryInformationToken,	2_2_03872CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872CC0 NtQueryVirtualMemory,	2_2_03872CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872CF0 NtOpenProcess,	2_2_03872CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872C00 NtQueryInformationProcess,	2_2_03872C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872C60 NtCreateKey,	2_2_03872C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872C70 NtFreeVirtualMemory,	2_2_03872C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03873090 NtSetValueKey,	2_2_03873090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03873010 NtOpenDirectoryObject,	2_2_03873010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038739B0 NtGetContextThread,	2_2_038739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03873D10 NtOpenProcessToken,	2_2_03873D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03873D70 NtOpenThread,	2_2_03873D70

Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe

Code function: 0_2_008EA1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_008EA1EF

Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe

Code function: 0_2_008D8310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_008D8310

Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe

Code function: 0_2_008E51BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_008E51BD

Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Code function: 0_2_008AD975	0_2_008AD975
Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Code function: 0_2_008A21C5	0_2_008A21C5
Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Code function: 0_2_008B62D2	0_2_008B62D2
Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Code function: 0_2_009003DA	0_2_009003DA
Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Code function: 0_2_008B242E	0_2_008B242E
Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Code function: 0_2_008A25FA	0_2_008A25FA
Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Code function: 0_2_0088E6A0	0_2_0088E6A0
Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Code function: 0_2_008966E1	0_2_008966E1
Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Code function: 0_2_008DE616	0_2_008DE616
Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Code function: 0_2_008B878F	0_2_008B878F
Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Code function: 0_2_008E8889	0_2_008E8889
Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Code function: 0_2_00898808	0_2_00898808
Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Code function: 0_2_00900857	0_2_00900857
Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Code function: 0_2_008B6844	0_2_008B6844
Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Code function: 0_2_008ACB21	0_2_008ACB21
Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Code function: 0_2_008B6DB6	0_2_008B6DB6
Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Code function: 0_2_00896F9E	0_2_00896F9E
Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Code function: 0_2_00893030	0_2_00893030
Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Code function: 0_2_008A3187	0_2_008A3187
Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Code function: 0_2_008AF1D9	0_2_008AF1D9
Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Code function: 0_2_00881287	0_2_00881287
Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Code function: 0_2_008A1484	0_2_008A1484
Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Code function: 0_2_00895520	0_2_00895520
Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Code function: 0_2_008A7696	0_2_008A7696
Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Code function: 0_2_00895760	0_2_00895760
Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Code function: 0_2_008A1978	0_2_008A1978
Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Code function: 0_2_008B9AB5	0_2_008B9AB5
Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Code function: 0_2_0088FCE0	0_2_0088FCE0
Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Code function: 0_2_008A1D90	0_2_008A1D90
Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Code function: 0_2_008ABDA6	0_2_008ABDA6
Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Code function: 0_2_00907DDB	0_2_00907DDB
Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Code function: 0_2_00893FE0	0_2_00893FE0
Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Code function: 0_2_0088DF00	0_2_0088DF00
Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Code function: 0_2_00F424A8	0_2_00F424A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004010C0	2_2_004010C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004010BE	2_2_004010BE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E109	2_2_0040E109
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E113	2_2_0040E113
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401210	2_2_00401210
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042EBB3	2_2_0042EBB3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040FDB3	2_2_0040FDB3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402E00	2_2_00402E00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402610	2_2_00402610
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041674F	2_2_0041674F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00416753	2_2_00416753
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040DFC3	2_2_0040DFC3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040FFD3	2_2_0040FFD3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384E3F0	2_2_0384E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039003E6	2_2_039003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FA352	2_2_038FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C02C0	2_2_038C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F41A2	2_2_038F41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039001AA	2_2_039001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F81CC	2_2_038F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03830100	2_2_03830100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DA118	2_2_038DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C8158	2_2_038C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D2000	2_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383C7C0	2_2_0383C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03864750	2_2_03864750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385C6E0	2_2_0385C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03900591	2_2_03900591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840535	2_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038EE4F6	2_2_038EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E4420	2_2_038E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F2446	2_2_038F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F6BD7	2_2_038F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FAB40	2_2_038FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383EA80	2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0390A9A6	2_2_0390A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03856962	2_2_03856962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038268B8	2_2_038268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E8F0	2_2_0386E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384A840	2_2_0384A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03842840	2_2_03842840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BEFA0	2_2_038BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03832FC8	2_2_03832FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384CFE0	2_2_0384CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03882F28	2_2_03882F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03860F30	2_2_03860F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E2F30	2_2_038E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B4F40	2_2_038B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03852E90	2_2_03852E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FCE93	2_2_038FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FEEDB	2_2_038FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FEE26	2_2_038FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840E59	2_2_03840E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03858DBF	2_2_03858DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383ADE0	2_2_0383ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384AD00	2_2_0384AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DCD1F	2_2_038DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0CB5	2_2_038E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03830CF2	2_2_03830CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840C00	2_2_03840C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0388739A	2_2_0388739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F132D	2_2_038F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382D34C	2_2_0382D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038452A0	2_2_038452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385B2C0	2_2_0385B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E12ED	2_2_038E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384B1B0	2_2_0384B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0387516C	2_2_0387516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382F172	2_2_0382F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0390B16B	2_2_0390B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038EF0CC	2_2_038EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038470C0	2_2_038470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F70E9	2_2_038F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FF0E0	2_2_038FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FF7B0	2_2_038FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F16CC	2_2_038F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03885630	2_2_03885630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DD5B0	2_2_038DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F7571	2_2_038F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FF43F	2_2_038FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03831460	2_2_03831460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385FB80	2_2_0385FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B5BF0	2_2_038B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0387DBF9	2_2_0387DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FFB76	2_2_038FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DDAAC	2_2_038DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03885AA0	2_2_03885AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E1AA3	2_2_038E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038EDAC6	2_2_038EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FFA49	2_2_038FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F7A46	2_2_038F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B3A6C	2_2_038B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D5910	2_2_038D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03849950	2_2_03849950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385B950	2_2_0385B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038438E0	2_2_038438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AD800	2_2_038AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03841F92	2_2_03841F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FFFB1	2_2_038FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03803FD2	2_2_03803FD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03803FD5	2_2_03803FD5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FFF09	2_2_038FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03849EB0	2_2_03849EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385FDC0	2_2_0385FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03843D40	2_2_03843D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F1D5A	2_2_038F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F7D73	2_2_038F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FFCF2	2_2_038FFCF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B9C32	2_2_038B9C32

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03887E54 appears 103 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 038AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0382B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 038BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03875130 appears 58 times
Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Code function: String function: 00887DE1 appears 35 times
Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Code function: String function: 008A0AE3 appears 70 times
Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Code function: String function: 008A8900 appears 42 times

Source: Qz8OEUxYuH.exe, 00000000.00000003.2098475521.0000000003753000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Qz8OEUxYuH.exe
Source: Qz8OEUxYuH.exe, 00000000.00000003.2097327197.00000000038AD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Qz8OEUxYuH.exe

Source: Qz8OEUxYuH.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal84.troj.evad.winEXE@3/4@0/0

Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe

Code function: 0_2_008EA06A GetLastError,FormatMessageW,

0_2_008EA06A

Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Code function: 0_2_008D81CB AdjustTokenPrivileges,CloseHandle,		0_2_008D81CB
Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Code function: 0_2_008D87E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_008D87E1

Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe

Code function: 0_2_008EB3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_008EB3FB

Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe

Code function: 0_2_008FEE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_008FEE0D

Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe

Code function: 0_2_008EC397 CoInitialize,CoCreateInstance,CoUninitialize,

0_2_008EC397

Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe

Code function: 0_2_00884E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00884E89

Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe

File created: C:\Users\user\AppData\Local\Temp\autA834.tmp

Jump to behavior

Source: Qz8OEUxYuH.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Qz8OEUxYuH.exe	Virustotal: Detection: 45%
Source: Qz8OEUxYuH.exe	ReversingLabs: Detection: 91%

Source: unknown	Process created: C:\Users\user\Desktop\Qz8OEUxYuH.exe "C:\Users\user\Desktop\Qz8OEUxYuH.exe"
Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Qz8OEUxYuH.exe"
Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Qz8OEUxYuH.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Section loaded: ntmarta.dll	Jump to behavior

Source: Qz8OEUxYuH.exe

Static file information: File size 1195520 > 1048576

Source: Qz8OEUxYuH.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Qz8OEUxYuH.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Qz8OEUxYuH.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Qz8OEUxYuH.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Qz8OEUxYuH.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Qz8OEUxYuH.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Qz8OEUxYuH.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: Qz8OEUxYuH.exe, 00000000.00000003.2100427456.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, Qz8OEUxYuH.exe, 00000000.00000003.2097639920.00000000035E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2104004353.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2147656834.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2101647909.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2147656834.000000000399E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Qz8OEUxYuH.exe, 00000000.00000003.2100427456.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, Qz8OEUxYuH.exe, 00000000.00000003.2097639920.00000000035E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2104004353.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2147656834.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2101647909.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2147656834.000000000399E000.00000040.00001000.00020000.00000000.sdmp

Source: Qz8OEUxYuH.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Qz8OEUxYuH.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Qz8OEUxYuH.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Qz8OEUxYuH.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Qz8OEUxYuH.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe

Code function: 0_2_00884B37 LoadLibraryA,GetProcAddress,

0_2_00884B37

Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Code function: 0_2_008A8945 push ecx; ret	0_2_008A8958
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00419071 push edx; iretd	2_2_00419072
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042D0D3 push ss; ret	2_2_0042D17B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00403080 push eax; ret	2_2_00403082
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00412167 push ebx; iretd	2_2_004121AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040D2E7 push 156EFA12h; iretd	2_2_0040D2EC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00411B18 push esi; retf	2_2_00411B25
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00405B38 push eax; ret	2_2_00405B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A4F3 push edi; iretd	2_2_0041A4FE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004235A3 push edx; retf	2_2_004235CE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040D61F push eax; ret	2_2_0040D621
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040D637 push eax; ret	2_2_0040D621
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004156F7 push edx; ret	2_2_00415709
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0380225F pushad ; ret	2_2_038027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038027FA pushad ; ret	2_2_038027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038309AD push ecx; mov dword ptr [esp], ecx	2_2_038309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0380283D push eax; iretd	2_2_03802858
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03801368 push eax; iretd	2_2_03801369

Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Code function: 0_2_008848D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_008848D7
Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Code function: 0_2_00905376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00905376

Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe

Code function: 0_2_008A3187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_008A3187

Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe

API/Special instruction interceptor: Address: F420CC

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Qz8OEUxYuH.exe, 00000000.00000002.2103868012.0000000000FBA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCMON.EXE
Source: Qz8OEUxYuH.exe, 00000000.00000003.2090356279.0000000000F49000.00000004.00000020.00020000.00000000.sdmp, Qz8OEUxYuH.exe, 00000000.00000003.2088429039.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, Qz8OEUxYuH.exe, 00000000.00000002.2103748847.0000000000F43000.00000004.00000020.00020000.00000000.sdmp, Qz8OEUxYuH.exe, 00000000.00000003.2090001103.0000000000F49000.00000004.00000020.00020000.00000000.sdmp, Qz8OEUxYuH.exe, 00000000.00000003.2090886595.0000000000F49000.00000004.00000020.00020000.00000000.sdmp, Qz8OEUxYuH.exe, 00000000.00000003.2089764062.0000000000F49000.00000004.00000020.00020000.00000000.sdmp, Qz8OEUxYuH.exe, 00000000.00000003.2089119844.0000000000F49000.00000004.00000020.00020000.00000000.sdmp, Qz8OEUxYuH.exe, 00000000.00000003.2088488246.0000000000F49000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCESSHACKER.EXER

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0387096E rdtsc

2_2_0387096E

Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-107376

Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	API coverage: 4.6 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.6 %

Source: C:\Windows\SysWOW64\svchost.exe TID: 6552

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Code function: 0_2_008E445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_008E445A
Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Code function: 0_2_008EC6D1 FindFirstFileW,FindClose,	0_2_008EC6D1
Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Code function: 0_2_008EC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_008EC75C
Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Code function: 0_2_008EEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_008EEF95
Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Code function: 0_2_008EF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_008EF0F2
Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Code function: 0_2_008EF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_008EF3F3
Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Code function: 0_2_008E37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_008E37EF
Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Code function: 0_2_008E3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_008E3B12
Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Code function: 0_2_008EBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_008EBCBC

Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe

Code function: 0_2_008849A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008849A0

Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	API call chain: ExitProcess graph end node			graph_0-104698
Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	API call chain: ExitProcess graph end node			graph_0-104893

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0387096E rdtsc

2_2_0387096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_004176E3 LdrLoadDll,

2_2_004176E3

Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe

Code function: 0_2_008F3F09 BlockInput,

0_2_008F3F09

Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe

Code function: 0_2_00883B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00883B3A

Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe

Code function: 0_2_008B5A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_008B5A7C

Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe

Code function: 0_2_00884B37 LoadLibraryA,GetProcAddress,

0_2_00884B37

Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Code function: 0_2_00F42398 mov eax, dword ptr fs:[00000030h]	0_2_00F42398
Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Code function: 0_2_00F42338 mov eax, dword ptr fs:[00000030h]	0_2_00F42338
Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Code function: 0_2_00F40CF8 mov eax, dword ptr fs:[00000030h]	0_2_00F40CF8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382E388 mov eax, dword ptr fs:[00000030h]	2_2_0382E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382E388 mov eax, dword ptr fs:[00000030h]	2_2_0382E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382E388 mov eax, dword ptr fs:[00000030h]	2_2_0382E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385438F mov eax, dword ptr fs:[00000030h]	2_2_0385438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385438F mov eax, dword ptr fs:[00000030h]	2_2_0385438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03828397 mov eax, dword ptr fs:[00000030h]	2_2_03828397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03828397 mov eax, dword ptr fs:[00000030h]	2_2_03828397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03828397 mov eax, dword ptr fs:[00000030h]	2_2_03828397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038EC3CD mov eax, dword ptr fs:[00000030h]	2_2_038EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0383A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0383A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0383A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0383A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0383A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0383A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038383C0 mov eax, dword ptr fs:[00000030h]	2_2_038383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038383C0 mov eax, dword ptr fs:[00000030h]	2_2_038383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038383C0 mov eax, dword ptr fs:[00000030h]	2_2_038383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038383C0 mov eax, dword ptr fs:[00000030h]	2_2_038383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B63C0 mov eax, dword ptr fs:[00000030h]	2_2_038B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE3DB mov eax, dword ptr fs:[00000030h]	2_2_038DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE3DB mov eax, dword ptr fs:[00000030h]	2_2_038DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE3DB mov ecx, dword ptr fs:[00000030h]	2_2_038DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE3DB mov eax, dword ptr fs:[00000030h]	2_2_038DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D43D4 mov eax, dword ptr fs:[00000030h]	2_2_038D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D43D4 mov eax, dword ptr fs:[00000030h]	2_2_038D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h]	2_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h]	2_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h]	2_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h]	2_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h]	2_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h]	2_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h]	2_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038403E9 mov eax, dword ptr fs:[00000030h]	2_2_038403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0384E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0384E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0384E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038663FF mov eax, dword ptr fs:[00000030h]	2_2_038663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A30B mov eax, dword ptr fs:[00000030h]	2_2_0386A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A30B mov eax, dword ptr fs:[00000030h]	2_2_0386A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A30B mov eax, dword ptr fs:[00000030h]	2_2_0386A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382C310 mov ecx, dword ptr fs:[00000030h]	2_2_0382C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03850310 mov ecx, dword ptr fs:[00000030h]	2_2_03850310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B2349 mov eax, dword ptr fs:[00000030h]	2_2_038B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B035C mov eax, dword ptr fs:[00000030h]	2_2_038B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B035C mov eax, dword ptr fs:[00000030h]	2_2_038B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B035C mov eax, dword ptr fs:[00000030h]	2_2_038B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B035C mov ecx, dword ptr fs:[00000030h]	2_2_038B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B035C mov eax, dword ptr fs:[00000030h]	2_2_038B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B035C mov eax, dword ptr fs:[00000030h]	2_2_038B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FA352 mov eax, dword ptr fs:[00000030h]	2_2_038FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D8350 mov ecx, dword ptr fs:[00000030h]	2_2_038D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D437C mov eax, dword ptr fs:[00000030h]	2_2_038D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E284 mov eax, dword ptr fs:[00000030h]	2_2_0386E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E284 mov eax, dword ptr fs:[00000030h]	2_2_0386E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B0283 mov eax, dword ptr fs:[00000030h]	2_2_038B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B0283 mov eax, dword ptr fs:[00000030h]	2_2_038B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B0283 mov eax, dword ptr fs:[00000030h]	2_2_038B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038402A0 mov eax, dword ptr fs:[00000030h]	2_2_038402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038402A0 mov eax, dword ptr fs:[00000030h]	2_2_038402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C62A0 mov eax, dword ptr fs:[00000030h]	2_2_038C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C62A0 mov ecx, dword ptr fs:[00000030h]	2_2_038C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C62A0 mov eax, dword ptr fs:[00000030h]	2_2_038C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C62A0 mov eax, dword ptr fs:[00000030h]	2_2_038C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C62A0 mov eax, dword ptr fs:[00000030h]	2_2_038C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C62A0 mov eax, dword ptr fs:[00000030h]	2_2_038C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0383A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0383A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0383A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0383A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0383A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038402E1 mov eax, dword ptr fs:[00000030h]	2_2_038402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038402E1 mov eax, dword ptr fs:[00000030h]	2_2_038402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038402E1 mov eax, dword ptr fs:[00000030h]	2_2_038402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382823B mov eax, dword ptr fs:[00000030h]	2_2_0382823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B8243 mov eax, dword ptr fs:[00000030h]	2_2_038B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B8243 mov ecx, dword ptr fs:[00000030h]	2_2_038B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382A250 mov eax, dword ptr fs:[00000030h]	2_2_0382A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836259 mov eax, dword ptr fs:[00000030h]	2_2_03836259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038EA250 mov eax, dword ptr fs:[00000030h]	2_2_038EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038EA250 mov eax, dword ptr fs:[00000030h]	2_2_038EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03834260 mov eax, dword ptr fs:[00000030h]	2_2_03834260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03834260 mov eax, dword ptr fs:[00000030h]	2_2_03834260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03834260 mov eax, dword ptr fs:[00000030h]	2_2_03834260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382826B mov eax, dword ptr fs:[00000030h]	2_2_0382826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E0274 mov eax, dword ptr fs:[00000030h]	2_2_038E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03870185 mov eax, dword ptr fs:[00000030h]	2_2_03870185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038EC188 mov eax, dword ptr fs:[00000030h]	2_2_038EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038EC188 mov eax, dword ptr fs:[00000030h]	2_2_038EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D4180 mov eax, dword ptr fs:[00000030h]	2_2_038D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D4180 mov eax, dword ptr fs:[00000030h]	2_2_038D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B019F mov eax, dword ptr fs:[00000030h]	2_2_038B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B019F mov eax, dword ptr fs:[00000030h]	2_2_038B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B019F mov eax, dword ptr fs:[00000030h]	2_2_038B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B019F mov eax, dword ptr fs:[00000030h]	2_2_038B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382A197 mov eax, dword ptr fs:[00000030h]	2_2_0382A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382A197 mov eax, dword ptr fs:[00000030h]	2_2_0382A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382A197 mov eax, dword ptr fs:[00000030h]	2_2_0382A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F61C3 mov eax, dword ptr fs:[00000030h]	2_2_038F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F61C3 mov eax, dword ptr fs:[00000030h]	2_2_038F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_038AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_038AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE1D0 mov ecx, dword ptr fs:[00000030h]	2_2_038AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_038AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_038AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039061E5 mov eax, dword ptr fs:[00000030h]	2_2_039061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038601F8 mov eax, dword ptr fs:[00000030h]	2_2_038601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE10E mov eax, dword ptr fs:[00000030h]	2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE10E mov ecx, dword ptr fs:[00000030h]	2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE10E mov eax, dword ptr fs:[00000030h]	2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE10E mov eax, dword ptr fs:[00000030h]	2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE10E mov ecx, dword ptr fs:[00000030h]	2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE10E mov eax, dword ptr fs:[00000030h]	2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE10E mov eax, dword ptr fs:[00000030h]	2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE10E mov ecx, dword ptr fs:[00000030h]	2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE10E mov eax, dword ptr fs:[00000030h]	2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DE10E mov ecx, dword ptr fs:[00000030h]	2_2_038DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DA118 mov ecx, dword ptr fs:[00000030h]	2_2_038DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DA118 mov eax, dword ptr fs:[00000030h]	2_2_038DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DA118 mov eax, dword ptr fs:[00000030h]	2_2_038DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DA118 mov eax, dword ptr fs:[00000030h]	2_2_038DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F0115 mov eax, dword ptr fs:[00000030h]	2_2_038F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03860124 mov eax, dword ptr fs:[00000030h]	2_2_03860124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C4144 mov eax, dword ptr fs:[00000030h]	2_2_038C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C4144 mov eax, dword ptr fs:[00000030h]	2_2_038C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C4144 mov ecx, dword ptr fs:[00000030h]	2_2_038C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C4144 mov eax, dword ptr fs:[00000030h]	2_2_038C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C4144 mov eax, dword ptr fs:[00000030h]	2_2_038C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382C156 mov eax, dword ptr fs:[00000030h]	2_2_0382C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C8158 mov eax, dword ptr fs:[00000030h]	2_2_038C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836154 mov eax, dword ptr fs:[00000030h]	2_2_03836154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836154 mov eax, dword ptr fs:[00000030h]	2_2_03836154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904164 mov eax, dword ptr fs:[00000030h]	2_2_03904164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904164 mov eax, dword ptr fs:[00000030h]	2_2_03904164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383208A mov eax, dword ptr fs:[00000030h]	2_2_0383208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C80A8 mov eax, dword ptr fs:[00000030h]	2_2_038C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F60B8 mov eax, dword ptr fs:[00000030h]	2_2_038F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F60B8 mov ecx, dword ptr fs:[00000030h]	2_2_038F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B20DE mov eax, dword ptr fs:[00000030h]	2_2_038B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382A0E3 mov ecx, dword ptr fs:[00000030h]	2_2_0382A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038380E9 mov eax, dword ptr fs:[00000030h]	2_2_038380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B60E0 mov eax, dword ptr fs:[00000030h]	2_2_038B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382C0F0 mov eax, dword ptr fs:[00000030h]	2_2_0382C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038720F0 mov ecx, dword ptr fs:[00000030h]	2_2_038720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B4000 mov ecx, dword ptr fs:[00000030h]	2_2_038B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D2000 mov eax, dword ptr fs:[00000030h]	2_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D2000 mov eax, dword ptr fs:[00000030h]	2_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D2000 mov eax, dword ptr fs:[00000030h]	2_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D2000 mov eax, dword ptr fs:[00000030h]	2_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D2000 mov eax, dword ptr fs:[00000030h]	2_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D2000 mov eax, dword ptr fs:[00000030h]	2_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D2000 mov eax, dword ptr fs:[00000030h]	2_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D2000 mov eax, dword ptr fs:[00000030h]	2_2_038D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384E016 mov eax, dword ptr fs:[00000030h]	2_2_0384E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384E016 mov eax, dword ptr fs:[00000030h]	2_2_0384E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384E016 mov eax, dword ptr fs:[00000030h]	2_2_0384E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384E016 mov eax, dword ptr fs:[00000030h]	2_2_0384E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382A020 mov eax, dword ptr fs:[00000030h]	2_2_0382A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382C020 mov eax, dword ptr fs:[00000030h]	2_2_0382C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C6030 mov eax, dword ptr fs:[00000030h]	2_2_038C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03832050 mov eax, dword ptr fs:[00000030h]	2_2_03832050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B6050 mov eax, dword ptr fs:[00000030h]	2_2_038B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385C073 mov eax, dword ptr fs:[00000030h]	2_2_0385C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D678E mov eax, dword ptr fs:[00000030h]	2_2_038D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038307AF mov eax, dword ptr fs:[00000030h]	2_2_038307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E47A0 mov eax, dword ptr fs:[00000030h]	2_2_038E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383C7C0 mov eax, dword ptr fs:[00000030h]	2_2_0383C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B07C3 mov eax, dword ptr fs:[00000030h]	2_2_038B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038527ED mov eax, dword ptr fs:[00000030h]	2_2_038527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038527ED mov eax, dword ptr fs:[00000030h]	2_2_038527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038527ED mov eax, dword ptr fs:[00000030h]	2_2_038527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BE7E1 mov eax, dword ptr fs:[00000030h]	2_2_038BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038347FB mov eax, dword ptr fs:[00000030h]	2_2_038347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038347FB mov eax, dword ptr fs:[00000030h]	2_2_038347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386C700 mov eax, dword ptr fs:[00000030h]	2_2_0386C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03830710 mov eax, dword ptr fs:[00000030h]	2_2_03830710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03860710 mov eax, dword ptr fs:[00000030h]	2_2_03860710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386C720 mov eax, dword ptr fs:[00000030h]	2_2_0386C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386C720 mov eax, dword ptr fs:[00000030h]	2_2_0386C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386273C mov eax, dword ptr fs:[00000030h]	2_2_0386273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386273C mov ecx, dword ptr fs:[00000030h]	2_2_0386273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386273C mov eax, dword ptr fs:[00000030h]	2_2_0386273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AC730 mov eax, dword ptr fs:[00000030h]	2_2_038AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386674D mov esi, dword ptr fs:[00000030h]	2_2_0386674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386674D mov eax, dword ptr fs:[00000030h]	2_2_0386674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386674D mov eax, dword ptr fs:[00000030h]	2_2_0386674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03830750 mov eax, dword ptr fs:[00000030h]	2_2_03830750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BE75D mov eax, dword ptr fs:[00000030h]	2_2_038BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872750 mov eax, dword ptr fs:[00000030h]	2_2_03872750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872750 mov eax, dword ptr fs:[00000030h]	2_2_03872750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B4755 mov eax, dword ptr fs:[00000030h]	2_2_038B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03838770 mov eax, dword ptr fs:[00000030h]	2_2_03838770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840770 mov eax, dword ptr fs:[00000030h]	2_2_03840770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03834690 mov eax, dword ptr fs:[00000030h]	2_2_03834690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03834690 mov eax, dword ptr fs:[00000030h]	2_2_03834690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386C6A6 mov eax, dword ptr fs:[00000030h]	2_2_0386C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038666B0 mov eax, dword ptr fs:[00000030h]	2_2_038666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_0386A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A6C7 mov eax, dword ptr fs:[00000030h]	2_2_0386A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_038AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_038AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_038AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_038AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B06F1 mov eax, dword ptr fs:[00000030h]	2_2_038B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B06F1 mov eax, dword ptr fs:[00000030h]	2_2_038B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE609 mov eax, dword ptr fs:[00000030h]	2_2_038AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384260B mov eax, dword ptr fs:[00000030h]	2_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384260B mov eax, dword ptr fs:[00000030h]	2_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384260B mov eax, dword ptr fs:[00000030h]	2_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384260B mov eax, dword ptr fs:[00000030h]	2_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384260B mov eax, dword ptr fs:[00000030h]	2_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384260B mov eax, dword ptr fs:[00000030h]	2_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384260B mov eax, dword ptr fs:[00000030h]	2_2_0384260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03872619 mov eax, dword ptr fs:[00000030h]	2_2_03872619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384E627 mov eax, dword ptr fs:[00000030h]	2_2_0384E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03866620 mov eax, dword ptr fs:[00000030h]	2_2_03866620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03868620 mov eax, dword ptr fs:[00000030h]	2_2_03868620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383262C mov eax, dword ptr fs:[00000030h]	2_2_0383262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0384C640 mov eax, dword ptr fs:[00000030h]	2_2_0384C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F866E mov eax, dword ptr fs:[00000030h]	2_2_038F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F866E mov eax, dword ptr fs:[00000030h]	2_2_038F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A660 mov eax, dword ptr fs:[00000030h]	2_2_0386A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A660 mov eax, dword ptr fs:[00000030h]	2_2_0386A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03862674 mov eax, dword ptr fs:[00000030h]	2_2_03862674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03832582 mov eax, dword ptr fs:[00000030h]	2_2_03832582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03832582 mov ecx, dword ptr fs:[00000030h]	2_2_03832582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03864588 mov eax, dword ptr fs:[00000030h]	2_2_03864588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E59C mov eax, dword ptr fs:[00000030h]	2_2_0386E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B05A7 mov eax, dword ptr fs:[00000030h]	2_2_038B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B05A7 mov eax, dword ptr fs:[00000030h]	2_2_038B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B05A7 mov eax, dword ptr fs:[00000030h]	2_2_038B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038545B1 mov eax, dword ptr fs:[00000030h]	2_2_038545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038545B1 mov eax, dword ptr fs:[00000030h]	2_2_038545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E5CF mov eax, dword ptr fs:[00000030h]	2_2_0386E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E5CF mov eax, dword ptr fs:[00000030h]	2_2_0386E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038365D0 mov eax, dword ptr fs:[00000030h]	2_2_038365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0386A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0386A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0385E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038325E0 mov eax, dword ptr fs:[00000030h]	2_2_038325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386C5ED mov eax, dword ptr fs:[00000030h]	2_2_0386C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386C5ED mov eax, dword ptr fs:[00000030h]	2_2_0386C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C6500 mov eax, dword ptr fs:[00000030h]	2_2_038C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904500 mov eax, dword ptr fs:[00000030h]	2_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904500 mov eax, dword ptr fs:[00000030h]	2_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904500 mov eax, dword ptr fs:[00000030h]	2_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904500 mov eax, dword ptr fs:[00000030h]	2_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904500 mov eax, dword ptr fs:[00000030h]	2_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904500 mov eax, dword ptr fs:[00000030h]	2_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904500 mov eax, dword ptr fs:[00000030h]	2_2_03904500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840535 mov eax, dword ptr fs:[00000030h]	2_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840535 mov eax, dword ptr fs:[00000030h]	2_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840535 mov eax, dword ptr fs:[00000030h]	2_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840535 mov eax, dword ptr fs:[00000030h]	2_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840535 mov eax, dword ptr fs:[00000030h]	2_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840535 mov eax, dword ptr fs:[00000030h]	2_2_03840535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E53E mov eax, dword ptr fs:[00000030h]	2_2_0385E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E53E mov eax, dword ptr fs:[00000030h]	2_2_0385E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E53E mov eax, dword ptr fs:[00000030h]	2_2_0385E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E53E mov eax, dword ptr fs:[00000030h]	2_2_0385E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E53E mov eax, dword ptr fs:[00000030h]	2_2_0385E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03838550 mov eax, dword ptr fs:[00000030h]	2_2_03838550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03838550 mov eax, dword ptr fs:[00000030h]	2_2_03838550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386656A mov eax, dword ptr fs:[00000030h]	2_2_0386656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386656A mov eax, dword ptr fs:[00000030h]	2_2_0386656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386656A mov eax, dword ptr fs:[00000030h]	2_2_0386656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038EA49A mov eax, dword ptr fs:[00000030h]	2_2_038EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038364AB mov eax, dword ptr fs:[00000030h]	2_2_038364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038644B0 mov ecx, dword ptr fs:[00000030h]	2_2_038644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BA4B0 mov eax, dword ptr fs:[00000030h]	2_2_038BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038304E5 mov ecx, dword ptr fs:[00000030h]	2_2_038304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03868402 mov eax, dword ptr fs:[00000030h]	2_2_03868402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03868402 mov eax, dword ptr fs:[00000030h]	2_2_03868402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03868402 mov eax, dword ptr fs:[00000030h]	2_2_03868402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382E420 mov eax, dword ptr fs:[00000030h]	2_2_0382E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382E420 mov eax, dword ptr fs:[00000030h]	2_2_0382E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382E420 mov eax, dword ptr fs:[00000030h]	2_2_0382E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382C427 mov eax, dword ptr fs:[00000030h]	2_2_0382C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h]	2_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h]	2_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h]	2_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h]	2_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h]	2_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h]	2_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B6420 mov eax, dword ptr fs:[00000030h]	2_2_038B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A430 mov eax, dword ptr fs:[00000030h]	2_2_0386A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]	2_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]	2_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]	2_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]	2_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]	2_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]	2_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]	2_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386E443 mov eax, dword ptr fs:[00000030h]	2_2_0386E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038EA456 mov eax, dword ptr fs:[00000030h]	2_2_038EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382645D mov eax, dword ptr fs:[00000030h]	2_2_0382645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385245A mov eax, dword ptr fs:[00000030h]	2_2_0385245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BC460 mov ecx, dword ptr fs:[00000030h]	2_2_038BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385A470 mov eax, dword ptr fs:[00000030h]	2_2_0385A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385A470 mov eax, dword ptr fs:[00000030h]	2_2_0385A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385A470 mov eax, dword ptr fs:[00000030h]	2_2_0385A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840BBE mov eax, dword ptr fs:[00000030h]	2_2_03840BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840BBE mov eax, dword ptr fs:[00000030h]	2_2_03840BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_038E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_038E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03850BCB mov eax, dword ptr fs:[00000030h]	2_2_03850BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03850BCB mov eax, dword ptr fs:[00000030h]	2_2_03850BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03850BCB mov eax, dword ptr fs:[00000030h]	2_2_03850BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03830BCD mov eax, dword ptr fs:[00000030h]	2_2_03830BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03830BCD mov eax, dword ptr fs:[00000030h]	2_2_03830BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03830BCD mov eax, dword ptr fs:[00000030h]	2_2_03830BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DEBD0 mov eax, dword ptr fs:[00000030h]	2_2_038DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03838BF0 mov eax, dword ptr fs:[00000030h]	2_2_03838BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03838BF0 mov eax, dword ptr fs:[00000030h]	2_2_03838BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03838BF0 mov eax, dword ptr fs:[00000030h]	2_2_03838BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385EBFC mov eax, dword ptr fs:[00000030h]	2_2_0385EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BCBF0 mov eax, dword ptr fs:[00000030h]	2_2_038BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]	2_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]	2_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]	2_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]	2_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]	2_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]	2_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]	2_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]	2_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AEB1D mov eax, dword ptr fs:[00000030h]	2_2_038AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385EB20 mov eax, dword ptr fs:[00000030h]	2_2_0385EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385EB20 mov eax, dword ptr fs:[00000030h]	2_2_0385EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F8B28 mov eax, dword ptr fs:[00000030h]	2_2_038F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038F8B28 mov eax, dword ptr fs:[00000030h]	2_2_038F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E4B4B mov eax, dword ptr fs:[00000030h]	2_2_038E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038E4B4B mov eax, dword ptr fs:[00000030h]	2_2_038E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03902B57 mov eax, dword ptr fs:[00000030h]	2_2_03902B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03902B57 mov eax, dword ptr fs:[00000030h]	2_2_03902B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03902B57 mov eax, dword ptr fs:[00000030h]	2_2_03902B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03902B57 mov eax, dword ptr fs:[00000030h]	2_2_03902B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C6B40 mov eax, dword ptr fs:[00000030h]	2_2_038C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C6B40 mov eax, dword ptr fs:[00000030h]	2_2_038C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FAB40 mov eax, dword ptr fs:[00000030h]	2_2_038FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D8B42 mov eax, dword ptr fs:[00000030h]	2_2_038D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DEB50 mov eax, dword ptr fs:[00000030h]	2_2_038DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0382CB7E mov eax, dword ptr fs:[00000030h]	2_2_0382CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]	2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]	2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]	2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]	2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]	2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]	2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]	2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]	2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383EA80 mov eax, dword ptr fs:[00000030h]	2_2_0383EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03904A80 mov eax, dword ptr fs:[00000030h]	2_2_03904A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03868A90 mov edx, dword ptr fs:[00000030h]	2_2_03868A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03838AA0 mov eax, dword ptr fs:[00000030h]	2_2_03838AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03838AA0 mov eax, dword ptr fs:[00000030h]	2_2_03838AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03886AA4 mov eax, dword ptr fs:[00000030h]	2_2_03886AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03886ACC mov eax, dword ptr fs:[00000030h]	2_2_03886ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03886ACC mov eax, dword ptr fs:[00000030h]	2_2_03886ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03886ACC mov eax, dword ptr fs:[00000030h]	2_2_03886ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03830AD0 mov eax, dword ptr fs:[00000030h]	2_2_03830AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03864AD0 mov eax, dword ptr fs:[00000030h]	2_2_03864AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03864AD0 mov eax, dword ptr fs:[00000030h]	2_2_03864AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386AAEE mov eax, dword ptr fs:[00000030h]	2_2_0386AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386AAEE mov eax, dword ptr fs:[00000030h]	2_2_0386AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BCA11 mov eax, dword ptr fs:[00000030h]	2_2_038BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386CA24 mov eax, dword ptr fs:[00000030h]	2_2_0386CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385EA2E mov eax, dword ptr fs:[00000030h]	2_2_0385EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03854A35 mov eax, dword ptr fs:[00000030h]	2_2_03854A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03854A35 mov eax, dword ptr fs:[00000030h]	2_2_03854A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386CA38 mov eax, dword ptr fs:[00000030h]	2_2_0386CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h]	2_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h]	2_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h]	2_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h]	2_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h]	2_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h]	2_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03836A50 mov eax, dword ptr fs:[00000030h]	2_2_03836A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840A5B mov eax, dword ptr fs:[00000030h]	2_2_03840A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03840A5B mov eax, dword ptr fs:[00000030h]	2_2_03840A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386CA6F mov eax, dword ptr fs:[00000030h]	2_2_0386CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386CA6F mov eax, dword ptr fs:[00000030h]	2_2_0386CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386CA6F mov eax, dword ptr fs:[00000030h]	2_2_0386CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038DEA60 mov eax, dword ptr fs:[00000030h]	2_2_038DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038ACA72 mov eax, dword ptr fs:[00000030h]	2_2_038ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038ACA72 mov eax, dword ptr fs:[00000030h]	2_2_038ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038429A0 mov eax, dword ptr fs:[00000030h]	2_2_038429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038309AD mov eax, dword ptr fs:[00000030h]	2_2_038309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038309AD mov eax, dword ptr fs:[00000030h]	2_2_038309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B89B3 mov esi, dword ptr fs:[00000030h]	2_2_038B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B89B3 mov eax, dword ptr fs:[00000030h]	2_2_038B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B89B3 mov eax, dword ptr fs:[00000030h]	2_2_038B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C69C0 mov eax, dword ptr fs:[00000030h]	2_2_038C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0383A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0383A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0383A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0383A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0383A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0383A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0383A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038649D0 mov eax, dword ptr fs:[00000030h]	2_2_038649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FA9D3 mov eax, dword ptr fs:[00000030h]	2_2_038FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BE9E0 mov eax, dword ptr fs:[00000030h]	2_2_038BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038629F9 mov eax, dword ptr fs:[00000030h]	2_2_038629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038629F9 mov eax, dword ptr fs:[00000030h]	2_2_038629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE908 mov eax, dword ptr fs:[00000030h]	2_2_038AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038AE908 mov eax, dword ptr fs:[00000030h]	2_2_038AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BC912 mov eax, dword ptr fs:[00000030h]	2_2_038BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03828918 mov eax, dword ptr fs:[00000030h]	2_2_03828918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03828918 mov eax, dword ptr fs:[00000030h]	2_2_03828918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B892A mov eax, dword ptr fs:[00000030h]	2_2_038B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038C892B mov eax, dword ptr fs:[00000030h]	2_2_038C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038B0946 mov eax, dword ptr fs:[00000030h]	2_2_038B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03856962 mov eax, dword ptr fs:[00000030h]	2_2_03856962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03856962 mov eax, dword ptr fs:[00000030h]	2_2_03856962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03856962 mov eax, dword ptr fs:[00000030h]	2_2_03856962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0387096E mov eax, dword ptr fs:[00000030h]	2_2_0387096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0387096E mov edx, dword ptr fs:[00000030h]	2_2_0387096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0387096E mov eax, dword ptr fs:[00000030h]	2_2_0387096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D4978 mov eax, dword ptr fs:[00000030h]	2_2_038D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D4978 mov eax, dword ptr fs:[00000030h]	2_2_038D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BC97C mov eax, dword ptr fs:[00000030h]	2_2_038BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03830887 mov eax, dword ptr fs:[00000030h]	2_2_03830887
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BC89D mov eax, dword ptr fs:[00000030h]	2_2_038BC89D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0385E8C0 mov eax, dword ptr fs:[00000030h]	2_2_0385E8C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_039008C0 mov eax, dword ptr fs:[00000030h]	2_2_039008C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038FA8E4 mov eax, dword ptr fs:[00000030h]	2_2_038FA8E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386C8F9 mov eax, dword ptr fs:[00000030h]	2_2_0386C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386C8F9 mov eax, dword ptr fs:[00000030h]	2_2_0386C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BC810 mov eax, dword ptr fs:[00000030h]	2_2_038BC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03852835 mov eax, dword ptr fs:[00000030h]	2_2_03852835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03852835 mov eax, dword ptr fs:[00000030h]	2_2_03852835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03852835 mov eax, dword ptr fs:[00000030h]	2_2_03852835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03852835 mov ecx, dword ptr fs:[00000030h]	2_2_03852835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03852835 mov eax, dword ptr fs:[00000030h]	2_2_03852835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03852835 mov eax, dword ptr fs:[00000030h]	2_2_03852835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0386A830 mov eax, dword ptr fs:[00000030h]	2_2_0386A830
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D483A mov eax, dword ptr fs:[00000030h]	2_2_038D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038D483A mov eax, dword ptr fs:[00000030h]	2_2_038D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03842840 mov ecx, dword ptr fs:[00000030h]	2_2_03842840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03860854 mov eax, dword ptr fs:[00000030h]	2_2_03860854
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03834859 mov eax, dword ptr fs:[00000030h]	2_2_03834859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03834859 mov eax, dword ptr fs:[00000030h]	2_2_03834859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038BE872 mov eax, dword ptr fs:[00000030h]	2_2_038BE872

Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe

Code function: 0_2_008D80A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_008D80A9

Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Code function: 0_2_008AA124 SetUnhandledExceptionFilter,		0_2_008AA124
Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Code function: 0_2_008AA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_008AA155

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe

Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 2D24008

Jump to behavior

Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe

Code function: 0_2_008D87B1 LogonUserW,

0_2_008D87B1

Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe

Code function: 0_2_00883B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00883B3A

Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe

Code function: 0_2_008848D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_008848D7

Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe

Code function: 0_2_008E4C27 mouse_event,

0_2_008E4C27

Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe

Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Qz8OEUxYuH.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe

Code function: 0_2_008D7CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_008D7CAF

Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe

Code function: 0_2_008D874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_008D874B

Source: Qz8OEUxYuH.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Qz8OEUxYuH.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe

Code function: 0_2_008A862B cpuid

0_2_008A862B

Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe

Code function: 0_2_008B4E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_008B4E87

Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe

Code function: 0_2_008C1E06 GetUserNameW,

0_2_008C1E06

Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe

Code function: 0_2_008B3F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_008B3F3A

Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe

Code function: 0_2_008849A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008849A0

Source: Qz8OEUxYuH.exe, 00000000.00000002.2103868012.0000000000FBA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: procmon.exe

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2148041671.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2147298585.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Source: Qz8OEUxYuH.exe	Binary or memory string: WIN_81
Source: Qz8OEUxYuH.exe	Binary or memory string: WIN_XP
Source: Qz8OEUxYuH.exe	Binary or memory string: WIN_XPe
Source: Qz8OEUxYuH.exe	Binary or memory string: WIN_VISTA
Source: Qz8OEUxYuH.exe	Binary or memory string: WIN_7
Source: Qz8OEUxYuH.exe	Binary or memory string: WIN_8
Source: Qz8OEUxYuH.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2148041671.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2147298585.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Code function: 0_2_008F6283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_008F6283
Source: C:\Users\user\Desktop\Qz8OEUxYuH.exe	Code function: 0_2_008F6747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_008F6747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	2 Native API	2 Valid Accounts	2 Valid Accounts	2 Valid Accounts	21 Input Capture	2 System Time Discovery	Remote Services	21 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	LSASS Memory	26 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	21 Access Token Manipulation	2 Virtualization/Sandbox Evasion	Security Account Manager	2 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	3 Clipboard Data	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	212 Process Injection	21 Access Token Manipulation	NTDS	3 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 DLL Side-Loading	212 Process Injection	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	1 Account Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Obfuscated Files or Information	DCSync	1 System Owner/User Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	1 File and Directory Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	115 System Information Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Qz8OEUxYuH.exe	46%	Virustotal		Browse
Qz8OEUxYuH.exe	91%	ReversingLabs	Win32.Trojan.AutoitInject
Qz8OEUxYuH.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588251
Start date and time:	2025-01-10 23:06:38 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Qz8OEUxYuH.exe renamed because original name is a hash value
Original Sample Name:	039ff8d47395774098b22f4d1afec32e447f5fa17923f8502b198e1f01247e8b.exe
Detection:	MAL
Classification:	mal84.troj.evad.winEXE@3/4@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 59 Number of non-executed functions: 269
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net
Report size exceeded maximum capacity and may have missing disassembly code.

Simulations

Behavior and APIs

Time	Type	Description
17:07:37	API Interceptor	3x Sleep call for process: svchost.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	ztcrKv3zFz.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	gH3LlhcRzg.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	3j7f6Bv4FT.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	rComprobante_swift_8676534657698632.exe	Get hash	malicious	AgentTesla	Browse	13.107.246.45
	6ZoBPR3isG.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	13.107.246.45
	iRmpdWgpoF.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	7cYDC0HciP.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	http://@1800-web.com/new/auth/6XEcGVvsnjwXq8bbJloqbuPkeuHjc6rLcgYUe/bGVvbi5ncmF2ZXNAYXRvcy5uZXQ=	Get hash	malicious	Unknown	Browse	13.107.246.45
	7cYDC0HciP.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	28uMwHvbTD.exe	Get hash	malicious	AgentTesla	Browse	13.107.246.45

Process:	C:\Users\user\Desktop\Qz8OEUxYuH.exe
File Type:	data
Category:	dropped
Size (bytes):	287744
Entropy (8bit):	7.994451777649668
Encrypted:	true
SSDEEP:	6144:edm22tEzZ7dq/rOfy03L36JIdmPtK1dFfU6F9gwqD2crM8iA4TJ:e72GdC36LKJ7tK1dVNlu3in
MD5:	D12729DABAE49C5D7D2CF7D93CF3A703
SHA1:	2C9732BD3BC6495FD2142ABC57D79BA70B422930
SHA-256:	E07E2AE1685891DC8091B3D0118AEC0BD9B2819305874EB6515A572F11E137C0
SHA-512:	C55512D964200C9C3A02ECD35E896A8325A5A225713A6883434B705B0D549A6AC40ABCC13F46CFC2CA74A8F297B2CB6357BBE27D5D99D83F4301CF42BA77DAC4
Malicious:	false
Reputation:	low
Preview:	.l.HRYDHI53M..O4.ZR6IHQY.HM53MJYO4IZR6IHQYDHM53MJYO4IZR6IHQY.HM5=R.WO.@.s.H..x. $F.=86(F(7rU(&?60h/P.??7o]'z.y.h<6 -c8>GnYO4IZR60IX.y(..--.rT..H..k9#.W...v9(.S...u(6..!.].--.O4IZR6IH..DH.42M..SbIZR6IHQY.HO48LAYOfMZR6IHQYDH] 3MJIO4IV6IH.YDXM53OJYI4IZR6IHWYDHM53MJ)K4IXR6IHQYFH..3MZYO$IZR6YHQIDHM53MZYO4IZR6IHQYDHM53MJYO4IZR6IHQYDHM53MJYO4IZR6IHQYDHM53MJYO4IZR6IHQYDHM53MJYO4IZR6IHQYDHM53MJYO4IZR6IHQYDHM53MJYO4IZR6IHQYDHM53MJYO4IZ\|B,0%YDH.e7MJIO4I.V6IXQYDHM53MJYO4IZr6I(QYDHM53MJYO4IZR6IHQYDHM53MJYO4IZR6IHQYDHM53MJYO4IZR6IHQYDHM53MJYO4IZR6IHQYDHM53MJYO4IZR6IHQYDHM53MJYO4IZR6IHQYDHM53MJYO4IZR6IHQYDHM53MJYO4IZR6IHQYDHM53MJYO4IZR6IHQYDHM53MJYO4IZR6IHQYDHM53MJYO4IZR6IHQYDHM53MJYO4IZR6IHQYDHM53MJYO4IZR6IHQYDHM53MJYO4IZR6IHQYDHM53MJYO4IZR6IHQYDHM53MJYO4IZR6IHQYDHM53MJYO4IZR6IHQYDHM53MJYO4IZR6IHQYDHM53MJYO4IZR6IHQYDHM53MJYO4IZR6IHQYDHM53MJYO4IZR6IHQYDHM53MJYO4IZR6IHQYDHM53MJYO4IZR6IHQYDHM53MJYO4IZR6IHQYDHM53MJYO4IZR6IHQYDHM53MJYO4IZR6IHQYDHM53MJYO4IZR6IHQYDHM53MJYO4IZR6IHQYDHM53MJYO4IZR6IHQYDHM5

C:\Users\user\AppData\Local\Temp\autA893.tmp

Download File

Process:	C:\Users\user\Desktop\Qz8OEUxYuH.exe
File Type:	data
Category:	dropped
Size (bytes):	14592
Entropy (8bit):	7.630821064052017
Encrypted:	false
SSDEEP:	384:ITYznwlR6ovC0TD4gjTaJos3+8YGxw079q:IAwlooK0TMgjmJ12
MD5:	8A9156E94E4D4B2A1A437217E5DC04BC
SHA1:	416D75B5386EBF7F8EB378CB488415A85E87BF95
SHA-256:	E6AAAF5D65314EDFF10B28CCD2581B282DEFC69BDCEDEC55FB1AF24F6C8AF70D
SHA-512:	5931DD711B24D42F54A83C5AEBDD2CAE9FD18595F5869710FD48E25885A956DFD5B4C9F5B9E73B0F9D9B7AE09CFABF3DB0F811A79FC8672D614F23634CEBC33D
Malicious:	false
Reputation:	low
Preview:	EA06..0..[.....+x..f....... .V......71...@.x..L........`......8............`.......Z\|3@...@.........K.X@0.2.Z..Z>)..w.e....l !..m..;...\| !.....;....;.....l.;.0./.<.;...m..rd.....@->.....4....f.C.5..;.............r.....X.<>`.O..p.........!.........h.=..........<\|3.....c...h.. -...... ...X.Z?......(...(.G..4.h....x....M@N.......Z?.I.......N@R... ...5.(..,.._...k`........R...._.K..?d...B.... 7W.......n.../.~.....)...@...!K....h\|!._....ga._.5.1.....`v/.......NA...,...7.7.,..!6.b...Z?.K(-...0.h..&.._....' -.............-..........G.6.....d_.T......"....d_.(M..57....n.....`...L....K.L..6.s.A.?..L.......Bg>...w.36.... !...L...}....\|V.4..r......$............r..9....>.....2... ...b....`......k.(.....!`....,......V1`..f....X.>i.v'.3c.........G.4....E.?......9..X.......7...l.`..."...\.61*........f.....\|.`.O.......,`........nl,....C.`....p...Y......`....@n?..;g....0...d...l ...P.?'....}...........0...4.X...>y.....1......x...L.\.i.....)...@n?............b...@.>y...

C:\Users\user\AppData\Local\Temp\cunili

Download File

Process:	C:\Users\user\Desktop\Qz8OEUxYuH.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	143378
Entropy (8bit):	2.9928258900071003
Encrypted:	false
SSDEEP:	96:AIXLr4e+F05BLMoQCs0FlRZpA6F3/nEGcud9IvySuE3WrWVjj3qnBaAJZdjurebD:H3BjDRbEGcud9IvySuE3WrWVfqnBaA
MD5:	BBFEB200A6431DC8A4A4C72466660DF8
SHA1:	42D70F022574840498D73FB1B3C044903FABFCF5
SHA-256:	B00C3F9F6D7115BE3378652CF977CD009F134673811E08D3F1160FC7968B0A15
SHA-512:	B9AAF1A752C15E31885C5516C404A9C05FA82E093A119F3F4654412F9AE8B5C4047582FB8B6030120FE282220867AC85FA11116C2380CB0DA7B52C8075C7A640
Malicious:	false
Reputation:	low
Preview:	dowp0dowpxdowp5dowp5dowp8dowpbdowpedowpcdowp8dowp1dowpedowpcdowpcdowpcdowp0dowp2dowp0dowp0dowp0dowp0dowp5dowp6dowp5dowp7dowpbdowp8dowp6dowpbdowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp4dowp5dowp8dowp4dowpbdowp9dowp6dowp5dowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp4dowpddowp8dowp6dowpbdowpadowp7dowp2dowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp5dowp5dowp8dowp8dowpbdowp8dowp6dowpedowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp4dowp5dowp8dowpadowpbdowp9dowp6dowp5dowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp4dowpddowp8dowpcdowpbdowpadowp6dowpcdowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp5dowp5dowp8dowpedowpbdowp8dowp3dowp3dowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp4dowp5dowp9dowp0dowpbdowp9dowp3dowp2dowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp4dowpddowp9dowp2dowpbdowpadowp2dowpedowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp5dowp5dowp9dowp4dowpbdowp8dowp6dowp4dowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9

C:\Users\user\AppData\Local\Temp\trickstress

Download File

Process:	C:\Users\user\Desktop\Qz8OEUxYuH.exe
File Type:	data
Category:	dropped
Size (bytes):	287744
Entropy (8bit):	7.994451777649668
Encrypted:	true
SSDEEP:	6144:edm22tEzZ7dq/rOfy03L36JIdmPtK1dFfU6F9gwqD2crM8iA4TJ:e72GdC36LKJ7tK1dVNlu3in
MD5:	D12729DABAE49C5D7D2CF7D93CF3A703
SHA1:	2C9732BD3BC6495FD2142ABC57D79BA70B422930
SHA-256:	E07E2AE1685891DC8091B3D0118AEC0BD9B2819305874EB6515A572F11E137C0
SHA-512:	C55512D964200C9C3A02ECD35E896A8325A5A225713A6883434B705B0D549A6AC40ABCC13F46CFC2CA74A8F297B2CB6357BBE27D5D99D83F4301CF42BA77DAC4
Malicious:	false
Reputation:	low
Preview:	.l.HRYDHI53M..O4.ZR6IHQY.HM53MJYO4IZR6IHQYDHM53MJYO4IZR6IHQY.HM5=R.WO.@.s.H..x. $F.=86(F(7rU(&?60h/P.??7o]'z.y.h<6 -c8>GnYO4IZR60IX.y(..--.rT..H..k9#.W...v9(.S...u(6..!.].--.O4IZR6IH..DH.42M..SbIZR6IHQY.HO48LAYOfMZR6IHQYDH] 3MJIO4IV6IH.YDXM53OJYI4IZR6IHWYDHM53MJ)K4IXR6IHQYFH..3MZYO$IZR6YHQIDHM53MZYO4IZR6IHQYDHM53MJYO4IZR6IHQYDHM53MJYO4IZR6IHQYDHM53MJYO4IZR6IHQYDHM53MJYO4IZR6IHQYDHM53MJYO4IZR6IHQYDHM53MJYO4IZR6IHQYDHM53MJYO4IZ\|B,0%YDH.e7MJIO4I.V6IXQYDHM53MJYO4IZr6I(QYDHM53MJYO4IZR6IHQYDHM53MJYO4IZR6IHQYDHM53MJYO4IZR6IHQYDHM53MJYO4IZR6IHQYDHM53MJYO4IZR6IHQYDHM53MJYO4IZR6IHQYDHM53MJYO4IZR6IHQYDHM53MJYO4IZR6IHQYDHM53MJYO4IZR6IHQYDHM53MJYO4IZR6IHQYDHM53MJYO4IZR6IHQYDHM53MJYO4IZR6IHQYDHM53MJYO4IZR6IHQYDHM53MJYO4IZR6IHQYDHM53MJYO4IZR6IHQYDHM53MJYO4IZR6IHQYDHM53MJYO4IZR6IHQYDHM53MJYO4IZR6IHQYDHM53MJYO4IZR6IHQYDHM53MJYO4IZR6IHQYDHM53MJYO4IZR6IHQYDHM53MJYO4IZR6IHQYDHM53MJYO4IZR6IHQYDHM53MJYO4IZR6IHQYDHM53MJYO4IZR6IHQYDHM53MJYO4IZR6IHQYDHM53MJYO4IZR6IHQYDHM53MJYO4IZR6IHQYDHM53MJYO4IZR6IHQYDHM5

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.176109229441547
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Qz8OEUxYuH.exe
File size:	1'195'520 bytes
MD5:	a1ea7a6740de730204aff6b80caeb17d
SHA1:	e6dd5f129c1e161b29bb743446489fd089878cd3
SHA256:	039ff8d47395774098b22f4d1afec32e447f5fa17923f8502b198e1f01247e8b
SHA512:	035837eff152c1305a59c34e0e3a6bc91d6abccef71011bce0af615df073b8d0bb45d406e08fb0d80c40865715cc44ef4b3e14c1799a721f5052d035d50ba688
SSDEEP:	24576:4u6J33O0c+JY5UZ+XC0kGso6FaBgdEFQ7n8BctqL6Vw8WY:yu0c++OCvkGs9FaBg7G+HaY
TLSH:	1745CF22B3DDC360CB669173BF69B7016EBF3C614630B95B2F880D7DA950161262D7A3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x427dcd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67577DBE [Mon Dec 9 23:31:10 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F01CC804FBAh
jmp 00007F01CC7F7D84h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F01CC7F7F0Ah
cmp edi, eax
jc 00007F01CC7F826Eh
bt dword ptr [004C31FCh], 01h
jnc 00007F01CC7F7F09h
rep movsb
jmp 00007F01CC7F821Ch
cmp ecx, 00000080h
jc 00007F01CC7F80D4h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F01CC7F7F10h
bt dword ptr [004BE324h], 01h
jc 00007F01CC7F83E0h
bt dword ptr [004C31FCh], 00000000h
jnc 00007F01CC7F80ADh
test edi, 00000003h
jne 00007F01CC7F80BEh
test esi, 00000003h
jne 00007F01CC7F809Dh
bt edi, 02h
jnc 00007F01CC7F7F0Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F01CC7F7F13h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F01CC7F7F65h
bt esi, 03h
jnc 00007F01CC7F7FB8h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x5b558	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x123000	0x711c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dcc4	0x8de00	d28a820a1d9ff26cda02d12b888ba4b4	False	0.5728679102422908	data	6.676118058520316	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	79b14b254506b0dbc8cd0ad67fb70ad9	False	0.33535526761517614	OpenPGP Public Key	5.76010872795207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	9f9d6f746f1a415a63de45f8b7983d33	False	0.1017530487804878	data	1.198745897703538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x5b558	0x5b600	e27a13d6d93d836790f75aac14441290	False	0.9282553864569083	data	7.8940791887135475	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x123000	0x711c	0x7200	6fcae3cbbf6bfbabf5ec5bbe7cf612c3	False	0.7650767543859649	data	6.779031650454199	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc75a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc76d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc77f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc7920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc7c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc7d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc8bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc9480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc99e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xcbf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xcd038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xcd4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xcd4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcda84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xce110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xce5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xceb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcf1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcf660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcf7b8	0x5281e	data			1.0003284509542831
RT_GROUP_ICON	0x121fd8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x122050	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x122064	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x122078	0x14	data	English	Great Britain	1.25
RT_VERSION	0x12208c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x122168	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 23:07:47.586539984 CET	1.1.1.1	192.168.2.5	0x19a9	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 23:07:47.586539984 CET	1.1.1.1	192.168.2.5	0x19a9	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	17:07:34
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\Qz8OEUxYuH.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Qz8OEUxYuH.exe"
Imagebase:	0x880000
File size:	1'195'520 bytes
MD5 hash:	A1EA7A6740DE730204AFF6B80CAEB17D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	17:07:35
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Qz8OEUxYuH.exe"
Imagebase:	0x7e0000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2148041671.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2147298585.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.7%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	4.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	45

Executed Functions

Function 00883B3A Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00883B68
IsDebuggerPresent.KERNEL32 ref: 00883B7A
GetFullPathNameW.KERNEL32(00007FFF,?,?,009452F8,009452E0,?,?), ref: 00883BEB

Part of subcall function 00887BCC: _memmove.LIBCMT ref: 00887C06

Part of subcall function 0089092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00883C14,009452F8,?,?,?), ref: 0089096E

SetCurrentDirectoryW.KERNEL32(?), ref: 00883C6F
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00937770,00000010), ref: 008BD281
SetCurrentDirectoryW.KERNEL32(?,009452F8,?,?,?), ref: 008BD2B9
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00934260,009452F8,?,?,?), ref: 008BD33F
ShellExecuteW.SHELL32(00000000,?,?), ref: 008BD346

Part of subcall function 00883A46: GetSysColorBrush.USER32(0000000F), ref: 00883A50
Part of subcall function 00883A46: LoadCursorW.USER32(00000000,00007F00), ref: 00883A5F
Part of subcall function 00883A46: LoadIconW.USER32(00000063), ref: 00883A76
Part of subcall function 00883A46: LoadIconW.USER32(000000A4), ref: 00883A88
Part of subcall function 00883A46: LoadIconW.USER32(000000A2), ref: 00883A9A
Part of subcall function 00883A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00883AC0
Part of subcall function 00883A46: RegisterClassExW.USER32(?), ref: 00883B16

Part of subcall function 008839D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00883A03
Part of subcall function 008839D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00883A24
Part of subcall function 008839D5: ShowWindow.USER32(00000000,?,?), ref: 00883A38
Part of subcall function 008839D5: ShowWindow.USER32(00000000,?,?), ref: 00883A41

Part of subcall function 0088434A: _memset.LIBCMT ref: 00884370
Part of subcall function 0088434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00884415

Strings

runas, xrefs: 008BD33A
This is a third-party compiled AutoIt script., xrefs: 008BD279

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 529118366-3287110873
Opcode ID: f4426c4ccbbcb3c2839075d876c913e8dce9d67aa07ce32c0217ce06390497a6
Instruction ID: 07679c57ec5430635ecad6606c2bd04e030f170048d1e818c1017d3dec4965ec
Opcode Fuzzy Hash: f4426c4ccbbcb3c2839075d876c913e8dce9d67aa07ce32c0217ce06390497a6
Instruction Fuzzy Hash: 2351E575908248AFCB21FBF8DC15DED7B75FB46714F104066F421E2263EAA09605EB22

Function 008849A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 008849CD

Part of subcall function 00887BCC: _memmove.LIBCMT ref: 00887C06

GetCurrentProcess.KERNEL32(?,0090FAEC,00000000,00000000,?), ref: 00884A9A
IsWow64Process.KERNEL32(00000000), ref: 00884AA1
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00884AE7
FreeLibrary.KERNEL32(00000000), ref: 00884AF2
GetSystemInfo.KERNEL32(00000000), ref: 00884B23
GetSystemInfo.KERNEL32(00000000), ref: 00884B2F

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 9b33499c4cfdfa5f75610b0b1194d55a7645b6a4b30d9932ffd4ebea7d41458a
Instruction ID: 2e6ab7c09a63cca5b59af6e3e3c3a1300f27789f968c9f9b4e23203e67a7a342
Opcode Fuzzy Hash: 9b33499c4cfdfa5f75610b0b1194d55a7645b6a4b30d9932ffd4ebea7d41458a
Instruction Fuzzy Hash: A691C23298D7C5DEC735EB7884501AABFF5FF2A304B44496ED0D6D7B01D220A908D759

Function 00884E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00884D8E,?,?,00000000,00000000), ref: 00884E99
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00884D8E,?,?,00000000,00000000), ref: 00884EB0
LoadResource.KERNEL32(?,00000000,?,?,00884D8E,?,?,00000000,00000000,?,?,?,?,?,?,00884E2F), ref: 008BD937
SizeofResource.KERNEL32(?,00000000,?,?,00884D8E,?,?,00000000,00000000,?,?,?,?,?,?,00884E2F), ref: 008BD94C
LockResource.KERNEL32(00884D8E,?,?,00884D8E,?,?,00000000,00000000,?,?,?,?,?,?,00884E2F,00000000), ref: 008BD95F

Strings

SCRIPT, xrefs: 00884EA6

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 2c309e30286741f2da280b40da954c0db7e02d62160dfa97c6acb6be6dde4c3a
Instruction ID: 84802aae051a2c0c92cca75176950666ec67435e41e385978aaf1b5a62c7941a
Opcode Fuzzy Hash: 2c309e30286741f2da280b40da954c0db7e02d62160dfa97c6acb6be6dde4c3a
Instruction Fuzzy Hash: 0B119E72250701BFD7209B65EC48F677BBAFBC5B21F104268F416C6650EB61E9009660

Function 008E445A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,008BE398), ref: 008E446A
FindFirstFileW.KERNELBASE(?,?), ref: 008E447B
FindClose.KERNEL32(00000000), ref: 008E448B

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 7f0693936b45c5a014bf4f305c02a90846bcc8e31da802d1481b0bc1fc4bc8e7
Instruction ID: 035c40c107375fe43d08f181b4be8b1ba8579a373854449777d0a4c152d8f48b
Opcode Fuzzy Hash: 7f0693936b45c5a014bf4f305c02a90846bcc8e31da802d1481b0bc1fc4bc8e7
Instruction Fuzzy Hash: 01E0D8335255456B8220AB38EC0D4E9779CEE06339F100715F939D14D0E7745A00A599

Function 008909D0 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00890A5B
timeGetTime.WINMM ref: 00890D16
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00890E53
Sleep.KERNEL32(0000000A), ref: 00890E61
LockWindowUpdate.USER32(00000000,?,?), ref: 00890EFA
DestroyWindow.USER32 ref: 00890F06
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00890F20
Sleep.KERNEL32(0000000A,?,?), ref: 008C4E83
TranslateMessage.USER32(?), ref: 008C5C60
DispatchMessageW.USER32(?), ref: 008C5C6E
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 008C5C82

Strings

@COM_EVENTOBJ, xrefs: 008C54F0
@TRAY_ID, xrefs: 008C578F
@GUI_CTRLID, xrefs: 008C4F3A
@GUI_WINHANDLE, xrefs: 008C4F8F
@GUI_CTRLHANDLE, xrefs: 008C4FE4

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 4212290369-3242690629
Opcode ID: d274be6328c33b711bcba048f3327490b754d99f2a8c896551ccde10ac8b46d8
Instruction ID: 4b1c6c69562fb229c8851470338058dfbc276c788e638da1306389a7a1a9ef67
Opcode Fuzzy Hash: d274be6328c33b711bcba048f3327490b754d99f2a8c896551ccde10ac8b46d8
Instruction Fuzzy Hash: C4B28D70608745DFDB24EB28C894F6AB7F5FB85304F18491DE49AD72A1CB71E884DB82

Function 008E9155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 008E8F5F: __time64.LIBCMT ref: 008E8F69

Part of subcall function 00884EE5: _fseek.LIBCMT ref: 00884EFD

__wsplitpath.LIBCMT ref: 008E9234

Part of subcall function 008A40FB: __wsplitpath_helper.LIBCMT ref: 008A413B

_wcscpy.LIBCMT ref: 008E9247
_wcscat.LIBCMT ref: 008E925A
__wsplitpath.LIBCMT ref: 008E927F
_wcscat.LIBCMT ref: 008E9295
_wcscat.LIBCMT ref: 008E92A8

Part of subcall function 008E8FA5: _memmove.LIBCMT ref: 008E8FDE
Part of subcall function 008E8FA5: _memmove.LIBCMT ref: 008E8FED

_wcscmp.LIBCMT ref: 008E91EF

Part of subcall function 008E9734: _wcscmp.LIBCMT ref: 008E9824
Part of subcall function 008E9734: _wcscmp.LIBCMT ref: 008E9837

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 008E9452
_wcsncpy.LIBCMT ref: 008E94C5
DeleteFileW.KERNEL32(?,?), ref: 008E94FB
CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 008E9511
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 008E9522
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 008E9534

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: ebb646dd1ac17deab2024c76196c92f345f75e26ef68b784da7f0a8661e9d2f4
Instruction ID: 4b8316a563407b49f1c8061d37685450f904ba7947af9c011fda9682811ec557
Opcode Fuzzy Hash: ebb646dd1ac17deab2024c76196c92f345f75e26ef68b784da7f0a8661e9d2f4
Instruction Fuzzy Hash: E3C13CB1D00219AADF21DF99CC85ADEB7BDFF96310F0040AAF609E7151EB709A448F65

Function 0088301C Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00883074
RegisterClassExW.USER32(00000030), ref: 0088309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 008830AF
InitCommonControlsEx.COMCTL32(?), ref: 008830CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 008830DC
LoadIconW.USER32(000000A9), ref: 008830F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00883101

Strings

TaskbarCreated, xrefs: 008830A4
0, xrefs: 00883056
AutoIt v3 GUI, xrefs: 00883090
+, xrefs: 0088305D

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 29dd30c7b3333d89dd7d3312f965dcc232bf51f7ce5f15406ac9c9f0cebc2653
Instruction ID: 0e52b13cd2c5a8864817e735c99d075fc18bda0fbf72e49ba82796ac23810c7b
Opcode Fuzzy Hash: 29dd30c7b3333d89dd7d3312f965dcc232bf51f7ce5f15406ac9c9f0cebc2653
Instruction Fuzzy Hash: D03145B5925209EFDB60CFE4E889AC9BBF4FB09310F10412AF590E62A1D7B50685DF91

Function 00883041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00883074
RegisterClassExW.USER32(00000030), ref: 0088309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 008830AF
InitCommonControlsEx.COMCTL32(?), ref: 008830CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 008830DC
LoadIconW.USER32(000000A9), ref: 008830F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00883101

Strings

TaskbarCreated, xrefs: 008830A4
0, xrefs: 00883056
AutoIt v3 GUI, xrefs: 00883090
+, xrefs: 0088305D

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: a9255330b131cd10c03d8ff0895ed28d9b11dd68e63d1ff694f4bf89059ca3b2
Instruction ID: 00975f1f979b2c31638a8f709d576ab8273f50f2a53b3d05fd37069e8b82a029
Opcode Fuzzy Hash: a9255330b131cd10c03d8ff0895ed28d9b11dd68e63d1ff694f4bf89059ca3b2
Instruction Fuzzy Hash: 2721F7B5925208AFDB10DFE4EC48B9DBBF4FB09700F01412AF510A62A1DBB14644AF91

Function 0088708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00884706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,009452F8,?,008837AE,?), ref: 00884724

Part of subcall function 008A050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00887165), ref: 008A052D

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 008871A8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 008BE8C8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 008BE909
RegCloseKey.ADVAPI32(?), ref: 008BE947
_wcscat.LIBCMT ref: 008BE9A0

Strings

\Include\, xrefs: 00887165
Software\AutoIt v3\AutoIt, xrefs: 0088719E
\, xrefs: 008BE9C3
Include, xrefs: 008BE8BF, 008BE900

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 5ac43775d107381077f17b6ec3201220fbedaea642c98a9c19ce0553193fd72d
Instruction ID: 6e41bc42fa35b6657c288c071e5e801b1dff11cb0c5b84452cfbd35b2236e0cc
Opcode Fuzzy Hash: 5ac43775d107381077f17b6ec3201220fbedaea642c98a9c19ce0553193fd72d
Instruction Fuzzy Hash: B3715BB5518301AED310EF29E851DABBBF8FF86310B50052EF465C72A1EBB19948DB53

Function 00883A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00883A50
LoadCursorW.USER32(00000000,00007F00), ref: 00883A5F
LoadIconW.USER32(00000063), ref: 00883A76
LoadIconW.USER32(000000A4), ref: 00883A88
LoadIconW.USER32(000000A2), ref: 00883A9A
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00883AC0
RegisterClassExW.USER32(?), ref: 00883B16

Part of subcall function 00883041: GetSysColorBrush.USER32(0000000F), ref: 00883074
Part of subcall function 00883041: RegisterClassExW.USER32(00000030), ref: 0088309E
Part of subcall function 00883041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 008830AF
Part of subcall function 00883041: InitCommonControlsEx.COMCTL32(?), ref: 008830CC
Part of subcall function 00883041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 008830DC
Part of subcall function 00883041: LoadIconW.USER32(000000A9), ref: 008830F2
Part of subcall function 00883041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00883101

Strings

AutoIt v3, xrefs: 00883B05
0, xrefs: 00883AF4
#, xrefs: 00883AFB

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: bd32b0f7ffd34e47e0fe70232161876fc4c605d3f6fe255c660e239430aee8fd
Instruction ID: cacfe3b3a33fda38b92169fcd8611ebf5b2e979550f472445f5b989857e01d82
Opcode Fuzzy Hash: bd32b0f7ffd34e47e0fe70232161876fc4c605d3f6fe255c660e239430aee8fd
Instruction Fuzzy Hash: 23213779928708AFEB21DFA4EC19F9D7BB4FB09711F01012AE510A62A2D3B55640AF85

Function 00883633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 008836D2
KillTimer.USER32(?,00000001), ref: 008836FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0088371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0088372A
CreatePopupMenu.USER32 ref: 0088373E
PostQuitMessage.USER32(00000000), ref: 0088374D

Strings

TaskbarCreated, xrefs: 00883725

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 72113dbb25c8e96e7105bb493b3671bf53796f102c54a938816d6ef2c01ef168
Instruction ID: f9fbe0330233192aaf98c6c84fcecf6dad1c230ed534df1c88066882acab63ff
Opcode Fuzzy Hash: 72113dbb25c8e96e7105bb493b3671bf53796f102c54a938816d6ef2c01ef168
Instruction Fuzzy Hash: 7941F8B2118609BBDF25BFACDC09F7D3794F711700F140535F502D62A2EA619E41B762

Function 00883766 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/AutoIt3ExecuteScript, xrefs: 008838BC
CMDLINERAW, xrefs: 008837FB
/AutoIt3OutputDebug, xrefs: 00883892
CMDLINE, xrefs: 00883822
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 008837AE
/ErrorStdOut, xrefs: 0088387D
/AutoIt3ExecuteLine, xrefs: 008838A7

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
API String ID: 1825951767-3513169116
Opcode ID: aed3247315c1d7945735f628bb8b32149cafe975d97620902d5781d4b1fd56ba
Instruction ID: 8ab1a83b04505b7ee6058d2fc9376944f0dea6db7caef457dc7088a8fc9938b3
Opcode Fuzzy Hash: aed3247315c1d7945735f628bb8b32149cafe975d97620902d5781d4b1fd56ba
Instruction Fuzzy Hash: 12A16D7291021DABCB14FBA8DC51EEEB778FF15714F44042AE416E7192EF749A08CB62

Function 00F41488 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00F41559
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00F4177F

Memory Dump Source

Source File: 00000000.00000002.2103726956.0000000000F3E000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F3E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f3e000_Qz8OEUxYuH.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
Instruction ID: b06b77b087a48f245783db9c627f42a9db6107a71e7c587b8eedcd1366d57097
Opcode Fuzzy Hash: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
Instruction Fuzzy Hash: D6A13975E00208EBDB14CFA4C898BEEBBB5FF48314F248159E915BB280D7759A81DF54

Function 008839D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00883A03
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00883A24
ShowWindow.USER32(00000000,?,?), ref: 00883A38
ShowWindow.USER32(00000000,?,?), ref: 00883A41

Strings

AutoIt v3, xrefs: 008839FB, 00883A00, 00883A01
edit, xrefs: 00883A1E

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: d94a07d8a0ca690f4292cd194d1246aafc6b8e235466bdf824457231dfc4b232
Instruction ID: fc30085b1451f23279213fd343615261cb12c3aa5020906dfd2e799457c52f9b
Opcode Fuzzy Hash: d94a07d8a0ca690f4292cd194d1246aafc6b8e235466bdf824457231dfc4b232
Instruction Fuzzy Hash: 1BF03A74665690BFEA3167A76C18E2B3E7DE7C7F50B02012AB910A21B1C2A10C00EAB0

Function 0088F76F Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 168
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 008A0162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 008A0193
Part of subcall function 008A0162: MapVirtualKeyW.USER32(00000010,00000000), ref: 008A019B
Part of subcall function 008A0162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 008A01A6
Part of subcall function 008A0162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 008A01B1
Part of subcall function 008A0162: MapVirtualKeyW.USER32(00000011,00000000), ref: 008A01B9
Part of subcall function 008A0162: MapVirtualKeyW.USER32(00000012,00000000), ref: 008A01C1

Part of subcall function 008960F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0088F930), ref: 00896154

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0088F9CD
OleInitialize.OLE32(00000000), ref: 0088FA4A
CloseHandle.KERNEL32(00000000), ref: 008C45C8

Strings

X, xrefs: 0088F930
, xrefs: 0088F8FE

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: $X
API String ID: 1986988660-2646445358
Opcode ID: b12982dfa24e40333276af072fca577158e6282878fe73ec1b485c597249c2ca
Instruction ID: 4dcd07a7359faed8c3f98b294f32cf2f0ccebfc407e62cbb45f50d82e3f1d092
Opcode Fuzzy Hash: b12982dfa24e40333276af072fca577158e6282878fe73ec1b485c597249c2ca
Instruction Fuzzy Hash: 0C81CEB8929B40CFC394EFB9A850E187BE5FB5A316756813AE119CB273E7704484EF11

Function 00F41238 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 150
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F41128: Sleep.KERNELBASE(000001F4), ref: 00F41139

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00F41373

Strings

R6IHQYDHM53MJYO4IZ, xrefs: 00F413D6, 00F413D9

Memory Dump Source

Source File: 00000000.00000002.2103726956.0000000000F3E000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F3E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f3e000_Qz8OEUxYuH.jbxd

Similarity

API ID: CreateFileSleep
String ID: R6IHQYDHM53MJYO4IZ
API String ID: 2694422964-84491307
Opcode ID: e65465a2ea47bb5f8c245ae883ce6b49e218ee4877176e5293fab5544547bf4b
Instruction ID: 621395ac6725c7fe96dd60b33b3389c8f5a9eaaa8cf2a7e6b386defb4d6d3977
Opcode Fuzzy Hash: e65465a2ea47bb5f8c245ae883ce6b49e218ee4877176e5293fab5544547bf4b
Instruction Fuzzy Hash: 2151B331E04248DBEF11DBE4C854BEEBB79AF19300F004199E608BB2C1D7B91B85DB66

Function 0088407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 008BD3D7

Part of subcall function 00887BCC: _memmove.LIBCMT ref: 00887C06

_memset.LIBCMT ref: 008840FC
_wcscpy.LIBCMT ref: 00884150
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00884160

Strings

Line: , xrefs: 008BD400

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: c830d3bada9d814323fc7bf3676f03ac77824cc49f0043ff0795045276b8b254
Instruction ID: b36edd8ab939b980b9a28d1c4b60b0d92b2a29d4950c81c7078437adf8d3ca8b
Opcode Fuzzy Hash: c830d3bada9d814323fc7bf3676f03ac77824cc49f0043ff0795045276b8b254
Instruction Fuzzy Hash: 4931AF72018705ABD321FBA4DC45FDB77E8FB45314F20451AF595D21A2EB709648CB93

Function 008A541D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 008A547B
_memcpy_s.LIBCMT ref: 008A54ED
__read_nolock.LIBCMT ref: 008A554B
__filbuf.LIBCMT ref: 008A556E
_memset.LIBCMT ref: 008A55B2

Part of subcall function 008A8B28: __getptd_noexit.LIBCMT ref: 008A8B28

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction ID: d17f0ece17541749cbd48c8492f7fad816560924eb2de1cc81cbe95baf942190
Opcode Fuzzy Hash: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction Fuzzy Hash: 1251D370E01B09DBEB248E69D8806AE77A2FF46334F248729F825D6AD1D770DDD08B45

Function 0088686A Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00884DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,009452F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00884E0F

_free.LIBCMT ref: 008BE263
_free.LIBCMT ref: 008BE2AA

Part of subcall function 00886A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00886BAD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 008BE039
Bad directive syntax error, xrefs: 008BE292

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: f5d95f872a3357ec7ebda6ce102a76518903857423bd0e31b37f77049bfcaab0
Instruction ID: 3c74f3714d87e985ea68eaff0d881ca8f78ff520f4740bd0f7c64c94916341c0
Opcode Fuzzy Hash: f5d95f872a3357ec7ebda6ce102a76518903857423bd0e31b37f77049bfcaab0
Instruction Fuzzy Hash: F1916C71900219AFCF14EFA8CC919EEB7B8FF19314B10452AF816EB3A1DB70A915CB51

Function 008835B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,008835A1,SwapMouseButtons,00000004,?), ref: 008835D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,008835A1,SwapMouseButtons,00000004,?,?,?,?,00882754), ref: 008835F5
RegCloseKey.KERNELBASE(00000000,?,?,008835A1,SwapMouseButtons,00000004,?,?,?,?,00882754), ref: 00883617

Strings

Control Panel\Mouse, xrefs: 008835D2

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 33f7347bde5489f20c00ca09925831944039847d0ece8a0980e93e4b4a669240
Instruction ID: fe0bb9443d7d22fa169642dea5373805f737febc28797ecf9303159ab993e237
Opcode Fuzzy Hash: 33f7347bde5489f20c00ca09925831944039847d0ece8a0980e93e4b4a669240
Instruction Fuzzy Hash: 12114871514208BFDB21DFA8DC409AEB7BCFF15B40F008469E805E7210E2719F40A760

Function 00F40128 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00F408E3
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00F40979
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00F4099B

Memory Dump Source

Source File: 00000000.00000002.2103726956.0000000000F3E000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F3E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f3e000_Qz8OEUxYuH.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 0b43d72d38ac188f5e361c01a6572487286e397564ea08694eb873f1bb21aafa
Instruction ID: d1c25752d7abd58b0fedd96ab4275ee45a67ba9278cfd3eb4445516ffd6da40e
Opcode Fuzzy Hash: 0b43d72d38ac188f5e361c01a6572487286e397564ea08694eb873f1bb21aafa
Instruction Fuzzy Hash: 58620C30A14218DBEB24CBA4C850BDEB771FF58300F1091A9D60DEB391EB799E81DB59

Function 008E955B Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00884EE5: _fseek.LIBCMT ref: 00884EFD

Part of subcall function 008E9734: _wcscmp.LIBCMT ref: 008E9824
Part of subcall function 008E9734: _wcscmp.LIBCMT ref: 008E9837

_free.LIBCMT ref: 008E96A2
_free.LIBCMT ref: 008E96A9
_free.LIBCMT ref: 008E9714

Part of subcall function 008A2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,008A9A24), ref: 008A2D69
Part of subcall function 008A2D55: GetLastError.KERNEL32(00000000,?,008A9A24), ref: 008A2D7B

_free.LIBCMT ref: 008E971C

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction ID: 4325d7b12732718ba17752a8c7502476e4de4ce0aa15ee42fc7320b32d68b765
Opcode Fuzzy Hash: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction Fuzzy Hash: E2515CB1D04259ABDF249F69CC81A9EBBB9FF49300F10049EF649E3252DB715A80CF59

Function 008A470A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 008A47A0
__flush.LIBCMT ref: 008A47C0
__write.LIBCMT ref: 008A47F3
__flsbuf.LIBCMT ref: 008A4821

Part of subcall function 008A8B28: __getptd_noexit.LIBCMT ref: 008A8B28

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction ID: c06f6d0bbcb8cb81d9b9c5401ff45e0feee9acb21e078ef95811447167fd78c0
Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction Fuzzy Hash: 9D41D574A007899BFF188E69D8809AE77A5FFC3364B24913DE815C7E40E7B4DD418B51

Function 00887285 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 008BEA39
GetOpenFileNameW.COMDLG32(?), ref: 008BEA83

Part of subcall function 00884750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00884743,?,?,008837AE,?), ref: 00884770

Part of subcall function 008A0791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 008A07B0

Strings

X, xrefs: 008BEA51

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 78f864be753d9af6e036065db72282af5f0b97d215cd7edeeb4888f6f323712f
Instruction ID: 2e51949517c8ef0b4777623152bb82aae4eec6c56c4143743f33bca81b45395a
Opcode Fuzzy Hash: 78f864be753d9af6e036065db72282af5f0b97d215cd7edeeb4888f6f323712f
Instruction Fuzzy Hash: 8521A131A142589BDB51AF98C845AEF7BFDFF49314F10401AE408EB241DBB499898FA2

Function 008E8D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 008E8DAC
__fread_nolock.LIBCMT ref: 008E8DC1

Strings

EA06, xrefs: 008E8DF3

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 8f6d9ce481f727261462a97cb37d35e395c92f2398d634edc594258fc9f9a289
Instruction ID: f536f45674bca0d80a777168c9c79451e297ce2bd3f5befcaff20ae01a8c38cc
Opcode Fuzzy Hash: 8f6d9ce481f727261462a97cb37d35e395c92f2398d634edc594258fc9f9a289
Instruction Fuzzy Hash: 76012D71D04258BEEB18CBA8CC16EFE7BF8DB12301F00419FF556D2181E875E6048B60

Function 008E98E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 008E98F8
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 008E990F

Strings

aut, xrefs: 008E9909

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: ca7908eb36e60ac775beae31ffa854057beb3a8740970075f605dd3d33efc3ae
Instruction ID: b207bd1cd459db0b05e895820d6928f979690bcc1e825308983de17b2f6d31a9
Opcode Fuzzy Hash: ca7908eb36e60ac775beae31ffa854057beb3a8740970075f605dd3d33efc3ae
Instruction Fuzzy Hash: 51D05E7954430DAFDB60DBA4DC0EF9A773CEB04704F0002B1BAA4D10A1EAB0A6989B91

Function 008FCADD Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7762d34e1d8ba5f86d8f87bfc933e8bb38a398f8f7c83812ed3c3bca19409ded
Instruction ID: cfb3629f6525ad7239ce16fcbe5009847ed82bd69f96ba0e436807e53ebb8c1a
Opcode Fuzzy Hash: 7762d34e1d8ba5f86d8f87bfc933e8bb38a398f8f7c83812ed3c3bca19409ded
Instruction Fuzzy Hash: CAF127716083099FC714DF28C580A6ABBE5FF89314F14892EF999DB251DB70EA45CF82

Function 0088434A Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00884370
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00884415
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00884432

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: a82c5fcd2b9c50ac581a0e7c08b6c137edc2545470da2e88888dca5fa971aca2
Instruction ID: 675c34df21e52efdc832f4bbf556cc1eaa39ab2f4037734c12520f3042352a5e
Opcode Fuzzy Hash: a82c5fcd2b9c50ac581a0e7c08b6c137edc2545470da2e88888dca5fa971aca2
Instruction Fuzzy Hash: E63193715097029FD721EF64D884A9BBBF8FB59308F00092EE59AC2352E7B1A944CB52

Function 008A571C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 008A5733

Part of subcall function 008AA16B: __NMSG_WRITE.LIBCMT ref: 008AA192
Part of subcall function 008AA16B: __NMSG_WRITE.LIBCMT ref: 008AA19C

__NMSG_WRITE.LIBCMT ref: 008A573A

Part of subcall function 008AA1C8: GetModuleFileNameW.KERNEL32(00000000,009433BA,00000104,?,00000001,00000000), ref: 008AA25A
Part of subcall function 008AA1C8: ___crtMessageBoxW.LIBCMT ref: 008AA308

Part of subcall function 008A309F: ___crtCorExitProcess.LIBCMT ref: 008A30A5
Part of subcall function 008A309F: ExitProcess.KERNEL32 ref: 008A30AE

Part of subcall function 008A8B28: __getptd_noexit.LIBCMT ref: 008A8B28

RtlAllocateHeap.NTDLL(00EA0000,00000000,00000001,00000000,?,?,?,008A0DD3,?), ref: 008A575F

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 558e93bb2c8f939942106138bce7202282ef59983c5c09b90679cac65e3c8d4e
Instruction ID: b43351bbbcd105a1f58b455429e85496e04d2abaa031c1637effdceff59b7dc6
Opcode Fuzzy Hash: 558e93bb2c8f939942106138bce7202282ef59983c5c09b90679cac65e3c8d4e
Instruction Fuzzy Hash: 8501B535244F01EAF615273CEC82A2E7398FB43765F600525F515FAD81DFB09D819672

Function 008E98A2 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,008E9548,?,?,?,?,?,00000004), ref: 008E98BB
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,008E9548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 008E98D1
CloseHandle.KERNEL32(00000000,?,008E9548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 008E98D8

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 0572c55ffa36f43ea7ea8558e0601c1f44674fb341f0c289a76043b56cc5c0f9
Instruction ID: de0ff2be360e561849c964aec510c5faef9969bcfbe01a8572e691d68e1ba027
Opcode Fuzzy Hash: 0572c55ffa36f43ea7ea8558e0601c1f44674fb341f0c289a76043b56cc5c0f9
Instruction Fuzzy Hash: CAE08632144228BBD7311B54EC09FCA7B19EB06B70F104220FB54A94E087B12611A7D8

Function 008E8D0D Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 008E8D1B

Part of subcall function 008A2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,008A9A24), ref: 008A2D69
Part of subcall function 008A2D55: GetLastError.KERNEL32(00000000,?,008A9A24), ref: 008A2D7B

_free.LIBCMT ref: 008E8D2C
_free.LIBCMT ref: 008E8D3E

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction ID: 01499fef40f49d7adec1508163be2a8999069dc41c9b7cfe767f45c7b7b60560
Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction Fuzzy Hash: A4E012A170264586EB35A57DAD40A9713DCEF5A3527141D1DB40DD7587CE64F8428124

Function 0088A9C3 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 008BFC01

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: ec660dffe61424c37b39af1968be309040334239819c9f2f0ae4741829c40840
Instruction ID: 6910b13d406f699039b7e32ec556b8527f2972ba60defbe37db1abc186e012b4
Opcode Fuzzy Hash: ec660dffe61424c37b39af1968be309040334239819c9f2f0ae4741829c40840
Instruction Fuzzy Hash: 40225D74508205DFDB28EF18C450A6ABBE1FF85314F14896EE98ADB362D735EC45CB82

Function 00884C70 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00884CBA

Strings

EA06, xrefs: 008BD8CC

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: dacae67cd4c5803275e5c21bd35e707e23ebe7e508b9cefa28913a9b03e4cb16
Instruction ID: b2d7201cb93285fd9395ea982c46d223737644abc3b8f4817fb5b04ba103b7b2
Opcode Fuzzy Hash: dacae67cd4c5803275e5c21bd35e707e23ebe7e508b9cefa28913a9b03e4cb16
Instruction Fuzzy Hash: 47415D23A0425E67DF21BB68C8517BE7FA6FB45304F686475FC82DB282D6345D4483A2

Function 008847D0 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00884834

Part of subcall function 008A336C: __lock.LIBCMT ref: 008A3372
Part of subcall function 008A336C: DecodePointer.KERNEL32(00000001,?,00884849,008D7C74), ref: 008A337E
Part of subcall function 008A336C: EncodePointer.KERNEL32(?,?,00884849,008D7C74), ref: 008A3389

Part of subcall function 008848FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00884915
Part of subcall function 008848FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0088492A

Part of subcall function 00883B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00883B68
Part of subcall function 00883B3A: IsDebuggerPresent.KERNEL32 ref: 00883B7A
Part of subcall function 00883B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,009452F8,009452E0,?,?), ref: 00883BEB
Part of subcall function 00883B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00883C6F

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00884874

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 6f2430e49bd2ced7a2c30042d9c2ed331f2523eb410446dc7d326e6430ffd12d
Instruction ID: 09eb070b9f8dd28051087d68a215ef562e4ddffaf157532e408c189a3d234f61
Opcode Fuzzy Hash: 6f2430e49bd2ced7a2c30042d9c2ed331f2523eb410446dc7d326e6430ffd12d
Instruction Fuzzy Hash: A1118E719283029FCB00EF68E80591ABFE8FF86750F10452BF051C3272DBB09644DB92

Function 00885C99 Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00885821,?,?,?,?), ref: 00885CC7
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00885821,?,?,?,?), ref: 008BDD73

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 8302af61eeaadd893fe93347e1474796ab41d60d214f2bc0d025060ddbf8e5a3
Instruction ID: 704faa042924dcd9f20ffaf27039d5831cab7ef7e75871c52197160e0bd8850e
Opcode Fuzzy Hash: 8302af61eeaadd893fe93347e1474796ab41d60d214f2bc0d025060ddbf8e5a3
Instruction Fuzzy Hash: 74016D70244708BEF6245E24CC8AF663A9CFB01768F108319BAE59A1E1C6B41D488F50

Function 008A0DB6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 008A571C: __FF_MSGBANNER.LIBCMT ref: 008A5733
Part of subcall function 008A571C: __NMSG_WRITE.LIBCMT ref: 008A573A
Part of subcall function 008A571C: RtlAllocateHeap.NTDLL(00EA0000,00000000,00000001,00000000,?,?,?,008A0DD3,?), ref: 008A575F

std::exception::exception.LIBCMT ref: 008A0DEC
__CxxThrowException@8.LIBCMT ref: 008A0E01

Part of subcall function 008A859B: RaiseException.KERNEL32(?,?,?,00939E78,00000000,?,?,?,?,008A0E06,?,00939E78,?,00000001), ref: 008A85F0

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 8a704fed065e68dfacfec7cd1541fe7377e9cce6069e59ec653a2ba408a32ce6
Instruction ID: 020418589a85a726176028a80eda76abc13d8b14ef94b732df1d6027bca3ddd9
Opcode Fuzzy Hash: 8a704fed065e68dfacfec7cd1541fe7377e9cce6069e59ec653a2ba408a32ce6
Instruction Fuzzy Hash: EAF0D63590431DA6EF20BB98EC015DE77A8FF06310F000415F904E6A81DF709A9099A2

Function 008A55FD Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 008A562C
__lock_file.LIBCMT ref: 008A564D

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: a80c093686bc2db12f19d67e0a47e02d810a9092e6836085a66eecb33b81e77c
Instruction ID: ed180e355e86904c5a51db08803e17c1dfb53dd83d40128cec3ebabddcd02fa7
Opcode Fuzzy Hash: a80c093686bc2db12f19d67e0a47e02d810a9092e6836085a66eecb33b81e77c
Instruction Fuzzy Hash: 0201D471800A08EBEF12AF6CCD0249E7B71FFA3321F444115F8149B591EB318AA1DFA2

Function 008A53A6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 008A8B28: __getptd_noexit.LIBCMT ref: 008A8B28

__lock_file.LIBCMT ref: 008A53EB

Part of subcall function 008A6C11: __lock.LIBCMT ref: 008A6C34

__fclose_nolock.LIBCMT ref: 008A53F6

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: f7129c6b4d9e22aeb64323f388bfe36cbd861f46b7e88ba4ce87d0566fc8fc88
Instruction ID: e934067ad5eae2ff363fd58cd1190628272006d0ab84c1fffc69ea622f120d1b
Opcode Fuzzy Hash: f7129c6b4d9e22aeb64323f388bfe36cbd861f46b7e88ba4ce87d0566fc8fc88
Instruction Fuzzy Hash: 99F09671801A04DAFF106B6998057AE7AE0FF83374F248508E464EBAC1DBBC49815B63

Function 00888061 Relevance: 2.6, APIs: 2, Instructions: 54COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,?,?,?,0088542F,?,?,?,?,?), ref: 0088807A
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,?,?,?,0088542F,?,?,?,?,?), ref: 008880AD

Part of subcall function 0088774D: _memmove.LIBCMT ref: 00887789

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: ByteCharMultiWide$_memmove
String ID:
API String ID: 3033907384-0
Opcode ID: d9ec94a83f7692093a0767fe7cfae0634df062d8bad1f9f9383562ed911d8565
Instruction ID: c4f17df301806d799b36e369e265d2c94057d3bc4be40003bb96e46ce5c3e443
Opcode Fuzzy Hash: d9ec94a83f7692093a0767fe7cfae0634df062d8bad1f9f9383562ed911d8565
Instruction Fuzzy Hash: F101AD32205204BFEB24BA25DC4AF7B3B6DEF8A360F10802AF905CE190DE30D800D662

Function 00F40125 Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00F408E3
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00F40979
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00F4099B

Memory Dump Source

Source File: 00000000.00000002.2103726956.0000000000F3E000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F3E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f3e000_Qz8OEUxYuH.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 45c0bcdfd50c24934144be52d4489c8f4aeee23b26077383fd0484b0fd6f3e51
Instruction ID: e06f76270930076ff3e3b64514cd4b1a3c173ec8467085692499f8022ae6b8db
Opcode Fuzzy Hash: 45c0bcdfd50c24934144be52d4489c8f4aeee23b26077383fd0484b0fd6f3e51
Instruction Fuzzy Hash: F912CD24E24658C6EB24DF64D8507DEB232EF68300F1091E9910DEB7A5E77A4F81CB5A

Function 00891FC3 Relevance: 1.7, APIs: 1, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8fe1f5c3c938a847d8995faec0f3d1d65bd6bc310178218eee01426f02ec44
Instruction ID: c6a40023b86bd3e814d9b67855a3a676b98e5a5903739e2f015a6cc51733737b
Opcode Fuzzy Hash: bd8fe1f5c3c938a847d8995faec0f3d1d65bd6bc310178218eee01426f02ec44
Instruction Fuzzy Hash: 60515C35600604ABCF14FB68C991EAE77A6FF49314F188168F806EB392DA30ED01DB52

Function 0088750F Relevance: 1.6, APIs: 1, Instructions: 103COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 008875EA

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 74722da7d578c4de16107547794dad42e9ee7aef0c0b01352df76d0c5bccf52e
Instruction ID: eca84d68106a4b5ae5503a08775380bee83b1e4b43bb94917f69616a97e5498f
Opcode Fuzzy Hash: 74722da7d578c4de16107547794dad42e9ee7aef0c0b01352df76d0c5bccf52e
Instruction Fuzzy Hash: 8831A175208A029FD714EF18C080962F7B0FF09310724C669E98ACB791EB30E891DB85

Function 00885AEE Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00885B96

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: d30bfa55b706e40318605ea87ad3f5cc59bc81ec5188a0efe7cca9587cbd7aed
Instruction ID: e9e55793eb1bea33c86a559788b61e25a3feb8866b5cca3d9602bd2213483539
Opcode Fuzzy Hash: d30bfa55b706e40318605ea87ad3f5cc59bc81ec5188a0efe7cca9587cbd7aed
Instruction Fuzzy Hash: F4312A71A00A19AFCB18EF6DC484AADF7B5FF58320F158629E819D7710D770B9A0CB91

Function 008A0C08 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 008A0CB7

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 917dd54d1a6275c139c61eb7335d39d8bf878020d41e408aa861bbe2d8991666
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: B431D570A001099BE718DF58C484969F7A6FB5A320B6487A5E80ACFB51D731EED1DFC0

Function 008BFCAC Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 008BFCB7

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: a324a14367f10a68e705c84c0e3907c63eb38d8e0a38df51cebc3d270ab79697
Instruction ID: 85ef43183849a6ce282b3d58c53f93d9c84848b6103f1fc2bef2cc01e8355677
Opcode Fuzzy Hash: a324a14367f10a68e705c84c0e3907c63eb38d8e0a38df51cebc3d270ab79697
Instruction Fuzzy Hash: 8841D4745043419FEB24DF18C454B1ABBE1FF49318F0988ACE9998B762C736E845CF52

Function 008859B9 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00885A01

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: c4780d2052b24a2cdfb625eb462201bcf45db747600d1c1482c941c00d9438a8
Instruction ID: bd1ceb700471693e86fa8309b4582fc57fc22361d1ba35ba4bb747c6313cbd47
Opcode Fuzzy Hash: c4780d2052b24a2cdfb625eb462201bcf45db747600d1c1482c941c00d9438a8
Instruction Fuzzy Hash: 04210571914B09FBDB14AF55EC847AA7FB8FF04310F21846AE489C6211EBB094E0EB46

Function 00884DDD Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00884BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00884BEF

Part of subcall function 008A525B: __wfsopen.LIBCMT ref: 008A5266

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,009452F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00884E0F

Part of subcall function 00884B6A: FreeLibrary.KERNEL32(00000000), ref: 00884BA4

Part of subcall function 00884C70: _memmove.LIBCMT ref: 00884CBA

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: a7ff77bcbfaed77811547a865bb4c308c56aa463a34db894f0b3e21355a2b778
Instruction ID: 8c2e27a7c33050b24e2e54b11e7a963210a229f8985ebf37cf8d0be224712049
Opcode Fuzzy Hash: a7ff77bcbfaed77811547a865bb4c308c56aa463a34db894f0b3e21355a2b778
Instruction Fuzzy Hash: 3711E733640306ABCF20FFB8C812FAE77A9FF44720F108829F541E7181EA719A009B52

Function 008BFD85 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 008BFD91

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: dc3c986cb89c7629d58224a4fa9d8b063f72fb49f2c0f2c46746e8c7367f6f27
Instruction ID: 0d14451919be46a4290438b674279b5a42db6262cfa93b15c59bcfddf2c23ebf
Opcode Fuzzy Hash: dc3c986cb89c7629d58224a4fa9d8b063f72fb49f2c0f2c46746e8c7367f6f27
Instruction Fuzzy Hash: 0A21F374508341DFDB24EF64C444A2ABBE1FF89314F058968F98A97762D731E815CF92

Function 00885BC0 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,008856A7,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00885C16

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 08e199c7ba5d5ba3c6f331a27474ae4e417439ccb2b1fc180350a71819120327
Instruction ID: c2aa79c7c24cf317feeffa441af1e04d0460d79c75ad7e2c235c9f6146126b85
Opcode Fuzzy Hash: 08e199c7ba5d5ba3c6f331a27474ae4e417439ccb2b1fc180350a71819120327
Instruction Fuzzy Hash: 9B112231204B059FE3209F19C880B62B7E9FF54764F10C92EE9AA8AA51D7B0E944CB60

Function 00885A7A Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 008BDD18

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: a7b9d5836668f83c2a3f51eb8053bbd8b90c3f0a49dd782c3ce1182c41f61193
Instruction ID: 5f0b1744514bc661cd81a6e2a1120ca36b84935c05dc2d3c186c7d27799ef5e9
Opcode Fuzzy Hash: a7b9d5836668f83c2a3f51eb8053bbd8b90c3f0a49dd782c3ce1182c41f61193
Instruction Fuzzy Hash: 830184B5200501AFC305EB2DC451D26F7A9FF86310714456AE429C7702D731FC21CBE1

Function 008A072A Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 008A07B0

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: 29103d501496fe8fa86c701e03e5f947c9735dafba124bfda064f08d2be8de5a
Instruction ID: 031303c402fd9e76263444b0d9b0b45832b0d0da06afc3fab23f9e3589fbd738
Opcode Fuzzy Hash: 29103d501496fe8fa86c701e03e5f947c9735dafba124bfda064f08d2be8de5a
Instruction Fuzzy Hash: 34016D775040489FC711EB64EC41EE4BBACEFCA360B0401FAEC89CB961E6209A599B91

Function 008A4863 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 008A48A6

Part of subcall function 008A8B28: __getptd_noexit.LIBCMT ref: 008A8B28

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: dc6d2ab047b0099602d6d159a1825de166305619240a7184a035586e4030379d
Instruction ID: df85e9a7815ca45f302fdf2a11554c28c3d59f66cc96ce66cf7eb28872ec63fd
Opcode Fuzzy Hash: dc6d2ab047b0099602d6d159a1825de166305619240a7184a035586e4030379d
Instruction Fuzzy Hash: 1DF0A431900649EBFF11AF689C0579E3AA0FF42325F155424B414D7992DBFC8951DB62

Function 00884E4A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,009452F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00884E7E

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: a837dd9e64a277a05643c377525c5cda11b6b3182e718a4f0258b8ebf12390b9
Instruction ID: 2e3e383939a57f8bcf57c3c0d8789e165c4a76113e6c96331111b5205da68a70
Opcode Fuzzy Hash: a837dd9e64a277a05643c377525c5cda11b6b3182e718a4f0258b8ebf12390b9
Instruction Fuzzy Hash: 7BF03072505712CFCB34AF64D494812B7E1FF55339320993EE1D6C2610C732A840DF40

Function 008A0791 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 008A07B0

Part of subcall function 00887BCC: _memmove.LIBCMT ref: 00887C06

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 7869ef6f29254bf57877fe9214d4d222949e1f708509dfc713f7adefca324349
Instruction ID: 34766cd5d2ba7fa6c61e921843d973f2ca4b8555fcb4667ee72a19a5a6c7aa20
Opcode Fuzzy Hash: 7869ef6f29254bf57877fe9214d4d222949e1f708509dfc713f7adefca324349
Instruction Fuzzy Hash: A3E086369041285BC720A65C9C05FEA77ADEB887A0F0441B5FC08D7205D9609D808691

Function 008E8E9F Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 008E8EC1

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction ID: 7ecc33a1b10509faf0ca27ec67541a2252f87de3361c460be49f4395444d65f4
Opcode Fuzzy Hash: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction Fuzzy Hash: DAE092B0504B409FD7388A24D801BA373E1FB06304F00081DF6AAC3241EB6278418B59

Function 00885C4E Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,008BDD42,?,?,00000000), ref: 00885C5F

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 23ccb305067742b1285db303903b9de3d759935453c6a3796ae2c76cbeadb786
Instruction ID: 42362ae14654dc33df8ccccd1dc978e49bc84892af1af551c9b61a8d46ca79e1
Opcode Fuzzy Hash: 23ccb305067742b1285db303903b9de3d759935453c6a3796ae2c76cbeadb786
Instruction Fuzzy Hash: 31D0C77465420CBFE710DB80DC46FA9777CD705710F100194FD0456690D6B27E509795

Function 008A525B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 008A5266

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: fbad2a94a82745f1a51a3a83aa2d07d8cd6c3153a1e5c4eae0f2d4825a4baa3c
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: A2B0927644020C77DE012A86EC02B893B1AAB42B64F408020FB0C18562A673A6A49A8A

Function 008ED07B Relevance: 1.4, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000002,00000000), ref: 008ED1FF

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: a6d0c1b226518042f1c6c5534c280055ddbbbda2c474cb08cec8ded892b557cf
Instruction ID: 47bc9a7a50999ae6445727b900ed50f806eddd4d3bd107de09883b47f47be4d1
Opcode Fuzzy Hash: a6d0c1b226518042f1c6c5534c280055ddbbbda2c474cb08cec8ded892b557cf
Instruction Fuzzy Hash: E6715E342043428FC704EF29D491A6AB7E0FF8A314F14492DF996DB2A2DB30ED09CB52

Function 00F41128 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 00F41139

Memory Dump Source

Source File: 00000000.00000002.2103726956.0000000000F3E000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F3E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f3e000_Qz8OEUxYuH.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: c47edf89a78943b6ee1a9426450d1444ea124fbf337dc4214e4922037dacfea2
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: ABE0E67494010DDFDB00DFB4D5496DD7FB4FF04301F100161FD01D2280D6309D509A62

Non-executed Functions

Function 0090CABC Relevance: 75.9, APIs: 40, Strings: 3, Instructions: 632windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00882612: GetWindowLongW.USER32(?,000000EB), ref: 00882623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0090CB37
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0090CB95
GetWindowLongW.USER32(?,000000F0), ref: 0090CBD6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0090CC00
SendMessageW.USER32 ref: 0090CC29
_wcsncpy.LIBCMT ref: 0090CC95
GetKeyState.USER32(00000011), ref: 0090CCB6
GetKeyState.USER32(00000009), ref: 0090CCC3
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0090CCD9
GetKeyState.USER32(00000010), ref: 0090CCE3
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0090CD0C
SendMessageW.USER32 ref: 0090CD33
SendMessageW.USER32(?,00001030,?,0090B348), ref: 0090CE37
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0090CE4D
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0090CE60
SetCapture.USER32(?), ref: 0090CE69
ClientToScreen.USER32(?,?), ref: 0090CECE
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0090CEDB
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0090CEF5
ReleaseCapture.USER32 ref: 0090CF00
GetCursorPos.USER32(?), ref: 0090CF3A
ScreenToClient.USER32(?,?), ref: 0090CF47
SendMessageW.USER32(?,00001012,00000000,?), ref: 0090CFA3
SendMessageW.USER32 ref: 0090CFD1
SendMessageW.USER32(?,00001111,00000000,?), ref: 0090D00E
SendMessageW.USER32 ref: 0090D03D
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0090D05E
SendMessageW.USER32(?,0000110B,00000009,?), ref: 0090D06D
GetCursorPos.USER32(?), ref: 0090D08D
ScreenToClient.USER32(?,?), ref: 0090D09A
GetParent.USER32(?), ref: 0090D0BA
SendMessageW.USER32(?,00001012,00000000,?), ref: 0090D123
SendMessageW.USER32 ref: 0090D154
ClientToScreen.USER32(?,?), ref: 0090D1B2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0090D1E2
SendMessageW.USER32(?,00001111,00000000,?), ref: 0090D20C
SendMessageW.USER32 ref: 0090D22F
ClientToScreen.USER32(?,?), ref: 0090D281
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0090D2B5

Part of subcall function 008825DB: GetWindowLongW.USER32(?,000000EB), ref: 008825EC

GetWindowLongW.USER32(?,000000F0), ref: 0090D351

Strings

(, xrefs: 0090CDFF
@GUI_DRAGID, xrefs: 0090CE9C
F, xrefs: 0090D235

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: ($@GUI_DRAGID$F
API String ID: 3977979337-2020741506
Opcode ID: 1b47182814b3f55cacc747838bcebfde17e98f2670e2a17cd314c488c1d7cfac
Instruction ID: 711fb37b491eb9deba0adac05fb5ad82b5189ea6da3158ad33e01729473ed232
Opcode Fuzzy Hash: 1b47182814b3f55cacc747838bcebfde17e98f2670e2a17cd314c488c1d7cfac
Instruction Fuzzy Hash: BE429AB4208241AFDB24DF68D844EAABBE9FF49314F140A29F695C72F1C731D941EB52

Function 00896F9E Relevance: 48.8, APIs: 19, Strings: 6, Instructions: 5018COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 008971C3
_memset.LIBCMT ref: 00897539
_memmove.LIBCMT ref: 008976AC

Strings

[:<:]], xrefs: 00897479
\b(?<=\w), xrefs: 008D3773
DEFINE, xrefs: 008D2103
\b(?=\w), xrefs: 008D3769
[:>:]], xrefs: 00897492
Q\E, xrefs: 00897FCB

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: _memmove$_memset
String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-1798697756
Opcode ID: c8a4adbef2d52a288be933f57dd42e6fb4169d71a1c7654a51455ca3bd0af18b
Instruction ID: 8498361f28613d2b2ccb2dcd6252b56d847941138a58b183c210960adb8dd02c
Opcode Fuzzy Hash: c8a4adbef2d52a288be933f57dd42e6fb4169d71a1c7654a51455ca3bd0af18b
Instruction Fuzzy Hash: 2B939071A04219DBDF24DF98D881BADB7B1FF58714F24826AE945EB381E7709E81CB40

Function 008848D7 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 008848DF
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 008BD665
IsIconic.USER32(?), ref: 008BD66E
ShowWindow.USER32(?,00000009), ref: 008BD67B
SetForegroundWindow.USER32(?), ref: 008BD685
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 008BD69B
GetCurrentThreadId.KERNEL32 ref: 008BD6A2
GetWindowThreadProcessId.USER32(?,00000000), ref: 008BD6AE
AttachThreadInput.USER32(?,00000000,00000001), ref: 008BD6BF
AttachThreadInput.USER32(?,00000000,00000001), ref: 008BD6C7
AttachThreadInput.USER32(00000000,?,00000001), ref: 008BD6CF
SetForegroundWindow.USER32(?), ref: 008BD6D2
MapVirtualKeyW.USER32(00000012,00000000), ref: 008BD6E7
keybd_event.USER32(00000012,00000000), ref: 008BD6F2
MapVirtualKeyW.USER32(00000012,00000000), ref: 008BD6FC
keybd_event.USER32(00000012,00000000), ref: 008BD701
MapVirtualKeyW.USER32(00000012,00000000), ref: 008BD70A
keybd_event.USER32(00000012,00000000), ref: 008BD70F
MapVirtualKeyW.USER32(00000012,00000000), ref: 008BD719
keybd_event.USER32(00000012,00000000), ref: 008BD71E
SetForegroundWindow.USER32(?), ref: 008BD721
AttachThreadInput.USER32(?,?,00000000), ref: 008BD748

Strings

Shell_TrayWnd, xrefs: 008BD660

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: f73d75e8af6dd8a56aa2ecbcb39d559b2fbd5f9bf6ec82a42858494d59763c2c
Instruction ID: 97aa48cf499516cbabbfc81694f3b28d4a46b1727ce33724761c73b43dfdeff4
Opcode Fuzzy Hash: f73d75e8af6dd8a56aa2ecbcb39d559b2fbd5f9bf6ec82a42858494d59763c2c
Instruction Fuzzy Hash: 44316071A9431CBEEB306B619C49FBF7F6CEB44B50F104025FA04EA1D1DAB15A01BBA1

Function 008D8310 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 008D87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 008D882B
Part of subcall function 008D87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 008D8858
Part of subcall function 008D87E1: GetLastError.KERNEL32 ref: 008D8865

_memset.LIBCMT ref: 008D8353
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 008D83A5
CloseHandle.KERNEL32(?), ref: 008D83B6
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 008D83CD
GetProcessWindowStation.USER32 ref: 008D83E6
SetProcessWindowStation.USER32(00000000), ref: 008D83F0
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 008D840A

Part of subcall function 008D81CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,008D8309), ref: 008D81E0
Part of subcall function 008D81CB: CloseHandle.KERNEL32(?,?,008D8309), ref: 008D81F2

Strings

default, xrefs: 008D8405
winsta0, xrefs: 008D83C8
, xrefs: 008D8362

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: e36c14f5d4a98e2db230dffdc3e401c714c7c2e22057dd57f222a7420d61a76d
Instruction ID: f2ed6043f29f22e0ddfbf62b42400734dec5896baba67b4e82ebe56a7b4bef7f
Opcode Fuzzy Hash: e36c14f5d4a98e2db230dffdc3e401c714c7c2e22057dd57f222a7420d61a76d
Instruction Fuzzy Hash: 81814BB1910209EFDF219FA8DC45AEEBBB9FF04304F14426AF914E6261DB319E15DB21

Function 008EC75C Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 008EC78D
FindClose.KERNEL32(00000000), ref: 008EC7E1
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 008EC806
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 008EC81D
FileTimeToSystemTime.KERNEL32(?,?), ref: 008EC844
__swprintf.LIBCMT ref: 008EC890
__swprintf.LIBCMT ref: 008EC8D3

Part of subcall function 00887DE1: _memmove.LIBCMT ref: 00887E22

__swprintf.LIBCMT ref: 008EC927

Part of subcall function 008A3698: __woutput_l.LIBCMT ref: 008A36F1

__swprintf.LIBCMT ref: 008EC975

Part of subcall function 008A3698: __flsbuf.LIBCMT ref: 008A3713
Part of subcall function 008A3698: __flsbuf.LIBCMT ref: 008A372B

__swprintf.LIBCMT ref: 008EC9C4
__swprintf.LIBCMT ref: 008ECA13
__swprintf.LIBCMT ref: 008ECA62

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 008EC88A
%4d, xrefs: 008EC8CD
%02d, xrefs: 008EC91B, 008EC925, 008EC973, 008EC9C2, 008ECA11, 008ECA60

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: b3d2e461de7c6b1c86fffff333d76a2af551d44e7a75b23fef3dba4beee9f704
Instruction ID: fcd790db4838277b340ec6684ad28c41df5a5b510f843b55f77ffe0f7f5e69cd
Opcode Fuzzy Hash: b3d2e461de7c6b1c86fffff333d76a2af551d44e7a75b23fef3dba4beee9f704
Instruction Fuzzy Hash: 63A109B2408345ABD750FBA8C886DAFB7ECFF95704F440929F595C6191EA30DA09CB63

Function 008EEF95 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 008EEFB6
_wcscmp.LIBCMT ref: 008EEFCB
_wcscmp.LIBCMT ref: 008EEFE2
GetFileAttributesW.KERNEL32(?), ref: 008EEFF4
SetFileAttributesW.KERNEL32(?,?), ref: 008EF00E
FindNextFileW.KERNEL32(00000000,?), ref: 008EF026
FindClose.KERNEL32(00000000), ref: 008EF031
FindFirstFileW.KERNEL32(*.*,?), ref: 008EF04D
_wcscmp.LIBCMT ref: 008EF074
_wcscmp.LIBCMT ref: 008EF08B
SetCurrentDirectoryW.KERNEL32(?), ref: 008EF09D
SetCurrentDirectoryW.KERNEL32(00938920), ref: 008EF0BB
FindNextFileW.KERNEL32(00000000,00000010), ref: 008EF0C5
FindClose.KERNEL32(00000000), ref: 008EF0D2
FindClose.KERNEL32(00000000), ref: 008EF0E4

Strings

*.*, xrefs: 008EF048

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 1e11911a47d7c787e43b57f39fc63fc907969ebbc71842ada6ed35a94fc47456
Instruction ID: 0e6c6654b9ff3722485bf14010fc182287cc570abc76d71479e97000d058d4da
Opcode Fuzzy Hash: 1e11911a47d7c787e43b57f39fc63fc907969ebbc71842ada6ed35a94fc47456
Instruction Fuzzy Hash: 8731C1325056486FDB24ABA9DC58AEE77ACFF4A360F1001B5F914D2092DB70DB44DF61

Function 00900857 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00900953
RegCreateKeyExW.ADVAPI32(?,?,00000000,0090F910,00000000,?,00000000,?,?), ref: 009009C1
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00900A09
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00900A92
RegCloseKey.ADVAPI32(?), ref: 00900DB2
RegCloseKey.ADVAPI32(00000000), ref: 00900DBF

Strings

REG_DWORD, xrefs: 00900C83
REG_BINARY, xrefs: 00900D4D
REG_MULTI_SZ, xrefs: 00900B7A
REG_SZ, xrefs: 00900AD0
REG_EXPAND_SZ, xrefs: 00900A2F
REG_QWORD, xrefs: 00900D00

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: f925a8aa4c30f79923daa0bf7fcbd0edbad4c3fd27119fbc59cc7d7939baa7d7
Instruction ID: 6b6fa6dd0ef667787f2380458bf1e89bf39521fb1580986be1a8ab52c12e5680
Opcode Fuzzy Hash: f925a8aa4c30f79923daa0bf7fcbd0edbad4c3fd27119fbc59cc7d7939baa7d7
Instruction Fuzzy Hash: 5A023A756006129FDB14EF18C851E2AB7E5FF89314F048568F89ADB7A2DB30ED41CB82

Function 008EF0F2 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 008EF113
_wcscmp.LIBCMT ref: 008EF128
_wcscmp.LIBCMT ref: 008EF13F

Part of subcall function 008E4385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 008E43A0

FindNextFileW.KERNEL32(00000000,?), ref: 008EF16E
FindClose.KERNEL32(00000000), ref: 008EF179
FindFirstFileW.KERNEL32(*.*,?), ref: 008EF195
_wcscmp.LIBCMT ref: 008EF1BC
_wcscmp.LIBCMT ref: 008EF1D3
SetCurrentDirectoryW.KERNEL32(?), ref: 008EF1E5
SetCurrentDirectoryW.KERNEL32(00938920), ref: 008EF203
FindNextFileW.KERNEL32(00000000,00000010), ref: 008EF20D
FindClose.KERNEL32(00000000), ref: 008EF21A
FindClose.KERNEL32(00000000), ref: 008EF22C

Strings

*.*, xrefs: 008EF190

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 8685a6ad38df29fd3d1b99963147a33505728d5bf80de1f156eae89f6f279a2e
Instruction ID: 1716d58f2c217f3b6cfb3407314d938c9e79bbb9e8a30c0c329c64b5fd2b8f36
Opcode Fuzzy Hash: 8685a6ad38df29fd3d1b99963147a33505728d5bf80de1f156eae89f6f279a2e
Instruction Fuzzy Hash: 9B31E43650025DAEDB20AB69EC58AEE77ACFF86364F100171FA14E2091DB30DB45CB54

Function 008EA1EF Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 008EA20F
__swprintf.LIBCMT ref: 008EA231
CreateDirectoryW.KERNEL32(?,00000000), ref: 008EA26E
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 008EA293
_memset.LIBCMT ref: 008EA2B2
_wcsncpy.LIBCMT ref: 008EA2EE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 008EA323
CloseHandle.KERNEL32(00000000), ref: 008EA32E
RemoveDirectoryW.KERNEL32(?), ref: 008EA337
CloseHandle.KERNEL32(00000000), ref: 008EA341

Strings

:, xrefs: 008EA252
\??\%s, xrefs: 008EA22B
\, xrefs: 008EA247

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: dbc3d31dfe4ffe43646c865069569373beb70e7402c139bcc1d9ee2c600bf1dd
Instruction ID: 1689be7c5bc2122f60a1e9ff4c5822792bf4989f3969d74745fb6687119a02f7
Opcode Fuzzy Hash: dbc3d31dfe4ffe43646c865069569373beb70e7402c139bcc1d9ee2c600bf1dd
Instruction Fuzzy Hash: B0319F71504249ABDB20DFA5DC49FEB37BCFF89B41F1040B6F609D2560E670A7448B25

Function 008D7CAF Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008D8202: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 008D821E
Part of subcall function 008D8202: GetLastError.KERNEL32(?,008D7CE2,?,?,?), ref: 008D8228
Part of subcall function 008D8202: GetProcessHeap.KERNEL32(00000008,?,?,008D7CE2,?,?,?), ref: 008D8237
Part of subcall function 008D8202: HeapAlloc.KERNEL32(00000000,?,008D7CE2,?,?,?), ref: 008D823E
Part of subcall function 008D8202: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 008D8255

Part of subcall function 008D829F: GetProcessHeap.KERNEL32(00000008,008D7CF8,00000000,00000000,?,008D7CF8,?), ref: 008D82AB
Part of subcall function 008D829F: HeapAlloc.KERNEL32(00000000,?,008D7CF8,?), ref: 008D82B2
Part of subcall function 008D829F: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,008D7CF8,?), ref: 008D82C3

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 008D7D13
_memset.LIBCMT ref: 008D7D28
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 008D7D47
GetLengthSid.ADVAPI32(?), ref: 008D7D58
GetAce.ADVAPI32(?,00000000,?), ref: 008D7D95
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 008D7DB1
GetLengthSid.ADVAPI32(?), ref: 008D7DCE
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 008D7DDD
HeapAlloc.KERNEL32(00000000), ref: 008D7DE4
GetLengthSid.ADVAPI32(?,00000008,?), ref: 008D7E05
CopySid.ADVAPI32(00000000), ref: 008D7E0C
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 008D7E3D
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 008D7E63
SetUserObjectSecurity.USER32(?,00000004,?), ref: 008D7E77

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 7ee7ee7007342e6918dd8b0baa9828fec64f1846ac8adb0747e40917ed420a63
Instruction ID: d21695e271db3f003a5832fad5b16cb9da465d5f8655881c5621ea4eac4499c1
Opcode Fuzzy Hash: 7ee7ee7007342e6918dd8b0baa9828fec64f1846ac8adb0747e40917ed420a63
Instruction Fuzzy Hash: D6615B71904209EFDF11DFA4DC85AEEBB7AFF44710F04826AE815E6391EB319A05DB60

Function 008966E1 Relevance: 18.4, Strings: 14, Instructions: 889COMMON

Download Yara Rule

Strings

UTF16), xrefs: 008D10CF
CR), xrefs: 008D1287
BSR_UNICODE), xrefs: 008D1338
BSR_ANYCRLF), xrefs: 008D131E
ANYCRLF), xrefs: 008D12FB
LIMIT_MATCH=, xrefs: 008D1170
NO_AUTO_POSSESS), xrefs: 008D112E
UTF), xrefs: 008D10FA
UCP), xrefs: 008D110D
ANY), xrefs: 008D12DE
CRLF), xrefs: 008D12C1
LIMIT_RECURSION=, xrefs: 008D11FC
NO_START_OPT), xrefs: 008D114F
LF), xrefs: 008D12A4

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
API String ID: 0-4052911093
Opcode ID: 420cd0d0cccdbe689b6026c5eedf04e93a4358199f95ec2e5d10ed8a95cea798
Instruction ID: 432a7dfe1441e6a131fbf26d86bd5a1d812e5cce1cf4008f920c2e2b7c273903
Opcode Fuzzy Hash: 420cd0d0cccdbe689b6026c5eedf04e93a4358199f95ec2e5d10ed8a95cea798
Instruction Fuzzy Hash: CF725D71E00219DBDF24DF58D884BAEB7B5FF44314F14816AE849EB390EB749A81CB90

Function 008E001C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 008E0097
SetKeyboardState.USER32(?), ref: 008E0102
GetAsyncKeyState.USER32(000000A0), ref: 008E0122
GetKeyState.USER32(000000A0), ref: 008E0139
GetAsyncKeyState.USER32(000000A1), ref: 008E0168
GetKeyState.USER32(000000A1), ref: 008E0179
GetAsyncKeyState.USER32(00000011), ref: 008E01A5
GetKeyState.USER32(00000011), ref: 008E01B3
GetAsyncKeyState.USER32(00000012), ref: 008E01DC
GetKeyState.USER32(00000012), ref: 008E01EA
GetAsyncKeyState.USER32(0000005B), ref: 008E0213
GetKeyState.USER32(0000005B), ref: 008E0221

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: aae48c2ffd372018d69b25287b6dd6c260b6de24707f097b3aa3adbd9e7a054e
Instruction ID: fb3fb48a64a0685f0ebfca1026bf04c12baa1195b7d8401f92e3f10d004bc75b
Opcode Fuzzy Hash: aae48c2ffd372018d69b25287b6dd6c260b6de24707f097b3aa3adbd9e7a054e
Instruction Fuzzy Hash: 2D51BA209047C819FB35D7A588547EABFB4EF13380F08499995C59A5C3DAE49BCCCF62

Function 009003DA Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00900E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,008FFDAD,?,?), ref: 00900E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009004AC

Part of subcall function 00889837: __itow.LIBCMT ref: 00889862
Part of subcall function 00889837: __swprintf.LIBCMT ref: 008898AC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0090054B
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 009005E3
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00900822
RegCloseKey.ADVAPI32(00000000), ref: 0090082F

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 47103721b70e13da5e7b97da80b58ece1523c7dab745b93afa19353828acfbef
Instruction ID: 50e91338ae8fcc9bd8b1ebbaafe6acb1904802dcee673db4b7337c65f68f9564
Opcode Fuzzy Hash: 47103721b70e13da5e7b97da80b58ece1523c7dab745b93afa19353828acfbef
Instruction Fuzzy Hash: F3E15071204205AFCB14DF28C895E6ABBF9FF89314F04896DF84AD72A1DA31ED05CB52

Function 008F4164 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 008F418B
EmptyClipboard.USER32 ref: 008F4191
GlobalAlloc.KERNEL32(00000002,?), ref: 008F41A6
CloseClipboard.USER32 ref: 008F4245

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 9b5db1ecaed148fb7c5de2a48045e78476713637ce081874401381dac28244eb
Instruction ID: 1169f1e2f85aa974027dcc2858ed250b4fd0a8fdcaa757b9785891ec3ed0e180
Opcode Fuzzy Hash: 9b5db1ecaed148fb7c5de2a48045e78476713637ce081874401381dac28244eb
Instruction Fuzzy Hash: 2621B1352042199FDB20AF68EC19B7E7BA8FF05310F048026FA46DB271DB31AD40DB85

Function 008E37EF Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00884750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00884743,?,?,008837AE,?), ref: 00884770

Part of subcall function 008E4A31: GetFileAttributesW.KERNEL32(?,008E370B), ref: 008E4A32

FindFirstFileW.KERNEL32(?,?), ref: 008E38A3
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 008E394B
MoveFileW.KERNEL32(?,?), ref: 008E395E
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 008E397B
FindNextFileW.KERNEL32(00000000,00000010), ref: 008E399D
FindClose.KERNEL32(00000000,?,?,?,?), ref: 008E39B9

Strings

\*.*, xrefs: 008E384E, 008E3857, 008E386C

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 2699d2298d156ea7a3d8b8b0fb92356cb428ae3850246fa1ad4bc89307d786d9
Instruction ID: 5fe99f1f61a9a94ffa989d8d1b63790fedb5b4a23507ef5ad0dee7915abdbcda
Opcode Fuzzy Hash: 2699d2298d156ea7a3d8b8b0fb92356cb428ae3850246fa1ad4bc89307d786d9
Instruction Fuzzy Hash: 2351723180518DAACF11FBA9D9969EDBB79FF16310F600069E406F7192EB316F09CB52

Function 008EF3F3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00887DE1: _memmove.LIBCMT ref: 00887E22

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 008EF440
Sleep.KERNEL32(0000000A), ref: 008EF470
_wcscmp.LIBCMT ref: 008EF484
_wcscmp.LIBCMT ref: 008EF49F
FindNextFileW.KERNEL32(?,?), ref: 008EF53D
FindClose.KERNEL32(00000000), ref: 008EF553

Strings

*.*, xrefs: 008EF425

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: a92b4245c46d838475c37c4825f9e403500d853c7b20d740ab1ae3c8a8b1befa
Instruction ID: a0914c533e4640ac1dc9a7ec3b849200e22c79f487c9775292fe296405e7b561
Opcode Fuzzy Hash: a92b4245c46d838475c37c4825f9e403500d853c7b20d740ab1ae3c8a8b1befa
Instruction Fuzzy Hash: B1419D7190424A9FCF14EF69DC45AEEBBB4FF16314F104466E915E3292EB309A44CF91

Function 00895760 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 008958A5
_memmove.LIBCMT ref: 008958F5
_memmove.LIBCMT ref: 0089595B

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: eb7fbe887a56a1988f6a58fdb4ffd97ebdbbb47571d6d2cdec29c933125f274b
Instruction ID: d7b724969d8bbfd6762fc23ecbeafd4243875b423607abd594ce08b64fd7b2da
Opcode Fuzzy Hash: eb7fbe887a56a1988f6a58fdb4ffd97ebdbbb47571d6d2cdec29c933125f274b
Instruction Fuzzy Hash: 2E128D70A00609DFDF14EFA9D981AAEB7F5FF48314F144629E406E7250EB36A914CF51

Function 008E3B12 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00884750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00884743,?,?,008837AE,?), ref: 00884770

Part of subcall function 008E4A31: GetFileAttributesW.KERNEL32(?,008E370B), ref: 008E4A32

FindFirstFileW.KERNEL32(?,?), ref: 008E3B89
DeleteFileW.KERNEL32(?,?,?,?), ref: 008E3BD9
FindNextFileW.KERNEL32(00000000,00000010), ref: 008E3BEA
FindClose.KERNEL32(00000000), ref: 008E3C01
FindClose.KERNEL32(00000000), ref: 008E3C0A

Strings

\*.*, xrefs: 008E3B5B

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 84687eb381562b0eed8db1e077a55afca1f75d753d72aea4870c9f8fbe9a4c76
Instruction ID: edc760ca878efbc862081addc61c044238c4027b59b9aed70d88c7a15204b53b
Opcode Fuzzy Hash: 84687eb381562b0eed8db1e077a55afca1f75d753d72aea4870c9f8fbe9a4c76
Instruction Fuzzy Hash: E0313C710183859FC201FB68D8958AFBBA8FE96314F44492DF4A6D3191EB21DA09DB63

Function 008E51BD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 008D87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 008D882B
Part of subcall function 008D87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 008D8858
Part of subcall function 008D87E1: GetLastError.KERNEL32 ref: 008D8865

ExitWindowsEx.USER32(?,00000000), ref: 008E51F9

Strings

SeShutdownPrivilege, xrefs: 008E51C9
@, xrefs: 008E51EC
, xrefs: 008E51E7

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 355835cb9f2854d7aa9956a811b2cef32cc88925a78f1e81e39658a0674f7617
Instruction ID: 934a89aed192ed264bf778021276ce994a85e8974c75c0cf82db6cae8f2e07bb
Opcode Fuzzy Hash: 355835cb9f2854d7aa9956a811b2cef32cc88925a78f1e81e39658a0674f7617
Instruction Fuzzy Hash: AB0176357A56466FFB38226AAC9AFBB7398FB0734CF200421FA13E20C2DA501C008590

Function 008F6283 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 008F62DC
WSAGetLastError.WSOCK32(00000000), ref: 008F62EB
bind.WSOCK32(00000000,?,00000010), ref: 008F6307
listen.WSOCK32(00000000,00000005), ref: 008F6316
WSAGetLastError.WSOCK32(00000000), ref: 008F6330
closesocket.WSOCK32(00000000,00000000), ref: 008F6344

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 130e97485f5cc50369a5e2983da1883202046adea52336317c9ea8483c0f0a4c
Instruction ID: 5aabf38ba54b0ee743b3a99078ea75d6cb46f966ac3e4dddd186a4801dc72c26
Opcode Fuzzy Hash: 130e97485f5cc50369a5e2983da1883202046adea52336317c9ea8483c0f0a4c
Instruction Fuzzy Hash: 2621CE316002099FCB10EF68C845A7EB7B9FF48324F248269EA56E7391D770AD15DB52

Function 00895520 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 008A0DB6: std::exception::exception.LIBCMT ref: 008A0DEC
Part of subcall function 008A0DB6: __CxxThrowException@8.LIBCMT ref: 008A0E01

_memmove.LIBCMT ref: 008D0258
_memmove.LIBCMT ref: 008D036D
_memmove.LIBCMT ref: 008D0414

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: bef9e90c5c9fe0ac6da7126874d01b6ab5658f241b81a7fe42a51b7b1137f995
Instruction ID: c8d101c399b366571abc873b25a0f6e3f44a13dcc3f32a745ab73416fd90418d
Opcode Fuzzy Hash: bef9e90c5c9fe0ac6da7126874d01b6ab5658f241b81a7fe42a51b7b1137f995
Instruction Fuzzy Hash: 6C02B070A00209DBDF05EF68D981AAEBBB5FF44304F54816AE80ADB355EB35DA50CF91

Function 00881287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00882612: GetWindowLongW.USER32(?,000000EB), ref: 00882623

DefDlgProcW.USER32(?,?,?,?,?), ref: 008819FA
GetSysColor.USER32(0000000F), ref: 00881A4E
SetBkColor.GDI32(?,00000000), ref: 00881A61

Part of subcall function 00881290: DefDlgProcW.USER32(?,00000020,?), ref: 008812D8

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: ed3bbf5e800fbe527d45bbbcd374faed6a83f607ef21a11728aa60bb7b623c9d
Instruction ID: 4e85de6f5cad35886860a4093d26479d6b31060d914595b65d1cca002197e60f
Opcode Fuzzy Hash: ed3bbf5e800fbe527d45bbbcd374faed6a83f607ef21a11728aa60bb7b623c9d
Instruction Fuzzy Hash: 2FA118B1116568FEDE2CBB28CC4CEBB395DFF42759B14021AF502D62D2DE549D029372

Function 008EBCBC Relevance: 7.6, APIs: 5, Instructions: 143fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 008EBCE6
_wcscmp.LIBCMT ref: 008EBD16
_wcscmp.LIBCMT ref: 008EBD2B
FindNextFileW.KERNEL32(00000000,?), ref: 008EBD3C
FindClose.KERNEL32(00000000,00000001,00000000), ref: 008EBD6C

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: 4dd68fef8d934ba3e6304df3d4139c6e8ea4743ef67addd6a30001e02b4e8fbc
Instruction ID: e65107c4dfa091f396df04d46af9671c5388dbb2b93b26a2ff85b4093ca3c164
Opcode Fuzzy Hash: 4dd68fef8d934ba3e6304df3d4139c6e8ea4743ef67addd6a30001e02b4e8fbc
Instruction Fuzzy Hash: B0517C356046429FD714DF69D890EAAB3E8FF4A324F14462DE956C73A1DB30ED04CB92

Function 008F6747 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 008F7D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 008F7DB6

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 008F679E
WSAGetLastError.WSOCK32(00000000), ref: 008F67C7
bind.WSOCK32(00000000,?,00000010), ref: 008F6800
WSAGetLastError.WSOCK32(00000000), ref: 008F680D
closesocket.WSOCK32(00000000,00000000), ref: 008F6821

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: 5f69e8bd94acf70717cb917250a638d57a8a577d518cdfccbf12c18ba691acab
Instruction ID: de4380ebf01ddcfb4ef4ede5c35dcdd88937a33cd486c5bfdab164a336835cae
Opcode Fuzzy Hash: 5f69e8bd94acf70717cb917250a638d57a8a577d518cdfccbf12c18ba691acab
Instruction Fuzzy Hash: AE41C575640214AFDB50BF288C86F7E77A8FB09714F44856CFA5AEB3C2DA709D009792

Function 00905376 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 009053C5
IsWindowEnabled.USER32 ref: 009053D3
GetForegroundWindow.USER32(?,?,00000001), ref: 009053E0
IsIconic.USER32 ref: 009053EE
IsZoomed.USER32 ref: 009053FC

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 883f8c76d15a10d7e303d448095a31ce265c42e3133c8b32d0d9bf58265e2526
Instruction ID: 2d533eae94bd59bf72f72c47cd6772b20ee3d4555c5206338d27abaebb5c3463
Opcode Fuzzy Hash: 883f8c76d15a10d7e303d448095a31ce265c42e3133c8b32d0d9bf58265e2526
Instruction Fuzzy Hash: 1B11B231300915AFEB316F269C58A6BBB9DFF847A1B464439F846D3291CBB09D018AA5

Function 008D80A9 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 008D80C0
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 008D80CA
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 008D80D9
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 008D80E0
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 008D80F6

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 638cc2f822a088edf63282e6d9aa93387a5acd89981c49a38edb07dcab908b25
Instruction ID: 0f362c944ebbf53d4691500aadc92de2e8b4210b38b620fb05e9690ce489ee18
Opcode Fuzzy Hash: 638cc2f822a088edf63282e6d9aa93387a5acd89981c49a38edb07dcab908b25
Instruction Fuzzy Hash: 66F06231258304EFEB304FA5EC9DE673BBCFF49B55B000126F945C6250CB619D45EA60

Function 008EC397 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 008EC432
CoCreateInstance.OLE32(00912D6C,00000000,00000001,00912BDC,?), ref: 008EC44A

Part of subcall function 00887DE1: _memmove.LIBCMT ref: 00887E22

CoUninitialize.OLE32 ref: 008EC6B7

Strings

.lnk, xrefs: 008EC3C6, 008EC3EE, 008EC3F8

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 3b95cb0a8c3d7fb6302a069ca43794d5d40d24fd1b97814f29786c9131cdd428
Instruction ID: 0a0011339245e6b1af583bfd28cfc57398f5803d6651b8a014c14d5705513cce
Opcode Fuzzy Hash: 3b95cb0a8c3d7fb6302a069ca43794d5d40d24fd1b97814f29786c9131cdd428
Instruction Fuzzy Hash: 36A14C71104205AFD700EF58C881EABB7E8FF95358F04492CF596D71A2DB71EA49CB62

Function 00884B37 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00884AD0), ref: 00884B45
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00884B57

Strings

GetNativeSystemInfo, xrefs: 00884B51
kernel32.dll, xrefs: 00884B40

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: e89b669481be792049e97881254111a695673f217c9dcef954420107387a528e
Instruction ID: d7a178d9d750f48432833be6aa3a196830e4f1d6180814c45318ae64ddc8ec23
Opcode Fuzzy Hash: e89b669481be792049e97881254111a695673f217c9dcef954420107387a528e
Instruction Fuzzy Hash: 2AD01235A14713CFD730AF72D838B0676D4FF45355B1188399485D6990E670E580CB54

Function 00893030 Relevance: 6.6, APIs: 4, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: aeabdf65d1ce912a337d1e4420221bcfa50a04e67f687f9911a9c5743ad58287
Instruction ID: ea28380fb00796da80b5f25d1b24dde1061cdb019b9013db87a6ae89dc218868
Opcode Fuzzy Hash: aeabdf65d1ce912a337d1e4420221bcfa50a04e67f687f9911a9c5743ad58287
Instruction Fuzzy Hash: E92247716083019FDB24EF18C881B6AB7E4FB85714F18492DF99AD7291EB71E904CB93

Function 008FEE0D Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 008FEE3D
Process32FirstW.KERNEL32(00000000,?), ref: 008FEE4B

Part of subcall function 00887DE1: _memmove.LIBCMT ref: 00887E22

Process32NextW.KERNEL32(00000000,?), ref: 008FEF0B
CloseHandle.KERNEL32(00000000,?,?,?), ref: 008FEF1A

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: dca0ab4591f75c966f8b3e4ac5cc1920ac0b64f147f51701de409011c0eb1a53
Instruction ID: 8ddacf1af440c6e2e8ab331496cefb582d32d8a1b0b5d3156b8628f67b1baa1f
Opcode Fuzzy Hash: dca0ab4591f75c966f8b3e4ac5cc1920ac0b64f147f51701de409011c0eb1a53
Instruction Fuzzy Hash: D4515B71508715AFD320EF28DC85E6BBBE8FF94710F50482DF595D62A1EB70A908CB92

Function 0088FCE0 Relevance: 5.5, APIs: 3, Instructions: 1040COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: BuffCharUpper
String ID:
API String ID: 3964851224-0
Opcode ID: e1bd28da5815d92dafd88eca26e8963f932f72c33dc1e147bf7b173693acc629
Instruction ID: c225d4ace963e5c797eb386d0f9c39a3be5b5172f161c42287e62f52a7ac5370
Opcode Fuzzy Hash: e1bd28da5815d92dafd88eca26e8963f932f72c33dc1e147bf7b173693acc629
Instruction Fuzzy Hash: 879238706083459FDB20EF18C490B2AB7E1FB85314F18896DE99ADB262D771EC45CF92

Function 008DE616 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 008DE628

Strings

|, xrefs: 008DE658
(, xrefs: 008DE66E

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 32b31dd04af96ac9e5d6b763ce4a8334c16a4d9c5d3b6f1a07c764055e37a268
Instruction ID: 73302ca820e0a8bb414e234dbb0da7261703471f84c55f381ece2c0b25667ae3
Opcode Fuzzy Hash: 32b31dd04af96ac9e5d6b763ce4a8334c16a4d9c5d3b6f1a07c764055e37a268
Instruction Fuzzy Hash: E1323575A007059FDB28DF19D4819AAB7F0FF58320B15C56EE89ADB3A1E770E941CB40

Function 008F22EE Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,008F180A,00000000), ref: 008F23E1
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 008F2418

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 022686a7ad6e5b6220f8f12d5bd0c88ee6c7671de21285fda784d5ef855d0fef
Instruction ID: 25bec455350024ec351f5a7a8530550d35e2dd3003ecd833a75bb4cdf2d25c41
Opcode Fuzzy Hash: 022686a7ad6e5b6220f8f12d5bd0c88ee6c7671de21285fda784d5ef855d0fef
Instruction Fuzzy Hash: 4241C5B190420DBFEB20DEB5DC85EBBB7BCFB40328F10406AF701E6650DAB59E419A55

Function 008EB3FB Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 008EB40B
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 008EB465
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 008EB4B2

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: d70a6c1a6276c5d082e594d7c98adbd27b3518932037172dd52a9c971bb46a0d
Instruction ID: c8fce4a3ab97bf3825eaff1446eb64a80bc06176ddac1e00cec5b2a056626943
Opcode Fuzzy Hash: d70a6c1a6276c5d082e594d7c98adbd27b3518932037172dd52a9c971bb46a0d
Instruction Fuzzy Hash: 35217135A10108EFCB00EFA9D884AEEBBB8FF49314F1480A9E945EB351DB319955DB51

Function 008D87E1 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 008A0DB6: std::exception::exception.LIBCMT ref: 008A0DEC
Part of subcall function 008A0DB6: __CxxThrowException@8.LIBCMT ref: 008A0E01

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 008D882B
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 008D8858
GetLastError.KERNEL32 ref: 008D8865

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 8f055fe00d1eea25afa36e21699c4ce3befe8a44a0ffd8cdc8ffd9e20bb07697
Instruction ID: 3ffe46aafecf219ed5c28160484ee25aff6db7c6d23d8837c56b7698d25a27b3
Opcode Fuzzy Hash: 8f055fe00d1eea25afa36e21699c4ce3befe8a44a0ffd8cdc8ffd9e20bb07697
Instruction Fuzzy Hash: 65116DB2814204AFE728EFA8DC85D6BB7BDFB45710B20862EE45597741EA30BC409B60

Function 008D874B Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 008D8774
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 008D878B
FreeSid.ADVAPI32(?), ref: 008D879B

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: d982a7c5f710d9e629aa4990ea8f950002fbadc95e4ced80489891e6ea7625ae
Instruction ID: 0f15454a1f9baefe0dc69e1052b3aa1acff4d23206efafcb67ac788050c62052
Opcode Fuzzy Hash: d982a7c5f710d9e629aa4990ea8f950002fbadc95e4ced80489891e6ea7625ae
Instruction Fuzzy Hash: 5EF04975A1130CBFDF00DFF4DC99AAEBBBCEF08701F1044A9A901E2681E6716B049B50

Function 008EC6D1 Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 008EC6FB
FindClose.KERNEL32(00000000), ref: 008EC72B

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: b5befe4ba557ff3568d7852351e1503827492077def336a42268e0022c2dacfa
Instruction ID: abea66c6458aa92d35e097baca26d2f393eaf301b899e573cf5584f0d5cd23d5
Opcode Fuzzy Hash: b5befe4ba557ff3568d7852351e1503827492077def336a42268e0022c2dacfa
Instruction Fuzzy Hash: A2118E726002059FDB10EF29D845A2AF7E9FF85324F04852EF9AAC7291DB30A905CB81

Function 008EA06A Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,008F9468,?,0090FB84,?), ref: 008EA097
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,008F9468,?,0090FB84,?), ref: 008EA0A9

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 15818bdf094589c4a102a8316b2031ca2c5dbc50fec88d7b96cdd54278513138
Instruction ID: edefc76eea292231ceab70cab111b9aee16c8a8e42daec6c24b9da00ae2f8510
Opcode Fuzzy Hash: 15818bdf094589c4a102a8316b2031ca2c5dbc50fec88d7b96cdd54278513138
Instruction Fuzzy Hash: 4EF0823511522DABDB21AFA8CC48FEA776CFF09761F004165F919D6181D630AA40CBA2

Function 008D81CB Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,008D8309), ref: 008D81E0
CloseHandle.KERNEL32(?,?,008D8309), ref: 008D81F2

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: d6b04d4e56b252690f9ea90a0f6c9d0eefbeca4e185e8c3b7c139ee5c7a80469
Instruction ID: ad279494a6b2f5c191bca292e39dd2d274b52e145bbe6b4705099e1dcafbb8e6
Opcode Fuzzy Hash: d6b04d4e56b252690f9ea90a0f6c9d0eefbeca4e185e8c3b7c139ee5c7a80469
Instruction Fuzzy Hash: 9CE0BF71014610AFEB252B64EC05D7777A9FB043507148929B455C4870DB615DA1EB10

Function 008AA155 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,008A8D57,?,?,?,00000001), ref: 008AA15A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 008AA163

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 51a495a159cab6803cbc68138de310a13b24e57c01020751a212f572f9660495
Instruction ID: 9d347e03e5b74be8134238d89a5eea68c94aab785514f3cc65498f40629212e8
Opcode Fuzzy Hash: 51a495a159cab6803cbc68138de310a13b24e57c01020751a212f572f9660495
Instruction Fuzzy Hash: 10B0923106C208AFCA102B91EC19B883FA8EB45BF2F404020F60D84860CB625650AA91

Function 0088E6A0 Relevance: 2.4, Strings: 1, Instructions: 1102COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 008C3E62

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 55fa749ea1e1ba99a9d388f8b86ee66d0df361caa71d24e757048ef5a696fa3f
Instruction ID: 1066ff02b769e9fb4025a811366d2b23cd19c3ab32db1e21f44ecbe52c943a6f
Opcode Fuzzy Hash: 55fa749ea1e1ba99a9d388f8b86ee66d0df361caa71d24e757048ef5a696fa3f
Instruction Fuzzy Hash: DBA2AF75A00219CFCB24EF98C480AAEB7B2FF59314F248069E915EB352D775ED42CB91

Function 008AF1D9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0ccb0add191aad47d08a6b88cb90e413dbe13d99f8674a70cf6e0f6813c02f1
Instruction ID: 8f3b23ff751fbacf903e686293dc0226f37bfaa1dc8caabf731c47e4240f7708
Opcode Fuzzy Hash: e0ccb0add191aad47d08a6b88cb90e413dbe13d99f8674a70cf6e0f6813c02f1
Instruction Fuzzy Hash: 33320321E6DF014DE7239674D822336A659EFB73C4F15D737E82AB5DA6EB28C4839100

Function 008B242E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c00e6746de87d5a6cb879f57804fe6d0d2ddef27b7eac2bb51802597a946444
Instruction ID: 9c460e63e6c13706d1e3be28c58541e9e1442563002f94fdc7fa1ffc5ab2a25e
Opcode Fuzzy Hash: 1c00e6746de87d5a6cb879f57804fe6d0d2ddef27b7eac2bb51802597a946444
Instruction Fuzzy Hash: 73B1E020E3AF514DD32396398831336BA5CAFBB2D5F51D71BFC2A74D62EB2189839141

Function 008E8889 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 008E889B

Part of subcall function 008A520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,008E8F6E,00000000,?,?,?,?,008E911F,00000000,?), ref: 008A5213
Part of subcall function 008A520A: __aulldiv.LIBCMT ref: 008A5233

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: f6b95af3ad7d76740f13e7a42c6f374815347677d36e3553246b66777733231a
Instruction ID: 0d9afd5857af99b48cf15561a0532a637660d5bd66b251d266a464f75e16b24b
Opcode Fuzzy Hash: f6b95af3ad7d76740f13e7a42c6f374815347677d36e3553246b66777733231a
Instruction Fuzzy Hash: F321D576635510CBC329CF29D441A52B3E1EFA6310B288E6CE4F5CB2C0CA34A945DB54

Function 008E4C27 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 008E4C4A

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: a5ef24d10b3b4bc5e803ae3ed3d417009531fffef7c4392a7482d27603d327a4
Instruction ID: fc784cacbbb61241a23d8ff9e15a5dd68d2d58e5c0e7c38cbbe5eed198bbb479
Opcode Fuzzy Hash: a5ef24d10b3b4bc5e803ae3ed3d417009531fffef7c4392a7482d27603d327a4
Instruction Fuzzy Hash: 8CD05E9116928D38EC2C07229E1FF7E0148F343796FF0B1897109CB0C1ECA05C406031

Function 008D87B1 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,008D8389), ref: 008D87D1

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: daaca7d97e3745f0f9de32bf002d14655b14787bfbd318777ed96f4fd60f1e52
Instruction ID: 5d24131771877721f1f99df45e9c99aaab165559e3e4a7ba93d32db8b102197b
Opcode Fuzzy Hash: daaca7d97e3745f0f9de32bf002d14655b14787bfbd318777ed96f4fd60f1e52
Instruction Fuzzy Hash: 70D05E3226450EAFEF018EA4DC01EAF3B69EB04B01F408111FE15C50A1C775D935AB60

Function 008AA124 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 008AA12A

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: b4ddfd8451a4e09fa23330b7cba626b8a6cf3298f099bcb41dbfaf8663e7b122
Instruction ID: 3839de2d887679ae65c6d4375d6ab527ffb68ddb97dc360c686ca4555ebd2467
Opcode Fuzzy Hash: b4ddfd8451a4e09fa23330b7cba626b8a6cf3298f099bcb41dbfaf8663e7b122
Instruction Fuzzy Hash: 09A0123001810CABCA001B41EC044447F9CD6002E07004020F40C40421873255105580

Function 00898808 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 909bff7c8dc5e2fa141612666afc866cdc3b5c5f60cfc940238df10d34a7295d
Instruction ID: a3108b1c07577f671b4745d628c2dad9c24caf0d98b47701bcbf35d78c5adf65
Opcode Fuzzy Hash: 909bff7c8dc5e2fa141612666afc866cdc3b5c5f60cfc940238df10d34a7295d
Instruction Fuzzy Hash: 2722143060451BCBDF28AA24C49477CBBE1FB46358F3C826BD956CB692DB70DD91CA42

Function 008A21C5 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: c041df5a4fb47c91b9d4f1417c5d54559afcb85ef7ee097883059321a8bae461
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 26C182322050A30AEF6D463D843413EFAA1BFA37B171A075DD8B2DB9D4EE24C965D720

Function 008A25FA Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: ab019f320124dfb35ac268a07ae69c3c1733e274f4e1c60809b3109414c310a1
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: E6C173322051A30AEF3D463E843453EBAA1BFA37B171A076DD4B2DB9D4EE14C925D720

Function 008A1978 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: db5ccb8c4af99a4d9752350da73db13cead079a295a5b9b74fc989aa20c866a3
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 7CC170322051A309EF6D4639847813EBAA1EFA37B171A176DD4B2DB9C4EE20D925D720

Function 008F7806 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 008F785B
DeleteObject.GDI32(00000000), ref: 008F786D
DestroyWindow.USER32 ref: 008F787B
GetDesktopWindow.USER32 ref: 008F7895
GetWindowRect.USER32(00000000), ref: 008F789C
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 008F79DD
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 008F79ED
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008F7A35
GetClientRect.USER32(00000000,?), ref: 008F7A41
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 008F7A7B
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008F7A9D
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008F7AB0
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008F7ABB
GlobalLock.KERNEL32(00000000), ref: 008F7AC4
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008F7AD3
GlobalUnlock.KERNEL32(00000000), ref: 008F7ADC
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008F7AE3
GlobalFree.KERNEL32(00000000), ref: 008F7AEE
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008F7B00
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00912CAC,00000000), ref: 008F7B16
GlobalFree.KERNEL32(00000000), ref: 008F7B26
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 008F7B4C
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 008F7B6B
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008F7B8D
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008F7D7A

Strings

AutoIt v3, xrefs: 008F7A2D
DISPLAY, xrefs: 008F7BDD
static, xrefs: 008F7A75, 008F7BCC
, xrefs: 008F7D00

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 0867d95d4cfcec0a5f2f4a7c686cfe1f2f215aa699649b05ecdc0f9a37167a34
Instruction ID: 4a3d3f5545318d6784f68864aa0cc5eb0a735a633c32fa5047d05664fe4fd8dc
Opcode Fuzzy Hash: 0867d95d4cfcec0a5f2f4a7c686cfe1f2f215aa699649b05ecdc0f9a37167a34
Instruction Fuzzy Hash: 3F028B71A14119EFEB14DFA8CC99EAE7BB9FB48310F148168F915EB2A1C7709D01DB60

Function 0090356B Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,0090F910), ref: 00903627
IsWindowVisible.USER32(?), ref: 0090364B

Strings

SENDCOMMANDID, xrefs: 009039DA
FINDSTRING, xrefs: 00903776
GETCURRENTCOL, xrefs: 00903928
SHOWDROPDOWN, xrefs: 009036E0
GETLINE, xrefs: 0090399B
DELSTRING, xrefs: 00903749
TABLEFT, xrefs: 00903687
GETSELECTED, xrefs: 009038A3
SETCURRENTSELECTION, xrefs: 009037B6
CHECK, xrefs: 0090386D
GETCURRENTSELECTION, xrefs: 009037E3
TABRIGHT, xrefs: 0090369D
ISCHECKED, xrefs: 00903839
GETLINECOUNT, xrefs: 009038C6
HIDEDROPDOWN, xrefs: 00903700
EDITPASTE, xrefs: 0090395F
ISENABLED, xrefs: 0090366B
ADDSTRING, xrefs: 00903716
UNCHECK, xrefs: 00903883
ISVISIBLE, xrefs: 00903637
GETCURRENTLINE, xrefs: 009038ED
SELECTSTRING, xrefs: 00903806
CURRENTTAB, xrefs: 009036BD

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 1c005592d0b3791bb91a012bcbe7314843e7e49a07d0b1745de93525c35938af
Instruction ID: e0cc7fe3bb9580859ee742f3d5c487ef60b50de9f959b69a7afd1e09ae5f0472
Opcode Fuzzy Hash: 1c005592d0b3791bb91a012bcbe7314843e7e49a07d0b1745de93525c35938af
Instruction Fuzzy Hash: 55D17E302043119FCB14EF14C456A6E77E9FF95354F188868F8869B7E2DB61EE4ACB42

Function 0090A5DA Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0090A630
GetSysColorBrush.USER32(0000000F), ref: 0090A661
GetSysColor.USER32(0000000F), ref: 0090A66D
SetBkColor.GDI32(?,000000FF), ref: 0090A687
SelectObject.GDI32(?,00000000), ref: 0090A696
InflateRect.USER32(?,000000FF,000000FF), ref: 0090A6C1
GetSysColor.USER32(00000010), ref: 0090A6C9
CreateSolidBrush.GDI32(00000000), ref: 0090A6D0
FrameRect.USER32(?,?,00000000), ref: 0090A6DF
DeleteObject.GDI32(00000000), ref: 0090A6E6
InflateRect.USER32(?,000000FE,000000FE), ref: 0090A731
FillRect.USER32(?,?,00000000), ref: 0090A763
GetWindowLongW.USER32(?,000000F0), ref: 0090A78E

Part of subcall function 0090A8CA: GetSysColor.USER32(00000012), ref: 0090A903
Part of subcall function 0090A8CA: SetTextColor.GDI32(?,?), ref: 0090A907
Part of subcall function 0090A8CA: GetSysColorBrush.USER32(0000000F), ref: 0090A91D
Part of subcall function 0090A8CA: GetSysColor.USER32(0000000F), ref: 0090A928
Part of subcall function 0090A8CA: GetSysColor.USER32(00000011), ref: 0090A945
Part of subcall function 0090A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0090A953
Part of subcall function 0090A8CA: SelectObject.GDI32(?,00000000), ref: 0090A964
Part of subcall function 0090A8CA: SetBkColor.GDI32(?,00000000), ref: 0090A96D
Part of subcall function 0090A8CA: SelectObject.GDI32(?,?), ref: 0090A97A
Part of subcall function 0090A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 0090A999
Part of subcall function 0090A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0090A9B0
Part of subcall function 0090A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 0090A9C5
Part of subcall function 0090A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0090A9ED

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: 6eff8e7c917dc94585caf91ba79144c726aa11f6baedc701ff6ca1d8e0cb99bb
Instruction ID: 19f97fb699172462cb13221db2514c6449c50e514e853f5d75be8bfef04a57ac
Opcode Fuzzy Hash: 6eff8e7c917dc94585caf91ba79144c726aa11f6baedc701ff6ca1d8e0cb99bb
Instruction Fuzzy Hash: 4D918D72418301EFDB609F64DC08A6B7BB9FF89321F104B29F962961E0D771DA44DB92

Function 00882C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00882CA2
DeleteObject.GDI32(00000000), ref: 00882CE8
DeleteObject.GDI32(00000000), ref: 00882CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 00882CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00882D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 008BC43B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 008BC474
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 008BC89D

Part of subcall function 00881B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00882036,?,00000000,?,?,?,?,008816CB,00000000,?), ref: 00881B9A

SendMessageW.USER32(?,00001053), ref: 008BC8DA
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 008BC8F1
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 008BC907
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 008BC912

Strings

0, xrefs: 008BC731

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: aaba3be898757e42d0c472bf963a7051c1fef512e394254d5f1cc619fbace6bc
Instruction ID: 80a4c2c3eef13fd9367f9ce48684c8463131a532868afafc7757b3e71b3ce7d0
Opcode Fuzzy Hash: aaba3be898757e42d0c472bf963a7051c1fef512e394254d5f1cc619fbace6bc
Instruction Fuzzy Hash: B3129D30604201EFDB21DF28C994BB9BBE5FF05304F5445A9F896CB662CB31E942DBA1

Function 008F74AB Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 008F74DE
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 008F759D
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 008F75DB
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 008F75ED
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 008F7633
GetClientRect.USER32(00000000,?), ref: 008F763F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 008F7683
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 008F7692
GetStockObject.GDI32(00000011), ref: 008F76A2
SelectObject.GDI32(00000000,00000000), ref: 008F76A6
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 008F76B6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 008F76BF
DeleteDC.GDI32(00000000), ref: 008F76C8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 008F76F4
SendMessageW.USER32(00000030,00000000,00000001), ref: 008F770B
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 008F7746
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 008F775A
SendMessageW.USER32(00000404,00000001,00000000), ref: 008F776B
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 008F779B
GetStockObject.GDI32(00000011), ref: 008F77A6
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 008F77B1
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 008F77BB

Strings

msctls_progress32, xrefs: 008F773C
AutoIt v3, xrefs: 008F762B
DISPLAY, xrefs: 008F7688
static, xrefs: 008F767D, 008F7795

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 82ebd26c7c23b370dc4ae5efe9a62651ad25f3593949179dd5593c50ca28aec4
Instruction ID: 614c9d8ff2dcc2503910ca9b3cddfaf809d1fefed3cde460ea8e054804044808
Opcode Fuzzy Hash: 82ebd26c7c23b370dc4ae5efe9a62651ad25f3593949179dd5593c50ca28aec4
Instruction Fuzzy Hash: B2A17F71A54619BFEB14DBA8DC4AFAE7BB9FB09710F004115FA14E72E1D6B0AD00DB60

Function 008EAD10 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 008EAD1E
GetDriveTypeW.KERNEL32(?,0090FAC0,?,\\.\,0090F910), ref: 008EADFB
SetErrorMode.KERNEL32(00000000,0090FAC0,?,\\.\,0090F910), ref: 008EAF59

Strings

Fixed, xrefs: 008EAE43
SATA, xrefs: 008EAF0C
CDROM, xrefs: 008EAE2F
1394, xrefs: 008EAEDB
SAS, xrefs: 008EAF05
SSA, xrefs: 008EAEE2
RAID, xrefs: 008EAEF7
Removable, xrefs: 008EAE4D
Network, xrefs: 008EAE39
ATAPI, xrefs: 008EAECD
USB, xrefs: 008EAEF0
\\.\, xrefs: 008EAD70
SSD, xrefs: 008EAE86
iSCSI, xrefs: 008EAEFE
RAMDisk, xrefs: 008EAE25
SCSI, xrefs: 008EAEC6
Unknown, xrefs: 008EAE1B, 008EAEBF
Virtual, xrefs: 008EAF21
Fibre, xrefs: 008EAEE9
ATA, xrefs: 008EAED4
FileBackedVirtual, xrefs: 008EAF28
MMC, xrefs: 008EAF1A
PhysicalDrive, xrefs: 008EADA7

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 7723a81acdde63b17d864807c15d18b7c7b36523c13ac427eab3f131a9bdf99e
Instruction ID: e8eb6160bfc1f4d72e011551ea7d27d6bdd07a8f26693125b65dfec5e045a7bc
Opcode Fuzzy Hash: 7723a81acdde63b17d864807c15d18b7c7b36523c13ac427eab3f131a9bdf99e
Instruction Fuzzy Hash: 485187B064424A9BCB18EB16D952C7E73B1FF8AB08B204156F407E7291DE71BD41DB53

Function 008868DC Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00886931
__wcsnicmp.LIBCMT ref: 00886949
__wcsnicmp.LIBCMT ref: 00886961
__wcsnicmp.LIBCMT ref: 00886979
__wcsnicmp.LIBCMT ref: 00886991
__wcsnicmp.LIBCMT ref: 008869A9
__wcsnicmp.LIBCMT ref: 008869C1
__wcsnicmp.LIBCMT ref: 008869D5
__wcsnicmp.LIBCMT ref: 00886A16
__wcsnicmp.LIBCMT ref: 00886A2A
__wcsnicmp.LIBCMT ref: 00886A3E
__wcsnicmp.LIBCMT ref: 00886A52

Strings

Cannot parse #include, xrefs: 008BE3F0
Unterminated group of comments, xrefs: 008BE403
#requireadmin, xrefs: 0088695B
Bad directive syntax error, xrefs: 008BE31A
#ce, xrefs: 00886A4C
#cs, xrefs: 008869CF, 00886A24
#pragma compile, xrefs: 0088692B
#OnAutoItStartRegister, xrefs: 00886973
#include-once, xrefs: 0088698B
#notrayicon, xrefs: 00886943
#include, xrefs: 008869A3
#comments-start, xrefs: 008869BB, 00886A10
#comments-end, xrefs: 00886A38

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: a821e735d9993334a410b9bc14426417e4c157262e22fc0bc08d91b36b332520
Instruction ID: 448f9e762dfe6a9a3a33628bc30e0677e11b57c19c0f7bdbb84a7162015acdee
Opcode Fuzzy Hash: a821e735d9993334a410b9bc14426417e4c157262e22fc0bc08d91b36b332520
Instruction Fuzzy Hash: F38105B06002196BDB21BB68EC43FEB37A8FF15704F040025F905EA6D2FB60DA61D762

Function 00909A1C Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 455windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00909AD2
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00909B8B
SendMessageW.USER32(?,00001102,00000002,?), ref: 00909BA7

Strings

0, xrefs: 00909BE4

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: a3fbe203588cac98b35f7dd962ab693f112e79673622fa4a3f8242db31d2d7cc
Instruction ID: 13565c320324ffb77e8ff17de608b8f6c6578b2c6de67ed7ffc25127b97c3364
Opcode Fuzzy Hash: a3fbe203588cac98b35f7dd962ab693f112e79673622fa4a3f8242db31d2d7cc
Instruction Fuzzy Hash: 1802AC71108201AFE725CF14C858BAABBE9FF8A314F04892DF999D62E2C735DD44DB52

Function 0090A8CA Relevance: 39.2, APIs: 26, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 0090A903
SetTextColor.GDI32(?,?), ref: 0090A907
GetSysColorBrush.USER32(0000000F), ref: 0090A91D
GetSysColor.USER32(0000000F), ref: 0090A928
CreateSolidBrush.GDI32(?), ref: 0090A92D
GetSysColor.USER32(00000011), ref: 0090A945
CreatePen.GDI32(00000000,00000001,00743C00), ref: 0090A953
SelectObject.GDI32(?,00000000), ref: 0090A964
SetBkColor.GDI32(?,00000000), ref: 0090A96D
SelectObject.GDI32(?,?), ref: 0090A97A
InflateRect.USER32(?,000000FF,000000FF), ref: 0090A999
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0090A9B0
GetWindowLongW.USER32(00000000,000000F0), ref: 0090A9C5
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0090A9ED
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0090AA14
InflateRect.USER32(?,000000FD,000000FD), ref: 0090AA32
DrawFocusRect.USER32(?,?), ref: 0090AA3D
GetSysColor.USER32(00000011), ref: 0090AA4B
SetTextColor.GDI32(?,00000000), ref: 0090AA53
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0090AA67
SelectObject.GDI32(?,0090A5FA), ref: 0090AA7E
DeleteObject.GDI32(?), ref: 0090AA89
SelectObject.GDI32(?,?), ref: 0090AA8F
DeleteObject.GDI32(?), ref: 0090AA94
SetTextColor.GDI32(?,?), ref: 0090AA9A
SetBkColor.GDI32(?,?), ref: 0090AAA4

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 703f7f9495144505f34f8344e3a58ba263c2afc4f2009785ba56ec000c286a0c
Instruction ID: c6e85e54003e13b8d98f4b95df6bb603714eda8bec4563db68190d6f676869ba
Opcode Fuzzy Hash: 703f7f9495144505f34f8344e3a58ba263c2afc4f2009785ba56ec000c286a0c
Instruction Fuzzy Hash: F8513B71914208EFDF209FA4DC48EAE7BB9EF09320F114625F911AB2A1D7759A40EF90

Function 009089D5 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00908AC1
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00908AD2
CharNextW.USER32(0000014E), ref: 00908B01
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00908B42
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00908B58
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00908B69
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00908B86
SetWindowTextW.USER32(?,0000014E), ref: 00908BD8
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00908BEE
SendMessageW.USER32(?,00001002,00000000,?), ref: 00908C1F
_memset.LIBCMT ref: 00908C44
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00908C8D
_memset.LIBCMT ref: 00908CEC
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00908D16
SendMessageW.USER32(?,00001074,?,00000001), ref: 00908D6E
SendMessageW.USER32(?,0000133D,?,?), ref: 00908E1B
InvalidateRect.USER32(?,00000000,00000001), ref: 00908E3D
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00908E87
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00908EB4
DrawMenuBar.USER32(?), ref: 00908EC3
SetWindowTextW.USER32(?,0000014E), ref: 00908EEB

Strings

0, xrefs: 00908E55

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: cdeaeb15f24b4cdae644994c029806ebfc981ce3ffd1b5debb7bb287e0512386
Instruction ID: 253cc38bf1e2563293b17b88dc7196e5e9889e90f2999908ec0ffb1ac93c93b9
Opcode Fuzzy Hash: cdeaeb15f24b4cdae644994c029806ebfc981ce3ffd1b5debb7bb287e0512386
Instruction Fuzzy Hash: 69E18D71A04219AFDF209F64CC84EEF7BB9EF09710F008156F995AA2D1DB748A81DF60

Function 0090488F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 009049CA
GetDesktopWindow.USER32 ref: 009049DF
GetWindowRect.USER32(00000000), ref: 009049E6
GetWindowLongW.USER32(?,000000F0), ref: 00904A48
DestroyWindow.USER32(?), ref: 00904A74
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00904A9D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00904ABB
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00904AE1
SendMessageW.USER32(?,00000421,?,?), ref: 00904AF6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00904B09
IsWindowVisible.USER32(?), ref: 00904B29
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00904B44
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00904B58
GetWindowRect.USER32(?,?), ref: 00904B70
MonitorFromPoint.USER32(?,?,00000002), ref: 00904B96
GetMonitorInfoW.USER32(00000000,?), ref: 00904BB0
CopyRect.USER32(?,?), ref: 00904BC7
SendMessageW.USER32(?,00000412,00000000), ref: 00904C32

Strings

0, xrefs: 00904975
(, xrefs: 00904BA3
tooltips_class32, xrefs: 00904A96

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 134ee38f7a549c33acbac206714524b63084921e23b80197021aab303458f999
Instruction ID: 3a9ce9c2896134cda94d8aedf43a4f3fd1b234f335471a076b4cc8a07490c939
Opcode Fuzzy Hash: 134ee38f7a549c33acbac206714524b63084921e23b80197021aab303458f999
Instruction Fuzzy Hash: 2BB19DB1608341AFDB04DF64C844B6ABBE8FF88714F008A1CF6999B2A1D771ED05CB56

Function 008E449A Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 008E44AC
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 008E44D2
_wcscpy.LIBCMT ref: 008E4500
_wcscmp.LIBCMT ref: 008E450B
_wcscat.LIBCMT ref: 008E4521
_wcsstr.LIBCMT ref: 008E452C
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 008E4548
_wcscat.LIBCMT ref: 008E4591
_wcscat.LIBCMT ref: 008E4598
_wcsncpy.LIBCMT ref: 008E45C3

Strings

StringFileInfo\, xrefs: 008E451B
\VarFileInfo\Translation, xrefs: 008E4540
DefaultLangCodepage, xrefs: 008E45AB
04090000, xrefs: 008E457E
%u.%u.%u.%u, xrefs: 008E4626

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 6351900776a1e7a96457ae46fa31f45364555e28d6dd029362903a3f7e40298c
Instruction ID: f7ac8d4393b935a1c9a3d24e48bc6c116bfa9019d903654386c6cd696196f0ad
Opcode Fuzzy Hash: 6351900776a1e7a96457ae46fa31f45364555e28d6dd029362903a3f7e40298c
Instruction Fuzzy Hash: 2D41E9316003047BEB20AB798C47EBF77ACFF87714F040465F905E6582EA74DA0196A6

Function 008827D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 008828BC
GetSystemMetrics.USER32(00000007), ref: 008828C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 008828EF
GetSystemMetrics.USER32(00000008), ref: 008828F7
GetSystemMetrics.USER32(00000004), ref: 0088291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00882939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00882949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0088297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00882990
GetClientRect.USER32(00000000,000000FF), ref: 008829AE
GetStockObject.GDI32(00000011), ref: 008829CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 008829D5

Part of subcall function 00882344: GetCursorPos.USER32(?), ref: 00882357
Part of subcall function 00882344: ScreenToClient.USER32(009457B0,?), ref: 00882374
Part of subcall function 00882344: GetAsyncKeyState.USER32(00000001), ref: 00882399
Part of subcall function 00882344: GetAsyncKeyState.USER32(00000002), ref: 008823A7

SetTimer.USER32(00000000,00000000,00000028,00881256), ref: 008829FC

Strings

AutoIt v3 GUI, xrefs: 00882974

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 85575c56eb46c8686461e9cfb3862081092b26e59b26993589a7c49010662b59
Instruction ID: 7426e4c51f01db3961219d706ea1734e0a65bb5031d0cbc49150d47a206e8561
Opcode Fuzzy Hash: 85575c56eb46c8686461e9cfb3862081092b26e59b26993589a7c49010662b59
Instruction Fuzzy Hash: 1DB19E71A1020AEFDB24EFA8DC55FAE7BB4FB08314F104129FA15E72A0DB74A941DB50

Function 008DA439 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 008DA47A
__swprintf.LIBCMT ref: 008DA51B
_wcscmp.LIBCMT ref: 008DA52E
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 008DA583
_wcscmp.LIBCMT ref: 008DA5BF
GetClassNameW.USER32(?,?,00000400), ref: 008DA5F6
GetDlgCtrlID.USER32(?), ref: 008DA648
GetWindowRect.USER32(?,?), ref: 008DA67E
GetParent.USER32(?), ref: 008DA69C
ScreenToClient.USER32(00000000), ref: 008DA6A3
GetClassNameW.USER32(?,?,00000100), ref: 008DA71D
_wcscmp.LIBCMT ref: 008DA731
GetWindowTextW.USER32(?,?,00000400), ref: 008DA757
_wcscmp.LIBCMT ref: 008DA76B

Part of subcall function 008A362C: _iswctype.LIBCMT ref: 008A3634

Strings

%s%u, xrefs: 008DA515

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 3cdcbd975abb06ea132cdb081efbc383f8e3dbbd864d47b3efa165958c9fd8db
Instruction ID: d2d3f330db191583d9bbb630c708bc69d45f8f3e49d32ed93fe67c1af36856e3
Opcode Fuzzy Hash: 3cdcbd975abb06ea132cdb081efbc383f8e3dbbd864d47b3efa165958c9fd8db
Instruction Fuzzy Hash: C1A1D771204706EFD718DF64C884FAAB7E8FF54314F24462AF999D2250DB30EA55CB92

Function 008DAED4 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 008DAF18
_wcscmp.LIBCMT ref: 008DAF29
GetWindowTextW.USER32(00000001,?,00000400), ref: 008DAF51
CharUpperBuffW.USER32(?,00000000), ref: 008DAF6E
_wcscmp.LIBCMT ref: 008DAF8C
_wcsstr.LIBCMT ref: 008DAF9D
GetClassNameW.USER32(00000018,?,00000400), ref: 008DAFD5
_wcscmp.LIBCMT ref: 008DAFE5
GetWindowTextW.USER32(00000002,?,00000400), ref: 008DB00C
GetClassNameW.USER32(00000018,?,00000400), ref: 008DB055
_wcscmp.LIBCMT ref: 008DB065
GetClassNameW.USER32(00000010,?,00000400), ref: 008DB08D
GetWindowRect.USER32(00000004,?), ref: 008DB0F6

Strings

ThumbnailClass, xrefs: 008DAFE0, 008DB060
@, xrefs: 008DAEF9

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: ac6604442bc23ac1b8083f91372370568156afcfcbc55689e953e06c409c2f65
Instruction ID: 7eff77c6b8a1e5d7aa26d448c356ed7ffdc5a7e752c0b9976367d97aaaeee118
Opcode Fuzzy Hash: ac6604442bc23ac1b8083f91372370568156afcfcbc55689e953e06c409c2f65
Instruction Fuzzy Hash: D6819E71108209DFDB15DF14C881BAABBE8FF44714F14866AFD85CA296DB30DE49CB62

Function 008DABD4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 008DAC33

Strings

[ACTIVE, xrefs: 008DAC20
[ALL, xrefs: 008DACD9
CLASSNAME=, xrefs: 008DAC70
[LAST, xrefs: 008DACE0
ALL, xrefs: 008DACC7
ACTIVE, xrefs: 008DAC0E
REGEXP=, xrefs: 008DAC48
LAST, xrefs: 008DABF8
[CLASS:, xrefs: 008DAC83
HANDLE=, xrefs: 008DAC2C
[HANDLE:, xrefs: 008DAC3F
[REGEXPTITLE:, xrefs: 008DAC5B

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 0d855d40c7d224703413a0fd9563fd4adb4d0fbe4ed437a510685b3da0b47d0a
Instruction ID: 904f8a728d73d73c607da2f945c296b8c170bfd2b7a9b01d1a732f92a0dd5589
Opcode Fuzzy Hash: 0d855d40c7d224703413a0fd9563fd4adb4d0fbe4ed437a510685b3da0b47d0a
Instruction Fuzzy Hash: 31319271548209A7DA24FA98DE03EAEB7A4FB10724F700526F441F15D1EB51AF04DA53

Function 008F4FFD Relevance: 25.6, APIs: 17, Instructions: 110COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 008F5013
LoadCursorW.USER32(00000000,00007F00), ref: 008F501E
LoadCursorW.USER32(00000000,00007F03), ref: 008F5029
LoadCursorW.USER32(00000000,00007F8B), ref: 008F5034
LoadCursorW.USER32(00000000,00007F01), ref: 008F503F
LoadCursorW.USER32(00000000,00007F81), ref: 008F504A
LoadCursorW.USER32(00000000,00007F88), ref: 008F5055
LoadCursorW.USER32(00000000,00007F80), ref: 008F5060
LoadCursorW.USER32(00000000,00007F86), ref: 008F506B
LoadCursorW.USER32(00000000,00007F83), ref: 008F5076
LoadCursorW.USER32(00000000,00007F85), ref: 008F5081
LoadCursorW.USER32(00000000,00007F82), ref: 008F508C
LoadCursorW.USER32(00000000,00007F84), ref: 008F5097
LoadCursorW.USER32(00000000,00007F04), ref: 008F50A2
LoadCursorW.USER32(00000000,00007F02), ref: 008F50AD
LoadCursorW.USER32(00000000,00007F89), ref: 008F50B8
GetCursorInfo.USER32(?), ref: 008F50C8

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: c06f23f4bb1283ad98d6300956c72d2c8bc9250ab19f009ae8d31c26e4e81b9d
Instruction ID: 69db20e77a00e4baaea8fae246bb8f752ee91303f7051353fbc124f1068886de
Opcode Fuzzy Hash: c06f23f4bb1283ad98d6300956c72d2c8bc9250ab19f009ae8d31c26e4e81b9d
Instruction Fuzzy Hash: D831F2B1D4871E6ADF109FB68C8996EBFE8FF04754F50453AE60DE7280DA78A5008F91

Function 0090A1B9 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0090A259
DestroyWindow.USER32(?,?), ref: 0090A2D3

Part of subcall function 00887BCC: _memmove.LIBCMT ref: 00887C06

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0090A34D
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0090A36F
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0090A382
DestroyWindow.USER32(00000000), ref: 0090A3A4
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00880000,00000000), ref: 0090A3DB
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0090A3F4
GetDesktopWindow.USER32 ref: 0090A40D
GetWindowRect.USER32(00000000), ref: 0090A414
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0090A42C
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0090A444

Part of subcall function 008825DB: GetWindowLongW.USER32(?,000000EB), ref: 008825EC

Strings

tooltips_class32, xrefs: 0090A346, 0090A3D4
0, xrefs: 0090A26F

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: e4ff21166e15ad14e11c0dc7a2a62c767ee4c650eae9c39608ce1c41f27b12da
Instruction ID: ed553b17ff516f2310aca8e462fc591c2b35133363f133818cb6eac0d96b6786
Opcode Fuzzy Hash: e4ff21166e15ad14e11c0dc7a2a62c767ee4c650eae9c39608ce1c41f27b12da
Instruction Fuzzy Hash: 8D716675154304AFD721CF28C849F6A7BEAFB89704F04492DF9858B2B1DB71E902DB92

Function 0090C5FE Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00882612: GetWindowLongW.USER32(?,000000EB), ref: 00882623

DragQueryPoint.SHELL32(?,?), ref: 0090C627

Part of subcall function 0090AB37: ClientToScreen.USER32(?,?), ref: 0090AB60
Part of subcall function 0090AB37: GetWindowRect.USER32(?,?), ref: 0090ABD6
Part of subcall function 0090AB37: PtInRect.USER32(?,?,0090C014), ref: 0090ABE6

SendMessageW.USER32(?,000000B0,?,?), ref: 0090C690
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0090C69B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0090C6BE
_wcscat.LIBCMT ref: 0090C6EE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 0090C705
SendMessageW.USER32(?,000000B0,?,?), ref: 0090C71E
SendMessageW.USER32(?,000000B1,?,?), ref: 0090C735
SendMessageW.USER32(?,000000B1,?,?), ref: 0090C757
DragFinish.SHELL32(?), ref: 0090C75E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0090C851

Strings

@GUI_DRAGID, xrefs: 0090C7C9
@GUI_DRAGFILE, xrefs: 0090C800
@GUI_DROPID, xrefs: 0090C77E

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: 246e7c6474dc58627147be85c70be530b6df1c0b87ec81d4c135def194ce6848
Instruction ID: a3ca32a1fe249b0faa4623b436ff612c4e45bc00d1c490c1b540d8c6cdde179a
Opcode Fuzzy Hash: 246e7c6474dc58627147be85c70be530b6df1c0b87ec81d4c135def194ce6848
Instruction Fuzzy Hash: 64616A72108301AFC711EF64DC85EAFBBE8FF89714F400A2EF595921A1DB719A49CB52

Function 00904392 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00904424
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0090446F

Strings

ISCHECKED, xrefs: 009045F2
EXPAND, xrefs: 00904521
SELECT, xrefs: 00904620
GETSELECTED, xrefs: 0090457F
EXISTS, xrefs: 009044D8
CHECK, xrefs: 0090448F
GETTEXT, xrefs: 009045C2
GETITEMCOUNT, xrefs: 00904551
UNCHECK, xrefs: 0090464B
COLLAPSE, xrefs: 009044B5
GETTOTALCOUNT, xrefs: 00904456

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 69343487f5cc7c13baefb854387a4af61070accbc4c60452bba276c940f575c7
Instruction ID: da16d2b2d47c295dde32e9b7c8e33aa715981e1edd864cfcd822ed6a8aa6f629
Opcode Fuzzy Hash: 69343487f5cc7c13baefb854387a4af61070accbc4c60452bba276c940f575c7
Instruction Fuzzy Hash: A8918C702043119FCB14EF18C851A6EB7E5FF95354F088868F8969B7A2DB35ED49CB82

Function 0090B7FE Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0090B8B4
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,009091C2), ref: 0090B910
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0090B949
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0090B98C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0090B9C3
FreeLibrary.KERNEL32(?), ref: 0090B9CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0090B9DF
DestroyIcon.USER32(?,?,?,?,?,009091C2), ref: 0090B9EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0090BA0B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0090BA17

Part of subcall function 008A2EFD: __wcsicmp_l.LIBCMT ref: 008A2F86

Strings

.dll, xrefs: 0090B86D
.icl, xrefs: 0090B82A
.exe, xrefs: 0090B84A

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 26e8963aa014cea074f54fc8b61b4acf42838fb41036e216b29748bf4c14b7cc
Instruction ID: de2b61adf5d8cd86d6df9671f02228f5f574c7963f9d6ebeea392a3afec247b9
Opcode Fuzzy Hash: 26e8963aa014cea074f54fc8b61b4acf42838fb41036e216b29748bf4c14b7cc
Instruction Fuzzy Hash: 7261BE71500219BEEB24DF68CC41FBE77ACFB08724F104515F925D61D1DBB4AA90DBA0

Function 008EDC1A Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 008EDCDC
SystemTimeToFileTime.KERNEL32(?,?), ref: 008EDCEC
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 008EDCF8
__wsplitpath.LIBCMT ref: 008EDD56
_wcscat.LIBCMT ref: 008EDD6E
_wcscat.LIBCMT ref: 008EDD80
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 008EDD95
SetCurrentDirectoryW.KERNEL32(?), ref: 008EDDA9
SetCurrentDirectoryW.KERNEL32(?), ref: 008EDDDB
SetCurrentDirectoryW.KERNEL32(?), ref: 008EDDFC
_wcscpy.LIBCMT ref: 008EDE08
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 008EDE47

Strings

*.*, xrefs: 008EDE02

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: f74081e6be8256b47d2ff04a5d9fbaf6fded5696e88bdddc0d0a2883f9511086
Instruction ID: ae966e7937258b83f8a71affba0437d20981f63dea7ef4442616068ed74b6bd5
Opcode Fuzzy Hash: f74081e6be8256b47d2ff04a5d9fbaf6fded5696e88bdddc0d0a2883f9511086
Instruction Fuzzy Hash: E9615B765043469FCB10EF69C8449AEB3E8FF8A314F04492DF999C7251DB31EA49CB92

Function 008EA352 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00889837: __itow.LIBCMT ref: 00889862
Part of subcall function 00889837: __swprintf.LIBCMT ref: 008898AC

CharLowerBuffW.USER32(?,?), ref: 008EA3CB
GetDriveTypeW.KERNEL32 ref: 008EA418
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 008EA460
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 008EA497
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 008EA4C5

Part of subcall function 00887BCC: _memmove.LIBCMT ref: 00887C06

Strings

close, xrefs: 008EA3D1
close cd wait, xrefs: 008EA4B0
open , xrefs: 008EA427
type cdaudio alias cd wait, xrefs: 008EA443
set cd door , xrefs: 008EA466
closed, xrefs: 008EA3DF, 008EA3E8
wait, xrefs: 008EA482
open, xrefs: 008EA3F2

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: aca2cb1caa0a6d77b2d97b4c801b05cfa43c894233303e49f295cfdc78b6e590
Instruction ID: 296da313601b60c31e1dd293bf2026c79826bbd7f39af9a8daff849be111b8f9
Opcode Fuzzy Hash: aca2cb1caa0a6d77b2d97b4c801b05cfa43c894233303e49f295cfdc78b6e590
Instruction Fuzzy Hash: 995149751083059FC704EF15C89196AB7F4FF89718F14886DF89A972A1DB31EE09CB42

Function 008DF8AA Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,008BE029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 008DF8DF
LoadStringW.USER32(00000000,?,008BE029,00000001), ref: 008DF8E8

Part of subcall function 00887DE1: _memmove.LIBCMT ref: 00887E22

GetModuleHandleW.KERNEL32(00000000,00945310,?,00000FFF,?,?,008BE029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 008DF90A
LoadStringW.USER32(00000000,?,008BE029,00000001), ref: 008DF90D
__swprintf.LIBCMT ref: 008DF95D
__swprintf.LIBCMT ref: 008DF96E
_wprintf.LIBCMT ref: 008DFA17
MessageBoxW.USER32(00000000,?,?,00011010), ref: 008DFA2E

Strings

%s (%d) : ==> %s: %s %s, xrefs: 008DFA12
^ ERROR, xrefs: 008DF9C3
Line %d (File "%s"):, xrefs: 008DF957
Line %d:, xrefs: 008DF968
Error: , xrefs: 008DF9E5

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: a079b344bb3b4c98e696118ef8b4f407b7f474578e0214502312a61bb035d559
Instruction ID: d978eee5da0b13fe4a3ed8fd024fbf464406b44eac73bde577913aca09d73278
Opcode Fuzzy Hash: a079b344bb3b4c98e696118ef8b4f407b7f474578e0214502312a61bb035d559
Instruction Fuzzy Hash: 65415072804219AACB04FBE8DD56DEEB779FF14314F600065F606F2192EA316F09DB62

Function 0090BA33 Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00909207,?,?), ref: 0090BA56
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00909207,?,?,00000000,?), ref: 0090BA6D
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00909207,?,?,00000000,?), ref: 0090BA78
CloseHandle.KERNEL32(00000000,?,?,?,?,00909207,?,?,00000000,?), ref: 0090BA85
GlobalLock.KERNEL32(00000000), ref: 0090BA8E
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00909207,?,?,00000000,?), ref: 0090BA9D
GlobalUnlock.KERNEL32(00000000), ref: 0090BAA6
CloseHandle.KERNEL32(00000000,?,?,?,?,00909207,?,?,00000000,?), ref: 0090BAAD
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00909207,?,?,00000000,?), ref: 0090BABE
OleLoadPicture.OLEAUT32(?,00000000,00000000,00912CAC,?), ref: 0090BAD7
GlobalFree.KERNEL32(00000000), ref: 0090BAE7
GetObjectW.GDI32(00000000,00000018,?), ref: 0090BB0B
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 0090BB36
DeleteObject.GDI32(00000000), ref: 0090BB5E
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0090BB74

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 0bc8bca8dcbcd5cb97913e64aefb7c2cd4cc9122bdf2105efcb270f0533e4b65
Instruction ID: d4407989d0e86340685c8f9ba5f7802713750e1fbb41cedd8950d611179eed0a
Opcode Fuzzy Hash: 0bc8bca8dcbcd5cb97913e64aefb7c2cd4cc9122bdf2105efcb270f0533e4b65
Instruction Fuzzy Hash: A4412775604208EFDB219F69DC98EAABBB8EB89B11F104068F905D72A0D7309E41DB60

Function 008ED899 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 008EDA10
_wcscat.LIBCMT ref: 008EDA28
_wcscat.LIBCMT ref: 008EDA3A
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 008EDA4F
SetCurrentDirectoryW.KERNEL32(?), ref: 008EDA63
GetFileAttributesW.KERNEL32(?), ref: 008EDA7B
SetFileAttributesW.KERNEL32(?,00000000), ref: 008EDA95
SetCurrentDirectoryW.KERNEL32(?), ref: 008EDAA7

Strings

*.*, xrefs: 008EDAE6

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 25705b80bcb958a56cdb62cf30149f4c5ac98d8f412f018bcdcd1b78bdf4f078
Instruction ID: 88c42351a68394bbd75c63a999521c194a8586f432aa3555d8806dcf805737db
Opcode Fuzzy Hash: 25705b80bcb958a56cdb62cf30149f4c5ac98d8f412f018bcdcd1b78bdf4f078
Instruction Fuzzy Hash: 8D8177715043859FCB64EF59C84496ABBE4FF8A714F18882EF889CB251E630DD49CB52

Function 0090C1AC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00882612: GetWindowLongW.USER32(?,000000EB), ref: 00882623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0090C1FC
GetFocus.USER32 ref: 0090C20C
GetDlgCtrlID.USER32(00000000), ref: 0090C217
_memset.LIBCMT ref: 0090C342
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0090C36D
GetMenuItemCount.USER32(?), ref: 0090C38D
GetMenuItemID.USER32(?,00000000), ref: 0090C3A0
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0090C3D4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0090C41C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0090C454
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0090C489

Strings

0, xrefs: 0090C33A

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 83ae850d6f86d3a6114d2a56921a8e44bc2f6603ac47256d7598f6841e869f13
Instruction ID: 1b46974b52430e2995105b23c6b48701f31785fccdfe13df8fc2bad9f897325d
Opcode Fuzzy Hash: 83ae850d6f86d3a6114d2a56921a8e44bc2f6603ac47256d7598f6841e869f13
Instruction Fuzzy Hash: 38817DB16183019FD720DF58C894A7BBBE9FB88714F004A2EF995D72A1D730D905DB92

Function 008F731A Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 008F738F
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 008F739B
CreateCompatibleDC.GDI32(?), ref: 008F73A7
SelectObject.GDI32(00000000,?), ref: 008F73B4
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 008F7408
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 008F7444
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 008F7468
SelectObject.GDI32(00000006,?), ref: 008F7470
DeleteObject.GDI32(?), ref: 008F7479
DeleteDC.GDI32(00000006), ref: 008F7480
ReleaseDC.USER32(00000000,?), ref: 008F748B

Strings

(, xrefs: 008F7410

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: feb22e3f292d5db521ec2cf217f99c7f47888d02f708971e47fa69ba73dea3a0
Instruction ID: 51b12b633837465dfbae9bc648ab030ca5e68a306e9b5c6a544e230d94fcd20a
Opcode Fuzzy Hash: feb22e3f292d5db521ec2cf217f99c7f47888d02f708971e47fa69ba73dea3a0
Instruction Fuzzy Hash: 4E513775904209EFDB24CFA8CC85EAEBBB9FF48310F14852DFA5AD7611C771A9409B50

Function 00886A8C Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 008A0957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00886B0C,?,00008000), ref: 008A0973

Part of subcall function 00884750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00884743,?,?,008837AE,?), ref: 00884770

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00886BAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00886CFA

Part of subcall function 0088586D: _wcscpy.LIBCMT ref: 008858A5

Part of subcall function 008A363D: _iswctype.LIBCMT ref: 008A3645

Strings

EA06, xrefs: 008BE452
>>>AUTOIT SCRIPT<<<, xrefs: 008BE496
Error opening the file, xrefs: 008BE43D, 008BE4B8
Bad directive syntax error, xrefs: 008BE79D
Unterminated string, xrefs: 008BE7E4
AU3!, xrefs: 00886B61
#include depth exceeded. Make sure there are no recursive includes, xrefs: 008BE421

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: 2dd395ca727ee80fa4dc7015263de0e5f1e2f677bf9821cecbf55e1bd1b9664e
Instruction ID: 7448d5150a6c63ba04c9fc6f49abd2db67a13cb0b5531409cefea661cda5b68a
Opcode Fuzzy Hash: 2dd395ca727ee80fa4dc7015263de0e5f1e2f677bf9821cecbf55e1bd1b9664e
Instruction Fuzzy Hash: 760246711083419FC724EF28C8819AEBBE5FF99314F14492DF49AD72A2EA30D949CB53

Function 008E2D36 Relevance: 19.7, APIs: 13, Instructions: 214windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 008E2D50
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 008E2DDD
GetMenuItemCount.USER32(00945890), ref: 008E2E66
DeleteMenu.USER32(00945890,00000005,00000000,000000F5,?,?), ref: 008E2EF6
DeleteMenu.USER32(00945890,00000004,00000000), ref: 008E2EFE
DeleteMenu.USER32(00945890,00000006,00000000), ref: 008E2F06
DeleteMenu.USER32(00945890,00000003,00000000), ref: 008E2F0E
GetMenuItemCount.USER32(00945890), ref: 008E2F16
SetMenuItemInfoW.USER32(00945890,00000004,00000000,00000030), ref: 008E2F4C
GetCursorPos.USER32(?), ref: 008E2F56
SetForegroundWindow.USER32(00000000), ref: 008E2F5F
TrackPopupMenuEx.USER32(00945890,00000000,?,00000000,00000000,00000000), ref: 008E2F72
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 008E2F7E

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: ba0762c5da5387396b4f4857b21b11655cbd76714155bca40e59c902b857a4a2
Instruction ID: b303a2fbcb1d92a0f0677ebe89320c024a5811d96148ea30ccf9c5db486b1577
Opcode Fuzzy Hash: ba0762c5da5387396b4f4857b21b11655cbd76714155bca40e59c902b857a4a2
Instruction Fuzzy Hash: B871D37160429ABEEB318F5ADC45FAABF6CFB06324F100216F625E61E1CBB15C10D791

Function 008D77DC Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00887BCC: _memmove.LIBCMT ref: 00887C06

_memset.LIBCMT ref: 008D786B
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 008D78A0
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 008D78BC
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 008D78D8
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 008D7902
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 008D792A
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 008D7935
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 008D793A

Strings

\CLSID, xrefs: 008D7822
\IPC$, xrefs: 008D7882
SOFTWARE\Classes\, xrefs: 008D780C

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: 56672be9f892c4196c92ddc660d82eff6c7706c225c880da02c86d37ed6d3d8c
Instruction ID: 9d6836795aced9da806d493c38cf241987dff56541e480bc330b6ccded5b43b0
Opcode Fuzzy Hash: 56672be9f892c4196c92ddc660d82eff6c7706c225c880da02c86d37ed6d3d8c
Instruction Fuzzy Hash: 23410872C1422DABCF21EBA8DC95DEDBB78FF14314F44452AE905E3261EA309E05DB91

Function 00900E1A Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,008FFDAD,?,?), ref: 00900E31

Strings

HKEY_CURRENT_CONFIG, xrefs: 00900EEE
HKCC, xrefs: 00900EFF
HKU, xrefs: 00900F43
HKCR, xrefs: 00900ED9
HKLM, xrefs: 00900EAF
HKEY_CLASSES_ROOT, xrefs: 00900EC4
HKEY_CURRENT_USER, xrefs: 00900F10
HKCU, xrefs: 00900F21
HKEY_LOCAL_MACHINE, xrefs: 00900E9A
HKEY_USERS, xrefs: 00900F32

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 278876a83dd9c5518b8db4a308be6abb0cdf06640f56f7bb805c48d002fbc6ab
Instruction ID: ae6369d6440c087b64310bd589dae73d87f8cfe4a82a28d5663e40c2d520e258
Opcode Fuzzy Hash: 278876a83dd9c5518b8db4a308be6abb0cdf06640f56f7bb805c48d002fbc6ab
Instruction Fuzzy Hash: 3D419C3210032A8FDF20EF14D856BEE37A4FF52300F140424FD559B692EB74A91ADB61

Function 008DF7A1 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,008BE2A0,00000010,?,Bad directive syntax error,0090F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 008DF7C2
LoadStringW.USER32(00000000,?,008BE2A0,00000010), ref: 008DF7C9

Part of subcall function 00887DE1: _memmove.LIBCMT ref: 00887E22

_wprintf.LIBCMT ref: 008DF7FC
__swprintf.LIBCMT ref: 008DF81E
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 008DF88D

Strings

Error: , xrefs: 008DF85B
., xrefs: 008DF873
%s (%d) : ==> %s.: %s %s, xrefs: 008DF7F7
Line %d (File "%s"):, xrefs: 008DF833
Line %d:, xrefs: 008DF818

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: 830a330ecf934b5735b575a57c0f37bee5f8beb0c86ad32a22bc4e4017977158
Instruction ID: 9cfba07962b95eaf6477a6edb5be8129d35ce1ebf686d2b67bb90eb73e895b6d
Opcode Fuzzy Hash: 830a330ecf934b5735b575a57c0f37bee5f8beb0c86ad32a22bc4e4017977158
Instruction Fuzzy Hash: C5216F3290421EEFCF11EF94CC5AEEE7B39FF14304F040466F515A61A2DA719618EB52

Function 008E52C7 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00887BCC: _memmove.LIBCMT ref: 00887C06

Part of subcall function 00887924: _memmove.LIBCMT ref: 008879AD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 008E5330
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 008E5346
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 008E5357
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 008E5369
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 008E537A

Strings

alias PlayMe, xrefs: 008E5309
open , xrefs: 008E52DF
close PlayMe, xrefs: 008E5341, 008E536E
play PlayMe wait, xrefs: 008E5364
play PlayMe, xrefs: 008E5375
status PlayMe mode, xrefs: 008E532B

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 76c6d1f374e6ed610edc9ee57f2e2bd2cdc91240a856b307a9b08249f8ebb108
Instruction ID: f862b61870a10f52a44db00aefecc867b21ee86342ef58783be76c9e916c80c4
Opcode Fuzzy Hash: 76c6d1f374e6ed610edc9ee57f2e2bd2cdc91240a856b307a9b08249f8ebb108
Instruction Fuzzy Hash: A4118261A5026979D720B666CC4ADFFBB7CFBD2B4CF100429B812E21D1EEA05D04CAA1

Function 008E46B7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 008E46D2
gethostname.WSOCK32(?,00000100), ref: 008E46EC
gethostbyname.WSOCK32(?), ref: 008E46F9
_wcscpy.LIBCMT ref: 008E4721
_memmove.LIBCMT ref: 008E4734
inet_ntoa.WSOCK32(?), ref: 008E473F
_strcat.LIBCMT ref: 008E474D
_wcscpy.LIBCMT ref: 008E4764
WSACleanup.WSOCK32 ref: 008E4772
_wcscpy.LIBCMT ref: 008E4780

Strings

0.0.0.0, xrefs: 008E471B

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 39088bc041fecb04186d1824e50b33d50dcc5098b8b0483f7df9d2e419f64716
Instruction ID: a4383375c0bfee802da4fd16cd86ae109c182864a4aee16f8bfd3dde3d8f593a
Opcode Fuzzy Hash: 39088bc041fecb04186d1824e50b33d50dcc5098b8b0483f7df9d2e419f64716
Instruction Fuzzy Hash: 7611273150411CAFDB20AB399C4AEDA77BCFF43315F0041B6F84AD6491EF718A819A92

Function 008E4F75 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 008E4F7A

Part of subcall function 008A049F: timeGetTime.WINMM(?,75A8B400,00890E7B), ref: 008A04A3

Sleep.KERNEL32(0000000A), ref: 008E4FA6
EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 008E4FCA
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 008E4FEC
SetActiveWindow.USER32 ref: 008E500B
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 008E5019
SendMessageW.USER32(00000010,00000000,00000000), ref: 008E5038
Sleep.KERNEL32(000000FA), ref: 008E5043
IsWindow.USER32 ref: 008E504F
EndDialog.USER32(00000000), ref: 008E5060

Strings

BUTTON, xrefs: 008E4FDE

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 8be531eee528d0c4b709ec810eef9d0acc4d0b0301ef891de59d1b1aa2caeb99
Instruction ID: 85c45bc21eac727ca51499beb1387088ede8d38e562bdd19f31dda5b9f7fefaa
Opcode Fuzzy Hash: 8be531eee528d0c4b709ec810eef9d0acc4d0b0301ef891de59d1b1aa2caeb99
Instruction Fuzzy Hash: 33219FB862CB44AFE7209F61EC98E663B69FB47749F041024F115C25B1CBA18E50FA62

Function 008ED58D Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00889837: __itow.LIBCMT ref: 00889862
Part of subcall function 00889837: __swprintf.LIBCMT ref: 008898AC

CoInitialize.OLE32(00000000), ref: 008ED5EA
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 008ED67D
SHGetDesktopFolder.SHELL32(?), ref: 008ED691
CoCreateInstance.OLE32(00912D7C,00000000,00000001,00938C1C,?), ref: 008ED6DD
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 008ED74C
CoTaskMemFree.OLE32(?,?), ref: 008ED7A4
_memset.LIBCMT ref: 008ED7E1
SHBrowseForFolderW.SHELL32(?), ref: 008ED81D
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 008ED840
CoTaskMemFree.OLE32(00000000), ref: 008ED847
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 008ED87E
CoUninitialize.OLE32(00000001,00000000), ref: 008ED880

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 5ab65cf50c25e7acf9fa7d8c77b1bf9c35dab7ca347f38d5dc1173c23d6ee81d
Instruction ID: 4bf6fd2d3f7b920b5831339ec0155302da003739d0e939ec3406573ccc22f499
Opcode Fuzzy Hash: 5ab65cf50c25e7acf9fa7d8c77b1bf9c35dab7ca347f38d5dc1173c23d6ee81d
Instruction Fuzzy Hash: 06B12D75A00219AFDB14DFA9C884DAEBBB9FF49314F048469F809DB261DB30ED45CB51

Function 008DC267 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 008DC283
GetWindowRect.USER32(00000000,?), ref: 008DC295
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 008DC2F3
GetDlgItem.USER32(?,00000002), ref: 008DC2FE
GetWindowRect.USER32(00000000,?), ref: 008DC310
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 008DC364
GetDlgItem.USER32(?,000003E9), ref: 008DC372
GetWindowRect.USER32(00000000,?), ref: 008DC383
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 008DC3C6
GetDlgItem.USER32(?,000003EA), ref: 008DC3D4
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 008DC3F1
InvalidateRect.USER32(?,00000000,00000001), ref: 008DC3FE

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 1a1fe1a0d3725c498a07189863cbf42e26cedfdc02dc440debdec74f1eda72e1
Instruction ID: a75a6eb7e8f3dc62cb28702568a3cbf1315846267be3e317152e4838159b5411
Opcode Fuzzy Hash: 1a1fe1a0d3725c498a07189863cbf42e26cedfdc02dc440debdec74f1eda72e1
Instruction Fuzzy Hash: FF511171B10205AFDB18CFA9DD99A6EBBBAFB88711F148129F515D7390D7719D00CB10

Function 0088201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00881B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00882036,?,00000000,?,?,?,?,008816CB,00000000,?), ref: 00881B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 008820D3
KillTimer.USER32(-00000001,?,?,?,?,008816CB,00000000,?,?,00881AE2,?,?), ref: 0088216E
DestroyAcceleratorTable.USER32(00000000), ref: 008BBCA6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,008816CB,00000000,?,?,00881AE2,?,?), ref: 008BBCD7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,008816CB,00000000,?,?,00881AE2,?,?), ref: 008BBCEE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,008816CB,00000000,?,?,00881AE2,?,?), ref: 008BBD0A
DeleteObject.GDI32(00000000), ref: 008BBD1C

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: d6906b5e0d01ad118390ff246ee56c0beaa0ab32ed656fe24dcda8346d32dedd
Instruction ID: eef0d4c45add6ead09c89cfaf3f6d61a5d4742c6dfc61b8a4e22cbfcce084888
Opcode Fuzzy Hash: d6906b5e0d01ad118390ff246ee56c0beaa0ab32ed656fe24dcda8346d32dedd
Instruction Fuzzy Hash: 2F61DE39124A04DFCB35AF54D958B29B7F1FF41316F208428E042CBA71CBB4A881EF91

Function 008821A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 008825DB: GetWindowLongW.USER32(?,000000EB), ref: 008825EC

GetSysColor.USER32(0000000F), ref: 008821D3

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 964ef2f3df1e8a7174e29ca859034de9e398f0068e0d78f3133488a4afb42f9a
Instruction ID: 1d7b2d95b9b7ea8e14f1e1b6b75b056132589bf71112be61e1d6ab69ed8ff79d
Opcode Fuzzy Hash: 964ef2f3df1e8a7174e29ca859034de9e398f0068e0d78f3133488a4afb42f9a
Instruction Fuzzy Hash: 05419F31008144EFDB21AF28DC98BB97B66FB06331F144265FE65CA2E2C7718D42EB61

Function 008EA8A7 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,0090F910), ref: 008EA90B
GetDriveTypeW.KERNEL32(00000061,009389A0,00000061), ref: 008EA9D5
_wcscpy.LIBCMT ref: 008EA9FF

Strings

network, xrefs: 008EA969
cdrom, xrefs: 008EA927
fixed, xrefs: 008EA953
unknown, xrefs: 008EA996
ramdisk, xrefs: 008EA97F
all, xrefs: 008EA911
removable, xrefs: 008EA93D

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 2f4997f2db61a43504a35e3d1fd8330650e82e7121c4fa1764f280afd2e573ab
Instruction ID: aebfb1f0e651c882fdc49741dbb6ba8ce9fb65afce4016880d673bb07762f0a9
Opcode Fuzzy Hash: 2f4997f2db61a43504a35e3d1fd8330650e82e7121c4fa1764f280afd2e573ab
Instruction Fuzzy Hash: 15517C311183519FC314EF19C892AAFBBA5FF86704F154829F4A6D72A2DB31A909CB53

Function 00889837 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00889862
__swprintf.LIBCMT ref: 008898AC
__i64tow.LIBCMT ref: 008BF5E6

Strings

0x%p, xrefs: 008BF5C8
True, xrefs: 008BF5A7
%.15g, xrefs: 008898A6
False, xrefs: 008BF5AE

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 19e36dbbedd5b9442cce9a88e33d7660025287d8f0f68b9bb1ad438bddcdcd67
Instruction ID: e7874aafe9297661df683d2a0e84c9d1981163acf67b25b0a8f5c1e2100e0d28
Opcode Fuzzy Hash: 19e36dbbedd5b9442cce9a88e33d7660025287d8f0f68b9bb1ad438bddcdcd67
Instruction Fuzzy Hash: FB41D771500609AFEB34EF78DC46EB677E8FF46304F24447EE589D7292EA31A9418B11

Function 00907152 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0090716A
CreateMenu.USER32 ref: 00907185
SetMenu.USER32(?,00000000), ref: 00907194
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00907221
IsMenu.USER32(?), ref: 00907237
CreatePopupMenu.USER32 ref: 00907241
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0090726E
DrawMenuBar.USER32 ref: 00907276

Strings

0, xrefs: 00907160
F, xrefs: 00907262

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: f4f0e2a64ea53c1db32448b5f0c139f06698e7d6e6edfa004ac9fc5ab05afc1e
Instruction ID: b38650001109e2a85aa62be1917b54977854e0eaf38468b42516d86b14389d3f
Opcode Fuzzy Hash: f4f0e2a64ea53c1db32448b5f0c139f06698e7d6e6edfa004ac9fc5ab05afc1e
Instruction Fuzzy Hash: B1416C75A15209EFDB20DFA8D844EAABBF9FF49320F140029F955973A1D731A910DF90

Function 009074BB Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0090755E
CreateCompatibleDC.GDI32(00000000), ref: 00907565
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00907578
SelectObject.GDI32(00000000,00000000), ref: 00907580
GetPixel.GDI32(00000000,00000000,00000000), ref: 0090758B
DeleteDC.GDI32(00000000), ref: 00907594
GetWindowLongW.USER32(?,000000EC), ref: 0090759E
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001,?,?,?,?,008BCA95,?,?,?,?,?,?,?), ref: 009075B2
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 009075BE

Strings

static, xrefs: 009074F6

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: df509a839a640353e867cee6876fe940a1ace02ab5b5cfeb98fb57da29a6126d
Instruction ID: 9f4c3fc1dd0c89a95a781ce69817b404ea9e965a0259081a0a7dedd820c4447f
Opcode Fuzzy Hash: df509a839a640353e867cee6876fe940a1ace02ab5b5cfeb98fb57da29a6126d
Instruction Fuzzy Hash: F6316A72518219AFDF219FA4DC09FEA7B6DFF09720F114224FA15A60E0C735E911EBA4

Function 008A6E03 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 008A6E3E

Part of subcall function 008A8B28: __getptd_noexit.LIBCMT ref: 008A8B28

__gmtime64_s.LIBCMT ref: 008A6ED7
__gmtime64_s.LIBCMT ref: 008A6F0D
__gmtime64_s.LIBCMT ref: 008A6F2A
__allrem.LIBCMT ref: 008A6F80
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008A6F9C
__allrem.LIBCMT ref: 008A6FB3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008A6FD1
__allrem.LIBCMT ref: 008A6FE8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008A7006
__invoke_watson.LIBCMT ref: 008A7077

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction ID: 6c1ecb5556fc9f7088ae5bee78f15442f18378e8ea2e24b94b07cc76c78310b7
Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction Fuzzy Hash: 4771E776A00B16ABF714AE7CDC42B9AB7A4FF06724F244229F514D7A81F770D9208BD1

Function 008E2527 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 008E2542
GetMenuItemInfoW.USER32(00945890,000000FF,00000000,00000030), ref: 008E25A3
SetMenuItemInfoW.USER32(00945890,00000004,00000000,00000030), ref: 008E25D9
Sleep.KERNEL32(000001F4), ref: 008E25EB
GetMenuItemCount.USER32(?), ref: 008E262F
GetMenuItemID.USER32(?,00000000), ref: 008E264B
GetMenuItemID.USER32(?,-00000001), ref: 008E2675
GetMenuItemID.USER32(?,?), ref: 008E26BA
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 008E2700
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008E2714
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008E2735

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 667ed9ec35ce2701354b0ca5cfa1cf2877ae397d6b3d55b21c5ed187213edca6
Instruction ID: 4217a2b5277b1e1a3eac63677fd659337dfea2ee6fe15a1e44c25a7774c21583
Opcode Fuzzy Hash: 667ed9ec35ce2701354b0ca5cfa1cf2877ae397d6b3d55b21c5ed187213edca6
Instruction Fuzzy Hash: 45619F70914289AFDB21CFA5CC94DBE7BBCFB02304F140169E842E7261D771AE05DB21

Function 00906F23 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00906FA5
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00906FA8
GetWindowLongW.USER32(?,000000F0), ref: 00906FCC
_memset.LIBCMT ref: 00906FDD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00906FEF
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00907067

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 0d45ef372960736dbbe6970f7c5db4f8a919d60d863f0fabaa2decd192309bf9
Instruction ID: 842a4fe2d0c5ef0bf8ca471fd4dd480350d9c9abf8dae882e8361a4aa3511717
Opcode Fuzzy Hash: 0d45ef372960736dbbe6970f7c5db4f8a919d60d863f0fabaa2decd192309bf9
Instruction Fuzzy Hash: 35614975904208AFDB11DFA8CC81EEEB7B8EF09710F104159FA14EB2E2C775A951DBA0

Function 008D6B98 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 008D6BBF
SafeArrayAllocData.OLEAUT32(?), ref: 008D6C18
VariantInit.OLEAUT32(?), ref: 008D6C2A
SafeArrayAccessData.OLEAUT32(?,?), ref: 008D6C4A
VariantCopy.OLEAUT32(?,?), ref: 008D6C9D
SafeArrayUnaccessData.OLEAUT32(?), ref: 008D6CB1
VariantClear.OLEAUT32(?), ref: 008D6CC6
SafeArrayDestroyData.OLEAUT32(?), ref: 008D6CD3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 008D6CDC
VariantClear.OLEAUT32(?), ref: 008D6CEE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 008D6CF9

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 5de218236320982e62f01a088dc3aac0d37fd531c46f4a16d544ecb05350f612
Instruction ID: ae3beae9800358915fd01478fcf6fe68c6b5235cbf945517786ff963c36e2565
Opcode Fuzzy Hash: 5de218236320982e62f01a088dc3aac0d37fd531c46f4a16d544ecb05350f612
Instruction Fuzzy Hash: 33418231A1021D9FCF10DF68D8989AEBBB9FF08314F00816AE955E7361DB30AA45DF90

Function 008F83BB Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00889837: __itow.LIBCMT ref: 00889862
Part of subcall function 00889837: __swprintf.LIBCMT ref: 008898AC

CoInitialize.OLE32 ref: 008F8403
CoUninitialize.OLE32 ref: 008F840E
CoCreateInstance.OLE32(?,00000000,00000017,00912BEC,?), ref: 008F846E
IIDFromString.OLE32(?,?), ref: 008F84E1
VariantInit.OLEAUT32(?), ref: 008F857B
VariantClear.OLEAUT32(?), ref: 008F85DC

Strings

NULL Pointer assignment, xrefs: 008F84B3
Invalid parameter, xrefs: 008F84FA
Failed to create object, xrefs: 008F8479, 008F852F

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: abbf346c0daae07fdb5578947c2055452cef568d4654d03445a35491ead6ff7f
Instruction ID: be29f696820a07b2ba42db8be2096d186c6ad8a3ea67362501f45975f07dc5f4
Opcode Fuzzy Hash: abbf346c0daae07fdb5578947c2055452cef568d4654d03445a35491ead6ff7f
Instruction Fuzzy Hash: 19618B7060871ADFC710DF24C848A6AB7E8FF49758F044519FA86DB291CB70EE44CB92

Function 008F5732 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 008F5793
inet_addr.WSOCK32(?,?,?), ref: 008F57D8
gethostbyname.WSOCK32(?), ref: 008F57E4
IcmpCreateFile.IPHLPAPI ref: 008F57F2
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 008F5862
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 008F5878
IcmpCloseHandle.IPHLPAPI(00000000), ref: 008F58ED
WSACleanup.WSOCK32 ref: 008F58F3

Strings

Ping, xrefs: 008F5816

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: d66f9926c2a3beb5339b1e9c70e684c34ca2fafbf131f1ea3aeb955ec09a3b3a
Instruction ID: 6c3b2942bb506647fd56f0e722d62f419c7a268c6c5d1bb935ca58d668046056
Opcode Fuzzy Hash: d66f9926c2a3beb5339b1e9c70e684c34ca2fafbf131f1ea3aeb955ec09a3b3a
Instruction Fuzzy Hash: 51518C31614604EFD720AF28DC45B3ABBE4FB48760F044529FA96DB2A1DB30E900DB42

Function 008EB4C3 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 008EB4D0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 008EB546
GetLastError.KERNEL32 ref: 008EB550
SetErrorMode.KERNEL32(00000000,READY), ref: 008EB5BD

Strings

READONLY, xrefs: 008EB588
INVALID, xrefs: 008EB58F
READY, xrefs: 008EB596
NOTREADY, xrefs: 008EB57C
UNKNOWN, xrefs: 008EB575

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: ef768e72d55f95555eb041102c1b4a6fb0ffa72b1cef73029c3a8a9842d9a6a3
Instruction ID: 97fe9c6d1cf438ce9fad91af74cd70073c2f020e260e4308b7d0fa5c520e7dc8
Opcode Fuzzy Hash: ef768e72d55f95555eb041102c1b4a6fb0ffa72b1cef73029c3a8a9842d9a6a3
Instruction Fuzzy Hash: 73318E35A00249EFCB10EB69D885ABFBBB4FF4A314F144126F515E7291DB709A42CB91

Function 008D8F8F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00887DE1: _memmove.LIBCMT ref: 00887E22

Part of subcall function 008DAA99: GetClassNameW.USER32(?,?,000000FF), ref: 008DAABC

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 008D9014
GetDlgCtrlID.USER32 ref: 008D901F
GetParent.USER32 ref: 008D903B
SendMessageW.USER32(00000000,?,00000111,?), ref: 008D903E
GetDlgCtrlID.USER32(?), ref: 008D9047
GetParent.USER32(?), ref: 008D9063
SendMessageW.USER32(00000000,?,?,00000111), ref: 008D9066

Strings

ListBox, xrefs: 008D8FD1
ComboBox, xrefs: 008D8F9C

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 5285de666221c6949bba277649a1d582328cdc08c21c219968c4f5c267e1cf84
Instruction ID: cda98fcb31732f5d05b53fdc8643dbd619d4666fe641fc92118e0726f9256694
Opcode Fuzzy Hash: 5285de666221c6949bba277649a1d582328cdc08c21c219968c4f5c267e1cf84
Instruction Fuzzy Hash: D621FF75A00108BFDF14ABA4CC95EFEBB74FF49310F10021AF961972A1DB368919EB21

Function 008D907A Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00887DE1: _memmove.LIBCMT ref: 00887E22

Part of subcall function 008DAA99: GetClassNameW.USER32(?,?,000000FF), ref: 008DAABC

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 008D90FD
GetDlgCtrlID.USER32 ref: 008D9108
GetParent.USER32 ref: 008D9124
SendMessageW.USER32(00000000,?,00000111,?), ref: 008D9127
GetDlgCtrlID.USER32(?), ref: 008D9130
GetParent.USER32(?), ref: 008D914C
SendMessageW.USER32(00000000,?,?,00000111), ref: 008D914F

Strings

ListBox, xrefs: 008D90BC
ComboBox, xrefs: 008D9087

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: fe78e1078ba2f686ee35a1eef6e04331a99f3a3ae6ba0a1e3214a5951058167f
Instruction ID: 73e6018414c56c261f96d39b87af38fee6d9383d46f587d33314806817093306
Opcode Fuzzy Hash: fe78e1078ba2f686ee35a1eef6e04331a99f3a3ae6ba0a1e3214a5951058167f
Instruction Fuzzy Hash: BE21B075A00108BBDF10ABA4CC85AFEBB74FB48300F100216F951972A1DA758919EB21

Function 008D9163 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 008D916F
GetClassNameW.USER32(00000000,?,00000100), ref: 008D9184
_wcscmp.LIBCMT ref: 008D9196
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 008D9211

Strings

largeicons, xrefs: 008D91A5
SHELLDLL_DefView, xrefs: 008D9190
smallicons, xrefs: 008D91D9
details, xrefs: 008D91BF
list, xrefs: 008D91F3

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: a6989115e358bffdd968ddce3f420c244f6a5cec52c735e49d09b250f72b6e74
Instruction ID: 57e202f85c07e651ae0928027d805be1dad96e949a762dfd3c840953c86877c3
Opcode Fuzzy Hash: a6989115e358bffdd968ddce3f420c244f6a5cec52c735e49d09b250f72b6e74
Instruction Fuzzy Hash: E6113A7624C30BB9FA302628DC06EA7779CFB12324F200267F910E19D2FEA1A8616951

Function 008F88AB Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 008F88D7
CoInitialize.OLE32(00000000), ref: 008F8904
CoUninitialize.OLE32 ref: 008F890E
GetRunningObjectTable.OLE32(00000000,?), ref: 008F8A0E
SetErrorMode.KERNEL32(00000001,00000029), ref: 008F8B3B
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00912C0C), ref: 008F8B6F
CoGetObject.OLE32(?,00000000,00912C0C,?), ref: 008F8B92
SetErrorMode.KERNEL32(00000000), ref: 008F8BA5
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 008F8C25
VariantClear.OLEAUT32(?), ref: 008F8C35

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: ee2a7cb7d5a2645ca725fef062082ffa7cc37795fc4d5f29a68460a32332090a
Instruction ID: 3b2b74716df53bf5d0014b493ef7d9a85a208201f41c84cb602873773bab852b
Opcode Fuzzy Hash: ee2a7cb7d5a2645ca725fef062082ffa7cc37795fc4d5f29a68460a32332090a
Instruction Fuzzy Hash: E3C102B16083099FC700EF68C88496AB7E9FF89748F00495DFA8ADB251DB71ED05CB52

Function 008E7990 Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 008E7A6C

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: 5225ca3c41aeb8ca881850c648899bbf3a815508fa121b9f85f4b751bb95461f
Instruction ID: 4cae241cfe73e8f0844cf10bcd5266ea575e484b71fd2854f3aed7c62509106e
Opcode Fuzzy Hash: 5225ca3c41aeb8ca881850c648899bbf3a815508fa121b9f85f4b751bb95461f
Instruction Fuzzy Hash: 60B1F67190825A9FDB10DFA9C884BBEB7F8FF4A324F240429EA11E7251D734E941CB91

Function 008E11CE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 008E11F0
GetForegroundWindow.USER32(00000000,?,?,?,?,?,008E0268,?,00000001), ref: 008E1204
GetWindowThreadProcessId.USER32(00000000), ref: 008E120B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,008E0268,?,00000001), ref: 008E121A
GetWindowThreadProcessId.USER32(?,00000000), ref: 008E122C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,008E0268,?,00000001), ref: 008E1245
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,008E0268,?,00000001), ref: 008E1257
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,008E0268,?,00000001), ref: 008E129C
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,008E0268,?,00000001), ref: 008E12B1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,008E0268,?,00000001), ref: 008E12BC

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 7afae62cd9d76ef4d30d1dcccc73278eeb515f85edf78579c170b02c4f964a90
Instruction ID: 9aa906932198c64c3d17d6c68bc195d01b1ef1c1256a0c016d3e0c90ddab7571
Opcode Fuzzy Hash: 7afae62cd9d76ef4d30d1dcccc73278eeb515f85edf78579c170b02c4f964a90
Instruction Fuzzy Hash: 8D31ACB9628208AFDF20DF55EC88FA937A9FB57715F104165FA00C71A0D7709E44AB61

Function 0088FA5D Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0088FAA6
OleUninitialize.OLE32(?,00000000), ref: 0088FB45
UnregisterHotKey.USER32(?), ref: 0088FC9C
DestroyWindow.USER32(?), ref: 008C45D6
FreeLibrary.KERNEL32(?), ref: 008C463B
VirtualFree.KERNEL32(?,00000000,00008000), ref: 008C4668

Strings

close all, xrefs: 0088FAA1

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: c4229b718b3e56a3a9037a3a26c087fd81699e889f5dc60d5edde3b9d9055323
Instruction ID: 5b921a0f63454d273fa223c1ee8133de51d4fe5e6b4597179a2b9027c88d837e
Opcode Fuzzy Hash: c4229b718b3e56a3a9037a3a26c087fd81699e889f5dc60d5edde3b9d9055323
Instruction Fuzzy Hash: C0A147303012268FDB29EB18C9A4F69B764FF15714F1442ADE90AEB262DB30ED56CF51

Function 008DA068 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,008DA439), ref: 008DA377

Strings

NAME, xrefs: 008DA1A9
TEXT, xrefs: 008DA2AE
INSTANCE, xrefs: 008DA285
CLASS, xrefs: 008DA0F6
REGEXPCLASS, xrefs: 008DA13C
CLASSNN, xrefs: 008DA119

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: a495779f49b09f13e2596b5205b9278708760bb1631d534686c55c099d0d2f70
Instruction ID: 915b6bf8bb6ad2f5f227f69110a2eebca4f63cd09ed449706b423f0c2d9c0ef9
Opcode Fuzzy Hash: a495779f49b09f13e2596b5205b9278708760bb1631d534686c55c099d0d2f70
Instruction Fuzzy Hash: 2991B630900605AADB1CEFA4C441BEDFBB5FF05314F64821AE45AE7341DF31AA99DB92

Function 00882E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00882EAE

Part of subcall function 00881DB3: GetClientRect.USER32(?,?), ref: 00881DDC
Part of subcall function 00881DB3: GetWindowRect.USER32(?,?), ref: 00881E1D
Part of subcall function 00881DB3: ScreenToClient.USER32(?,?), ref: 00881E45

GetDC.USER32 ref: 008BCD32
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 008BCD45
SelectObject.GDI32(00000000,00000000), ref: 008BCD53
SelectObject.GDI32(00000000,00000000), ref: 008BCD68
ReleaseDC.USER32(?,00000000), ref: 008BCD70
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 008BCDFB

Strings

U, xrefs: 008BCCD0

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: c00bc7382754fef83fbca39360f538ed3a2fdf3ab67feca2938d16615b6ad9f5
Instruction ID: 96a823d29119b7a776833d5914277834699c9cbeae3a6a773cc5729beb874c72
Opcode Fuzzy Hash: c00bc7382754fef83fbca39360f538ed3a2fdf3ab67feca2938d16615b6ad9f5
Instruction Fuzzy Hash: 4671DC35500209EFCF219F64C894AEA7FB5FF49324F18427AED55DA2A6C7318C81EB60

Function 008F1A15 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 008F1A50
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 008F1A7C
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 008F1ABE
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 008F1AD3
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 008F1AE0
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 008F1B10
InternetCloseHandle.WININET(00000000), ref: 008F1B57

Part of subcall function 008F2483: GetLastError.KERNEL32(?,?,008F1817,00000000,00000000,00000001), ref: 008F2498
Part of subcall function 008F2483: SetEvent.KERNEL32(?,?,008F1817,00000000,00000000,00000001), ref: 008F24AD

Strings

, xrefs: 008F1B01

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: aa05f79c57a8a318e9b30ed35f81abfd610e06d37428cdb2135e22eb13e16ae0
Instruction ID: 26bdf3cea8d82e169e7bf87b5bf0f45666414ad3058faed7f18efa6716fc6522
Opcode Fuzzy Hash: aa05f79c57a8a318e9b30ed35f81abfd610e06d37428cdb2135e22eb13e16ae0
Instruction Fuzzy Hash: 40417BB1505218FEEB118F60CC99FBA7BACFB08354F00412AFA05DA141E7B09E449BA1

Function 008F8C46 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,0090F910), ref: 008F8D28
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0090F910), ref: 008F8D5C
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 008F8ED6
SysFreeString.OLEAUT32(?), ref: 008F8F00

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 23acb6788037940a7c94625a0adcd33b2eceb4e94a7339ea98bdb4438b502ee1
Instruction ID: d6fed224b27382a2b37d4263499c2d496f2121651a16977f2f76ec0332c532f3
Opcode Fuzzy Hash: 23acb6788037940a7c94625a0adcd33b2eceb4e94a7339ea98bdb4438b502ee1
Instruction Fuzzy Hash: 09F10571A00209EFCB14DFA4C884EBEB7B9FF89314F148498EA55EB251DB31AE45CB51

Function 008FF694 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 008FF6B5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 008FF848
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 008FF86C
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 008FF8AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 008FF8CE
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 008FFA4A
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 008FFA7C
CloseHandle.KERNEL32(?), ref: 008FFAAB
CloseHandle.KERNEL32(?), ref: 008FFB22

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 6bba71718fe8181c767bf4917a8a57931bb6edc0c1d9870f84132341be402d73
Instruction ID: fd4a93490d8c2bea269de3ce9ef8b67e2186dcb64fb4b26a50335bdcb55a113c
Opcode Fuzzy Hash: 6bba71718fe8181c767bf4917a8a57931bb6edc0c1d9870f84132341be402d73
Instruction Fuzzy Hash: A0E1AE312042559FCB14EF38C891A6ABBE1FF85354F18856DFA99CB2A2DB70DC41CB52

Function 008E4CC1 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 008E466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,008E3697,?), ref: 008E468B

Part of subcall function 008E466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,008E3697,?), ref: 008E46A4

Part of subcall function 008E4A31: GetFileAttributesW.KERNEL32(?,008E370B), ref: 008E4A32

lstrcmpiW.KERNEL32(?,?), ref: 008E4D40
_wcscmp.LIBCMT ref: 008E4D5A
MoveFileW.KERNEL32(?,?), ref: 008E4D75

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 048ad536870fe29776831c01fc957b4da3feef39ec3903ada8a677c471ca18bc
Instruction ID: 14a3dba870b75ffba9c1178d3be92c3dc05517866aad7aa30d5e0ad4e4dfb193
Opcode Fuzzy Hash: 048ad536870fe29776831c01fc957b4da3feef39ec3903ada8a677c471ca18bc
Instruction Fuzzy Hash: 075151B21083859BD624EB64DC819DB73ECFF86350F00192EF589D3152EE70A688C766

Function 00908645 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 009086FF

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 0eb289eecee876c385921adac6f50b2c11f5114d98cc395b460f4c57c67fa551
Instruction ID: a3829940fd1bd415353eedacfeec32090bf9940c0bdc4cbfb41ca922ede8e156
Opcode Fuzzy Hash: 0eb289eecee876c385921adac6f50b2c11f5114d98cc395b460f4c57c67fa551
Instruction Fuzzy Hash: 3451B430714244BFDF209B28CC89FAE7BA9FB05724F604615F990E61E1CF76AA90DB51

Function 008D966E Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 008DA82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 008DA84C
Part of subcall function 008DA82C: GetCurrentThreadId.KERNEL32 ref: 008DA853
Part of subcall function 008DA82C: AttachThreadInput.USER32(00000000,?,008D9683,?,00000001), ref: 008DA85A

MapVirtualKeyW.USER32(00000025,00000000), ref: 008D968E
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 008D96AB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 008D96AE
MapVirtualKeyW.USER32(00000025,00000000), ref: 008D96B7
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 008D96D5
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 008D96D8
MapVirtualKeyW.USER32(00000025,00000000), ref: 008D96E1
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 008D96F8
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 008D96FB

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 6a64a619d4d7457ad3cdf316d5e5093193593cccfa54e656a467a73936dcd649
Instruction ID: 82b787bee3e20566f2b26fe2045aec86a267887f822155270077ecac2660eab2
Opcode Fuzzy Hash: 6a64a619d4d7457ad3cdf316d5e5093193593cccfa54e656a467a73936dcd649
Instruction Fuzzy Hash: 3E1121B1964208BEF7202F24DC89F6A3F2DEB0C751F200026F644AB1A0C9F35D40EAE4

Function 008D8921 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,008D853C,00000B00,?,?), ref: 008D892A
HeapAlloc.KERNEL32(00000000,?,008D853C,00000B00,?,?), ref: 008D8931
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,008D853C,00000B00,?,?), ref: 008D8946
GetCurrentProcess.KERNEL32(?,00000000,?,008D853C,00000B00,?,?), ref: 008D894E
DuplicateHandle.KERNEL32(00000000,?,008D853C,00000B00,?,?), ref: 008D8951
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,008D853C,00000B00,?,?), ref: 008D8961
GetCurrentProcess.KERNEL32(008D853C,00000000,?,008D853C,00000B00,?,?), ref: 008D8969
DuplicateHandle.KERNEL32(00000000,?,008D853C,00000B00,?,?), ref: 008D896C
CreateThread.KERNEL32(00000000,00000000,008D8992,00000000,00000000,00000000), ref: 008D8986

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 0c08a619e1327b1ef6e532f2897bc947290fb689c68756131701d5095f561d0b
Instruction ID: c873623f190b0d98c1924b6f2df4a15cb3ed383dd707f9c507735c1ab5fbb568
Opcode Fuzzy Hash: 0c08a619e1327b1ef6e532f2897bc947290fb689c68756131701d5095f561d0b
Instruction Fuzzy Hash: 2601BF75254304FFE760EBA5DC5DF673B6CEB89B11F404421FA05DB691CA749900DB20

Function 008F9B23 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 008F9BA4, 008F9EC8
Not an Object type, xrefs: 008F9B7B

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: f43526152cf0812edd5df88310d8834aea2c3d2f9a41dda7e7be811e0e03f9b0
Instruction ID: cf26c009ca133013ae227f0f7349c27364ce9f02406d5fcf542df790a650bb49
Opcode Fuzzy Hash: f43526152cf0812edd5df88310d8834aea2c3d2f9a41dda7e7be811e0e03f9b0
Instruction Fuzzy Hash: C8C18E71A0021E9BDF10DFA8D884BBEB7F5FB48314F158569EA45EB280E770AD45CB90

Function 008F9113 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 008F9167
VariantInit.OLEAUT32(?), ref: 008F9238
VariantInit.OLEAUT32(?), ref: 008F9339
VariantClear.OLEAUT32(?), ref: 008F9343
VariantClear.OLEAUT32(?), ref: 008F93A0

Strings

Null Object assignment in FOR..IN loop, xrefs: 008F91C8, 008F92F6, 008F93AE
Incorrect Object type in FOR..IN loop, xrefs: 008F931C

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: 77f01aae47b90fada5b5285bc5c9c6a7e7a8b8f530fce71e08fb4a1ae7834761
Instruction ID: 9734928b59954253afbfd7191d19730329180a8f6289c3cce1f276200ad3a1a4
Opcode Fuzzy Hash: 77f01aae47b90fada5b5285bc5c9c6a7e7a8b8f530fce71e08fb4a1ae7834761
Instruction Fuzzy Hash: 92919C31A00219ABDF24DFA5C848FAEBBB8FF85714F108159FA55EB280D7709941CFA0

Function 008F975D Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 008D710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,008D7044,80070057,?,?,?,008D7455), ref: 008D7127
Part of subcall function 008D710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,008D7044,80070057,?,?), ref: 008D7142
Part of subcall function 008D710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,008D7044,80070057,?,?), ref: 008D7150
Part of subcall function 008D710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,008D7044,80070057,?), ref: 008D7160

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 008F9806
_memset.LIBCMT ref: 008F9813
_memset.LIBCMT ref: 008F9956
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 008F9982
CoTaskMemFree.OLE32(?), ref: 008F998D

Strings

NULL Pointer assignment, xrefs: 008F99DB

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 390fd2fde019e5f65619e9f1c0ed438b7ce3a4e9097134b2dbd42ca4e4e2f0cd
Instruction ID: 1ff2657351866c6cf25d3b0f368b3d758454809d0dfc0a10cca5e2975ee98cca
Opcode Fuzzy Hash: 390fd2fde019e5f65619e9f1c0ed438b7ce3a4e9097134b2dbd42ca4e4e2f0cd
Instruction Fuzzy Hash: C291077190022DEBDB10EFA5DC45AEEBBB9FF08310F20415AE519E7251EB719A44CFA1

Function 00906D80 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00906E24
SendMessageW.USER32(?,00001036,00000000,?), ref: 00906E38
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013,?,?,?,?,008BCC6D,?,?,?,?), ref: 00906E52
_wcscat.LIBCMT ref: 00906EAD
SendMessageW.USER32(?,00001057,00000000,?), ref: 00906EC4
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00906EF2

Strings

SysListView32, xrefs: 00906DF6

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 9222dddb911122623f21fecd6e9e91351e29ca2a6ba62d70e426089afcc74aee
Instruction ID: e6b6f11ce3321ac49e8d44ca20621ab425acf6dbe77e6a707b4163e3cf9f5150
Opcode Fuzzy Hash: 9222dddb911122623f21fecd6e9e91351e29ca2a6ba62d70e426089afcc74aee
Instruction Fuzzy Hash: 48419E71A00349AFEB219FA8CC85BEA77ECEF08354F10052AF584E72D1D7729D958B60

Function 008FE933 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 008E3C55: CreateToolhelp32Snapshot.KERNEL32 ref: 008E3C7A
Part of subcall function 008E3C55: Process32FirstW.KERNEL32(00000000,?), ref: 008E3C88
Part of subcall function 008E3C55: CloseHandle.KERNEL32(00000000), ref: 008E3D52

OpenProcess.KERNEL32(00000001,00000000,?), ref: 008FE9A4
GetLastError.KERNEL32 ref: 008FE9B7
OpenProcess.KERNEL32(00000001,00000000,?), ref: 008FE9E6
TerminateProcess.KERNEL32(00000000,00000000), ref: 008FEA63
GetLastError.KERNEL32(00000000), ref: 008FEA6E
CloseHandle.KERNEL32(00000000), ref: 008FEAA3

Strings

SeDebugPrivilege, xrefs: 008FE9C2

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 0a6944da31f5c339c5044cba490598265e045641d17b03e33ca5cc085d3aa820
Instruction ID: 2be5d21f8b34986b737efaa28283e19b6aab188e587e2202754e0c2fbf9bd293
Opcode Fuzzy Hash: 0a6944da31f5c339c5044cba490598265e045641d17b03e33ca5cc085d3aa820
Instruction Fuzzy Hash: 634179712042059FDB24EF28CCA5F79B7A5FF54314F188419FA42DB2D2DB74A944CB92

Function 008E2F94 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 008E3033

Strings

info, xrefs: 008E2FD4
blank, xrefs: 008E2FB5
stop, xrefs: 008E3004
warning, xrefs: 008E301C
question, xrefs: 008E2FEC

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: c99ff7bfb5dace223d491681c501ad412b39b990442ee96564f35cfc08ae5953
Instruction ID: 23879b0515ea595385b64f32ddca98c549ac6fecdce46f3d9a5358ec71a1ab7c
Opcode Fuzzy Hash: c99ff7bfb5dace223d491681c501ad412b39b990442ee96564f35cfc08ae5953
Instruction Fuzzy Hash: DC1108313487C6BEE7259A1ADC46C6B779CFF17324F10006AF900E7582DAA09F4059A1

Function 008E42F8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 008E4312
LoadStringW.USER32(00000000), ref: 008E4319
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 008E432F
LoadStringW.USER32(00000000), ref: 008E4336
_wprintf.LIBCMT ref: 008E435C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 008E437A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 008E4357

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 5292ea87dfe831a577b8997a12b94da87eaa39e0981ccf430ebb9ca3c2a06b35
Instruction ID: abc2cfd65754d82e2e6177d93dc2940a2748f8b9c8e53cd60dce4851babacced
Opcode Fuzzy Hash: 5292ea87dfe831a577b8997a12b94da87eaa39e0981ccf430ebb9ca3c2a06b35
Instruction Fuzzy Hash: E90128F290420CBFE761ABA49D89EEB766CEB08300F0005A1BB49E2451EA759F855B71

Function 0090D43E Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00882612: GetWindowLongW.USER32(?,000000EB), ref: 00882623

GetSystemMetrics.USER32(0000000F), ref: 0090D47C
GetSystemMetrics.USER32(0000000F), ref: 0090D49C
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0090D6D7
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0090D6F5
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0090D716
ShowWindow.USER32(00000003,00000000), ref: 0090D735
InvalidateRect.USER32(?,00000000,00000001), ref: 0090D75A
DefDlgProcW.USER32(?,00000005,?,?), ref: 0090D77D

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: a0ff8df44aab5eecd69f578f93a4c4c275c20fd40b0c6a2406982e78141a87af
Instruction ID: e41675a3fd75d4cdc4710c11cfb7571959463273173470103ae4978ca4174cbb
Opcode Fuzzy Hash: a0ff8df44aab5eecd69f578f93a4c4c275c20fd40b0c6a2406982e78141a87af
Instruction Fuzzy Hash: E6B1AA75601229EFDF14CFA8C9C5BAD7BB5FF04701F088069EC489B299D735AA90CB90

Function 00882A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,008BC1C7,00000004,00000000,00000000,00000000), ref: 00882ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,008BC1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00882B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,008BC1C7,00000004,00000000,00000000,00000000), ref: 008BC21A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,008BC1C7,00000004,00000000,00000000,00000000), ref: 008BC286

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: e9e6740535e5d15d790959f1a697e8b4ebb18f1d79d531606a37232ed26050cd
Instruction ID: 3708ad55503a3355ed7474b0447cd264dc8e2e572a7d1ad18316094ec2558d6f
Opcode Fuzzy Hash: e9e6740535e5d15d790959f1a697e8b4ebb18f1d79d531606a37232ed26050cd
Instruction Fuzzy Hash: D8411634218694EFC73DAB28CC98BAF7B96FF85314F148829E057C6A61C631A841D711

Function 008E70C6 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 008E70DD

Part of subcall function 008A0DB6: std::exception::exception.LIBCMT ref: 008A0DEC
Part of subcall function 008A0DB6: __CxxThrowException@8.LIBCMT ref: 008A0E01

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 008E7114
EnterCriticalSection.KERNEL32(?), ref: 008E7130
_memmove.LIBCMT ref: 008E717E
_memmove.LIBCMT ref: 008E719B
LeaveCriticalSection.KERNEL32(?), ref: 008E71AA
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 008E71BF
InterlockedExchange.KERNEL32(?,000001F6), ref: 008E71DE

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 573d8400a12c1e208b2ddd3de04d26941cd7e42c69de2973212647c144b327f0
Instruction ID: f061fe66ba1888f39f46589423558dfb9a001f2d6187aa3ed6573f742df7d7ba
Opcode Fuzzy Hash: 573d8400a12c1e208b2ddd3de04d26941cd7e42c69de2973212647c144b327f0
Instruction Fuzzy Hash: 96315E32904205EFDF10EFA9DC85AAAB7B8FF46710F1441A5E904EB256DB709A10DB61

Function 009061D3 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 009061EB
GetDC.USER32(00000000), ref: 009061F3
GetDeviceCaps.GDI32(00000000,0000005A), ref: 009061FE
ReleaseDC.USER32(00000000,00000000), ref: 0090620A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00906246
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00906257
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0090902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00906291
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 009062B1

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 40aaa623055ffbafb55da7038544bb66a572fc2851f088660390f7eb043c8ff9
Instruction ID: baee54af6f3a81cc944aec14bd5c0fc8a26289daface0f04077a39844e3822a8
Opcode Fuzzy Hash: 40aaa623055ffbafb55da7038544bb66a572fc2851f088660390f7eb043c8ff9
Instruction Fuzzy Hash: 0F317A72214214BFEF208F14CC8AFAA3BADEF4A765F044065FE08DA291C7759951CBA0

Function 008DBBAF Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 008DBBC4
_memcmp.LIBCMT ref: 008DBBE6
_memcmp.LIBCMT ref: 008DBBFE
_memcmp.LIBCMT ref: 008DBC11
_memcmp.LIBCMT ref: 008DBC2B
_memcmp.LIBCMT ref: 008DBC3E
_memcmp.LIBCMT ref: 008DBC56
_memcmp.LIBCMT ref: 008DBC71

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 503316875de1510b59ca7aeddad7f3bf1171db50915a06a9239db53110a22f53
Instruction ID: 1e10bf157240f10f3b0986fdc7ea64614528d58ad572cc1de3449335ca244d13
Opcode Fuzzy Hash: 503316875de1510b59ca7aeddad7f3bf1171db50915a06a9239db53110a22f53
Instruction Fuzzy Hash: EF21BD61702209AAAA0476299D42FFB735DFF5535CF054122FD05D6B43EB24DE2083A6

Function 008EEB23 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00889837: __itow.LIBCMT ref: 00889862
Part of subcall function 00889837: __swprintf.LIBCMT ref: 008898AC

Part of subcall function 0089FC86: _wcscpy.LIBCMT ref: 0089FCA9

_wcstok.LIBCMT ref: 008EEC94
_wcscpy.LIBCMT ref: 008EED23
_memset.LIBCMT ref: 008EED56

Strings

X, xrefs: 008EED93

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: df50c09399b009d01a0deadea0d3682a4b475f723b1873585220a06598f0e19f
Instruction ID: cfa481e2cdb10322f27b16d7832a1f301f81ef19e7aa9ca680037f827257471e
Opcode Fuzzy Hash: df50c09399b009d01a0deadea0d3682a4b475f723b1873585220a06598f0e19f
Instruction Fuzzy Hash: 22C13A715083519FC764EF28D881A6AB7E4FF86314F14492DF899DB2A2DB30ED45CB82

Function 008F6B03 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 008F6C00
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 008F6C21
WSAGetLastError.WSOCK32(00000000), ref: 008F6C34
htons.WSOCK32(?,?,?,00000000,?), ref: 008F6CEA
inet_ntoa.WSOCK32(?), ref: 008F6CA7

Part of subcall function 008DA7E9: _strlen.LIBCMT ref: 008DA7F3
Part of subcall function 008DA7E9: _memmove.LIBCMT ref: 008DA815

_strlen.LIBCMT ref: 008F6D44
_memmove.LIBCMT ref: 008F6DAD

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: df68d1a6b69ba1d75dc2fb6588d2572910d49cc61806960166550e9da09751b9
Instruction ID: fc3f570526b65332a30042c0228e193ca162728f172ea0293b0b4e128232bf3a
Opcode Fuzzy Hash: df68d1a6b69ba1d75dc2fb6588d2572910d49cc61806960166550e9da09751b9
Instruction Fuzzy Hash: 0B81AE71204204ABD710FB28DC82E7AB7A8FF84724F544A19FA55DB292EA71AD05CB52

Function 00881424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a3306f1c2689daed92d67a9ee12de313c5d125dca2f665366a92fecdb0e2ea4
Instruction ID: b7bb1d6028a0746a4fda0701b8f079ab50524a39d32294f9fa5b5529fb5d93f3
Opcode Fuzzy Hash: 8a3306f1c2689daed92d67a9ee12de313c5d125dca2f665366a92fecdb0e2ea4
Instruction Fuzzy Hash: D5717C30904109EFCF14DF98CC48ABEBB79FF85314F148159F915EA251CB34AA52CBA8

Function 0090B351 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00EB5C90), ref: 0090B3EB
IsWindowEnabled.USER32(00EB5C90), ref: 0090B3F7
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0090B4DB
SendMessageW.USER32(00EB5C90,000000B0,?,?), ref: 0090B512
IsDlgButtonChecked.USER32(?,?), ref: 0090B54F
GetWindowLongW.USER32(00EB5C90,000000EC), ref: 0090B571
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0090B589

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 275061fd40e149717cf88b647b7065d1bafde1b648d15a52d97c4106b10dde72
Instruction ID: ec9e909ef6d55a922f363f2cbaa06a4247a331dff847f6fc240669daa5642719
Opcode Fuzzy Hash: 275061fd40e149717cf88b647b7065d1bafde1b648d15a52d97c4106b10dde72
Instruction Fuzzy Hash: C6718D34605204EFDB209F54C8A4FBABBBAEF49300F144569FA55972E2C732AA41DB50

Function 008FF41E Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 008FF448
_memset.LIBCMT ref: 008FF511
ShellExecuteExW.SHELL32(?), ref: 008FF556

Part of subcall function 00889837: __itow.LIBCMT ref: 00889862
Part of subcall function 00889837: __swprintf.LIBCMT ref: 008898AC

Part of subcall function 0089FC86: _wcscpy.LIBCMT ref: 0089FCA9

GetProcessId.KERNEL32(00000000), ref: 008FF5CD
CloseHandle.KERNEL32(00000000), ref: 008FF5FC

Strings

@, xrefs: 008FF525

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 35e1ff4a8062fb2096ba4ba25c5c63443f4380b7235b8c854f17510effd872b1
Instruction ID: 816ead354416cbdafaad82a72fa32d4dedb17ad5a98c03cfbb8cb2fc47a8d69b
Opcode Fuzzy Hash: 35e1ff4a8062fb2096ba4ba25c5c63443f4380b7235b8c854f17510effd872b1
Instruction Fuzzy Hash: 3061AE75A006199FCF14EF68C4819AEBBF5FF49314F148069E95AEB752CB30AD41CB81

Function 008E0F4D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 008E0F8C
GetKeyboardState.USER32(?), ref: 008E0FA1
SetKeyboardState.USER32(?), ref: 008E1002
PostMessageW.USER32(?,00000101,00000010,?), ref: 008E1030
PostMessageW.USER32(?,00000101,00000011,?), ref: 008E104F
PostMessageW.USER32(?,00000101,00000012,?), ref: 008E1095
PostMessageW.USER32(?,00000101,0000005B,?), ref: 008E10B8

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: f8179aff22a19a73c4d77206caba15ab5ae20d02e906c8b02b2bfdfae85912cf
Instruction ID: a6266d93ab8678861d7c548ad40ae68681831c163210e16f7988730c2ac91a29
Opcode Fuzzy Hash: f8179aff22a19a73c4d77206caba15ab5ae20d02e906c8b02b2bfdfae85912cf
Instruction Fuzzy Hash: 1251C170618AD53DFF3642358C19BB6BEA9BB07304F084989E1D5C58C3C6E5D8D8DB51

Function 008E0D66 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 008E0DA5
GetKeyboardState.USER32(?), ref: 008E0DBA
SetKeyboardState.USER32(?), ref: 008E0E1B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 008E0E47
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 008E0E64
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 008E0EA8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 008E0EC9

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 7c15f587591ba55324bf351d6740790dd74c909807f94138e8d50ea909227f6f
Instruction ID: 87037d3479e6f8e272551f2bd5c3c9a9e73e50da9a9c314b346689b72a63b2cb
Opcode Fuzzy Hash: 7c15f587591ba55324bf351d6740790dd74c909807f94138e8d50ea909227f6f
Instruction Fuzzy Hash: 7D51D5A05087D63DFB3282658C55B7A7EA9FB07300F084D99E1D4D68C2C7D5ACD8EB51

Function 008E55FD Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 008E560A
_wcsncpy.LIBCMT ref: 008E563F
_wcsncpy.LIBCMT ref: 008E5671
_wcsncpy.LIBCMT ref: 008E56A4
_wcsncpy.LIBCMT ref: 008E56E6
_wcsncpy.LIBCMT ref: 008E5720
_wcsncpy.LIBCMT ref: 008E574F

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 602206b19cf8dc603487fa7dc6eaeb6e7d4908eec8f3c84f44b53526518710fb
Instruction ID: 64b0d5c537ba2825a043b269c038f8b4989fa7d522ce64efa4ad6a3e1ff92015
Opcode Fuzzy Hash: 602206b19cf8dc603487fa7dc6eaeb6e7d4908eec8f3c84f44b53526518710fb
Instruction Fuzzy Hash: EE41B365C10618B6DB11EBBC8C46ACFB3B8FF06310F508856F558E3621EA34E256C7A7

Function 008E3671 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 008E466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,008E3697,?), ref: 008E468B

Part of subcall function 008E466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,008E3697,?), ref: 008E46A4

lstrcmpiW.KERNEL32(?,?), ref: 008E36B7
_wcscmp.LIBCMT ref: 008E36D3
MoveFileW.KERNEL32(?,?), ref: 008E36EB
_wcscat.LIBCMT ref: 008E3733
SHFileOperationW.SHELL32(?), ref: 008E379F

Strings

\*.*, xrefs: 008E372D

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: 90ac9f26ee2f35e4be1e83d9958b57a8c4e338af871c1d8192bc606d2fdac19f
Instruction ID: 2a1c213a72a0b06423e43020fe907704c1da7335884ab7f90e37191f991818ec
Opcode Fuzzy Hash: 90ac9f26ee2f35e4be1e83d9958b57a8c4e338af871c1d8192bc606d2fdac19f
Instruction Fuzzy Hash: 6541817150C384AED751EF69C4459DF77E8FF8A390F00182EB49AC3261EA34D689C752

Function 00907291 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009072AA
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00907351
IsMenu.USER32(?), ref: 00907369
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 009073B1
DrawMenuBar.USER32 ref: 009073C4

Strings

0, xrefs: 0090729E

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 0a1de555eb658759ce3b1eeb5c0a51f30a42af7dd60a40fc132db336b477ecf4
Instruction ID: 75edf1561300b166e472fcec8df677d32eb7485a0931b6bf78cf1f3639c6a081
Opcode Fuzzy Hash: 0a1de555eb658759ce3b1eeb5c0a51f30a42af7dd60a40fc132db336b477ecf4
Instruction Fuzzy Hash: 5A412975A04208EFEB20DF94E884EAABBF9FB05320F148529FD5597290D730AD50EF50

Function 00900FA5 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00900FD4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00900FFE
FreeLibrary.KERNEL32(00000000), ref: 009010B5

Part of subcall function 00900FA5: RegCloseKey.ADVAPI32(?), ref: 0090101B
Part of subcall function 00900FA5: FreeLibrary.KERNEL32(?), ref: 0090106D
Part of subcall function 00900FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00901090

RegDeleteKeyW.ADVAPI32(?,?), ref: 00901058

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 5d6bca475eccd23b6856839f67e96b0f372a703550fe3d878007691722010a6f
Instruction ID: ce846032c8108e4ba62bc800cf8fc43f3c2fe51d9fcb34734553dd7e4241ec1f
Opcode Fuzzy Hash: 5d6bca475eccd23b6856839f67e96b0f372a703550fe3d878007691722010a6f
Instruction Fuzzy Hash: 69310D71915109BFEB259F90DC99EFFB7BCEF09300F000169E541E2191EB749F859AA0

Function 009062CD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 009062EC
GetWindowLongW.USER32(00EB5C90,000000F0), ref: 0090631F
GetWindowLongW.USER32(00EB5C90,000000F0), ref: 00906354
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00906386
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 009063B0
GetWindowLongW.USER32(00000000,000000F0), ref: 009063C1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 009063DB

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 3e166dd75f8f61b29bdc1cc3d37d15cdf73040d7b4ba048ea040c73ec1a95b56
Instruction ID: 7008d97bb4ccb34a9c8163803faf2e27103e17ed0344feabb19f7854ad8989af
Opcode Fuzzy Hash: 3e166dd75f8f61b29bdc1cc3d37d15cdf73040d7b4ba048ea040c73ec1a95b56
Instruction Fuzzy Hash: 61311F35608255AFDB20CF58DC88F593BE9FB4A714F1901A8F5009F2F2CB72A950EB90

Function 008DDAEB Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 008DDB2E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 008DDB54
SysAllocString.OLEAUT32(00000000), ref: 008DDB57
SysAllocString.OLEAUT32(?), ref: 008DDB75
SysFreeString.OLEAUT32(?), ref: 008DDB7E
StringFromGUID2.OLE32(?,?,00000028), ref: 008DDBA3
SysAllocString.OLEAUT32(?), ref: 008DDBB1

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 7e29e3be35b73e6a13c14351af017a69d6670b239c542aea238f19f0f256a2c4
Instruction ID: 74dfcb49ea165da60093475433204b43d9851cf354b439c5d572f7246bc060b7
Opcode Fuzzy Hash: 7e29e3be35b73e6a13c14351af017a69d6670b239c542aea238f19f0f256a2c4
Instruction Fuzzy Hash: 56216B36604319AFDB10AFA8DC88CBB73ACFB09364B018626FD14DB2A0D6709D419B60

Function 008F6173 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 008F7D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 008F7DB6

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 008F61C6
WSAGetLastError.WSOCK32(00000000), ref: 008F61D5
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 008F620E
connect.WSOCK32(00000000,?,00000010), ref: 008F6217
WSAGetLastError.WSOCK32 ref: 008F6221
closesocket.WSOCK32(00000000), ref: 008F624A
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 008F6263

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 65686214e21971ff80e5e72c3bc1935c81de1600ef98df4385123c0879ce57b6
Instruction ID: 3fbfccd453376590c80935f43e0cfd1c3cb66ce6fdb8a2cd881620f889a4be5a
Opcode Fuzzy Hash: 65686214e21971ff80e5e72c3bc1935c81de1600ef98df4385123c0879ce57b6
Instruction Fuzzy Hash: B4318131600118AFEF10AF64CC85BBE77A9FF45764F048129FE06E7291DB70AD549BA2

Function 008DF65E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 008DF671
__wcsnicmp.LIBCMT ref: 008DF692
__wcsnicmp.LIBCMT ref: 008DF6AC

Strings

#OnAutoItStartRegister, xrefs: 008DF6A6
#requireadmin, xrefs: 008DF68C
#notrayicon, xrefs: 008DF669

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 6b91f25f257423b870dd256a50f9064345ec5c6dba019294deb35d6cc5c1fc9a
Instruction ID: 386ad67f19a955ae6ccd192a4e807924caf2fabb26d7c76f8c0ac987e37554de
Opcode Fuzzy Hash: 6b91f25f257423b870dd256a50f9064345ec5c6dba019294deb35d6cc5c1fc9a
Instruction Fuzzy Hash: 4621457220415166E321BA38AC02EE77398FF66358B14413BFA43C6692EB509D91E396

Function 008DDBC4 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 008DDC09
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 008DDC2F
SysAllocString.OLEAUT32(00000000), ref: 008DDC32
SysAllocString.OLEAUT32 ref: 008DDC53
SysFreeString.OLEAUT32 ref: 008DDC5C
StringFromGUID2.OLE32(?,?,00000028), ref: 008DDC76
SysAllocString.OLEAUT32(?), ref: 008DDC84

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 314d8d028c37ddcbb63daf7a1fe21b0cb8f4203e32f7d6a84d9957b0159093bc
Instruction ID: ac8eac4b06a1f84408fb7a666c477787104afd1c11ab68c0f4b6b13decba2ec7
Opcode Fuzzy Hash: 314d8d028c37ddcbb63daf7a1fe21b0cb8f4203e32f7d6a84d9957b0159093bc
Instruction Fuzzy Hash: 6E213275618204AFDB20DBA8DC88DAB77ACFB09360B108226F915CB761D674DD41DB64

Function 009075CD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00881D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00881D73
Part of subcall function 00881D35: GetStockObject.GDI32(00000011), ref: 00881D87
Part of subcall function 00881D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00881D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00907632
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0090763F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0090764A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00907659
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00907665

Strings

Msctls_Progress32, xrefs: 00907603

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 842c65c3e4004d9a3bb53f9a9460f1527f9be4687e597551c25505323dadc341
Instruction ID: ba59136d0cefd84ab6c41c9646758ca0a4c35b77813c2585949f6877f6981df0
Opcode Fuzzy Hash: 842c65c3e4004d9a3bb53f9a9460f1527f9be4687e597551c25505323dadc341
Instruction Fuzzy Hash: D811B9B15101197FEF115FA4CC85EE7BF5DEF08798F014114B605A2090C672AC21DBA4

Function 008A9AE6 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 008A9AE6

Part of subcall function 008A3187: EncodePointer.KERNEL32(00000000), ref: 008A318A
Part of subcall function 008A3187: __initp_misc_winsig.LIBCMT ref: 008A31A5
Part of subcall function 008A3187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 008A9EA0
Part of subcall function 008A3187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 008A9EB4
Part of subcall function 008A3187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 008A9EC7
Part of subcall function 008A3187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 008A9EDA
Part of subcall function 008A3187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 008A9EED
Part of subcall function 008A3187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 008A9F00
Part of subcall function 008A3187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 008A9F13
Part of subcall function 008A3187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 008A9F26
Part of subcall function 008A3187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 008A9F39
Part of subcall function 008A3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 008A9F4C
Part of subcall function 008A3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 008A9F5F
Part of subcall function 008A3187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 008A9F72
Part of subcall function 008A3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 008A9F85
Part of subcall function 008A3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 008A9F98
Part of subcall function 008A3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 008A9FAB
Part of subcall function 008A3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 008A9FBE

__mtinitlocks.LIBCMT ref: 008A9AEB
__mtterm.LIBCMT ref: 008A9AF4

Part of subcall function 008A9B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,008A9AF9,008A7CD0,0093A0B8,00000014), ref: 008A9C56
Part of subcall function 008A9B5C: _free.LIBCMT ref: 008A9C5D
Part of subcall function 008A9B5C: DeleteCriticalSection.KERNEL32(0093EC00,?,?,008A9AF9,008A7CD0,0093A0B8,00000014), ref: 008A9C7F

__calloc_crt.LIBCMT ref: 008A9B19
__initptd.LIBCMT ref: 008A9B3B
GetCurrentThreadId.KERNEL32 ref: 008A9B42

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: dc2e22e34cc0e01cc109aa6fa9f9e18d0d9a48160578b3533aa93af52e7f39c7
Instruction ID: 475be646f5d72fb8d82451898073d630523e9edf6465d395b6e75abb7f2ac83f
Opcode Fuzzy Hash: dc2e22e34cc0e01cc109aa6fa9f9e18d0d9a48160578b3533aa93af52e7f39c7
Instruction Fuzzy Hash: 8DF06D3251D7215AF734B67CBC0364A3690FB03730B214A2AF4E5C59D2EF60944245A2

Function 008A406B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,008A3F85), ref: 008A4085
GetProcAddress.KERNEL32(00000000), ref: 008A408C
EncodePointer.KERNEL32(00000000), ref: 008A4097
DecodePointer.KERNEL32(008A3F85), ref: 008A40B2

Strings

RoUninitialize, xrefs: 008A4074
combase.dll, xrefs: 008A4080

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 50566ac1e8fea92afe89b8911c71debe9c8f9b71daec846c3d6d79a1557cb8a0
Instruction ID: 6918b99f76c18453375650ee0036b34a655bbbe5249d1d03b8c2b99ec4f99453
Opcode Fuzzy Hash: 50566ac1e8fea92afe89b8911c71debe9c8f9b71daec846c3d6d79a1557cb8a0
Instruction Fuzzy Hash: C6E092786AD700EFEB60AF71ED1AB453AA4B74A786F109024F111E58A0CBB64644FB14

Function 008E64B8 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 008E660B
_memmove.LIBCMT ref: 008E6546

Part of subcall function 00889837: __itow.LIBCMT ref: 00889862
Part of subcall function 00889837: __swprintf.LIBCMT ref: 008898AC

_memmove.LIBCMT ref: 008E65B9
_memmove.LIBCMT ref: 008E66A0
_memmove.LIBCMT ref: 008E66B9
_memmove.LIBCMT ref: 008E66D5

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 1a44ea1867cdb98926dfc3f4012692738adcbdbdccd52b9821b2ba9a2b0d409a
Instruction ID: ded6fef1deb4911a089b49dea4f2acdd985ad2e4e7e4174a87ba0acc2586f65b
Opcode Fuzzy Hash: 1a44ea1867cdb98926dfc3f4012692738adcbdbdccd52b9821b2ba9a2b0d409a
Instruction Fuzzy Hash: FA619D3050029A9BDF01FF69CC81AFE37A5FF16308F044529F8599B1A2EA35D815DB52

Function 009001E4 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00887DE1: _memmove.LIBCMT ref: 00887E22

Part of subcall function 00900E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,008FFDAD,?,?), ref: 00900E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009002BD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 009002FD
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00900320
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00900349
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0090038C
RegCloseKey.ADVAPI32(00000000), ref: 00900399

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 521b5ab066049f01ecf6dfe7884c89044204163ea30e771752517439b47978c7
Instruction ID: 2ae3911ded128bec99c6bc4e8a63590596659c81ceb32a84642085fcb9cff64b
Opcode Fuzzy Hash: 521b5ab066049f01ecf6dfe7884c89044204163ea30e771752517439b47978c7
Instruction Fuzzy Hash: 4A515731208204AFCB15EF68D885E6EBBF9FF89314F04492DF595872A2DB31E905DB52

Function 00905799 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 009057FB
GetMenuItemCount.USER32(00000000), ref: 00905832
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0090585A
GetMenuItemID.USER32(?,?), ref: 009058C9
GetSubMenu.USER32(?,?), ref: 009058D7
PostMessageW.USER32(?,00000111,?,00000000), ref: 00905928

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 415efa953e490f82dc3ab3aee2a287c7b70b1851d7182178b46cd3aa3be095fa
Instruction ID: 72ce652a765c2514af48dad0abc447a95e2541d2e08c5b2b504380fcc2bb18b0
Opcode Fuzzy Hash: 415efa953e490f82dc3ab3aee2a287c7b70b1851d7182178b46cd3aa3be095fa
Instruction Fuzzy Hash: 23515A35A00615EFCF11AF68C845AAEB7B4FF48320F158069EC56AB391CB34AE419F91

Function 008DEEEC Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 008DEF06
VariantClear.OLEAUT32(00000013), ref: 008DEF78
VariantClear.OLEAUT32(00000000), ref: 008DEFD3
_memmove.LIBCMT ref: 008DEFFD
VariantClear.OLEAUT32(?), ref: 008DF04A
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 008DF078

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 299746681ca80abfecefcb9f87ff61cb98c68d995f8a56db0b1d18360ab1aac6
Instruction ID: aa75fdfd4c1da1353955da21b055e46bc734742e781186b0f76eed7e096842b5
Opcode Fuzzy Hash: 299746681ca80abfecefcb9f87ff61cb98c68d995f8a56db0b1d18360ab1aac6
Instruction Fuzzy Hash: 3D515CB5A00209DFDB14DF58C884AAAB7B8FF4C314B15856AEE59DB301E735E911CBA0

Function 008E220A Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 008E2258
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008E22A3
IsMenu.USER32(00000000), ref: 008E22C3
CreatePopupMenu.USER32 ref: 008E22F7
GetMenuItemCount.USER32(000000FF), ref: 008E2355
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 008E2386

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 190ea18e37b38799b7a1a78de091952d225a98776b543ce2c742fe90b2b6a46c
Instruction ID: 52844118774bccf09b70be315584af40d148cd4d225a239af52b4c1e269945db
Opcode Fuzzy Hash: 190ea18e37b38799b7a1a78de091952d225a98776b543ce2c742fe90b2b6a46c
Instruction Fuzzy Hash: E6518B70600289DFDF21CF6AC888BAEBBE9FF46318F144169E815D72A1D3749A44CF51

Function 00881765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00882612: GetWindowLongW.USER32(?,000000EB), ref: 00882623

BeginPaint.USER32(?,?,?,?,?,?), ref: 0088179A
GetWindowRect.USER32(?,?), ref: 008817FE
ScreenToClient.USER32(?,?), ref: 0088181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0088182C
EndPaint.USER32(?,?), ref: 00881876

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 8ee311945cabf5a344a2ac2b71cbf057708ff841cad22aab1bec2ad11943a5a3
Instruction ID: 93078968fa0a063f5dd3d315fcffd42d4ade4be8fc81137e4638b01581214a73
Opcode Fuzzy Hash: 8ee311945cabf5a344a2ac2b71cbf057708ff841cad22aab1bec2ad11943a5a3
Instruction Fuzzy Hash: C841A3301047049FDB10EF64CC89FA67BECFB4A724F040639F564C62A2CB719946EB62

Function 0090B69E Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(009457B0,00000000,00EB5C90,?,?,009457B0,?,0090B5A8,?,?), ref: 0090B712
EnableWindow.USER32(00000000,00000000), ref: 0090B736
ShowWindow.USER32(009457B0,00000000,00EB5C90,?,?,009457B0,?,0090B5A8,?,?), ref: 0090B796
ShowWindow.USER32(00000000,00000004,?,0090B5A8,?,?), ref: 0090B7A8
EnableWindow.USER32(00000000,00000001), ref: 0090B7CC
SendMessageW.USER32(?,0000130C,?,00000000), ref: 0090B7EF

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 90ab693c7abe81b2fd9a64eec182ed1a4fd0259cd70e1d50dc61269124c4c525
Instruction ID: 3d8ec3f4ca37a5a9e57d5b0ca547cca502df04f80b88506f10faed95295d0222
Opcode Fuzzy Hash: 90ab693c7abe81b2fd9a64eec182ed1a4fd0259cd70e1d50dc61269124c4c525
Instruction Fuzzy Hash: B4419D34604244AFDB22CF28C499B947BF4FF85710F1841B9E9489FAE3C732A956DB51

Function 008F709E Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,008F4E41,?,?,00000000,00000001), ref: 008F70AC

Part of subcall function 008F39A0: GetWindowRect.USER32(?,?), ref: 008F39B3

GetDesktopWindow.USER32 ref: 008F70D6
GetWindowRect.USER32(00000000), ref: 008F70DD
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 008F710F

Part of subcall function 008E5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 008E52BC

GetCursorPos.USER32(?), ref: 008F713B
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 008F7199

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: a73f3256cc721085d06bb31b79055e889797276b2ea0c802da9587f90bf6506f
Instruction ID: 491e78adb4c97929eddab1b0eeba121d186060641763e6f64bcdbeb71b23d59f
Opcode Fuzzy Hash: a73f3256cc721085d06bb31b79055e889797276b2ea0c802da9587f90bf6506f
Instruction Fuzzy Hash: A631B272509309AFD720DF24CC49BABB7EAFF89314F000919F585D7191DA71EA49CB92

Function 008D8879 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008D80A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 008D80C0
Part of subcall function 008D80A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 008D80CA
Part of subcall function 008D80A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 008D80D9
Part of subcall function 008D80A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 008D80E0
Part of subcall function 008D80A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 008D80F6

GetLengthSid.ADVAPI32(?,00000000,008D842F), ref: 008D88CA
GetProcessHeap.KERNEL32(00000008,00000000), ref: 008D88D6
HeapAlloc.KERNEL32(00000000), ref: 008D88DD
CopySid.ADVAPI32(00000000,00000000,?), ref: 008D88F6
GetProcessHeap.KERNEL32(00000000,00000000,008D842F), ref: 008D890A
HeapFree.KERNEL32(00000000), ref: 008D8911

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: fdffe59a1eee648b9f2181c93a41710ae955ca251d5e2c8a52d4ef6f5dc0bb09
Instruction ID: d7ae52b5c30837527a5f2184b57a3007c31622eddc3a150ee8fa90d165cfef0d
Opcode Fuzzy Hash: fdffe59a1eee648b9f2181c93a41710ae955ca251d5e2c8a52d4ef6f5dc0bb09
Instruction Fuzzy Hash: A6116D71515209FFDB209FA4DC29FBE7B79FB45316F10422AE885D7210CB32AA44EB61

Function 008D85B1 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 008D85E2
OpenProcessToken.ADVAPI32(00000000), ref: 008D85E9
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 008D85F8
CloseHandle.KERNEL32(00000004), ref: 008D8603
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 008D8632
DestroyEnvironmentBlock.USERENV(00000000), ref: 008D8646

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: a2e2168002e94358064b0a4cc9e11b0657de7d59250bdcfa84199a449cd7204d
Instruction ID: 260ba0eedc19d614a287d2b15f7820e72fae4a894c95183d577f9d339643c0da
Opcode Fuzzy Hash: a2e2168002e94358064b0a4cc9e11b0657de7d59250bdcfa84199a449cd7204d
Instruction Fuzzy Hash: A5114A72504209EFDF118FA4ED49BEE7BA9FF08754F044165FE04E2160C7729E60AB61

Function 008DB790 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 008DB7B5
GetDeviceCaps.GDI32(00000000,00000058), ref: 008DB7C6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 008DB7CD
ReleaseDC.USER32(00000000,00000000), ref: 008DB7D5
MulDiv.KERNEL32(000009EC,?,00000000), ref: 008DB7EC
MulDiv.KERNEL32(000009EC,?,?), ref: 008DB7FE

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: c324fc5764e436c2037ad7b2df17e99a0f2afebad5a2064145810729c4e7e83c
Instruction ID: 4c73ed5bfcab413fbe21cd90f2693e44d73078ba6e2efd3eee3e2b4f4a6955e0
Opcode Fuzzy Hash: c324fc5764e436c2037ad7b2df17e99a0f2afebad5a2064145810729c4e7e83c
Instruction Fuzzy Hash: CB018475E04609BFEF109BA69C45A5EBFB8EB48311F004076FA08E7391D6319D00CF91

Function 008A0162 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 008A0193
MapVirtualKeyW.USER32(00000010,00000000), ref: 008A019B
MapVirtualKeyW.USER32(000000A0,00000000), ref: 008A01A6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 008A01B1
MapVirtualKeyW.USER32(00000011,00000000), ref: 008A01B9
MapVirtualKeyW.USER32(00000012,00000000), ref: 008A01C1

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: c069bdf56114c9912dedbcc37c4a7db2837ae170db7ce178728141ec7771ee23
Instruction ID: f28b384e10350ffd9a44f37633fc6fa819085a694c9beae79b76f30df141b19a
Opcode Fuzzy Hash: c069bdf56114c9912dedbcc37c4a7db2837ae170db7ce178728141ec7771ee23
Instruction Fuzzy Hash: 35016CB09017597DE3008F5A8C85B52FFA8FF19354F00411BA15C47941C7F5A864CBE5

Function 008E53E9 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 008E53F9
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 008E540F
GetWindowThreadProcessId.USER32(?,?), ref: 008E541E
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 008E542D
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 008E5437
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 008E543E

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 3a2e6ce6df0b9d2f1ab10d25040f45f4c379fdaa2d47b99f6854cc81d8a9779f
Instruction ID: 134a6b183530748da6600fb1d595e23335ca92e2288fe4500d6ba48c49abc3e0
Opcode Fuzzy Hash: 3a2e6ce6df0b9d2f1ab10d25040f45f4c379fdaa2d47b99f6854cc81d8a9779f
Instruction Fuzzy Hash: D0F06D32258558BFE3305BA2DC0DEAB7A7CEBC6B11F000169FA04D10909AA11B0196B5

Function 008E7230 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 008E7243
EnterCriticalSection.KERNEL32(?,?,00890EE4,?,?), ref: 008E7254
TerminateThread.KERNEL32(00000000,000001F6,?,00890EE4,?,?), ref: 008E7261
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00890EE4,?,?), ref: 008E726E

Part of subcall function 008E6C35: CloseHandle.KERNEL32(00000000,?,008E727B,?,00890EE4,?,?), ref: 008E6C3F

InterlockedExchange.KERNEL32(?,000001F6), ref: 008E7281
LeaveCriticalSection.KERNEL32(?,?,00890EE4,?,?), ref: 008E7288

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 606fdc38c681bc19b398265b412fe13b7e3fa5d527d2ff9cff47067c528416d5
Instruction ID: 1878dd3dfb8fa31bedb5152aa1069dcda0644f73be0529ad9a1213d732772ff2
Opcode Fuzzy Hash: 606fdc38c681bc19b398265b412fe13b7e3fa5d527d2ff9cff47067c528416d5
Instruction Fuzzy Hash: A4F0E236058702EFE7212B28EC4C9DB7739FF05702B100131F203D04A0CB761A40EB50

Function 008D8992 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 008D899D
UnloadUserProfile.USERENV(?,?), ref: 008D89A9
CloseHandle.KERNEL32(?), ref: 008D89B2
CloseHandle.KERNEL32(?), ref: 008D89BA
GetProcessHeap.KERNEL32(00000000,?), ref: 008D89C3
HeapFree.KERNEL32(00000000), ref: 008D89CA

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 5fd11a196b21a6896ba2a884260528a47f40ee199e95884236d9d0c8ddf35f8d
Instruction ID: 8f9bbf84d9c719a86ad8372bf59e268435a320e341ca4ea3f4a1b51728f88cc4
Opcode Fuzzy Hash: 5fd11a196b21a6896ba2a884260528a47f40ee199e95884236d9d0c8ddf35f8d
Instruction Fuzzy Hash: 3AE0C236018601FFDA115FE1EC1C90ABB79FB89B62B108230F219C1870CB329560EB90

Function 008F85ED Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 008F8613
CharUpperBuffW.USER32(?,?), ref: 008F8722
VariantClear.OLEAUT32(?), ref: 008F889A

Part of subcall function 008E7562: VariantInit.OLEAUT32(00000000), ref: 008E75A2
Part of subcall function 008E7562: VariantCopy.OLEAUT32(00000000,?), ref: 008E75AB
Part of subcall function 008E7562: VariantClear.OLEAUT32(00000000), ref: 008E75B7

Strings

AUTOIT.ERROR, xrefs: 008F8728
Incorrect Parameter format, xrefs: 008F864B, 008F880D

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 44aace2ed5f51ae89a602b2635c08ccc3fb7364f48581399068968cc61c1241b
Instruction ID: 1caf6be98833376d2bb24af04c8f62f6ad2604dda563a03c579ef4c04044f9b3
Opcode Fuzzy Hash: 44aace2ed5f51ae89a602b2635c08ccc3fb7364f48581399068968cc61c1241b
Instruction Fuzzy Hash: 7C914671608305DFC710EF28C48496ABBE4FF89754F14896EF99ACB261DB30E905CB92

Function 008E2A96 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0089FC86: _wcscpy.LIBCMT ref: 0089FCA9

_memset.LIBCMT ref: 008E2B87
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 008E2BB6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 008E2C69
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 008E2C97

Strings

0, xrefs: 008E2B73

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 52b6a925b9190f6b0b097c8cc80ce320b460c7fbb486ef5efdf0c94b69b1b028
Instruction ID: 9a57dc1256f7728f8e2cf795288517881bc57a15f6e1dc13153dd592a1f40c84
Opcode Fuzzy Hash: 52b6a925b9190f6b0b097c8cc80ce320b460c7fbb486ef5efdf0c94b69b1b028
Instruction Fuzzy Hash: 0551CE711083809BD7249F2AC845A6FB7ECFF9A324F240A2DF895D2291DB70CD44DB52

Function 008DD56C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 008DD5D4
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 008DD60A
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 008DD61B
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 008DD69D

Strings

DllGetClassObject, xrefs: 008DD610

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: d7b33942d952c1f12bf4f3e0684774c61f59183b9f6ff62073182c0e01f1fe6c
Instruction ID: e9bd4a6cac72aab85e15d29678d65ec2b5fb17649916fa7f80c8f20f41141beb
Opcode Fuzzy Hash: d7b33942d952c1f12bf4f3e0684774c61f59183b9f6ff62073182c0e01f1fe6c
Instruction Fuzzy Hash: 1341AEB1600304EFDB15CF64D884A9ABBA9FF54314F1182AAAC09DF305D7B0DA40CBE0

Function 008E2753 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 008E27C0
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 008E27DC
DeleteMenu.USER32(?,00000007,00000000), ref: 008E2822
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00945890,00000000), ref: 008E286B

Strings

0, xrefs: 008E27B5

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: e1f279325e3fab6c0e99ab04e54c6167e2e927b1aca332a313f4a9d717eba635
Instruction ID: f4dcb111e96b7e38f92310534c896e02a6284074418a2ae063fe8184e0f15e49
Opcode Fuzzy Hash: e1f279325e3fab6c0e99ab04e54c6167e2e927b1aca332a313f4a9d717eba635
Instruction Fuzzy Hash: D5417C702043919FD724DF2ACC44B2ABBE8FF86314F144A6DF9A5D7292D730A905CB52

Function 008FD7A5 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 008FD7C5

Part of subcall function 0088784B: _memmove.LIBCMT ref: 00887899

Strings

none, xrefs: 008FD8A0
cdecl, xrefs: 008FD81C
winapi, xrefs: 008FD836
stdcall, xrefs: 008FD847

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: dc518c201bfbf468a9e205c7e97a3671ccabe543d0ac6a718b7cb0086d5ef79d
Instruction ID: af95bece6cb498b10d0e329f93e9645ba77235cbf9f771b497f9bbb3b693bda7
Opcode Fuzzy Hash: dc518c201bfbf468a9e205c7e97a3671ccabe543d0ac6a718b7cb0086d5ef79d
Instruction Fuzzy Hash: 45319A7191421DABDF10EF68C8519BEB3B5FF05320B108A29E926E76D1EB71AD05CB80

Function 008D8E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00887DE1: _memmove.LIBCMT ref: 00887E22

Part of subcall function 008DAA99: GetClassNameW.USER32(?,?,000000FF), ref: 008DAABC

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 008D8F14
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 008D8F27
SendMessageW.USER32(?,00000189,?,00000000), ref: 008D8F57

Part of subcall function 00887BCC: _memmove.LIBCMT ref: 00887C06

Strings

ListBox, xrefs: 008D8ED3
ComboBox, xrefs: 008D8E9E

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: d55718f7a045050080fa817c7afea07491ea0e77513716a9823c2d942fce36b0
Instruction ID: 3546aed4f6ee155ae97952e4504cf09dca4ced78bf1834ce99fda76015abc86f
Opcode Fuzzy Hash: d55718f7a045050080fa817c7afea07491ea0e77513716a9823c2d942fce36b0
Instruction Fuzzy Hash: 4C21D272A04108BEDB24ABA49C85DFEB779EF45324B14461AF421E72E1DE3549099A11

Function 008F182D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 008F184C
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 008F1872
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 008F18A2
InternetCloseHandle.WININET(00000000), ref: 008F18E9

Part of subcall function 008F2483: GetLastError.KERNEL32(?,?,008F1817,00000000,00000000,00000001), ref: 008F2498
Part of subcall function 008F2483: SetEvent.KERNEL32(?,?,008F1817,00000000,00000000,00000001), ref: 008F24AD

Strings

, xrefs: 008F1893

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 7c4f2e7f7a95294f8d39c38586a54d4d6cf922ed1d530f75bd6122e574a6f3ef
Instruction ID: 10379b308eb493d2889ca76ebfe1ed71137b017da6b0542aaa5bacd7a1170f80
Opcode Fuzzy Hash: 7c4f2e7f7a95294f8d39c38586a54d4d6cf922ed1d530f75bd6122e574a6f3ef
Instruction Fuzzy Hash: 0D21B0B151420CBFEB119B74CD89EBB77EDFB48784F10413AF605D6640EA608E0567A2

Function 009063E7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00881D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00881D73
Part of subcall function 00881D35: GetStockObject.GDI32(00000011), ref: 00881D87
Part of subcall function 00881D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00881D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00906461
LoadLibraryW.KERNEL32(?), ref: 00906468
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 0090647D
DestroyWindow.USER32(?), ref: 00906485

Strings

SysAnimate32, xrefs: 0090643C

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 20810bbfe68003d201a2fb020cefed74bf3eefdb92fea5f49f3da07b039cb6cd
Instruction ID: 13b54b09b57d1d34e02a331f80129bbf7abe9e79fc8561a886182292c4abbdfb
Opcode Fuzzy Hash: 20810bbfe68003d201a2fb020cefed74bf3eefdb92fea5f49f3da07b039cb6cd
Instruction Fuzzy Hash: B2218872210209AFEF108FA4DC90EBA77ADEF59368F104629FA10920E0D7719C62A760

Function 008E6D9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 008E6DBC
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 008E6DEF
GetStdHandle.KERNEL32(0000000C), ref: 008E6E01
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 008E6E3B

Strings

nul, xrefs: 008E6E36

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: af747ddc6b7467789f59490795de7e86db51ef69a1d395f6787b12fa28deb495
Instruction ID: 6eaaa3d4352091ae24e18216593074f8e3300a46c8881e0d62cf4b3ed90bbe26
Opcode Fuzzy Hash: af747ddc6b7467789f59490795de7e86db51ef69a1d395f6787b12fa28deb495
Instruction Fuzzy Hash: DB21977470034AAFDB209F2ADC05A5977F4FF667A0F204619FCA1D72D0E77199609B50

Function 008E6E6A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 008E6E89
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 008E6EBB
GetStdHandle.KERNEL32(000000F6), ref: 008E6ECC
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 008E6F06

Strings

nul, xrefs: 008E6F01

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 095a4cf837867faf3eebe9ef60b0117b35ed6138ceb3bc15c86d148ebce69a52
Instruction ID: 2c4e2059002c1b2a2e4040f6721c37794b8ac355745e0a9216c8f19f7cf9ad5a
Opcode Fuzzy Hash: 095a4cf837867faf3eebe9ef60b0117b35ed6138ceb3bc15c86d148ebce69a52
Instruction Fuzzy Hash: 1921B275500346DBDB209F6ACC04AAA77A8FF66764F300A59F8B0D32D0E77099608B21

Function 008EAC40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 008EAC54
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 008EACA8
__swprintf.LIBCMT ref: 008EACC1
SetErrorMode.KERNEL32(00000000,00000001,00000000,0090F910), ref: 008EACFF

Strings

%lu, xrefs: 008EACBB

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 495941c7e8f769569a9f409eddb1f46013aff00befc095aca2b1bea9acd03e9a
Instruction ID: 52ce9aecfdaa807b3781158ffebfc8f4f59fbba54980406c3ee0850fbf2c0244
Opcode Fuzzy Hash: 495941c7e8f769569a9f409eddb1f46013aff00befc095aca2b1bea9acd03e9a
Instruction Fuzzy Hash: 8221A130A00109AFCB10EF69C945DAE7BB8FF89714B004069F809EB251DA31EE41DB22

Function 008E1AE8 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 008E1B19

Strings

EXISTS, xrefs: 008E1B41
APPEND, xrefs: 008E1B52
KEYS, xrefs: 008E1B30
REMOVE, xrefs: 008E1B1F

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 054ee8be55db7c467d1158c42d76dcb32540982795e6228405528eacf6fa05d1
Instruction ID: c8347beba03a2e8a5f75d806ea8efb8c19651231d15c454f5c709e14d32427c5
Opcode Fuzzy Hash: 054ee8be55db7c467d1158c42d76dcb32540982795e6228405528eacf6fa05d1
Instruction Fuzzy Hash: 7B113C319102588FCF00EF58D8558AEB7B4FF66304F1444A5E825A7691EB326906CF51

Function 008FEB55 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 008FEC07
GetProcessIoCounters.KERNEL32(00000000,?), ref: 008FEC37
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 008FED6A
CloseHandle.KERNEL32(?), ref: 008FEDEB

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 48ceddb24dfc770d38fa8b112c1968b49ae7df7f5a550ecaadb8029a452f444b
Instruction ID: 11d405a25e9b6118a3cf0b465c622f0f43a12fc61b205b10f5f6d3b1ee6aedd4
Opcode Fuzzy Hash: 48ceddb24dfc770d38fa8b112c1968b49ae7df7f5a550ecaadb8029a452f444b
Instruction Fuzzy Hash: 438150716043019FD760EF28C886F2AB7E5FF48724F14882DF99ADB292D670AD40CB52

Function 00900037 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00887DE1: _memmove.LIBCMT ref: 00887E22

Part of subcall function 00900E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,008FFDAD,?,?), ref: 00900E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009000FD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0090013C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00900183
RegCloseKey.ADVAPI32(?,?), ref: 009001AF
RegCloseKey.ADVAPI32(00000000), ref: 009001BC

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 758dcb7d7e83c73dff174d001858e740c97fb3c99d5401a6786ccc7b4dd936ea
Instruction ID: baf81103bf9a5118eeb73164cb9fca36d44beec7e294f0d17978f1dae1bc174a
Opcode Fuzzy Hash: 758dcb7d7e83c73dff174d001858e740c97fb3c99d5401a6786ccc7b4dd936ea
Instruction Fuzzy Hash: BC513771208204AFD714EF68D891F6AB7F9FF84314F44492DF596872A2DB31E944CB52

Function 008FD8C8 Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00889837: __itow.LIBCMT ref: 00889862
Part of subcall function 00889837: __swprintf.LIBCMT ref: 008898AC

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 008FD927
GetProcAddress.KERNEL32(00000000,?), ref: 008FD9AA
GetProcAddress.KERNEL32(00000000,00000000), ref: 008FD9C6
GetProcAddress.KERNEL32(00000000,?), ref: 008FDA07
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 008FDA21

Part of subcall function 00885A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,008E7896,?,?,00000000), ref: 00885A2C
Part of subcall function 00885A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,008E7896,?,?,00000000,?,?), ref: 00885A50

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 66ab0e87a2d5f147fa9f1b41627597a98c7d213e86f8194f1b07f78946485033
Instruction ID: 36b90fa258945a643a8fde642d40ebb0a4104fd0c28f34d3a9ea9164659db84b
Opcode Fuzzy Hash: 66ab0e87a2d5f147fa9f1b41627597a98c7d213e86f8194f1b07f78946485033
Instruction Fuzzy Hash: 8051F735A04219DFCB00EFA8C8949ADBBF5FF09324B148165EA59EB312D731AD45CF91

Function 008EE571 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 008EE61F
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 008EE648
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 008EE687

Part of subcall function 00889837: __itow.LIBCMT ref: 00889862
Part of subcall function 00889837: __swprintf.LIBCMT ref: 008898AC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 008EE6AC
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 008EE6B4

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 74b3b61a4bdc426c5d6e399da4bf76012d3873792c96eb70f23132f58b9d8515
Instruction ID: 05216122b1f4f246047a3d154f714b27cfd66397b226fe23956dd0b1273735f8
Opcode Fuzzy Hash: 74b3b61a4bdc426c5d6e399da4bf76012d3873792c96eb70f23132f58b9d8515
Instruction Fuzzy Hash: E0510835A00106DFCB01EF69C9819AEBBF5FF09314B1480A9E859EB361CB31ED11DB51

Function 0090A056 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56e025e1b404682f9bcd244ec60f6a54c6c46b83691e2e6a4f43bb43716c3b59
Instruction ID: bdf3f06fe8b257d97f263f3af1b5fd49d3cd3251f52e94056547b10fd2a5f543
Opcode Fuzzy Hash: 56e025e1b404682f9bcd244ec60f6a54c6c46b83691e2e6a4f43bb43716c3b59
Instruction Fuzzy Hash: 0B41B43590C308AFD760DF68CC58FA9BBBCEB09320F150565F815A72E1C770AE41EA91

Function 00882344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00882357
ScreenToClient.USER32(009457B0,?), ref: 00882374
GetAsyncKeyState.USER32(00000001), ref: 00882399
GetAsyncKeyState.USER32(00000002), ref: 008823A7

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 4c39a3ed2c121e70e96a66364f39c98a32ce91a76468ccd8ee7840c234f5e363
Instruction ID: 440281961820a9876a15ee4c577c06db6952022d305d3f06451668204c31d90a
Opcode Fuzzy Hash: 4c39a3ed2c121e70e96a66364f39c98a32ce91a76468ccd8ee7840c234f5e363
Instruction Fuzzy Hash: 72416E75608109FFCF25AF68C854AE9BB75FB05364F20435AF829D23A0CB349990DB91

Function 008D63AA Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008D63E7
TranslateAcceleratorW.USER32(?,?,?), ref: 008D6433
TranslateMessage.USER32(?), ref: 008D645C
DispatchMessageW.USER32(?), ref: 008D6466
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008D6475

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 2f45089d4a7a7f78835897b248ce86c1e7fa860e4befa32fb2ff7aacb33584c9
Instruction ID: 2d2883c9ae9d0765a7b38458d6d8fb171d24625e84f715c9f5de0e1039384031
Opcode Fuzzy Hash: 2f45089d4a7a7f78835897b248ce86c1e7fa860e4befa32fb2ff7aacb33584c9
Instruction Fuzzy Hash: 5131F23091460EAFDB249FB48C44FB67BA9FB01314F150367E421C22A2F7659469EB60

Function 008D8A1F Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 008D8A30
PostMessageW.USER32(?,00000201,00000001), ref: 008D8ADA
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 008D8AE2
PostMessageW.USER32(?,00000202,00000000), ref: 008D8AF0
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 008D8AF8

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 5c38bdacc0e1e9082b7e952baa8a7b9966000972e2406617a3a0f7594defd8a3
Instruction ID: 7d96b4056d9e68155e54a126185f1ae940d68819d7e87ab6c50e51b9bb5b9823
Opcode Fuzzy Hash: 5c38bdacc0e1e9082b7e952baa8a7b9966000972e2406617a3a0f7594defd8a3
Instruction Fuzzy Hash: AF31C071504229EFDF14CFA8D94CA9E3BB5FB04315F10822AF925EA2D0C7B09A54DB91

Function 008DB1EC Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 008DB204
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 008DB221
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 008DB259
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 008DB27F
_wcsstr.LIBCMT ref: 008DB289

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 67fd82f01206b60aedca79b5029bb88b528b9fd934bf6dc8ed8b0f722ef11fb2
Instruction ID: e539965006ec7f65cb9955db8fe129cf2a65022bc3bd2b761a78b1947c46a07f
Opcode Fuzzy Hash: 67fd82f01206b60aedca79b5029bb88b528b9fd934bf6dc8ed8b0f722ef11fb2
Instruction Fuzzy Hash: A1212933204204BBEB255B79DC49E7F7B9CEF4A760F01423AF804DA261EF61DC41A661

Function 0090B14B Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00882612: GetWindowLongW.USER32(?,000000EB), ref: 00882623

GetWindowLongW.USER32(?,000000F0), ref: 0090B192
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0090B1B7
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0090B1CF
GetSystemMetrics.USER32(00000004), ref: 0090B1F8
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,008F0E90,00000000), ref: 0090B216

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 273051f7f8d754316ae6ee9c93876c63fb57f79075e867b65a1f4d26bbe52a0b
Instruction ID: 21aecef96c106263de201b1770f1e3a5e80c427d6904e4a57b53b5243def98b0
Opcode Fuzzy Hash: 273051f7f8d754316ae6ee9c93876c63fb57f79075e867b65a1f4d26bbe52a0b
Instruction Fuzzy Hash: B521B571928251AFCB209F78DC14A6A37A8FB15721F114B38FD32D76E1E7309950DB90

Function 008D9307 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 008D9320

Part of subcall function 00887BCC: _memmove.LIBCMT ref: 00887C06

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 008D9352
__itow.LIBCMT ref: 008D936A
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 008D9392
__itow.LIBCMT ref: 008D93A3

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 65568ff8a6c0da0dc12169b0d56a043f03641c86aca78b01bd117d0f3b57de2c
Instruction ID: 96c46a8ceadb89d80edcaab9b282f59c91a26ff45b8d047c611095867e88376d
Opcode Fuzzy Hash: 65568ff8a6c0da0dc12169b0d56a043f03641c86aca78b01bd117d0f3b57de2c
Instruction Fuzzy Hash: 2A210731700208AFDB24AA648C85EAE7BADFB89714F145126F984D73C0D6B0CD419792

Function 008F5A4D Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 008F5A6E
GetForegroundWindow.USER32 ref: 008F5A85
GetDC.USER32(00000000), ref: 008F5AC1
GetPixel.GDI32(00000000,?,00000003), ref: 008F5ACD
ReleaseDC.USER32(00000000,00000003), ref: 008F5B08

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 583dc8fe2691bceff55df2476ff33575c626d46e4eb21797522649e54b5c6061
Instruction ID: d4e119dfe50d8ff6ceef5fd15a74a0f03f949b000d4673af4179c55e29081207
Opcode Fuzzy Hash: 583dc8fe2691bceff55df2476ff33575c626d46e4eb21797522649e54b5c6061
Instruction Fuzzy Hash: 6321A135A00118EFDB10EF69DC84AAABBE5FF48310F148079F949D7762CA70AD00DB91

Function 008812F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0088134D
SelectObject.GDI32(?,00000000), ref: 0088135C
BeginPath.GDI32(?), ref: 00881373
SelectObject.GDI32(?,00000000), ref: 0088139C

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 6a95bed5c05dff05e42e4b31bfae4ec824feb212b13dc053872ac16d23389798
Instruction ID: a3034a55fc2da37dc145e8261d8b4cef93b4f5cd711aa3b0ddb7fee2b541900b
Opcode Fuzzy Hash: 6a95bed5c05dff05e42e4b31bfae4ec824feb212b13dc053872ac16d23389798
Instruction Fuzzy Hash: 0A219034828608EFDF20AFA5DD08B697BA8FB11321F154216F814D67B1DF749992EF90

Function 008DBC9E Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 008DBCB3
_memcmp.LIBCMT ref: 008DBCD1
_memcmp.LIBCMT ref: 008DBCE4
_memcmp.LIBCMT ref: 008DBCFC
_memcmp.LIBCMT ref: 008DBD14

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 2fce90d801bc42aa4f2da5a553562d26cc7f3f2a6680b5e13eed9894955a9a1b
Instruction ID: 735bb0030cb1faf47d2bd66766f8a30322d71241b23f3da95c47e8ccbc18159d
Opcode Fuzzy Hash: 2fce90d801bc42aa4f2da5a553562d26cc7f3f2a6680b5e13eed9894955a9a1b
Instruction Fuzzy Hash: EF018071741209BAE6047B299D42FFBA35DFF5538CF054122FE05D6342EB60DE2083A9

Function 008E4A93 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 008E4ABA
__beginthreadex.LIBCMT ref: 008E4AD8
MessageBoxW.USER32(?,?,?,?), ref: 008E4AED
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 008E4B03
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 008E4B0A

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: b4ef41d84227913f5b03cd499953d60109475f2129a43f31b3e124aa7eb7fb98
Instruction ID: 5dd10100c8cf044e832c5c624a73c4390029cdb7a2e6b20831cf2ea567c338e0
Opcode Fuzzy Hash: b4ef41d84227913f5b03cd499953d60109475f2129a43f31b3e124aa7eb7fb98
Instruction Fuzzy Hash: F311087691C658BFC7109FE99C08E9B7FACFB46320F154266F828D3351D6B1C90497A0

Function 008D8202 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 008D821E
GetLastError.KERNEL32(?,008D7CE2,?,?,?), ref: 008D8228
GetProcessHeap.KERNEL32(00000008,?,?,008D7CE2,?,?,?), ref: 008D8237
HeapAlloc.KERNEL32(00000000,?,008D7CE2,?,?,?), ref: 008D823E
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 008D8255

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: fb8e16d4c09777ff33cf5f9312ee9cc6f948f4c3f258567e10895834fe1cc98b
Instruction ID: 64c57eedcb97ace822787a863888b2ee3e5415c0c3a8cdec5629750b32b8bf85
Opcode Fuzzy Hash: fb8e16d4c09777ff33cf5f9312ee9cc6f948f4c3f258567e10895834fe1cc98b
Instruction Fuzzy Hash: 24016D71218608FFDB208FA5DC59D6B7BBDFF8A755B50056AF809C2220DA329D40DA60

Function 008D710A Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,008D7044,80070057,?,?,?,008D7455), ref: 008D7127
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,008D7044,80070057,?,?), ref: 008D7142
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,008D7044,80070057,?,?), ref: 008D7150
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,008D7044,80070057,?), ref: 008D7160
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,008D7044,80070057,?,?), ref: 008D716C

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: ab9f3e509ccc78677c61bd15f7c35e551cd0815239b7e8f95fef4c5584051df4
Instruction ID: 4f74ab90ff1f205fd6cf8d5d368ac255c0a2930ee48367851e53c4f7c30dcd64
Opcode Fuzzy Hash: ab9f3e509ccc78677c61bd15f7c35e551cd0815239b7e8f95fef4c5584051df4
Instruction Fuzzy Hash: 7B017C72615219AFDF218F64DC44AAA7BADFB447A1F144265FD05D2320E731DE40ABA0

Function 008E5244 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 008E5260
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 008E526E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 008E5276
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 008E5280
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 008E52BC

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: aafdb54d08c660129331b1d6c4c64d39636f1e369eb515ddd26712348dbf82f8
Instruction ID: 3d0264591a90a7cdd6b0506417fe72d831f6fb79291145f4376fc534a3cd52fd
Opcode Fuzzy Hash: aafdb54d08c660129331b1d6c4c64d39636f1e369eb515ddd26712348dbf82f8
Instruction Fuzzy Hash: 30012931D19A1DDBCF10EFE5E8599EDBB78FB0E715F400156EA41F2240CB3096549BA1

Function 008D810A Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 008D8121
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 008D812B
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 008D813A
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 008D8141
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 008D8157

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 6e017a27038e6f7eeae9f455af5fb568fbf766a4864499aeceb75b3541f13297
Instruction ID: d8d2ea7141167aafa8ad1458464aee4bb405756d824bc8bd18e753dc2e458cc2
Opcode Fuzzy Hash: 6e017a27038e6f7eeae9f455af5fb568fbf766a4864499aeceb75b3541f13297
Instruction Fuzzy Hash: F6F06271214314EFEB220FA5EC99F673BBCFF49B54F000126F945C6250CB619E45EA60

Function 008DC1E3 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 008DC1F7
GetWindowTextW.USER32(00000000,?,00000100), ref: 008DC20E
MessageBeep.USER32(00000000), ref: 008DC226
KillTimer.USER32(?,0000040A), ref: 008DC242
EndDialog.USER32(?,00000001), ref: 008DC25C

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 8f99dcd0552c4f96abfe4704e86512c09313034a0e293c3349bea786d190a707
Instruction ID: a765f1ac59a361cd4bdf2603e757f6493f6584cbd80ac4bd5b308b708fcddffc
Opcode Fuzzy Hash: 8f99dcd0552c4f96abfe4704e86512c09313034a0e293c3349bea786d190a707
Instruction Fuzzy Hash: 6001A7304587099BEB315B54DD5EB967778FB00B06F04076AE542D15E0D7E16944DB50

Function 008813B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 008813BF
StrokeAndFillPath.GDI32(?,?,008BB888,00000000,?), ref: 008813DB
SelectObject.GDI32(?,00000000), ref: 008813EE
DeleteObject.GDI32 ref: 00881401
StrokePath.GDI32(?), ref: 0088141C

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 9379cdfde4831bca80505605dcccef9bfe8f08ac2d8d084c7eb16711373cdf27
Instruction ID: 61ffb1ea42a4d7cb5f47f0d753f791a49df9f1273d8e7e0932c3680d76ac38c6
Opcode Fuzzy Hash: 9379cdfde4831bca80505605dcccef9bfe8f08ac2d8d084c7eb16711373cdf27
Instruction Fuzzy Hash: 91F0CD34028608DFDB215F56EC5CB583BA9F702326F098224E42989AF2CB354596EF54

Function 00892CFB Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 008A0DB6: std::exception::exception.LIBCMT ref: 008A0DEC
Part of subcall function 008A0DB6: __CxxThrowException@8.LIBCMT ref: 008A0E01

Part of subcall function 00887DE1: _memmove.LIBCMT ref: 00887E22

Part of subcall function 00887A51: _memmove.LIBCMT ref: 00887AAB

__swprintf.LIBCMT ref: 00892ECD

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00892D66

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 21d21172ec0c4eb86147fd8349cb2757764c0c238987fb025f47bb37b7c75cf9
Instruction ID: aac83b38451b3d2b410e622df3ddf9dca7e910568e922718b3ea5d7032ce5881
Opcode Fuzzy Hash: 21d21172ec0c4eb86147fd8349cb2757764c0c238987fb025f47bb37b7c75cf9
Instruction Fuzzy Hash: F9913671108215ABDB14FF28C885D6EB7B4FF85720F14492DF496DB2A2EA30ED44CB52

Function 008EB93B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00884750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00884743,?,?,008837AE,?), ref: 00884770

CoInitialize.OLE32(00000000), ref: 008EB9BB
CoCreateInstance.OLE32(00912D6C,00000000,00000001,00912BDC,?), ref: 008EB9D4
CoUninitialize.OLE32 ref: 008EB9F1

Part of subcall function 00889837: __itow.LIBCMT ref: 00889862
Part of subcall function 00889837: __swprintf.LIBCMT ref: 008898AC

Strings

.lnk, xrefs: 008EB99D, 008EB9AB

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 4c8a7f9ab403a211ae2933f30ca2bfa02034ce3edc1d3b5ffa11010941799d69
Instruction ID: 8d306c58eb34defc2df35f5b6693fa29aada6b168763742fc0e8365e26591bda
Opcode Fuzzy Hash: 4c8a7f9ab403a211ae2933f30ca2bfa02034ce3edc1d3b5ffa11010941799d69
Instruction Fuzzy Hash: 4FA135756043469FCB00EF19C884D6ABBE5FF8A324F148958F8999B361CB31ED45CB92

Function 008A501D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 008A50AD

Part of subcall function 008B00F0: __87except.LIBCMT ref: 008B012B

Strings

pow, xrefs: 008A5085, 008A50A2

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 6e975829ba9d35fa723074f7246c00574f6007b87c0ae85627d20fe554992c06
Instruction ID: 06a7d900585f3c661f525cc7157129d20fa7157dc4e536027cd40bbdd9b8ce64
Opcode Fuzzy Hash: 6e975829ba9d35fa723074f7246c00574f6007b87c0ae85627d20fe554992c06
Instruction Fuzzy Hash: B0515D21A1CE0696E715B718C8053FF7B94FB42700F208959E4D5C6799EE348DC8EE82

Function 00896192 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00896248
_memmove.LIBCMT ref: 008962E4
_memset.LIBCMT ref: 00896308

Strings

ERCP, xrefs: 008961B3

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: b487f9fbac8e9e6fb302b5110b924287e043f84e1785fe12f6934d9117e2226f
Instruction ID: e576b7615c36705ad39ece79ff6961d5b4e676d986c277731278bf6e6f1a9f6a
Opcode Fuzzy Hash: b487f9fbac8e9e6fb302b5110b924287e043f84e1785fe12f6934d9117e2226f
Instruction Fuzzy Hash: D151B071900309DFDB24DFA9C941BAAB7E5FF04314F24466EE44ACB291E770AA50DF40

Function 008D97F5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008E14BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,008D9296,?,?,00000034,00000800,?,00000034), ref: 008E14E6

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 008D983F

Part of subcall function 008E1487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,008D92C5,?,?,00000800,?,00001073,00000000,?,?), ref: 008E14B1

Part of subcall function 008E13DE: GetWindowThreadProcessId.USER32(?,?), ref: 008E1409
Part of subcall function 008E13DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,008D925A,00000034,?,?,00001004,00000000,00000000), ref: 008E1419
Part of subcall function 008E13DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,008D925A,00000034,?,?,00001004,00000000,00000000), ref: 008E142F

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 008D98AC
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 008D98F9

Strings

@, xrefs: 008D9911

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: f7c4e248de33641389f52bd98d7bf3d7c3385b8a6ff3fa45b25053e1a7dac305
Instruction ID: cbf4242283cb427104b2d9a39419efba453abc2b8d7c9e8bfffe45fd7762f544
Opcode Fuzzy Hash: f7c4e248de33641389f52bd98d7bf3d7c3385b8a6ff3fa45b25053e1a7dac305
Instruction Fuzzy Hash: 16412D76900218BEDF10DFA4CC95EDEBBB8FB09700F004199F945B7291DA716E45DBA1

Function 00907946 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0090F910,00000000,?,?,?,?), ref: 009079DF
GetWindowLongW.USER32 ref: 009079FC
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00907A0C

Strings

SysTreeView32, xrefs: 009079B1

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: f49437fba8285d23066340000646d4ebdce8ebd0b7f7c3cd3efed30ef576215a
Instruction ID: c50644d91091c1507ca04ea1ab8da8acc208a4384b1d22a3f5860b76793c7775
Opcode Fuzzy Hash: f49437fba8285d23066340000646d4ebdce8ebd0b7f7c3cd3efed30ef576215a
Instruction Fuzzy Hash: FF31AB31604606AFDB219EB8CC45BEBB7A9FB49334F208725F875E22E0D731E9519B50

Function 009073D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00907461
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00907475
SendMessageW.USER32(?,00001002,00000000,?), ref: 00907499

Strings

SysMonthCal32, xrefs: 0090742C

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: c91caaba404389f0d816759702626dea0d3704ee33f46d858beb6d64d456bbd1
Instruction ID: 9f042db68d60557cbb334769c8d8371873f5d2abbca2464649ede71f5c7141c9
Opcode Fuzzy Hash: c91caaba404389f0d816759702626dea0d3704ee33f46d858beb6d64d456bbd1
Instruction Fuzzy Hash: DB218032514219AFDF118F94CC46FEA7B6AEB48724F110214FE15AB1E0DAB5A8519BA0

Function 00907B93 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00907C4A
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00907C58
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00907C5F

Strings

msctls_updown32, xrefs: 00907BC4

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: f32b131edfca808b2ab4b0d85e60aa566cf4f94003cd4ddd2c1825891918e1e1
Instruction ID: 93e9fe650d9cd82112754978dfddffaa29c40100e0ac12a53a72e779536d0471
Opcode Fuzzy Hash: f32b131edfca808b2ab4b0d85e60aa566cf4f94003cd4ddd2c1825891918e1e1
Instruction Fuzzy Hash: 20218EB5604219AFEB10DF68DCC1DA677ECEF5A364B140059FA01DB3A1CB31EC519B60

Function 00906CB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00906D3B
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00906D4B
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00906D70

Strings

Listbox, xrefs: 00906D08

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: f85a7d14ffc2c73d62fb614e6ab7c8163bc08966adba5f28def67c8b3daa7ca6
Instruction ID: 081e4c61d4cc867958d622ddd458b2832ff46bd6eaab73fd73b3a3cff35f6939
Opcode Fuzzy Hash: f85a7d14ffc2c73d62fb614e6ab7c8163bc08966adba5f28def67c8b3daa7ca6
Instruction Fuzzy Hash: 52218032610118BFEF118F54DC45FAB3BBEEB89764F018124FA459B1E0CB71AC619BA0

Function 0090770E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00907772
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00907787
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00907794

Strings

msctls_trackbar32, xrefs: 00907749

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 2ba2aa6706988005a16a72f598e9bb857df4aab2fcf96d8e1c9e17bc0219ef9e
Instruction ID: 7809f49086fd5a2fd623390755924792f53112b0069256e08592b419174d6493
Opcode Fuzzy Hash: 2ba2aa6706988005a16a72f598e9bb857df4aab2fcf96d8e1c9e17bc0219ef9e
Instruction Fuzzy Hash: 99110432604209BEEF205FA4CC05FA777ACEF88B64F010128FA41920D0C672E811DB10

Function 00884C03 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00884BD0,?,00884DEF,?,009452F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00884C11
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00884C23

Strings

Wow64DisableWow64FsRedirection, xrefs: 00884C1D
kernel32.dll, xrefs: 00884C0C

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 35754cf855ed74607ab95e5492fa73f26f1c8ce08ea35fc0f057b3282c5a2355
Instruction ID: 1629bfa7fa59b06c7150d11fb8ceb4bfd5842306a067d96003cb28150710458f
Opcode Fuzzy Hash: 35754cf855ed74607ab95e5492fa73f26f1c8ce08ea35fc0f057b3282c5a2355
Instruction Fuzzy Hash: C2D01231515723CFD730AF71D918606B6DAFF09355B118C39D485D6550E6B0D580CB50

Function 00884C36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00884B83,?), ref: 00884C44
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00884C56

Strings

Wow64RevertWow64FsRedirection, xrefs: 00884C50
kernel32.dll, xrefs: 00884C3F

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 61bb3d8a46b04f4e90148d01f151059716071070773a6cc48776acda238eedce
Instruction ID: 44414b84f1f117ba099a03b75f44ce5f9fb031c62cb23e1bd0598fa8f92277be
Opcode Fuzzy Hash: 61bb3d8a46b04f4e90148d01f151059716071070773a6cc48776acda238eedce
Instruction Fuzzy Hash: 1CD01772528713CFD730AF31D91860A76E9FF19355B12883AA496D69A0E670D980CB50

Function 00900DE7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00901039), ref: 00900DF5
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00900E07

Strings

RegDeleteKeyExW, xrefs: 00900E01
advapi32.dll, xrefs: 00900DF0

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 1757015d9e2c2e10f26d6d1de5d1c285314288e0ec43571b218fc59706a66cec
Instruction ID: fa0bd1d556e342e58000aae9a15beab43499d4cb68f4898c08f75b0475197e0a
Opcode Fuzzy Hash: 1757015d9e2c2e10f26d6d1de5d1c285314288e0ec43571b218fc59706a66cec
Instruction Fuzzy Hash: 76D01770528722CFD7219F75C80878676E9AF84356F118C3EA886E2590E6B0D8D0CA50

Function 008F90E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,008F8CF4,?,0090F910), ref: 008F90EE
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 008F9100

Strings

GetModuleHandleExW, xrefs: 008F90FA
kernel32.dll, xrefs: 008F90E9

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 910101a80ed4f20c07a7e8bfba9ae1ccb56cfb3b5107b0a85cc7a4f6d25dbea1
Instruction ID: e136986e3c66535bb99f45602a2e54060708bc8b11b1fa999102db4ae4e45157
Opcode Fuzzy Hash: 910101a80ed4f20c07a7e8bfba9ae1ccb56cfb3b5107b0a85cc7a4f6d25dbea1
Instruction Fuzzy Hash: ACD01734528713CFDB309F31D82861676E8FF05355B12887AE6C6D69A0EA74C8C0CA90

Function 008C1714 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 008C1718
__swprintf.LIBCMT ref: 008C1749

Strings

%.3d, xrefs: 008C1723
WIN_XPe, xrefs: 008C1788

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 0f18b073e0334a8ab2eae23c85880fcbe52abf108abe193b5828aee5ae808216
Instruction ID: 79c4c728c221e4fbea9db52071ba87706dbe67b48e10e778b63d91f1be4d2e0d
Opcode Fuzzy Hash: 0f18b073e0334a8ab2eae23c85880fcbe52abf108abe193b5828aee5ae808216
Instruction Fuzzy Hash: 7CD0177180910DEACF11DB9098CCEB9737CFB1A309F14046AB402E2446E231CB94EB61

Function 008D717D Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62b97e2174a0d0e7c404b9b94987d6ca69b5ecfdc7e534658c7da1b6568dd7e3
Instruction ID: 3e08fe44071d9a96aa13be39e780bf51b784434105c32e1f31afa055175006ee
Opcode Fuzzy Hash: 62b97e2174a0d0e7c404b9b94987d6ca69b5ecfdc7e534658c7da1b6568dd7e3
Instruction Fuzzy Hash: 74C16074A0421AEFCB14CF94C884EAEBBB5FF48714B558699E805EB351E730ED81DB90

Function 008FE02A Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 008FE0BE
CharLowerBuffW.USER32(?,?), ref: 008FE101

Part of subcall function 008FD7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 008FD7C5

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 008FE301
_memmove.LIBCMT ref: 008FE314

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 25592d6a3cfb76276bda014a49d57c856a137f1c47eed57e547b7977093b1e58
Instruction ID: 57f48a2a5be94fb6696d270dfe919a7da40d5d25f8df65f8f57871d0248f1788
Opcode Fuzzy Hash: 25592d6a3cfb76276bda014a49d57c856a137f1c47eed57e547b7977093b1e58
Instruction Fuzzy Hash: 26C126716083059FC714DF28C480A6ABBE4FF89718F14896EF999DB361D731E946CB82

Function 008F8093 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 008F80C3
CoUninitialize.OLE32 ref: 008F80CE

Part of subcall function 008DD56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 008DD5D4

VariantInit.OLEAUT32(?), ref: 008F80D9
VariantClear.OLEAUT32(?), ref: 008F83AA

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: dc8e52883744d46ab25f43360df4fa42b57a13dbe4c32de65b755957da75f412
Instruction ID: c3ffd626d1f98126262a4f839ac6b11d0b08c4d72e5968f3f1e259851b84e0ad
Opcode Fuzzy Hash: dc8e52883744d46ab25f43360df4fa42b57a13dbe4c32de65b755957da75f412
Instruction Fuzzy Hash: 4CA126356047069FDB10EF68C881A2AB7E4FF89714F184558FA9ADB3A1CB30ED45CB42

Function 008D7530 Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00912C7C,?), ref: 008D76EA
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00912C7C,?), ref: 008D7702
CLSIDFromProgID.OLE32(?,?,00000000,0090FB80,000000FF,?,00000000,00000800,00000000,?,00912C7C,?), ref: 008D7727
_memcmp.LIBCMT ref: 008D7748

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: a729c8196ccba1257cc5dde4fb3466bf8be035a2ffdabf4bfc6f783ca4ff3a39
Instruction ID: a6f7eabff3d0d88fb428f8c15971daf02beac53f61183ebf61be51e1fae6920d
Opcode Fuzzy Hash: a729c8196ccba1257cc5dde4fb3466bf8be035a2ffdabf4bfc6f783ca4ff3a39
Instruction Fuzzy Hash: 8B811C75A00109EFCB04DFA8C984DEEB7B9FF89315F204559E516EB250EB71AE06CB60

Function 008D687D Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 008D688E
SysAllocString.OLEAUT32(00000000), ref: 008D6937
VariantCopy.OLEAUT32 ref: 008D6966
VariantClear.OLEAUT32(?), ref: 008D698D

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 4e2a79c66815f6b94e6f4f97a0f7bcf469e37d6b63d035118e1eac1c20330404
Instruction ID: aebd328a53c1e40b9aed6f24a675c4cb9219489a0a6ca919fab18f29761e9e57
Opcode Fuzzy Hash: 4e2a79c66815f6b94e6f4f97a0f7bcf469e37d6b63d035118e1eac1c20330404
Instruction Fuzzy Hash: A351B3746043099EDB24AF69D891A3AB7E5FF45314F20C91FE5C6DB791FA30D8A08702

Function 009097F4 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00EBE1E0,?), ref: 00909863
ScreenToClient.USER32(00000002,00000002), ref: 00909896
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00909903

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 42841a40947d670f8bbe55e5123951894a3916408d482035948060ed30f804bb
Instruction ID: ec30eafd1bb4a1cc9cb56a02976952ef950408a5b9fab0758c6f44d742afcce9
Opcode Fuzzy Hash: 42841a40947d670f8bbe55e5123951894a3916408d482035948060ed30f804bb
Instruction Fuzzy Hash: F6513035A00209EFCF14DF58C884AAE7BB9FF56360F148159F8659B3A1D731AD81DB90

Function 008D9A80 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 008D9AD2
__itow.LIBCMT ref: 008D9B03

Part of subcall function 008D9D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 008D9DBE

SendMessageW.USER32(?,0000110A,00000001,?), ref: 008D9B6C
__itow.LIBCMT ref: 008D9BC3

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: c092615cafe3cc4513db48ebce62e343c9934256bb31ac452bbd200e65b0e279
Instruction ID: 1a5434c48873e29901f6f7db3d83f124e89c6e73e580ffb5257505c46f8130fe
Opcode Fuzzy Hash: c092615cafe3cc4513db48ebce62e343c9934256bb31ac452bbd200e65b0e279
Instruction Fuzzy Hash: 34416F74A00218ABDF21EF58D845BAEBFB9FF45724F00015AF945E7391DB709A44CB52

Function 008F69AA Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 008F69D1
WSAGetLastError.WSOCK32(00000000), ref: 008F69E1

Part of subcall function 00889837: __itow.LIBCMT ref: 00889862
Part of subcall function 00889837: __swprintf.LIBCMT ref: 008898AC

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 008F6A45
WSAGetLastError.WSOCK32(00000000), ref: 008F6A51

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 5e2bc8418ae23cb1e81fd669ba28892bc73104fcad90e765be40091ebf5746e6
Instruction ID: 5066bd661275c130c576e150d5ae8a1f12a0d84f460037116a870d5289afb15a
Opcode Fuzzy Hash: 5e2bc8418ae23cb1e81fd669ba28892bc73104fcad90e765be40091ebf5746e6
Instruction Fuzzy Hash: 5A41A275740215AFEB60BF28CC86F3A77A4FB04B14F448128FA59EB2C2DA709D009792

Function 008F641A Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0090F910), ref: 008F64A7
_strlen.LIBCMT ref: 008F64D9

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 3f79601f5624054d47dc6b27f7f275aae3ad0dd1df0f4ee68f728499ff90cc83
Instruction ID: 3a53911f9c8aad6636872d47e3b2ce7235c8e83b83988776921910b960833909
Opcode Fuzzy Hash: 3f79601f5624054d47dc6b27f7f275aae3ad0dd1df0f4ee68f728499ff90cc83
Instruction Fuzzy Hash: F3418431500118ABCB14FBB8DC95EBEB7A9FF08314F148255F919D7292EB30AD14C751

Function 008EB7F4 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 008EB89E
GetLastError.KERNEL32(?,00000000), ref: 008EB8C4
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 008EB8E9
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 008EB915

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: d77d71371a89bb7e3794112361a626bcd62948ccd05e7df69cb50f16a96ca936
Instruction ID: b1d09e383efe521b410b67747a7c04aaa4f6a3b7f71bc7321482a0806c881c79
Opcode Fuzzy Hash: d77d71371a89bb7e3794112361a626bcd62948ccd05e7df69cb50f16a96ca936
Instruction Fuzzy Hash: B541FB35600552DFCB11EF19C455A6ABBE1FF4A314F198098ED8A9B762CB30FD01DB92

Function 00908851 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 009088DE

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 288aa17570063a60aa183013bd55b0568f03751b34771ee2cf3756346dbe3edb
Instruction ID: 9badf8312be947274fef0e59558225ceb4f7ae90070143cbc6d6800b23f7fcf4
Opcode Fuzzy Hash: 288aa17570063a60aa183013bd55b0568f03751b34771ee2cf3756346dbe3edb
Instruction Fuzzy Hash: 5331D434714108EFEB24AA58CC45FBE77A9EB06350F544512F9B1E62E1CE71D980AB52

Function 0090AB37 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0090AB60
GetWindowRect.USER32(?,?), ref: 0090ABD6
PtInRect.USER32(?,?,0090C014), ref: 0090ABE6
MessageBeep.USER32(00000000), ref: 0090AC57

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: ab615141ee127971dbde1e146fb1b8990aee66124641f58b0f3f2adb95517ca3
Instruction ID: 9dc915eec0ce2d10944761762c1f6bf9a0b48d8e7d91c8646e2fc9521c965ac3
Opcode Fuzzy Hash: ab615141ee127971dbde1e146fb1b8990aee66124641f58b0f3f2adb95517ca3
Instruction Fuzzy Hash: 6041AE34604229DFDB21DF58C884BA97BF9FF49300F1A80A9E854DB2A1D730E941DBD2

Function 008E0AD6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 008E0B27
SetKeyboardState.USER32(00000080,?,00000001), ref: 008E0B43
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 008E0BA9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 008E0BFB

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: d75716ae868f29365904cb7e0b5631603db80f166f8d36bce4f7fd1ae18063d0
Instruction ID: bfaa2d2aa31c06de4dee82e35fcf065b1564c97621f1c0f06ca0756c26505547
Opcode Fuzzy Hash: d75716ae868f29365904cb7e0b5631603db80f166f8d36bce4f7fd1ae18063d0
Instruction Fuzzy Hash: D7314A309442886EEB308B668C05BF9BBA9FB86328F144B5AF581D11D1C3F489C09F51

Function 008E0C11 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 008E0C66
SetKeyboardState.USER32(00000080,?,00008000), ref: 008E0C82
PostMessageW.USER32(00000000,00000101,00000000), ref: 008E0CE1
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 008E0D33

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: e5336545d739ad8e1248e93a984661a5b2aa7bfa5d02c9cc53f0a26c4cd29e50
Instruction ID: 7a6aad60efaa692f1afca4b19a31a4a5ce6606a0cef6c9d2e9851396bcd72bed
Opcode Fuzzy Hash: e5336545d739ad8e1248e93a984661a5b2aa7bfa5d02c9cc53f0a26c4cd29e50
Instruction Fuzzy Hash: DB314830A0429C6EFF308B6A8C147FEBB66FB47310F244B1AE481D21D1C3B999C59B52

Function 008B61C5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 008B61FB
__isleadbyte_l.LIBCMT ref: 008B6229
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 008B6257
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 008B628D

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: aff2a6561c96c76ed8503d49d8ac30d82916a6c0f479e24fc08038d790bd1ead
Instruction ID: 76b7365d9f3508190afa397536cbcb66a513a3569d52436078d682eaf314d923
Opcode Fuzzy Hash: aff2a6561c96c76ed8503d49d8ac30d82916a6c0f479e24fc08038d790bd1ead
Instruction Fuzzy Hash: EE31AE31A04246AFEF218F69CC44BBA7BA9FF42310F154029E864D72A1E735D961DB90

Function 00904EEE Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00904F02

Part of subcall function 008E3641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 008E365B
Part of subcall function 008E3641: GetCurrentThreadId.KERNEL32 ref: 008E3662
Part of subcall function 008E3641: AttachThreadInput.USER32(00000000,?,008E5005), ref: 008E3669

GetCaretPos.USER32(?), ref: 00904F13
ClientToScreen.USER32(00000000,?), ref: 00904F4E
GetForegroundWindow.USER32 ref: 00904F54

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: ce588fae6e2ee114f6ece072dc4766e26f1f0bbd922f85649b5422ce740bb896
Instruction ID: 0cf0edd02739db2528c3c50a57132916efbedc6f5c360ca52567991443acffb3
Opcode Fuzzy Hash: ce588fae6e2ee114f6ece072dc4766e26f1f0bbd922f85649b5422ce740bb896
Instruction Fuzzy Hash: 38312D71E00108AFCB10EFB9C8859EFB7F9FF99304F10406AE555E7251DA719E058BA1

Function 0090C498 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00882612: GetWindowLongW.USER32(?,000000EB), ref: 00882623

GetCursorPos.USER32(?), ref: 0090C4D2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,008BB9AB,?,?,?,?,?), ref: 0090C4E7
GetCursorPos.USER32(?), ref: 0090C534
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,008BB9AB,?,?,?), ref: 0090C56E

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: bcc6e1da33573bf8e11450b6a571f4d09c0c9070e5f8520b9c23de15d58ed16e
Instruction ID: 45d7bcf77c9b73a44cd6d4680d3dd73da8b754bc65ae31b4f3848d17a6c69212
Opcode Fuzzy Hash: bcc6e1da33573bf8e11450b6a571f4d09c0c9070e5f8520b9c23de15d58ed16e
Instruction Fuzzy Hash: 79317379614058AFCB25CF98CC68EBA7BB9FB09310F444265F905CB2A1C731AD51EBA4

Function 008D8656 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008D810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 008D8121
Part of subcall function 008D810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 008D812B
Part of subcall function 008D810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 008D813A
Part of subcall function 008D810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 008D8141
Part of subcall function 008D810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 008D8157

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 008D86A3
_memcmp.LIBCMT ref: 008D86C6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 008D86FC
HeapFree.KERNEL32(00000000), ref: 008D8703

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: c929d74388e0a9313bd7d038efb04149284b3fac4d9cc2d5aa13ee8d6f1bcab1
Instruction ID: fada22dd4d06abc14052cfe71289f81dad1ae72761c40bc7d80c66b70fb235d8
Opcode Fuzzy Hash: c929d74388e0a9313bd7d038efb04149284b3fac4d9cc2d5aa13ee8d6f1bcab1
Instruction Fuzzy Hash: 99215771E04208EFDB10DFA8D949BAEB7B8FF54314F15415AE444AB240EB30AE05DB90

Function 008A098C Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 008A09AE

Part of subcall function 00885A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,008E7896,?,?,00000000), ref: 00885A2C
Part of subcall function 00885A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,008E7896,?,?,00000000,?,?), ref: 00885A50

_fprintf.LIBCMT ref: 008A09E5
OutputDebugStringW.KERNEL32(?), ref: 008D5DBB

Part of subcall function 008A4AAA: _flsall.LIBCMT ref: 008A4AC3

__setmode.LIBCMT ref: 008A0A1A

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 9c260b965db6a3e7990ca0a57a2da9235c527f3174007e82a5bd7d512a01d39d
Instruction ID: 77ee4553128fea0135998c5cc700f79aa0a81f87ef136e97246af3869530a514
Opcode Fuzzy Hash: 9c260b965db6a3e7990ca0a57a2da9235c527f3174007e82a5bd7d512a01d39d
Instruction Fuzzy Hash: F91127319042086FEB04B7BCAC479BE7B69FF87320F240126F105D6582EEA0584297A2

Function 008F1767 Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 008F17A3

Part of subcall function 008F182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 008F184C
Part of subcall function 008F182D: InternetCloseHandle.WININET(00000000), ref: 008F18E9

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 6702278a1054cee3af06f88986660fea9abf71debde11260e9a62640004e4bb2
Instruction ID: fd94f43bad0f274b0350a27f0add65e4f12e376a94c2e7b7a4d7d14365b9aed5
Opcode Fuzzy Hash: 6702278a1054cee3af06f88986660fea9abf71debde11260e9a62640004e4bb2
Instruction Fuzzy Hash: 2B21B031214609FFEF129F748C04BBABBA9FF48751F14402AFA05D6550D7719911A7A1

Function 008E3A2A Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0090FAC0), ref: 008E3A64
GetLastError.KERNEL32 ref: 008E3A73
CreateDirectoryW.KERNEL32(?,00000000), ref: 008E3A82
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0090FAC0), ref: 008E3ADF

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: d67e70eeedc23ba2a927bda5748ac3504efe199132350a33a5938046e649428f
Instruction ID: d6b14c62d13de139fc27d39441b1644bda20088bd25954108afeefc75daa7e34
Opcode Fuzzy Hash: d67e70eeedc23ba2a927bda5748ac3504efe199132350a33a5938046e649428f
Instruction Fuzzy Hash: 3721D6341086119FC710EF29D88586A77E8FF56368F104A2DF499C72A1D731DE85CB83

Function 008DDCBE Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 008DF0BC: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,008DDCD3,?,?,?,008DEAC6,00000000,000000EF,00000119,?,?), ref: 008DF0CB
Part of subcall function 008DF0BC: lstrcpyW.KERNEL32(00000000,?,?,008DDCD3,?,?,?,008DEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 008DF0F1
Part of subcall function 008DF0BC: lstrcmpiW.KERNEL32(00000000,?,008DDCD3,?,?,?,008DEAC6,00000000,000000EF,00000119,?,?), ref: 008DF122

lstrlenW.KERNEL32(?,00000002,?,?,?,?,008DEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 008DDCEC
lstrcpyW.KERNEL32(00000000,?,?,008DEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 008DDD12
lstrcmpiW.KERNEL32(00000002,cdecl,?,008DEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 008DDD46

Strings

cdecl, xrefs: 008DDD3D

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: fc0d54703f69a8c5255c6bd92af602c9c3d3573e6c5b7509ea66a2a7c91dafb7
Instruction ID: a0be294155fbc25d861b4332450208d96aee59d1c89e98c2408f1e78473ff409
Opcode Fuzzy Hash: fc0d54703f69a8c5255c6bd92af602c9c3d3573e6c5b7509ea66a2a7c91dafb7
Instruction Fuzzy Hash: C011AC3A200305EFDB25AF64C84597A77AAFF46350B40822AF906CB3A1EB719950DB91

Function 008B50E2 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 008B5101

Part of subcall function 008A571C: __FF_MSGBANNER.LIBCMT ref: 008A5733
Part of subcall function 008A571C: __NMSG_WRITE.LIBCMT ref: 008A573A
Part of subcall function 008A571C: RtlAllocateHeap.NTDLL(00EA0000,00000000,00000001,00000000,?,?,?,008A0DD3,?), ref: 008A575F

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 567e951994b1b8bdb96f5052dd9e5a8c23b0a6cd21f32e91f72cbce224200909
Instruction ID: a40908a179727e970d4aedba8bcb4de771709a28e0bb2cc5dab136ccc37c1ccb
Opcode Fuzzy Hash: 567e951994b1b8bdb96f5052dd9e5a8c23b0a6cd21f32e91f72cbce224200909
Instruction Fuzzy Hash: 8C11A372904A15EEDF312F7CBC45B9E3798FF063B1B204529FA04D6B61DE30994197A1

Function 008844A0 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 008844CF

Part of subcall function 0088407C: _memset.LIBCMT ref: 008840FC
Part of subcall function 0088407C: _wcscpy.LIBCMT ref: 00884150
Part of subcall function 0088407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00884160

KillTimer.USER32(?,00000001,?,?), ref: 00884524
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00884533
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 008BD4B9

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: a307a93c971dafa2083ecca0fde40ed5adf8efef17667d741a3076aa356f27e5
Instruction ID: 696304fb113badd45818d9eebf4fab6f295ab22be2a837dc1f186a689f435242
Opcode Fuzzy Hash: a307a93c971dafa2083ecca0fde40ed5adf8efef17667d741a3076aa356f27e5
Instruction Fuzzy Hash: F8210A75508794AFE7329B248855BEBBBECFF01308F04009DE69ED6242D3742A84DB46

Function 008F6369 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00885A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,008E7896,?,?,00000000), ref: 00885A2C
Part of subcall function 00885A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,008E7896,?,?,00000000,?,?), ref: 00885A50

gethostbyname.WSOCK32(?,?,?), ref: 008F6399
WSAGetLastError.WSOCK32(00000000), ref: 008F63A4
_memmove.LIBCMT ref: 008F63D1
inet_ntoa.WSOCK32(?), ref: 008F63DC

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: 38f0ac93f9c86061e04c7df6f71f893cb27123fd9f555bff9ed10edcfa07d9ba
Instruction ID: 4bb1b758ff8f58bb26781fb843f46a7e663be710948cb0977c4ee29918a296a2
Opcode Fuzzy Hash: 38f0ac93f9c86061e04c7df6f71f893cb27123fd9f555bff9ed10edcfa07d9ba
Instruction Fuzzy Hash: 45111C36500109AFCB04FBA8DD96CEEB7B8FF08314B144165F506E7261DB31AE14DB62

Function 008D8B41 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 008D8B61
SendMessageW.USER32(?,000000C9,?,00000000), ref: 008D8B73
SendMessageW.USER32(?,000000C9,?,00000000), ref: 008D8B89
SendMessageW.USER32(?,000000C9,?,00000000), ref: 008D8BA4

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 646dd5eaf05a82f6708a3fe4d62c5126d2db155acd658b03c0d68e22b8368c09
Instruction ID: 8c6128a74ee3ecffc00ca7e671360a36d96a6576bdd9d99b5b34225eb640276c
Opcode Fuzzy Hash: 646dd5eaf05a82f6708a3fe4d62c5126d2db155acd658b03c0d68e22b8368c09
Instruction Fuzzy Hash: 77112E79901218FFDB11DFA5CC85F9DBB74FB48710F204196E904B7250DA716E11DB94

Function 00881290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00882612: GetWindowLongW.USER32(?,000000EB), ref: 00882623

DefDlgProcW.USER32(?,00000020,?), ref: 008812D8
GetClientRect.USER32(?,?), ref: 008BB5FB
GetCursorPos.USER32(?), ref: 008BB605
ScreenToClient.USER32(?,?), ref: 008BB610

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 5523607ac6eb942c0b6ca14a7087f4d7f4bbed8517cba400a91fca3327206914
Instruction ID: f2823bc9d03ad61c51a0477cfdb5e60f8611ca2257989150a9fc7ba08d33ec90
Opcode Fuzzy Hash: 5523607ac6eb942c0b6ca14a7087f4d7f4bbed8517cba400a91fca3327206914
Instruction Fuzzy Hash: 7911E335A14119AFCF10EFA8D8899AE77B8FB05311F500466F901E7251DB30BA529BA6

Function 008E1142 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,008DFCED,?,008E0D40,?,00008000), ref: 008E115F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,008DFCED,?,008E0D40,?,00008000), ref: 008E1184
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,008DFCED,?,008E0D40,?,00008000), ref: 008E118E
Sleep.KERNEL32(?,?,?,?,?,?,?,008DFCED,?,008E0D40,?,00008000), ref: 008E11C1

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 56149466624f98abca60945f769fa6b6486d94f00c06b038e553c6e1d81e3a6c
Instruction ID: d3db14b3813dafadf56df853d693b8f92e2b46020769b89eebef5aebd0499f2a
Opcode Fuzzy Hash: 56149466624f98abca60945f769fa6b6486d94f00c06b038e553c6e1d81e3a6c
Instruction Fuzzy Hash: 78113C31D0465DEBCF149FA6D848AEEBB78FF0A751F004055EA45F2240CB709690DBD5

Function 008DD831 Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 008DD84D
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 008DD864
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 008DD879
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 008DD897

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: b869ca9879c899d0697698712ee6c095f746f60ffbdaf856f914585868b00877
Instruction ID: ff66ffdfaee6c94f24fb36dd2dd271112622576a3138da1e79f5b2fb7d38b2f3
Opcode Fuzzy Hash: b869ca9879c899d0697698712ee6c095f746f60ffbdaf856f914585868b00877
Instruction Fuzzy Hash: B8118E71605309DFE3219F50EC08F92BBBCFB00B00F108A7AA916C6650D7B0E609ABA1

Function 008B6FB7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 008B6FDB

Part of subcall function 008B76C2: __fltout2.LIBCMT ref: 008B76EB

__cftog_l.LIBCMT ref: 008B7001
__cftoe_l.LIBCMT ref: 008B7033

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 3bc1bb832ce77332a556f8e630b2262754cb3812461cb3f2a0e918fd4bb85459
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 8701407244864EBBCF166F88CC01CED3F62FB58354F598416FE1898231D636C9B2AB81

Function 0090B2C5 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0090B2E4
ScreenToClient.USER32(?,?), ref: 0090B2FC
ScreenToClient.USER32(?,?), ref: 0090B320
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0090B33B

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: e68399fbccfdae6458dc5534cf85acf1d83348456247ad3a664c47e1ae61d109
Instruction ID: 3343d81a75a20003ed736ee01574f06641a2eeb66585089b3705a6846a62b808
Opcode Fuzzy Hash: e68399fbccfdae6458dc5534cf85acf1d83348456247ad3a664c47e1ae61d109
Instruction Fuzzy Hash: D31132B9D0420DAFDB51CFA9C8849EEBBB9FF08310F108166E914E3620D735AA559F50

Function 0090B635 Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0090B644
_memset.LIBCMT ref: 0090B653
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00946F20,00946F64), ref: 0090B682
CloseHandle.KERNEL32 ref: 0090B694

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 7fbe8baf16e83e17acd45858a8927fa613d9bc6d52cf9254e16b214339817b99
Instruction ID: 29f8722dba481a545d08b9f35920930a716f089a15a576e6c41334dce1a352d8
Opcode Fuzzy Hash: 7fbe8baf16e83e17acd45858a8927fa613d9bc6d52cf9254e16b214339817b99
Instruction Fuzzy Hash: 3DF05EF65543047EF3202B65BC06FBB3A9CEB0B795F004060BA48E5592E7724C0497AA

Function 008E6BDA Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 008E6BE6

Part of subcall function 008E76C4: _memset.LIBCMT ref: 008E76F9

_memmove.LIBCMT ref: 008E6C09
_memset.LIBCMT ref: 008E6C16
LeaveCriticalSection.KERNEL32(?), ref: 008E6C26

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: fa862622d0a9c1dd2e3d36fe57362408f49460f96aa116e63426e602941b15ae
Instruction ID: b2e3e52fecb15e7ffa10d9cc488784dcb95f04bc66a17dbd0655267802b4511e
Opcode Fuzzy Hash: fa862622d0a9c1dd2e3d36fe57362408f49460f96aa116e63426e602941b15ae
Instruction Fuzzy Hash: CDF05E3A204100BBCF116F99DC85A8ABB29FF46320F048061FE089E627D732E911DBB5

Function 00882218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00882231
SetTextColor.GDI32(?,000000FF), ref: 0088223B
SetBkMode.GDI32(?,00000001), ref: 00882250
GetStockObject.GDI32(00000005), ref: 00882258
GetWindowDC.USER32(?,00000000), ref: 008BBE83
GetPixel.GDI32(00000000,00000000,00000000), ref: 008BBE90
GetPixel.GDI32(00000000,?,00000000), ref: 008BBEA9
GetPixel.GDI32(00000000,00000000,?), ref: 008BBEC2
GetPixel.GDI32(00000000,?,?), ref: 008BBEE2
ReleaseDC.USER32(?,00000000), ref: 008BBEED

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: dca6913e89b02821c8cf5b689ea0d74e123ae3c7142f0f48cc0f3d90e3f71df6
Instruction ID: 160959e9283bfc24fb8505c22c1f93271634864138f7ebb42a8c35c821fbc242
Opcode Fuzzy Hash: dca6913e89b02821c8cf5b689ea0d74e123ae3c7142f0f48cc0f3d90e3f71df6
Instruction Fuzzy Hash: D6E03932118244AEDF715F64EC0D7E83B10EB05336F008366FA69880F187B14A90EB12

Function 008D8712 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 008D871B
OpenThreadToken.ADVAPI32(00000000,?,?,?,008D82E6), ref: 008D8722
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,008D82E6), ref: 008D872F
OpenProcessToken.ADVAPI32(00000000,?,?,?,008D82E6), ref: 008D8736

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 4d6e4ffa7b728429bccbf41f20e703944abc514dc821944f85da3daf0eda38b0
Instruction ID: 98be24e1c9006a631811b8a0c618c8e775beec4a3b5e9e4c67a5dd5427ce4814
Opcode Fuzzy Hash: 4d6e4ffa7b728429bccbf41f20e703944abc514dc821944f85da3daf0eda38b0
Instruction Fuzzy Hash: D3E08636629211DFD7305FF45D0CB563BBCEF50BD1F148828B245D9040DA348545E750

Function 008DB2F3 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 008DB4BE

Strings

Container, xrefs: 008DB43B
AutoIt3GUI, xrefs: 008DB436

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: 6fffb03e48732e29a5c077c6fba968ce37f90dd97d0da41b1dfa188bc5dcad9a
Instruction ID: 24af786e531910dd574d20fc510d8edf791a95b4ba1f813faaf53e770b41e4d0
Opcode Fuzzy Hash: 6fffb03e48732e29a5c077c6fba968ce37f90dd97d0da41b1dfa188bc5dcad9a
Instruction Fuzzy Hash: 7D913870600605EFDB24DF68C884A6ABBF5FF49714F21866EE94ACB791DB70E841CB50

Function 008EAFAC Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 0089FC86: _wcscpy.LIBCMT ref: 0089FCA9

Part of subcall function 00889837: __itow.LIBCMT ref: 00889862
Part of subcall function 00889837: __swprintf.LIBCMT ref: 008898AC

__wcsnicmp.LIBCMT ref: 008EB02D
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 008EB0F6

Strings

LPT, xrefs: 008EB027

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: c2af3f2971c0d92adcb1316dc0c79d0ac02b1623cf8e24ec5659f7734050d9a4
Instruction ID: 86e809d2f711b530cb3a5428560199754249ba050dba4c114a11084ff1cc2ae3
Opcode Fuzzy Hash: c2af3f2971c0d92adcb1316dc0c79d0ac02b1623cf8e24ec5659f7734050d9a4
Instruction Fuzzy Hash: 5D617F75A00219AFCB14EF99C891EAFB7B4FF09314F144069F956EB291D730AE44CB91

Function 00892957 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00892968
GlobalMemoryStatusEx.KERNEL32(?), ref: 00892981

Strings

@, xrefs: 00892975

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 3edde85e9f7d12905c60a1b44a0357210abb4f688997793882e194a9ad68cc18
Instruction ID: 7fd7a4dbdff868b0a030c644bcf2d0b2e2c671de1ebfc6bc92658d438c94270b
Opcode Fuzzy Hash: 3edde85e9f7d12905c60a1b44a0357210abb4f688997793882e194a9ad68cc18
Instruction Fuzzy Hash: AA5144724187449BD320EF14D886BAFBBE8FF85344F81885DF2D9810A1EB308569CB67

Function 008E9734 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00884F0B: __fread_nolock.LIBCMT ref: 00884F29

_wcscmp.LIBCMT ref: 008E9824
_wcscmp.LIBCMT ref: 008E9837

Strings

FILE, xrefs: 008E9770

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: e6721c65469260b69b23a991796ebef143034b56842e37e18792b0b102fdee11
Instruction ID: 2b8c3e8570fde601defefd5cbf201a2cf562fb2a7f43848ac22a4a8c77585de4
Opcode Fuzzy Hash: e6721c65469260b69b23a991796ebef143034b56842e37e18792b0b102fdee11
Instruction Fuzzy Hash: 2941A772A0025ABADF20AAA5CC45FEFB7B9FF86714F000479F904E7191DAB199048B61

Function 008F258E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 008F259E
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 008F25D4

Strings

|, xrefs: 008F25A5

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: cc3d29eab01f7f44e67f225851ce720e0480a02243f6af3ed9e2ad151b87c349
Instruction ID: 7b92d0e55a17e270c614b32a982da7f6c01ce2cddbaa9749f11b57a7158e024f
Opcode Fuzzy Hash: cc3d29eab01f7f44e67f225851ce720e0480a02243f6af3ed9e2ad151b87c349
Instruction Fuzzy Hash: AB310571804119EBCF11EFA8CC85EEEBFB8FF18310F100069F915E6162EA359A56DB61

Function 00907A71 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00907B61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00907B76

Strings

', xrefs: 00907ACA

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: b3583ded150fa11cc58d85b627098559009fdddbd887077c4dc0061d54af33dd
Instruction ID: cd6eec688ca5ee169135aa1ea326ce966192faf083ea7ae108792cc762857770
Opcode Fuzzy Hash: b3583ded150fa11cc58d85b627098559009fdddbd887077c4dc0061d54af33dd
Instruction Fuzzy Hash: EC410774E052099FDB14CFA4C881BEABBB9FF09310F10416AE905EB391D770A951DFA0

Function 00906A63 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00906B17
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00906B53

Strings

static, xrefs: 00906AB3

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 1359f109673af50f093caf5ef17619c8f25a35d4d7a5cee47916732b70f74646
Instruction ID: 71f89cba740051826fd2df05ae00a077d8de5d0fbe5b67ab576da01e2b73cf8c
Opcode Fuzzy Hash: 1359f109673af50f093caf5ef17619c8f25a35d4d7a5cee47916732b70f74646
Instruction Fuzzy Hash: D9318F71210604AEDB109F68CC91BFB77ADFF48764F108629F9A5D7190DB31AC91D760

Function 008E28A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 008E2911
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 008E294C

Strings

0, xrefs: 008E290A

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 0609ed7896ea455cbe114805f20b7acfc6b11939b67221d90c0695bbece954b3
Instruction ID: 645a248ca8e013a9f1de8ceaefbfc19e924d673097f6a995e7361d5f476c5fd8
Opcode Fuzzy Hash: 0609ed7896ea455cbe114805f20b7acfc6b11939b67221d90c0695bbece954b3
Instruction Fuzzy Hash: 1D31D1716003899BEB24EF5ACC45FAEBFACFF07350F141069E985E61A2DB709940CB11

Function 008F39E9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 008F3A66

Part of subcall function 00887DE1: _memmove.LIBCMT ref: 00887E22

Strings

, $, xrefs: 008F3AA6
AUTOITCALLVARIABLE%d, xrefs: 008F3A58

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 3506404897-2584243854
Opcode ID: 409670424b4b8454e253de2dc32448041d62a1b2274c3429f65717ce8483a475
Instruction ID: b26d05fa72146b720562abf6813cb90104e56789c12f1be022d4ab49cff3e3b2
Opcode Fuzzy Hash: 409670424b4b8454e253de2dc32448041d62a1b2274c3429f65717ce8483a475
Instruction Fuzzy Hash: AA215E7160062DAECF10EFA9CC82AAEBBB5FF44704F500455F545E7182DA30EA45CB62

Function 009066D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00906761
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0090676C

Strings

Combobox, xrefs: 0090672E

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 514fab7f9da8b14f5e77d7b1a68c1789766de68611824613bcefe7630c214c58
Instruction ID: 6eb3cfaf8150c69e589ec29d2b564b01fe55af1a968320b7e870be34ae4b58af
Opcode Fuzzy Hash: 514fab7f9da8b14f5e77d7b1a68c1789766de68611824613bcefe7630c214c58
Instruction Fuzzy Hash: 69118675210209AFEF119F54CC81EAB37AEEB84368F114125F914972D1D775DC6197A0

Function 00906C07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00881D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00881D73
Part of subcall function 00881D35: GetStockObject.GDI32(00000011), ref: 00881D87
Part of subcall function 00881D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00881D91

GetWindowRect.USER32(00000000,?), ref: 00906C71
GetSysColor.USER32(00000012), ref: 00906C8B

Strings

static, xrefs: 00906C4E

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 08e70db7f01ac068af92ec5c0a9d1a394e905e4f1353915362441677721166cb
Instruction ID: 21be072f36d10028c61b9eb6e90fd6a4c293968aa47532c58a86981e84016c1a
Opcode Fuzzy Hash: 08e70db7f01ac068af92ec5c0a9d1a394e905e4f1353915362441677721166cb
Instruction Fuzzy Hash: 0C21297252421AAFDF14DFA8CC45EFA7BA8FB08314F004629FA95D2290D735E861DB60

Function 00906920 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 009069A2
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 009069B1

Strings

edit, xrefs: 00906986

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 62318b6c8f0e148ce9b6340939f433e6c8d428b34b02e92d29bf87d56a00d8a5
Instruction ID: 8974011d7b4bec02be9ca69608183bf64ea38bf0b78a008af14694a3feba26d5
Opcode Fuzzy Hash: 62318b6c8f0e148ce9b6340939f433e6c8d428b34b02e92d29bf87d56a00d8a5
Instruction Fuzzy Hash: C0116A71110208AFEB108E649C54EAB3AADEB053B8F504728F9B5975E0C775DCA1AB60

Function 008E29AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 008E2A22
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 008E2A41

Strings

0, xrefs: 008E2A18

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: dacc4fa6b48a1a333c4f8ec08a7ee8312357dc6882f100892b145a8dabba7b96
Instruction ID: cf031b3b8c1b9377bf094c5730cfaab21e44c857d2c48d4f384f8171389a00b2
Opcode Fuzzy Hash: dacc4fa6b48a1a333c4f8ec08a7ee8312357dc6882f100892b145a8dabba7b96
Instruction Fuzzy Hash: 3E1100329042A8ABCB30EA9DDC44FAA77AEFB47314F054031E815E7291D770AD0AC791

Function 008F21D6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 008F222C
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 008F2255

Strings

<local>, xrefs: 008F221D

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 22682d41a6c9fe7de6bbd4d34011e14f8a6a275f2eb2a0a916619c9fd53ac56c
Instruction ID: 3ed810b333940fb5f9228c8a99003c99c22bc7f0d702b18812caf4304f505cc2
Opcode Fuzzy Hash: 22682d41a6c9fe7de6bbd4d34011e14f8a6a275f2eb2a0a916619c9fd53ac56c
Instruction Fuzzy Hash: B511027054122DBEEB258F618C95EBBFBA8FF06355F10822AFA14C6040D3706991D6F1

Function 008D8E05 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00887DE1: _memmove.LIBCMT ref: 00887E22

Part of subcall function 008DAA99: GetClassNameW.USER32(?,?,000000FF), ref: 008DAABC

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 008D8E73

Strings

ListBox, xrefs: 008D8E3D
ComboBox, xrefs: 008D8E12

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 81d120888a02fecf58ee33cf9bb3910f44ce58b17f7e5a795be524ede54b7af1
Instruction ID: 589857f317c95e10b1cded2139cb739eb65091e9d89afc8d7f6a434547a8d040
Opcode Fuzzy Hash: 81d120888a02fecf58ee33cf9bb3910f44ce58b17f7e5a795be524ede54b7af1
Instruction Fuzzy Hash: 3301B5B5605229EBCB14FBA8CC558FE7769FF45320B540B1AF821A73D1DE315808DB51

Function 008D8CFD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00887DE1: _memmove.LIBCMT ref: 00887E22

Part of subcall function 008DAA99: GetClassNameW.USER32(?,?,000000FF), ref: 008DAABC

SendMessageW.USER32(?,00000180,00000000,?), ref: 008D8D6B

Strings

ListBox, xrefs: 008D8D35
ComboBox, xrefs: 008D8D0A

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: e4cbb6e75301f078acb3d2a0573151049e0dac0d503da60e6975704fb0616134
Instruction ID: f0cb9a04a915cb12391928561b57b32fc1c6c0fe8b3f4caf51ec04501b1253c6
Opcode Fuzzy Hash: e4cbb6e75301f078acb3d2a0573151049e0dac0d503da60e6975704fb0616134
Instruction Fuzzy Hash: 0E01D871641108ABDB14E7E4CD52AFE77A9EF15300F600116B402E32D1DE119E08D772

Function 008D8D82 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00887DE1: _memmove.LIBCMT ref: 00887E22

Part of subcall function 008DAA99: GetClassNameW.USER32(?,?,000000FF), ref: 008DAABC

SendMessageW.USER32(?,00000182,?,00000000), ref: 008D8DEE

Strings

ListBox, xrefs: 008D8DBA
ComboBox, xrefs: 008D8D8F

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: b8f2be11e6afee7da0033727ac84d193759be157cbaf670478b7ef7412282107
Instruction ID: a7d302b63ceac5785a043c8e1bcaa32c55d7a9521a76b92145a8d6ebad14b9ea
Opcode Fuzzy Hash: b8f2be11e6afee7da0033727ac84d193759be157cbaf670478b7ef7412282107
Instruction Fuzzy Hash: 8701A7B1A45109ABDB25F6A8C952AFE77A9EF11300F600616B805F33D1DE219E08D672

Function 008E4F28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 008E4F46
_wcscmp.LIBCMT ref: 008E4F58

Strings

#32770, xrefs: 008E4F52

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 64d8eeb9a4019d3654d8ecdf299719cfdaa665cfa9911e7f61eb46d11badc976
Instruction ID: 55b0444d6d0416ee7f0c0db3d8d92251828751ecc8ee80a6ec9414daaefc1651
Opcode Fuzzy Hash: 64d8eeb9a4019d3654d8ecdf299719cfdaa665cfa9911e7f61eb46d11badc976
Instruction Fuzzy Hash: 6DE0D1329043282BD7209B599C45FA7F7ACFB46B71F000057FD04D3051D9609B45C7D1

Function 008BB2C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 008BB314: _memset.LIBCMT ref: 008BB321

Part of subcall function 008A0940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,008BB2F0,?,?,?,0088100A), ref: 008A0945

IsDebuggerPresent.KERNEL32(?,?,?,0088100A), ref: 008BB2F4
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0088100A), ref: 008BB303

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 008BB2FE

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 15034167cb12441c6723987c5c78084404a8d156041d6f027cb263a657e54920
Instruction ID: 66bb72623c58539d8adcf1d57bf904e010d0103e988b7b812f715b9072084ef0
Opcode Fuzzy Hash: 15034167cb12441c6723987c5c78084404a8d156041d6f027cb263a657e54920
Instruction Fuzzy Hash: CDE06D702147118FD7709F68E4047827AE4FF04314F018A2DE456C7751E7F4E408DBA1

Function 008C1935 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 008C1775

Part of subcall function 008FBFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,008C195E,?), ref: 008FBFFE
Part of subcall function 008FBFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 008FC010

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 008C196D

Strings

WIN_XPe, xrefs: 008C1788

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: 51b975bbcaa61695ce91e27284ed6b10e3d5cf6de4b192e44a71016e08d005c2
Instruction ID: b0cf727bf48b36ab4b388c5c911610d0de6be640bcf6788b785382f33c202372
Opcode Fuzzy Hash: 51b975bbcaa61695ce91e27284ed6b10e3d5cf6de4b192e44a71016e08d005c2
Instruction Fuzzy Hash: 5FF0F270819009DFDB26DBA0C998BECBAB8FB09304F100099E102A24A5D7308F84DB61

Function 00905998 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 009059AE
PostMessageW.USER32(00000000), ref: 009059B5

Part of subcall function 008E5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 008E52BC

Strings

Shell_TrayWnd, xrefs: 009059A7

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 91e9e4d45ae91c785df03b9e67d3e1bb276dda3c3549df7a9cc818ddf3df53f7
Instruction ID: 2b51708fa38b91938f60fe4d73d57dc4537d49219d006ca530443cde6d5236d6
Opcode Fuzzy Hash: 91e9e4d45ae91c785df03b9e67d3e1bb276dda3c3549df7a9cc818ddf3df53f7
Instruction Fuzzy Hash: A3D0C931798311BAE678AB709C1BF976655BB45B55F000825B345EA5D0C9E0A900DA54

Function 00905964 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0090596E
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00905981

Part of subcall function 008E5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 008E52BC

Strings

Shell_TrayWnd, xrefs: 00905967

Memory Dump Source

Source File: 00000000.00000002.2102192823.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true

Associated: 00000000.00000002.2102135243.0000000000880000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102301957.0000000000934000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102540620.000000000093E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2102677375.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_Qz8OEUxYuH.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: f69e2f9901871ebb76bd2b8b044d825444fe448eb97e0d54c1666d3e145c0e99
Instruction ID: 04b4bf9b6efd98fb415c842669af5b36aff436c8b8fedd5300814859acc5ead9
Opcode Fuzzy Hash: f69e2f9901871ebb76bd2b8b044d825444fe448eb97e0d54c1666d3e145c0e99
Instruction Fuzzy Hash: 55D0C931798311BAE678AB709C1BFA76A55BB40B55F000825B349AA5D0C9E09900DA54

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Qz8OEUxYuH.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\autA834.tmp

C:\Users\user\AppData\Local\Temp\autA893.tmp

C:\Users\user\AppData\Local\Temp\cunili

C:\Users\user\AppData\Local\Temp\trickstress

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Windows Analysis Report
Qz8OEUxYuH.exe

Function 00883B3A Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Function 008849A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00884E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 008E9155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 0088301C Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 71
windowregistryCOMMON

Function 00883041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 0088708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00883A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00883633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Function 00883766 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Function 00F41488 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 008839D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 0088F76F Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 168
comCOMMON

Function 00F41238 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 150
fileCOMMON

Function 0088407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre