Edit tour

Windows Analysis Report
PK5pHX4Gu5.exe

Overview

General Information

Sample name:	PK5pHX4Gu5.exe renamed because original name is a hash value
Original sample name:	d05dd1eadb299496b0ba13586d436d919d47a3cc28987bded50c7ecd0a417040.exe
Analysis ID:	1588274
MD5:	c56387aa015a4b10fcae5750940804f0
SHA1:	15e781425e6ceb489b4669a8cb14572730efcd20
SHA256:	d05dd1eadb299496b0ba13586d436d919d47a3cc28987bded50c7ecd0a417040
Tags:	exeMassLoggeruser-adrian__luca
Infos:

Detection

MassLogger RAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Yara detected MassLogger RAT

Yara detected Telegram RAT

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Drops VBS files to the startup folder

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Sigma detected: WScript or CScript Dropper

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

PK5pHX4Gu5.exe (PID: 6980 cmdline: "C:\Users\user\Desktop\PK5pHX4Gu5.exe" MD5: C56387AA015A4B10FCAE5750940804F0)

palladiums.exe (PID: 7160 cmdline: "C:\Users\user\Desktop\PK5pHX4Gu5.exe" MD5: C56387AA015A4B10FCAE5750940804F0)

RegSvcs.exe (PID: 6244 cmdline: "C:\Users\user\Desktop\PK5pHX4Gu5.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

wscript.exe (PID: 6716 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\palladiums.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

palladiums.exe (PID: 6480 cmdline: "C:\Users\user\AppData\Local\biopsies\palladiums.exe" MD5: C56387AA015A4B10FCAE5750940804F0)

RegSvcs.exe (PID: 5828 cmdline: "C:\Users\user\AppData\Local\biopsies\palladiums.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Configuration

Threatname: MassLogger

{"EXfil Mode": "Telegram", "Telegram Token": "7277445290:AAGPMfh-7hOfYQqkToVnhbp-yTYEzy9NhGk", "Telegram Chatid": "5557063310"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.2033313050.0000000001D80000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000007.00000002.2033313050.0000000001D80000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.2033313050.0000000001D80000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000007.00000002.2033313050.0000000001D80000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf0d7:$a1: get_encryptedPassword 0xf3ff:$a2: get_encryptedUsername 0xee72:$a3: get_timePasswordChanged 0xef93:$a4: get_passwordField 0xf0ed:$a5: set_encryptedPassword 0x10a4b:$a7: get_logins 0x106fc:$a8: GetOutlookPasswords 0x104ee:$a9: StartKeylogger 0x1099b:$a10: KeyLoggerEventArgs 0x1054b:$a11: KeyLoggerEventArgsEventHandler
00000007.00000002.2033313050.0000000001D80000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1408d:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1358b:$a3: \Google\Chrome\User Data\Default\Login Data 0x13899:$a4: \Orbitum\User Data\Default\Login Data 0x14691:$a5: \Kometa\User Data\Default\Login Data
00000002.00000002.3054315301.00000000028F6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.1865151003.0000000001F50000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000001.00000002.1865151003.0000000001F50000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.1865151003.0000000001F50000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000001.00000002.1865151003.0000000001F50000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf0d7:$a1: get_encryptedPassword 0xf3ff:$a2: get_encryptedUsername 0xee72:$a3: get_timePasswordChanged 0xef93:$a4: get_passwordField 0xf0ed:$a5: set_encryptedPassword 0x10a4b:$a7: get_logins 0x106fc:$a8: GetOutlookPasswords 0x104ee:$a9: StartKeylogger 0x1099b:$a10: KeyLoggerEventArgs 0x1054b:$a11: KeyLoggerEventArgsEventHandler
00000001.00000002.1865151003.0000000001F50000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1408d:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1358b:$a3: \Google\Chrome\User Data\Default\Login Data 0x13899:$a4: \Orbitum\User Data\Default\Login Data 0x14691:$a5: \Kometa\User Data\Default\Login Data
00000002.00000002.3052022073.0000000000743000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000002.00000002.3052022073.0000000000743000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xded7:$a1: get_encryptedPassword 0xe1ff:$a2: get_encryptedUsername 0xdc72:$a3: get_timePasswordChanged 0xdd93:$a4: get_passwordField 0xdeed:$a5: set_encryptedPassword 0xf84b:$a7: get_logins 0xf4fc:$a8: GetOutlookPasswords 0xf2ee:$a9: StartKeylogger 0xf79b:$a10: KeyLoggerEventArgs 0xf34b:$a11: KeyLoggerEventArgsEventHandler
00000008.00000002.3053661404.0000000002DB8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: palladiums.exe PID: 7160	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: palladiums.exe PID: 7160	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: palladiums.exe PID: 7160	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: palladiums.exe PID: 7160	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x67651f:$a1: get_encryptedPassword 0x676838:$a2: get_encryptedUsername 0x6762ce:$a3: get_timePasswordChanged 0x6763ef:$a4: get_passwordField 0x676535:$a5: set_encryptedPassword 0x677e3a:$a7: get_logins 0x677aeb:$a8: GetOutlookPasswords 0x6778dd:$a9: StartKeylogger 0x677d8a:$a10: KeyLoggerEventArgs 0x67793a:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 6244	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 6244	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 6244	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x2b20c:$a1: get_encryptedPassword 0x2b525:$a2: get_encryptedUsername 0x2afbb:$a3: get_timePasswordChanged 0x2b0dc:$a4: get_passwordField 0x2b222:$a5: set_encryptedPassword 0x2cb27:$a7: get_logins 0x2c7d8:$a8: GetOutlookPasswords 0x2c5ca:$a9: StartKeylogger 0x2ca77:$a10: KeyLoggerEventArgs 0x2c627:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: palladiums.exe PID: 6480	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: palladiums.exe PID: 6480	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: palladiums.exe PID: 6480	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: palladiums.exe PID: 6480	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x255d1a:$a1: get_encryptedPassword 0x256033:$a2: get_encryptedUsername 0x255ac9:$a3: get_timePasswordChanged 0x255bea:$a4: get_passwordField 0x255d30:$a5: set_encryptedPassword 0x257635:$a7: get_logins 0x2572e6:$a8: GetOutlookPasswords 0x2570d8:$a9: StartKeylogger 0x257585:$a10: KeyLoggerEventArgs 0x257135:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 5828	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 5828	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 22 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.palladiums.exe.1f50000.1.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
1.2.palladiums.exe.1f50000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.palladiums.exe.1f50000.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.palladiums.exe.1f50000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd2d7:$a1: get_encryptedPassword 0xd5ff:$a2: get_encryptedUsername 0xd072:$a3: get_timePasswordChanged 0xd193:$a4: get_passwordField 0xd2ed:$a5: set_encryptedPassword 0xec4b:$a7: get_logins 0xe8fc:$a8: GetOutlookPasswords 0xe6ee:$a9: StartKeylogger 0xeb9b:$a10: KeyLoggerEventArgs 0xe74b:$a11: KeyLoggerEventArgsEventHandler
1.2.palladiums.exe.1f50000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1228d:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1178b:$a3: \Google\Chrome\User Data\Default\Login Data 0x11a99:$a4: \Orbitum\User Data\Default\Login Data 0x12891:$a5: \Kometa\User Data\Default\Login Data
7.2.palladiums.exe.1d80000.1.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
7.2.palladiums.exe.1d80000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.palladiums.exe.1d80000.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.palladiums.exe.1d80000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd2d7:$a1: get_encryptedPassword 0xd5ff:$a2: get_encryptedUsername 0xd072:$a3: get_timePasswordChanged 0xd193:$a4: get_passwordField 0xd2ed:$a5: set_encryptedPassword 0xec4b:$a7: get_logins 0xe8fc:$a8: GetOutlookPasswords 0xe6ee:$a9: StartKeylogger 0xeb9b:$a10: KeyLoggerEventArgs 0xe74b:$a11: KeyLoggerEventArgsEventHandler
7.2.palladiums.exe.1d80000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1228d:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1178b:$a3: \Google\Chrome\User Data\Default\Login Data 0x11a99:$a4: \Orbitum\User Data\Default\Login Data 0x12891:$a5: \Kometa\User Data\Default\Login Data
1.2.palladiums.exe.1f50000.1.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
1.2.palladiums.exe.1f50000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.palladiums.exe.1f50000.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.palladiums.exe.1f50000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf0d7:$a1: get_encryptedPassword 0xf3ff:$a2: get_encryptedUsername 0xee72:$a3: get_timePasswordChanged 0xef93:$a4: get_passwordField 0xf0ed:$a5: set_encryptedPassword 0x10a4b:$a7: get_logins 0x106fc:$a8: GetOutlookPasswords 0x104ee:$a9: StartKeylogger 0x1099b:$a10: KeyLoggerEventArgs 0x1054b:$a11: KeyLoggerEventArgsEventHandler
1.2.palladiums.exe.1f50000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1408d:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1358b:$a3: \Google\Chrome\User Data\Default\Login Data 0x13899:$a4: \Orbitum\User Data\Default\Login Data 0x14691:$a5: \Kometa\User Data\Default\Login Data
7.2.palladiums.exe.1d80000.1.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
7.2.palladiums.exe.1d80000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.palladiums.exe.1d80000.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.palladiums.exe.1d80000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf0d7:$a1: get_encryptedPassword 0xf3ff:$a2: get_encryptedUsername 0xee72:$a3: get_timePasswordChanged 0xef93:$a4: get_passwordField 0xf0ed:$a5: set_encryptedPassword 0x10a4b:$a7: get_logins 0x106fc:$a8: GetOutlookPasswords 0x104ee:$a9: StartKeylogger 0x1099b:$a10: KeyLoggerEventArgs 0x1054b:$a11: KeyLoggerEventArgsEventHandler
7.2.palladiums.exe.1d80000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1408d:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1358b:$a3: \Google\Chrome\User Data\Default\Login Data 0x13899:$a4: \Orbitum\User Data\Default\Login Data 0x14691:$a5: \Kometa\User Data\Default\Login Data
8.2.RegSvcs.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1408d:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1358b:$a3: \Google\Chrome\User Data\Default\Login Data 0x13899:$a4: \Orbitum\User Data\Default\Login Data
Click to see the 16 entries

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\palladiums.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\palladiums.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\palladiums.vbs" , ProcessId: 6716, ProcessName: wscript.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\palladiums.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\palladiums.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\palladiums.vbs" , ProcessId: 6716, ProcessName: wscript.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\biopsies\palladiums.exe, ProcessId: 7160, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\palladiums.vbs

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T23:21:36.940531+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49730	158.101.44.242	80	TCP
2025-01-10T23:21:53.940627+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49738	158.101.44.242	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 1.2.palladiums.exe.1f50000.1.raw.unpack

Malware Configuration Extractor: MassLogger {"EXfil Mode": "Telegram", "Telegram Token": "7277445290:AAGPMfh-7hOfYQqkToVnhbp-yTYEzy9NhGk", "Telegram Chatid": "5557063310"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe

ReversingLabs: Detection: 86%

Multi AV Scanner detection for submitted file

Source: PK5pHX4Gu5.exe	Virustotal: Detection: 68%			Perma Link
Source: PK5pHX4Gu5.exe	ReversingLabs: Detection: 86%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: PK5pHX4Gu5.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: PK5pHX4Gu5.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49731 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49739 version: TLS 1.0

Source:	Binary string: wntdll.pdbUGP source: palladiums.exe, 00000001.00000003.1863219711.0000000003B90000.00000004.00001000.00020000.00000000.sdmp, palladiums.exe, 00000001.00000003.1861339895.0000000003D10000.00000004.00001000.00020000.00000000.sdmp, palladiums.exe, 00000007.00000003.2026875676.0000000003C40000.00000004.00001000.00020000.00000000.sdmp, palladiums.exe, 00000007.00000003.2026688080.0000000003AA0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: palladiums.exe, 00000001.00000003.1863219711.0000000003B90000.00000004.00001000.00020000.00000000.sdmp, palladiums.exe, 00000001.00000003.1861339895.0000000003D10000.00000004.00001000.00020000.00000000.sdmp, palladiums.exe, 00000007.00000003.2026875676.0000000003C40000.00000004.00001000.00020000.00000000.sdmp, palladiums.exe, 00000007.00000003.2026688080.0000000003AA0000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Code function: 0_2_003C445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_003C445A
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Code function: 0_2_003CC6D1 FindFirstFileW,FindClose,	0_2_003CC6D1
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Code function: 0_2_003CC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_003CC75C
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Code function: 0_2_003CEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_003CEF95
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Code function: 0_2_003CF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_003CF0F2
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Code function: 0_2_003CF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_003CF3F3
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Code function: 0_2_003C37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_003C37EF
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Code function: 0_2_003C3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_003C3B12
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Code function: 0_2_003CBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_003CBCBC
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Code function: 1_2_0091445A GetFileAttributesW,FindFirstFileW,FindClose,	1_2_0091445A
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Code function: 1_2_0091C6D1 FindFirstFileW,FindClose,	1_2_0091C6D1
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Code function: 1_2_0091C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	1_2_0091C75C
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Code function: 1_2_0091EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_0091EF95
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Code function: 1_2_0091F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_0091F0F2
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Code function: 1_2_0091F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_0091F3F3
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Code function: 1_2_009137EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_009137EF
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Code function: 1_2_00913B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_00913B12
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Code function: 1_2_0091BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_0091BCBC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00D4A7E0h	2_2_00D4A3C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00D4A0B9h	2_2_00D49E08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00D4E640h	2_2_00D4E220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00D4A7E0h	2_2_00D4A3B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00D4EA98h	2_2_00D4E7F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00D4A7E0h	2_2_00D4A70E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00D4EEF0h	2_2_00D4EC48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00D4F348h	2_2_00D4F0A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00D4F7A0h	2_2_00D4F4F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00D4FBF8h	2_2_00D4F950

Source: global traffic	HTTP traffic detected: GET /xml/ HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/ HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.64.1 104.21.64.1
Source: Joe Sandbox View	IP Address: 104.21.64.1 104.21.64.1
Source: Joe Sandbox View	IP Address: 158.101.44.242 158.101.44.242

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49738 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49730 -> 158.101.44.242:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49731 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49739 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe

Code function: 0_2_003D22EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_003D22EE

Source: global traffic	HTTP traffic detected: GET /xml/ HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/ HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: RegSvcs.exe, 00000002.00000002.3054315301.0000000002830000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3053661404.0000000002D10000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000002.00000002.3054315301.0000000002830000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3053661404.0000000002D10000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comd
Source: RegSvcs.exe, 00000008.00000002.3053661404.0000000002D10000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comp
Source: RegSvcs.exe, 00000002.00000002.3054315301.000000000281E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3054315301.0000000002830000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3053661404.0000000002CFE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3053661404.0000000002D10000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000002.00000002.3054315301.00000000027B1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3054315301.0000000002803000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3053661404.0000000002C91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: RegSvcs.exe, 00000002.00000002.3054315301.0000000002830000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3053661404.0000000002D10000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/d
Source: palladiums.exe, 00000001.00000002.1865151003.0000000001F50000.00000004.00001000.00020000.00000000.sdmp, palladiums.exe, 00000007.00000002.2033313050.0000000001D80000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3051944992.0000000000413000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000002.00000002.3054315301.0000000002830000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3053661404.0000000002D10000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgd
Source: RegSvcs.exe, 00000008.00000002.3055936383.00000000061D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: RegSvcs.exe, 00000002.00000002.3054315301.0000000002851000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3053661404.0000000002D31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: RegSvcs.exe, 00000002.00000002.3054315301.0000000002851000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3053661404.0000000002D31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.orgd
Source: RegSvcs.exe, 00000002.00000002.3054315301.0000000002803000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3053661404.0000000002C91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: palladiums.exe, 00000001.00000002.1865151003.0000000001F50000.00000004.00001000.00020000.00000000.sdmp, palladiums.exe, 00000007.00000002.2033313050.0000000001D80000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3051944992.0000000000413000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: RegSvcs.exe, 00000002.00000002.3054315301.0000000002830000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3053661404.0000000002D10000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: palladiums.exe, 00000001.00000002.1865151003.0000000001F50000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3054315301.0000000002830000.00000004.00000800.00020000.00000000.sdmp, palladiums.exe, 00000007.00000002.2033313050.0000000001D80000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3051944992.0000000000413000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3053661404.0000000002D10000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000002.00000002.3054315301.0000000002830000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3053661404.0000000002D10000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/d

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe

Code function: 0_2_003D4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_003D4164

Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Code function: 0_2_003D4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		0_2_003D4164
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Code function: 1_2_00924164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		1_2_00924164

Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe

Code function: 0_2_003D3F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_003D3F66

Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe

Code function: 0_2_003C001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_003C001C

Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Code function: 0_2_003ECABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		0_2_003ECABC
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Code function: 1_2_0093CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		1_2_0093CABC

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.2.palladiums.exe.1f50000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.palladiums.exe.1f50000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.palladiums.exe.1d80000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.palladiums.exe.1d80000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.palladiums.exe.1f50000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.palladiums.exe.1f50000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.palladiums.exe.1d80000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.palladiums.exe.1d80000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000007.00000002.2033313050.0000000001D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000007.00000002.2033313050.0000000001D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000001.00000002.1865151003.0000000001F50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000001.00000002.1865151003.0000000001F50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000002.00000002.3052022073.0000000000743000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: palladiums.exe PID: 7160, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 6244, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: palladiums.exe PID: 6480, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00363B3A
Source: PK5pHX4Gu5.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: PK5pHX4Gu5.exe, 00000000.00000003.1832060986.0000000003A23000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_8d3b15c1-e
Source: PK5pHX4Gu5.exe, 00000000.00000003.1832060986.0000000003A23000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_82a2e558-1
Source: PK5pHX4Gu5.exe, 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_2c0c139c-d
Source: PK5pHX4Gu5.exe, 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_ee7f957d-9
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Code function: This is a third-party compiled AutoIt script.	1_2_008B3B3A
Source: palladiums.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: palladiums.exe, 00000001.00000000.1832360579.0000000000964000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_8829d4c7-c
Source: palladiums.exe, 00000001.00000000.1832360579.0000000000964000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_9157582a-b
Source: palladiums.exe, 00000007.00000000.1985084308.0000000000964000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_65bd1266-7
Source: palladiums.exe, 00000007.00000000.1985084308.0000000000964000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_bd72089f-b
Source: PK5pHX4Gu5.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_cc899bb9-9
Source: PK5pHX4Gu5.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_290813a0-2
Source: palladiums.exe.0.dr	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_fe5b1184-3
Source: palladiums.exe.0.dr	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_a497be48-0

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe

Code function: 0_2_003CA1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_003CA1EF

Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe

Code function: 0_2_003B8310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_003B8310

Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Code function: 0_2_003C51BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		0_2_003C51BD
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Code function: 1_2_009151BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		1_2_009151BD

Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Code function: 0_2_0036E6A0	0_2_0036E6A0
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Code function: 0_2_0038D975	0_2_0038D975
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Code function: 0_2_0036FCE0	0_2_0036FCE0
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Code function: 0_2_003821C5	0_2_003821C5
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Code function: 0_2_003962D2	0_2_003962D2
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Code function: 0_2_003E03DA	0_2_003E03DA
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Code function: 0_2_0039242E	0_2_0039242E
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Code function: 0_2_003825FA	0_2_003825FA
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Code function: 0_2_003BE616	0_2_003BE616
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Code function: 0_2_003766E1	0_2_003766E1
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Code function: 0_2_0039878F	0_2_0039878F
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Code function: 0_2_00378808	0_2_00378808
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Code function: 0_2_003E0857	0_2_003E0857
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Code function: 0_2_00396844	0_2_00396844
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Code function: 0_2_003C8889	0_2_003C8889
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Code function: 0_2_0038CB21	0_2_0038CB21
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Code function: 0_2_00396DB6	0_2_00396DB6
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Code function: 0_2_00376F9E	0_2_00376F9E
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Code function: 0_2_00373030	0_2_00373030
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Code function: 0_2_00383187	0_2_00383187
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Code function: 0_2_0038F1D9	0_2_0038F1D9
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Code function: 0_2_00361287	0_2_00361287
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Code function: 0_2_00381484	0_2_00381484
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Code function: 0_2_00375520	0_2_00375520
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Code function: 0_2_00387696	0_2_00387696
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Code function: 0_2_00375760	0_2_00375760
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Code function: 0_2_00381978	0_2_00381978
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Code function: 0_2_00399AB5	0_2_00399AB5
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Code function: 0_2_0038BDA6	0_2_0038BDA6
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Code function: 0_2_00381D90	0_2_00381D90
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Code function: 0_2_003E7DDB	0_2_003E7DDB
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Code function: 0_2_0036DF00	0_2_0036DF00
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Code function: 0_2_00373FE0	0_2_00373FE0
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Code function: 0_2_011605B8	0_2_011605B8
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Code function: 1_2_008BE6A0	1_2_008BE6A0
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Code function: 1_2_008DD975	1_2_008DD975
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Code function: 1_2_008BFCE0	1_2_008BFCE0
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Code function: 1_2_008D21C5	1_2_008D21C5
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Code function: 1_2_008E62D2	1_2_008E62D2
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Code function: 1_2_009303DA	1_2_009303DA
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Code function: 1_2_008E242E	1_2_008E242E
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Code function: 1_2_008D25FA	1_2_008D25FA
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Code function: 1_2_008C66E1	1_2_008C66E1
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Code function: 1_2_0090E616	1_2_0090E616
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Code function: 1_2_008E878F	1_2_008E878F
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Code function: 1_2_00918889	1_2_00918889
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Code function: 1_2_008C8808	1_2_008C8808
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Code function: 1_2_00930857	1_2_00930857
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Code function: 1_2_008E6844	1_2_008E6844
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Code function: 1_2_008DCB21	1_2_008DCB21
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Code function: 1_2_008E6DB6	1_2_008E6DB6
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Code function: 1_2_008C6F9E	1_2_008C6F9E
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Code function: 1_2_008C3030	1_2_008C3030
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Code function: 1_2_008D3187	1_2_008D3187
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Code function: 1_2_008DF1D9	1_2_008DF1D9
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Code function: 1_2_008B1287	1_2_008B1287
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Code function: 1_2_008D1484	1_2_008D1484
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Code function: 1_2_008C5520	1_2_008C5520
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Code function: 1_2_008D7696	1_2_008D7696
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Code function: 1_2_008C5760	1_2_008C5760
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Code function: 1_2_008D1978	1_2_008D1978
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Code function: 1_2_008E9AB5	1_2_008E9AB5
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Code function: 1_2_008D1D90	1_2_008D1D90
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Code function: 1_2_008DBDA6	1_2_008DBDA6
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Code function: 1_2_00937DDB	1_2_00937DDB
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Code function: 1_2_008C3FE0	1_2_008C3FE0
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Code function: 1_2_008BDF00	1_2_008BDF00
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Code function: 1_2_013B0568	1_2_013B0568
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00D427B9	2_2_00D427B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00D42DD1	2_2_00D42DD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00D49E08	2_2_00D49E08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00D4E220	2_2_00D4E220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00D4E7F0	2_2_00D4E7F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00D4E7E0	2_2_00D4E7E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00D4EC48	2_2_00D4EC48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00D4EC39	2_2_00D4EC39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00D4F090	2_2_00D4F090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00D4F0A0	2_2_00D4F0A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00D4F4F8	2_2_00D4F4F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00D4F4E8	2_2_00D4F4E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00D4F950	2_2_00D4F950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00D4F941	2_2_00D4F941
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00D49BEC	2_2_00D49BEC

Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Code function: String function: 008D8900 appears 42 times
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Code function: String function: 008D0AE3 appears 70 times
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Code function: String function: 008B7DE1 appears 35 times
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Code function: String function: 00388900 appears 42 times
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Code function: String function: 00367DE1 appears 36 times
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Code function: String function: 00380AE3 appears 70 times

Source: PK5pHX4Gu5.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 1.2.palladiums.exe.1f50000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.palladiums.exe.1f50000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.palladiums.exe.1d80000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.palladiums.exe.1d80000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.palladiums.exe.1f50000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.palladiums.exe.1f50000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.palladiums.exe.1d80000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.palladiums.exe.1d80000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000002.2033313050.0000000001D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000007.00000002.2033313050.0000000001D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000001.00000002.1865151003.0000000001F50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000001.00000002.1865151003.0000000001F50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.3052022073.0000000000743000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: palladiums.exe PID: 7160, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 6244, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: palladiums.exe PID: 6480, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@10/6@2/2

Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe

Code function: 0_2_003CA06A GetLastError,FormatMessageW,

0_2_003CA06A

Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Code function: 0_2_003B81CB AdjustTokenPrivileges,CloseHandle,	0_2_003B81CB
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Code function: 0_2_003B87E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	0_2_003B87E1
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Code function: 1_2_009081CB AdjustTokenPrivileges,CloseHandle,	1_2_009081CB
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Code function: 1_2_009087E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	1_2_009087E1

Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe

Code function: 0_2_003CB333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_003CB333

Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe

Code function: 0_2_003DEE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_003DEE0D

Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe

Code function: 0_2_003D83BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_003D83BB

Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe

Code function: 0_2_00364E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00364E89

Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe

File created: C:\Users\user\AppData\Local\biopsies

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe

File created: C:\Users\user\AppData\Local\Temp\aut38BA.tmp

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\palladiums.vbs"

Source: PK5pHX4Gu5.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 00000008.00000002.3053661404.0000000002D73000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3053661404.0000000002D83000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3053661404.0000000002D91000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: PK5pHX4Gu5.exe	Virustotal: Detection: 68%
Source: PK5pHX4Gu5.exe	ReversingLabs: Detection: 86%

Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe

File read: C:\Users\user\Desktop\PK5pHX4Gu5.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\PK5pHX4Gu5.exe "C:\Users\user\Desktop\PK5pHX4Gu5.exe"
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Process created: C:\Users\user\AppData\Local\biopsies\palladiums.exe "C:\Users\user\Desktop\PK5pHX4Gu5.exe"
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\PK5pHX4Gu5.exe"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\palladiums.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\biopsies\palladiums.exe "C:\Users\user\AppData\Local\biopsies\palladiums.exe"
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\biopsies\palladiums.exe"
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Process created: C:\Users\user\AppData\Local\biopsies\palladiums.exe "C:\Users\user\Desktop\PK5pHX4Gu5.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\PK5pHX4Gu5.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\biopsies\palladiums.exe "C:\Users\user\AppData\Local\biopsies\palladiums.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\biopsies\palladiums.exe"	Jump to behavior

Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: PK5pHX4Gu5.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: PK5pHX4Gu5.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: PK5pHX4Gu5.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: PK5pHX4Gu5.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: PK5pHX4Gu5.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: PK5pHX4Gu5.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: PK5pHX4Gu5.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: palladiums.exe, 00000001.00000003.1863219711.0000000003B90000.00000004.00001000.00020000.00000000.sdmp, palladiums.exe, 00000001.00000003.1861339895.0000000003D10000.00000004.00001000.00020000.00000000.sdmp, palladiums.exe, 00000007.00000003.2026875676.0000000003C40000.00000004.00001000.00020000.00000000.sdmp, palladiums.exe, 00000007.00000003.2026688080.0000000003AA0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: palladiums.exe, 00000001.00000003.1863219711.0000000003B90000.00000004.00001000.00020000.00000000.sdmp, palladiums.exe, 00000001.00000003.1861339895.0000000003D10000.00000004.00001000.00020000.00000000.sdmp, palladiums.exe, 00000007.00000003.2026875676.0000000003C40000.00000004.00001000.00020000.00000000.sdmp, palladiums.exe, 00000007.00000003.2026688080.0000000003AA0000.00000004.00001000.00020000.00000000.sdmp

Source: PK5pHX4Gu5.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: PK5pHX4Gu5.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: PK5pHX4Gu5.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: PK5pHX4Gu5.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: PK5pHX4Gu5.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe

Code function: 0_2_00364B37 LoadLibraryA,GetProcAddress,

0_2_00364B37

Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Code function: 0_2_003C848F push FFFFFF8Bh; iretd	0_2_003C8491
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Code function: 0_2_0036C4FE push A30036BAh; retn 0036h	0_2_0036C50D
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Code function: 0_2_0038E70F push edi; ret	0_2_0038E711
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Code function: 0_2_0038E828 push esi; ret	0_2_0038E82A
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Code function: 0_2_00388945 push ecx; ret	0_2_00388958
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Code function: 0_2_0038EA03 push esi; ret	0_2_0038EA05
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Code function: 0_2_0038EAEC push edi; ret	0_2_0038EAEE
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Code function: 1_2_0091848F push FFFFFF8Bh; iretd	1_2_00918491
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Code function: 1_2_008DE70F push edi; ret	1_2_008DE711
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Code function: 1_2_008DE828 push esi; ret	1_2_008DE82A
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Code function: 1_2_008D8945 push ecx; ret	1_2_008D8958
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Code function: 1_2_008DEAEC push edi; ret	1_2_008DEAEE
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Code function: 1_2_008DEA03 push esi; ret	1_2_008DEA05
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00D43493 push ebx; iretd	2_2_00D4349A

Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe

File created: C:\Users\user\AppData\Local\biopsies\palladiums.exe

Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\palladiums.vbs

Jump to dropped file

Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\palladiums.vbs

Jump to behavior

Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\palladiums.vbs

Jump to behavior

Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Code function: 0_2_003648D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	0_2_003648D7
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Code function: 0_2_003E5376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	0_2_003E5376
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Code function: 1_2_008B48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	1_2_008B48D7
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Code function: 1_2_00935376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	1_2_00935376

Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe

Code function: 0_2_00383187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00383187

Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	API/Special instruction interceptor: Address: 13B018C
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	API/Special instruction interceptor: Address: 121205C

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes			graph_0-101948

Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	API coverage: 4.7 %
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	API coverage: 4.9 %

Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Code function: 0_2_003C445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_003C445A
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Code function: 0_2_003CC6D1 FindFirstFileW,FindClose,	0_2_003CC6D1
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Code function: 0_2_003CC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_003CC75C
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Code function: 0_2_003CEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_003CEF95
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Code function: 0_2_003CF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_003CF0F2
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Code function: 0_2_003CF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_003CF3F3
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Code function: 0_2_003C37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_003C37EF
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Code function: 0_2_003C3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_003C3B12
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Code function: 0_2_003CBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_003CBCBC
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Code function: 1_2_0091445A GetFileAttributesW,FindFirstFileW,FindClose,	1_2_0091445A
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Code function: 1_2_0091C6D1 FindFirstFileW,FindClose,	1_2_0091C6D1
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Code function: 1_2_0091C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	1_2_0091C75C
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Code function: 1_2_0091EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_0091EF95
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Code function: 1_2_0091F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_0091F0F2
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Code function: 1_2_0091F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_0091F3F3
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Code function: 1_2_009137EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_009137EF
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Code function: 1_2_00913B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_00913B12
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Code function: 1_2_0091BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_0091BCBC

Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe

Code function: 0_2_003649A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_003649A0

Source: RegSvcs.exe, 00000002.00000002.3052372607.0000000000837000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll<
Source: palladiums.exe, 00000007.00000003.1986346933.0000000001193000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmwareworkstation.exe<
Source: RegSvcs.exe, 00000008.00000002.3053193591.00000000010E6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll&
Source: PK5pHX4Gu5.exe, 00000000.00000002.1833534424.0000000001178000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmwareworkstation.exe

Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	API call chain: ExitProcess graph end node	graph_0-100284
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	API call chain: ExitProcess graph end node	graph_0-100383
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe

Code function: 0_2_003D3F09 BlockInput,

0_2_003D3F09

Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe

Code function: 0_2_00363B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00363B3A

Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe

Code function: 0_2_00395A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00395A7C

Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe

Code function: 0_2_00364B37 LoadLibraryA,GetProcAddress,

0_2_00364B37

Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Code function: 0_2_01160448 mov eax, dword ptr fs:[00000030h]	0_2_01160448
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Code function: 0_2_011604A8 mov eax, dword ptr fs:[00000030h]	0_2_011604A8
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Code function: 0_2_0115EE28 mov eax, dword ptr fs:[00000030h]	0_2_0115EE28
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Code function: 1_2_013B03F8 mov eax, dword ptr fs:[00000030h]	1_2_013B03F8
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Code function: 1_2_013B0458 mov eax, dword ptr fs:[00000030h]	1_2_013B0458
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Code function: 1_2_013AEDD8 mov eax, dword ptr fs:[00000030h]	1_2_013AEDD8

Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe

Code function: 0_2_003B80A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_003B80A9

Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Code function: 0_2_0038A124 SetUnhandledExceptionFilter,	0_2_0038A124
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Code function: 0_2_0038A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0038A155
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Code function: 1_2_008DA124 SetUnhandledExceptionFilter,	1_2_008DA124
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Code function: 1_2_008DA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_008DA155

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 49F008			Jump to behavior
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: D7A008			Jump to behavior

Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe

Code function: 0_2_003B87B1 LogonUserW,

0_2_003B87B1

Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe

Code function: 0_2_00363B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00363B3A

Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe

Code function: 0_2_003648D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_003648D7

Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe

Code function: 0_2_003C4C27 mouse_event,

0_2_003C4C27

Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\PK5pHX4Gu5.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\biopsies\palladiums.exe "C:\Users\user\AppData\Local\biopsies\palladiums.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\biopsies\palladiums.exe"	Jump to behavior

Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe

Code function: 0_2_003B7CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_003B7CAF

Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe

Code function: 0_2_003B874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_003B874B

Source: PK5pHX4Gu5.exe, palladiums.exe.0.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: PK5pHX4Gu5.exe, palladiums.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe

Code function: 0_2_0038862B cpuid

0_2_0038862B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe

Code function: 0_2_00394E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00394E87

Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe

Code function: 0_2_003A1E06 GetUserNameW,

0_2_003A1E06

Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe

Code function: 0_2_00393F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00393F3A

Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe

Code function: 0_2_003649A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_003649A0

Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MassLogger RAT

Source: Yara match	File source: 1.2.palladiums.exe.1f50000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.palladiums.exe.1d80000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.palladiums.exe.1f50000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.palladiums.exe.1d80000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2033313050.0000000001D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1865151003.0000000001F50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3052022073.0000000000743000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: palladiums.exe PID: 7160, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6244, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: palladiums.exe PID: 6480, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 1.2.palladiums.exe.1f50000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.palladiums.exe.1d80000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.palladiums.exe.1f50000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.palladiums.exe.1d80000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2033313050.0000000001D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1865151003.0000000001F50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: palladiums.exe PID: 7160, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: palladiums.exe PID: 6480, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5828, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: palladiums.exe	Binary or memory string: WIN_81
Source: palladiums.exe	Binary or memory string: WIN_XP
Source: palladiums.exe	Binary or memory string: WIN_XPe
Source: palladiums.exe	Binary or memory string: WIN_VISTA
Source: palladiums.exe	Binary or memory string: WIN_7
Source: palladiums.exe	Binary or memory string: WIN_8
Source: palladiums.exe.0.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 1.2.palladiums.exe.1f50000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.palladiums.exe.1d80000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.palladiums.exe.1f50000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.palladiums.exe.1d80000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2033313050.0000000001D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3054315301.00000000028F6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1865151003.0000000001F50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3053661404.0000000002DB8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: palladiums.exe PID: 7160, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6244, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: palladiums.exe PID: 6480, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5828, type: MEMORYSTR

Remote Access Functionality

Yara detected MassLogger RAT

Source: Yara match	File source: 1.2.palladiums.exe.1f50000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.palladiums.exe.1d80000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.palladiums.exe.1f50000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.palladiums.exe.1d80000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2033313050.0000000001D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1865151003.0000000001F50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3052022073.0000000000743000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: palladiums.exe PID: 7160, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6244, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: palladiums.exe PID: 6480, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 1.2.palladiums.exe.1f50000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.palladiums.exe.1d80000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.palladiums.exe.1f50000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.palladiums.exe.1d80000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2033313050.0000000001D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1865151003.0000000001F50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: palladiums.exe PID: 7160, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: palladiums.exe PID: 6480, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5828, type: MEMORYSTR

Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Code function: 0_2_003D6283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	0_2_003D6283
Source: C:\Users\user\Desktop\PK5pHX4Gu5.exe	Code function: 0_2_003D6747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_003D6747
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Code function: 1_2_00926283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	1_2_00926283
Source: C:\Users\user\AppData\Local\biopsies\palladiums.exe	Code function: 1_2_00926747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	1_2_00926747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	2 Valid Accounts	2 Native API	111 Scripting	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Valid Accounts	2 Valid Accounts	3 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	2 Registry Run Keys / Startup Folder	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	127 System Information Discovery	Distributed Component Object Model	21 Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 Masquerading	LSA Secrets	231 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Registry Run Keys / Startup Folder	2 Valid Accounts	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	212 Process Injection	Proc Filesystem	1 System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
PK5pHX4Gu5.exe	68%	Virustotal		Browse
PK5pHX4Gu5.exe	87%	ReversingLabs	Win32.Trojan.AutoitInject
PK5pHX4Gu5.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\biopsies\palladiums.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\biopsies\palladiums.exe	87%	ReversingLabs	Win32.Trojan.AutoitInject

Source	Detection	Scanner	Label	Link
http://checkip.dyndns.comp	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.64.1	true	false	high
checkip.dyndns.com	158.101.44.242	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
https://reallyfreegeoip.org/xml/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.comp	RegSvcs.exe, 00000008.00000002.3053661404.0000000002D10000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/d	RegSvcs.exe, 00000002.00000002.3054315301.0000000002830000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3053661404.0000000002D10000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.comd	RegSvcs.exe, 00000002.00000002.3054315301.0000000002830000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3053661404.0000000002D10000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.microsoft	RegSvcs.exe, 00000008.00000002.3055936383.00000000061D0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/q	palladiums.exe, 00000001.00000002.1865151003.0000000001F50000.00000004.00001000.00020000.00000000.sdmp, palladiums.exe, 00000007.00000002.2033313050.0000000001D80000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3051944992.0000000000413000.00000040.80000000.00040000.00000000.sdmp	false		high
http://reallyfreegeoip.orgd	RegSvcs.exe, 00000002.00000002.3054315301.0000000002851000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3053661404.0000000002D31000.00000004.00000800.00020000.00000000.sdmp	false		high
http://reallyfreegeoip.org	RegSvcs.exe, 00000002.00000002.3054315301.0000000002851000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3053661404.0000000002D31000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.orgd	RegSvcs.exe, 00000002.00000002.3054315301.0000000002830000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3053661404.0000000002D10000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org	RegSvcs.exe, 00000002.00000002.3054315301.0000000002830000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3053661404.0000000002D10000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org	RegSvcs.exe, 00000002.00000002.3054315301.000000000281E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3054315301.0000000002830000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3053661404.0000000002CFE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3053661404.0000000002D10000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.com	RegSvcs.exe, 00000002.00000002.3054315301.0000000002830000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3053661404.0000000002D10000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/d	RegSvcs.exe, 00000002.00000002.3054315301.0000000002830000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3053661404.0000000002D10000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000002.00000002.3054315301.0000000002803000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3053661404.0000000002C91000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot-/sendDocument?chat_id=	palladiums.exe, 00000001.00000002.1865151003.0000000001F50000.00000004.00001000.00020000.00000000.sdmp, palladiums.exe, 00000007.00000002.2033313050.0000000001D80000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.3051944992.0000000000413000.00000040.80000000.00040000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.64.1	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false
158.101.44.242	checkip.dyndns.com	United States		31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588274
Start date and time:	2025-01-10 23:20:22 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PK5pHX4Gu5.exe renamed because original name is a hash value
Original Sample Name:	d05dd1eadb299496b0ba13586d436d919d47a3cc28987bded50c7ecd0a417040.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@10/6@2/2
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 100% Number of executed functions: 58 Number of non-executed functions: 281
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 52.149.20.212, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target RegSvcs.exe, PID 6244 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
22:21:36	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\palladiums.vbs

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.64.1	4sfN3Gx1vO.exe	Get hash	malicious	FormBook	Browse	www.vilakodsiy.sbs/w7eo/
	1162-201.exe	Get hash	malicious	FormBook	Browse	www.mzkd6gp5.top/utww/
	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	www.mzkd6gp5.top/3u0p/
	Sales Acknowledgement - HES #982323.pdf	Get hash	malicious	Unknown	Browse	ordrr.statementquo.com/QCbxA/
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	adsfirm.com/administrator/index.php
	PO2412010.exe	Get hash	malicious	FormBook	Browse	www.bser101pp.buzz/v89f/
158.101.44.242	b5BQbAhwVD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	SABXJ1B5c8.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	4UQ5wnI389.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	jxy62Zm6c4.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	MzqLQjCwrw.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	RmIYOfX0yO.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	2V7usxd7Vc.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	tx4pkcHL9o.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	PO#17971.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	PO#3_RKG367.bat	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	7b4Iaf58Rp.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.8.169
	C5JLkBS1CX.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	rXKfKM0T49.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
	4Vx2rUlb0f.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	Yef4EqsQha.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	b5BQbAhwVD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.8.169
	UF7jzc7ETP.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	9Yn5tjyOgT.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
	VQsnGWaNi5.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	6ZoBPR3isG.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
reallyfreegeoip.org	7b4Iaf58Rp.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.80.1
	C5JLkBS1CX.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	rXKfKM0T49.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.96.1
	4Vx2rUlb0f.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.112.1
	Yef4EqsQha.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	b5BQbAhwVD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.80.1
	UF7jzc7ETP.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	9Yn5tjyOgT.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.32.1
	VQsnGWaNi5.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	6ZoBPR3isG.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.80.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	C5JLkBS1CX.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	Yef4EqsQha.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	b5BQbAhwVD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	158.101.44.242
	VQsnGWaNi5.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	lsc5QN46NH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	SABXJ1B5c8.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	xXUnP7uCBJ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.6.168
	4UQ5wnI389.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	158.101.44.242
	ajRZflJ2ch.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.6.168
	hZbkP3TJBJ.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
CLOUDFLARENETUS	Full-Ver_Setup.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.11.60
	7b4Iaf58Rp.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.80.1
	C5JLkBS1CX.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	rXKfKM0T49.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.96.1
	4Vx2rUlb0f.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.112.1
	gH3LlhcRzg.exe	Get hash	malicious	FormBook	Browse	104.21.96.1
	Yef4EqsQha.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	M7XS5C07kV.exe	Get hash	malicious	FormBook	Browse	172.67.186.192
	b5BQbAhwVD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.80.1
	UF7jzc7ETP.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	7b4Iaf58Rp.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.64.1
	C5JLkBS1CX.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.64.1
	rXKfKM0T49.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.64.1
	4Vx2rUlb0f.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.64.1
	Yef4EqsQha.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.64.1
	b5BQbAhwVD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.64.1
	UF7jzc7ETP.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.64.1
	9Yn5tjyOgT.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.64.1
	VQsnGWaNi5.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.64.1
	6ZoBPR3isG.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.64.1

Process:	C:\Users\user\Desktop\PK5pHX4Gu5.exe
File Type:	data
Category:	dropped
Size (bytes):	58644
Entropy (8bit):	7.8567605635982405
Encrypted:	false
SSDEEP:	1536:W8A9/GzkTJmlAzZq4G5Y9JfDl7nzbztGyRROrHs:I+zkMloq7Y9XvbzrRIrHs
MD5:	1A3503E3574D9BA9BCF2993E0A247D06
SHA1:	0479A8EF5AEEB6FDC49C6F11B0B9CD71AD6F2A93
SHA-256:	6D716D8DC59EC3B1297E4E72572B9A506C976F5834AE94F174EA62194AED1F8C
SHA-512:	CEC6C1C09C0F31F1188909B08F1D4FD4D55C226129160A90845E1D75E1317144CE11576021A50DA132D86AF6B31BA7DB00ABD6073CC316FF88AE5ECC93CA6DC2
Malicious:	false
Reputation:	low
Preview:	EA06..l..B.5.5JmZ..&t...P..(...f.s.....D.;30....U.x.-..H..<.H.....V..i...6.I'.i..u].L..9..U0.E.s{......'.Y.;._@.....jW..j.....Z..&4.m.#P...).H.....B.E..?.I..q..To..Eb.T..Ff..5.=..Q..TbcK.p.5..b.B..dt.5\...`.N.e.z.X.9...z..w..R.@!_..w.t..........xH.Wm.9$.J..\.U....p..8...7...Vf....k"..0up...@.............'..(5......T) ....5.Dk.X..G.y...4..d.8.V..J~..G... B...3..`B.......UW.........+u...N...jN.T@.#1R....`..X.8X@.38..&.....p....`..T.8M..3O.[i.j.N....-...F.E.~%7....Pj.Y]..6.vj.:].ib..8..-.O......F.A...U...F..oP...Y .Vj..%..A.Tk{.<.Y..m.j-..Q.S.Q..f..P(..]..E.m.`M..!4.T5.h..S.N.tj/....^%...^gK.[lr..b.V..wjm\|....nVyd..Y.F)v.,...T^f...IK.P.U..z.0.J:5...(..?P.B...Ph7.]bw\.......K.^.T[..Y.L.qz=..Q.}.T.H.ag..nU..r.D.Z......A.U..p.....1....%...-@...;X..&.(..qF.....-....G....^.6.Vo...b.z..(..x.13..gV..".V...?*=.W}..#...Rkm.[.@/P..m..m.9 .....l1.=.]D..&......P.....2.t...N.A.T.Ti}..`..b./D...8V).(.Qk.S.\|.\.X....(E..X..6...B..Pj...r...@j.:}f.i.p.+x.0.d.......L

C:\Users\user\AppData\Local\Temp\aut457B.tmp

Download File

Process:	C:\Users\user\AppData\Local\biopsies\palladiums.exe
File Type:	data
Category:	dropped
Size (bytes):	58644
Entropy (8bit):	7.8567605635982405
Encrypted:	false
SSDEEP:	1536:W8A9/GzkTJmlAzZq4G5Y9JfDl7nzbztGyRROrHs:I+zkMloq7Y9XvbzrRIrHs
MD5:	1A3503E3574D9BA9BCF2993E0A247D06
SHA1:	0479A8EF5AEEB6FDC49C6F11B0B9CD71AD6F2A93
SHA-256:	6D716D8DC59EC3B1297E4E72572B9A506C976F5834AE94F174EA62194AED1F8C
SHA-512:	CEC6C1C09C0F31F1188909B08F1D4FD4D55C226129160A90845E1D75E1317144CE11576021A50DA132D86AF6B31BA7DB00ABD6073CC316FF88AE5ECC93CA6DC2
Malicious:	false
Reputation:	low
Preview:	EA06..l..B.5.5JmZ..&t...P..(...f.s.....D.;30....U.x.-..H..<.H.....V..i...6.I'.i..u].L..9..U0.E.s{......'.Y.;._@.....jW..j.....Z..&4.m.#P...).H.....B.E..?.I..q..To..Eb.T..Ff..5.=..Q..TbcK.p.5..b.B..dt.5\...`.N.e.z.X.9...z..w..R.@!_..w.t..........xH.Wm.9$.J..\.U....p..8...7...Vf....k"..0up...@.............'..(5......T) ....5.Dk.X..G.y...4..d.8.V..J~..G... B...3..`B.......UW.........+u...N...jN.T@.#1R....`..X.8X@.38..&.....p....`..T.8M..3O.[i.j.N....-...F.E.~%7....Pj.Y]..6.vj.:].ib..8..-.O......F.A...U...F..oP...Y .Vj..%..A.Tk{.<.Y..m.j-..Q.S.Q..f..P(..]..E.m.`M..!4.T5.h..S.N.tj/....^%...^gK.[lr..b.V..wjm\|....nVyd..Y.F)v.,...T^f...IK.P.U..z.0.J:5...(..?P.B...Ph7.]bw\.......K.^.T[..Y.L.qz=..Q.}.T.H.ag..nU..r.D.Z......A.U..p.....1....%...-@...;X..&.(..qF.....-....G....^.6.Vo...b.z..(..x.13..gV..".V...?*=.W}..#...Rkm.[.@/P..m..m.9 .....l1.=.]D..&......P.....2.t...N.A.T.Ti}..`..b./D...8V).(.Qk.S.\|.\.X....(E..X..6...B..Pj...r...@j.:}f.i.p.+x.0.d.......L

C:\Users\user\AppData\Local\Temp\aut815C.tmp

Download File

Process:	C:\Users\user\AppData\Local\biopsies\palladiums.exe
File Type:	data
Category:	dropped
Size (bytes):	58644
Entropy (8bit):	7.8567605635982405
Encrypted:	false
SSDEEP:	1536:W8A9/GzkTJmlAzZq4G5Y9JfDl7nzbztGyRROrHs:I+zkMloq7Y9XvbzrRIrHs
MD5:	1A3503E3574D9BA9BCF2993E0A247D06
SHA1:	0479A8EF5AEEB6FDC49C6F11B0B9CD71AD6F2A93
SHA-256:	6D716D8DC59EC3B1297E4E72572B9A506C976F5834AE94F174EA62194AED1F8C
SHA-512:	CEC6C1C09C0F31F1188909B08F1D4FD4D55C226129160A90845E1D75E1317144CE11576021A50DA132D86AF6B31BA7DB00ABD6073CC316FF88AE5ECC93CA6DC2
Malicious:	false
Reputation:	low
Preview:	EA06..l..B.5.5JmZ..&t...P..(...f.s.....D.;30....U.x.-..H..<.H.....V..i...6.I'.i..u].L..9..U0.E.s{......'.Y.;._@.....jW..j.....Z..&4.m.#P...).H.....B.E..?.I..q..To..Eb.T..Ff..5.=..Q..TbcK.p.5..b.B..dt.5\...`.N.e.z.X.9...z..w..R.@!_..w.t..........xH.Wm.9$.J..\.U....p..8...7...Vf....k"..0up...@.............'..(5......T) ....5.Dk.X..G.y...4..d.8.V..J~..G... B...3..`B.......UW.........+u...N...jN.T@.#1R....`..X.8X@.38..&.....p....`..T.8M..3O.[i.j.N....-...F.E.~%7....Pj.Y]..6.vj.:].ib..8..-.O......F.A...U...F..oP...Y .Vj..%..A.Tk{.<.Y..m.j-..Q.S.Q..f..P(..]..E.m.`M..!4.T5.h..S.N.tj/....^%...^gK.[lr..b.V..wjm\|....nVyd..Y.F)v.,...T^f...IK.P.U..z.0.J:5...(..?P.B...Ph7.]bw\.......K.^.T[..Y.L.qz=..Q.}.T.H.ag..nU..r.D.Z......A.U..p.....1....%...-@...;X..&.(..qF.....-....G....^.6.Vo...b.z..(..x.13..gV..".V...?*=.W}..#...Rkm.[.@/P..m..m.9 .....l1.=.]D..&......P.....2.t...N.A.T.Ti}..`..b./D...8V).(.Qk.S.\|.\.X....(E..X..6...B..Pj...r...@j.:}f.i.p.+x.0.d.......L

C:\Users\user\AppData\Local\Temp\saccule

Download File

Process:	C:\Users\user\Desktop\PK5pHX4Gu5.exe
File Type:	data
Category:	dropped
Size (bytes):	93184
Entropy (8bit):	6.802471375006318
Encrypted:	false
SSDEEP:	1536:oRD1qgMZrEOwAhVMlns0enbjyDMzKaJUrFDfSFAOcjGF2FV:ohMZrEBwRpOMzyrAF2V
MD5:	D6FF0A56EEF56C2E0038B9414C4FF141
SHA1:	E8B5EBD9405FD20507F3F1A5DEEFE397FCE5D111
SHA-256:	056490593804BD64D1FD6920791D21F5BF446CE32634257E5F91377734E6E160
SHA-512:	DC7A6691A5D3ADF6B48F86B3AE6230DCDFC8CB98C59A3DFEB968DCE6DFB87AD25B96418128F0DA53B2F1AA574FB9CB32203ECA2DB3CFF33497A689157DD1363C
Malicious:	false
Reputation:	low
Preview:	...XFR6Z]T3K..AP.XER6ZYTsKFGAPQXER6ZYT3KFGAPQXER6ZYT3KFGAPQX.R6ZWK.EF.H.p.D..{.<Z8f73?6$?.98:]$2g#5q0<.37tw..g,?5=k_;P}T3KFGAP..ERz[ZT.%..APQXER6Z.T1JMF.PQ:DR6RYT3KFG..PXEr6ZY.2KFG.PQxER6XYT7KFGAPQXCR6ZYT3KF.@PQZER6ZYT1K&.APAXEB6ZYT#KFWAPQXER&ZYT3KFGAPQX.-7Z.T3KF.@P.]ER6ZYT3KFGAPQXER6ZY.2KJGAPQXER6ZYT3KFGAPQXER6ZYT3KFGAPQXER6ZYT3KFGAPQXER6ZYt3KNGAPQXER6ZYT;kFG.PQXER6ZYT3Kh3$(%XERr:XT3kFGA2PXEP6ZYT3KFGAPQXER.ZY4.955"PQX.W6ZY.2KFAAPQ<DR6ZYT3KFGAPQX.R6.w&V')$AP]XER6.XT3IFGA:PXER6ZYT3KFGAP.XE.6ZYT3KFGAPQXER6Zy.2KFGAP.XER4Z\TO.FG1.QXFR6Z.T3M..AP.XER6ZYT3KFGAPQXER6ZYT3KFGAPQXER6ZYT3KFGAPQX./.U..."5.PQXER6[[W7MNOAPQXER6Z'T3K.GAP.XER.ZYT.KFG,PQXaR6Z'T3K8GAP5XERDZYTRKFG.PQXR6Z7T3K8GAPOZmM6ZS~.KDoaPQREx.)xT3A.FAPU+gR6P.V3KB4bPQR.Q6Z]'.KFM.TQXA!.ZY^.NFGEz.XF. \YT($~GAZQ[.G0ZYO.mFEiiQXOR.\|YW.^@GAK{zEP.SYT7a.4\PQ^m.6ZS :KFE.ZQXAx(Xq.3KLmc.BXEV.ZsvM_FGE{Qrg,#ZYP.Kle?FQXAy6p{$KFCjP{^o06(.X3;E( PQ^m.6ZS\|sKFAAzkX;\6Z]V\.FGKv{bEzfZYR3c.GAVQr.RHiYT7gA9rPQ\nDHkYT7.@?APW+.R6P\|..KFCi.QXOR..Y\|jKFAAx.XET

C:\Users\user\AppData\Local\biopsies\palladiums.exe

Download File

Process:	C:\Users\user\Desktop\PK5pHX4Gu5.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	983552
Entropy (8bit):	6.880419410484294
Encrypted:	false
SSDEEP:	24576:vu6J33O0c+JY5UZ+XC0kGso6FahUuYFWY:Zu0c++OCvkGs9FahLY
MD5:	C56387AA015A4B10FCAE5750940804F0
SHA1:	15E781425E6CEB489B4669A8CB14572730EFCD20
SHA-256:	D05DD1EADB299496B0BA13586D436D919D47A3CC28987BDED50C7ECD0A417040
SHA-512:	A78B77687A241E299085DD080E8029F188FB42B69A98B6840AA074D84EE8D6E936A7299F8A5A69A34A153ACD7828EDC273A19C0DDCAE4D8C3AED76ED0FF31DA2
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 87%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}.r}.r}.4,".p}.....s}../..A}../#..}../".G}.{.@.{}.{.P.W}.r}.R....)."}.....s}../..s}.r}T.s}.....s}.Richr}.................PE..L....Vg..........".......... .......}............@..........................p.......\|....@...@.......@.....................L...\|....p...y.......................q...+..............................pH..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc....y...p...z..................@..@.reloc...q.......r..................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\palladiums.vbs

Download File

Process:	C:\Users\user\AppData\Local\biopsies\palladiums.exe
File Type:	data
Category:	dropped
Size (bytes):	278
Entropy (8bit):	3.411260899297191
Encrypted:	false
SSDEEP:	6:DMM8lfm3OOQdUfcloRKUEZ+lX1JUZiInkSMBnriIM8lfQVn:DsO+vNloRKQ1onpMRmA2n
MD5:	AA60E7CEBE715143DCC7CC8097043026
SHA1:	DF059403A2A62E5ABE8B7D47BF45DEA6BA1C550F
SHA-256:	AFA39B0DABD54CC27A4EC3EE2992B4731355BCD9019152AFFAC3F7BDAB4FB16D
SHA-512:	8FC0AD2C06E59EE3680542B52BEF454E9615852D1BB7A29BD3091C20850B8AE3383B6708A309977223026CE1E9FF7F6ED548CF703BB3AACEFA2F05330B6E6930
Malicious:	true
Preview:	S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.b.i.o.p.s.i.e.s.\.p.a.l.l.a.d.i.u.m.s...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.880419410484294
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	PK5pHX4Gu5.exe
File size:	983'552 bytes
MD5:	c56387aa015a4b10fcae5750940804f0
SHA1:	15e781425e6ceb489b4669a8cb14572730efcd20
SHA256:	d05dd1eadb299496b0ba13586d436d919d47a3cc28987bded50c7ecd0a417040
SHA512:	a78b77687a241e299085dd080e8029f188fb42b69a98b6840aa074d84ee8d6e936a7299f8a5a69a34a153acd7828edc273a19c0ddcae4d8c3aed76ed0ff31da2
SSDEEP:	24576:vu6J33O0c+JY5UZ+XC0kGso6FahUuYFWY:Zu0c++OCvkGs9FahLY
TLSH:	9125AD2273DDC360CB669173BF69B7016EBF7C614630B85B2F880D7DA960162162D7A3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x427dcd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x675692EE [Mon Dec 9 06:49:18 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F69B8F09C2Ah
jmp 00007F69B8EFC9F4h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F69B8EFCB7Ah
cmp edi, eax
jc 00007F69B8EFCEDEh
bt dword ptr [004C31FCh], 01h
jnc 00007F69B8EFCB79h
rep movsb
jmp 00007F69B8EFCE8Ch
cmp ecx, 00000080h
jc 00007F69B8EFCD44h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F69B8EFCB80h
bt dword ptr [004BE324h], 01h
jc 00007F69B8EFD050h
bt dword ptr [004C31FCh], 00000000h
jnc 00007F69B8EFCD1Dh
test edi, 00000003h
jne 00007F69B8EFCD2Eh
test esi, 00000003h
jne 00007F69B8EFCD0Dh
bt edi, 02h
jnc 00007F69B8EFCB7Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F69B8EFCB83h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F69B8EFCBD5h
bt esi, 03h
jnc 00007F69B8EFCC28h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x279c0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xef000	0x711c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dcc4	0x8de00	d28a820a1d9ff26cda02d12b888ba4b4	False	0.5728679102422908	data	6.676118058520316	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	79b14b254506b0dbc8cd0ad67fb70ad9	False	0.33535526761517614	OpenPGP Public Key	5.76010872795207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	9f9d6f746f1a415a63de45f8b7983d33	False	0.1017530487804878	data	1.198745897703538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x279c0	0x27a00	5cd60f6f7a4682f1efa39aaac26cfdcf	False	0.834267793769716	data	7.641622101670987	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xef000	0x711c	0x7200	6fcae3cbbf6bfbabf5ec5bbe7cf612c3	False	0.7650767543859649	data	6.779031650454199	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc75a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc76d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc77f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc7920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc7c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc7d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc8bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc9480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc99e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xcbf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xcd038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xcd4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xcd4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcda84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xce110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xce5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xceb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcf1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcf660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcf7b8	0x1ec87	data			1.0003648274604042
RT_GROUP_ICON	0xee440	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xee4b8	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xee4cc	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xee4e0	0x14	data	English	Great Britain	1.25
RT_VERSION	0xee4f4	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xee5d0	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-10T23:21:36.940531+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49730	158.101.44.242	80	TCP
2025-01-10T23:21:53.940627+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49738	158.101.44.242	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 23:21:34.151331902 CET	49730	80	192.168.2.4	158.101.44.242
Jan 10, 2025 23:21:34.156294107 CET	80	49730	158.101.44.242	192.168.2.4
Jan 10, 2025 23:21:34.156563997 CET	49730	80	192.168.2.4	158.101.44.242
Jan 10, 2025 23:21:34.156653881 CET	49730	80	192.168.2.4	158.101.44.242
Jan 10, 2025 23:21:34.161636114 CET	80	49730	158.101.44.242	192.168.2.4
Jan 10, 2025 23:21:35.722213030 CET	80	49730	158.101.44.242	192.168.2.4
Jan 10, 2025 23:21:35.741122007 CET	49730	80	192.168.2.4	158.101.44.242
Jan 10, 2025 23:21:35.746057034 CET	80	49730	158.101.44.242	192.168.2.4
Jan 10, 2025 23:21:36.895042896 CET	80	49730	158.101.44.242	192.168.2.4
Jan 10, 2025 23:21:36.923422098 CET	49731	443	192.168.2.4	104.21.64.1
Jan 10, 2025 23:21:36.923468113 CET	443	49731	104.21.64.1	192.168.2.4
Jan 10, 2025 23:21:36.923535109 CET	49731	443	192.168.2.4	104.21.64.1
Jan 10, 2025 23:21:36.934302092 CET	49731	443	192.168.2.4	104.21.64.1
Jan 10, 2025 23:21:36.934324026 CET	443	49731	104.21.64.1	192.168.2.4
Jan 10, 2025 23:21:36.940531015 CET	49730	80	192.168.2.4	158.101.44.242
Jan 10, 2025 23:21:37.405735016 CET	443	49731	104.21.64.1	192.168.2.4
Jan 10, 2025 23:21:37.405838966 CET	49731	443	192.168.2.4	104.21.64.1
Jan 10, 2025 23:21:37.411087990 CET	49731	443	192.168.2.4	104.21.64.1
Jan 10, 2025 23:21:37.411102057 CET	443	49731	104.21.64.1	192.168.2.4
Jan 10, 2025 23:21:37.411470890 CET	443	49731	104.21.64.1	192.168.2.4
Jan 10, 2025 23:21:37.456161022 CET	49731	443	192.168.2.4	104.21.64.1
Jan 10, 2025 23:21:37.461807966 CET	49731	443	192.168.2.4	104.21.64.1
Jan 10, 2025 23:21:37.503336906 CET	443	49731	104.21.64.1	192.168.2.4
Jan 10, 2025 23:21:37.971224070 CET	443	49731	104.21.64.1	192.168.2.4
Jan 10, 2025 23:21:37.971297026 CET	443	49731	104.21.64.1	192.168.2.4
Jan 10, 2025 23:21:37.971347094 CET	49731	443	192.168.2.4	104.21.64.1
Jan 10, 2025 23:21:37.976946115 CET	49731	443	192.168.2.4	104.21.64.1
Jan 10, 2025 23:21:50.838907003 CET	49738	80	192.168.2.4	158.101.44.242
Jan 10, 2025 23:21:50.843781948 CET	80	49738	158.101.44.242	192.168.2.4
Jan 10, 2025 23:21:50.843894958 CET	49738	80	192.168.2.4	158.101.44.242
Jan 10, 2025 23:21:50.844135046 CET	49738	80	192.168.2.4	158.101.44.242
Jan 10, 2025 23:21:50.848942995 CET	80	49738	158.101.44.242	192.168.2.4
Jan 10, 2025 23:21:52.556233883 CET	80	49738	158.101.44.242	192.168.2.4
Jan 10, 2025 23:21:52.570251942 CET	49738	80	192.168.2.4	158.101.44.242
Jan 10, 2025 23:21:52.575067043 CET	80	49738	158.101.44.242	192.168.2.4
Jan 10, 2025 23:21:53.888145924 CET	80	49738	158.101.44.242	192.168.2.4
Jan 10, 2025 23:21:53.890830994 CET	49739	443	192.168.2.4	104.21.64.1
Jan 10, 2025 23:21:53.890871048 CET	443	49739	104.21.64.1	192.168.2.4
Jan 10, 2025 23:21:53.890969992 CET	49739	443	192.168.2.4	104.21.64.1
Jan 10, 2025 23:21:53.895962954 CET	49739	443	192.168.2.4	104.21.64.1
Jan 10, 2025 23:21:53.895978928 CET	443	49739	104.21.64.1	192.168.2.4
Jan 10, 2025 23:21:53.940627098 CET	49738	80	192.168.2.4	158.101.44.242
Jan 10, 2025 23:21:54.443569899 CET	443	49739	104.21.64.1	192.168.2.4
Jan 10, 2025 23:21:54.443727970 CET	49739	443	192.168.2.4	104.21.64.1
Jan 10, 2025 23:21:54.445404053 CET	49739	443	192.168.2.4	104.21.64.1
Jan 10, 2025 23:21:54.445411921 CET	443	49739	104.21.64.1	192.168.2.4
Jan 10, 2025 23:21:54.445736885 CET	443	49739	104.21.64.1	192.168.2.4
Jan 10, 2025 23:21:54.487624884 CET	49739	443	192.168.2.4	104.21.64.1
Jan 10, 2025 23:21:54.494364023 CET	49739	443	192.168.2.4	104.21.64.1
Jan 10, 2025 23:21:54.539326906 CET	443	49739	104.21.64.1	192.168.2.4
Jan 10, 2025 23:21:54.873209953 CET	443	49739	104.21.64.1	192.168.2.4
Jan 10, 2025 23:21:54.873272896 CET	443	49739	104.21.64.1	192.168.2.4
Jan 10, 2025 23:21:54.873414040 CET	49739	443	192.168.2.4	104.21.64.1
Jan 10, 2025 23:21:54.876235962 CET	49739	443	192.168.2.4	104.21.64.1
Jan 10, 2025 23:22:41.894994020 CET	80	49730	158.101.44.242	192.168.2.4
Jan 10, 2025 23:22:41.896588087 CET	49730	80	192.168.2.4	158.101.44.242
Jan 10, 2025 23:22:58.887728930 CET	80	49738	158.101.44.242	192.168.2.4
Jan 10, 2025 23:22:58.887897015 CET	49738	80	192.168.2.4	158.101.44.242
Jan 10, 2025 23:23:16.909914970 CET	49730	80	192.168.2.4	158.101.44.242
Jan 10, 2025 23:23:16.914740086 CET	80	49730	158.101.44.242	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 23:21:34.137152910 CET	65418	53	192.168.2.4	1.1.1.1
Jan 10, 2025 23:21:34.144613028 CET	53	65418	1.1.1.1	192.168.2.4
Jan 10, 2025 23:21:36.915632963 CET	52094	53	192.168.2.4	1.1.1.1
Jan 10, 2025 23:21:36.922823906 CET	53	52094	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 23:21:34.137152910 CET	192.168.2.4	1.1.1.1	0xa12e	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:21:36.915632963 CET	192.168.2.4	1.1.1.1	0x64a2	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 23:21:34.144613028 CET	1.1.1.1	192.168.2.4	0xa12e	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 23:21:34.144613028 CET	1.1.1.1	192.168.2.4	0xa12e	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:21:34.144613028 CET	1.1.1.1	192.168.2.4	0xa12e	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:21:34.144613028 CET	1.1.1.1	192.168.2.4	0xa12e	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:21:34.144613028 CET	1.1.1.1	192.168.2.4	0xa12e	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:21:34.144613028 CET	1.1.1.1	192.168.2.4	0xa12e	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:21:36.922823906 CET	1.1.1.1	192.168.2.4	0x64a2	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:21:36.922823906 CET	1.1.1.1	192.168.2.4	0x64a2	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:21:36.922823906 CET	1.1.1.1	192.168.2.4	0x64a2	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:21:36.922823906 CET	1.1.1.1	192.168.2.4	0x64a2	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:21:36.922823906 CET	1.1.1.1	192.168.2.4	0x64a2	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:21:36.922823906 CET	1.1.1.1	192.168.2.4	0x64a2	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:21:36.922823906 CET	1.1.1.1	192.168.2.4	0x64a2	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	158.101.44.242	80	6244	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:21:34.156653881 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 23:21:35.722213030 CET	730	IN	HTTP/1.1 502 Bad Gateway Date: Fri, 10 Jan 2025 22:21:35 GMT Content-Type: text/html Content-Length: 547 Connection: keep-alive X-Request-ID: 59b1dfabcf3cf5b463ddecab4fa6a939 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 [TRUNCATED] Data Ascii: <html><head><title>502 Bad Gateway</title></head><body><center><h1>502 Bad Gateway</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Jan 10, 2025 23:21:35.741122007 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 23:21:36.895042896 CET	730	IN	HTTP/1.1 502 Bad Gateway Date: Fri, 10 Jan 2025 22:21:36 GMT Content-Type: text/html Content-Length: 547 Connection: keep-alive X-Request-ID: 09a5415d05da06cb6bd58ed50d92c33c Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 [TRUNCATED] Data Ascii: <html><head><title>502 Bad Gateway</title></head><body><center><h1>502 Bad Gateway</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49738	158.101.44.242	80	5828	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:21:50.844135046 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 23:21:52.556233883 CET	730	IN	HTTP/1.1 502 Bad Gateway Date: Fri, 10 Jan 2025 22:21:52 GMT Content-Type: text/html Content-Length: 547 Connection: keep-alive X-Request-ID: c49d848e6f68474dc47b78e78e8bfdda Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 [TRUNCATED] Data Ascii: <html><head><title>502 Bad Gateway</title></head><body><center><h1>502 Bad Gateway</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Jan 10, 2025 23:21:52.570251942 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 23:21:53.888145924 CET	730	IN	HTTP/1.1 502 Bad Gateway Date: Fri, 10 Jan 2025 22:21:53 GMT Content-Type: text/html Content-Length: 547 Connection: keep-alive X-Request-ID: 2ffccf6373ba7abe15655e8af2d0c350 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 [TRUNCATED] Data Ascii: <html><head><title>502 Bad Gateway</title></head><body><center><h1>502 Bad Gateway</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	104.21.64.1	443	6244	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 22:21:37 UTC	73	OUT	GET /xml/ HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 22:21:37 UTC	766	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:21:37 GMT Content-Type: text/xml Content-Length: 362 Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=m087lmh8feFnJ1%2Fxi2EKQI8PGCItqXWPG8FuDo5En6FdHrgWzbisiHt8yM7QOxGYg6pbSLLkaphl0iSv6wtGjo3u%2BnS8HDfEPKUQ7jJqG23VQz9G%2BpU4uZOptiwKQJaeWWSWM1LZ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90000fa57a857c6a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1948&min_rtt=1941&rtt_var=743&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2847&recv_bytes=687&delivery_rate=1457813&cwnd=218&unsent_bytes=0&cid=87b537a66ec930fd&ts=578&x=0"
2025-01-10 22:21:37 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49739	104.21.64.1	443	5828	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 22:21:54 UTC	73	OUT	GET /xml/ HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 22:21:54 UTC	766	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:21:54 GMT Content-Type: text/xml Content-Length: 362 Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8A9UcMcX1j916VdtqPN8D3RIzC2peeWy2fUYd7eMwUlRDg01oxlUlNc%2FemjzoUltL%2BoSbiKpCcJlKxtKHJopXkycrDhETO54wWzyeQjasKB592vFwAzsW9Nm8mygD2yKupOB6YTM"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900010107dc14414-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=12121&min_rtt=10487&rtt_var=7202&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=687&delivery_rate=123917&cwnd=180&unsent_bytes=0&cid=050347a00ff253ca&ts=375&x=0"
2025-01-10 22:21:54 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	0
Start time:	17:21:27
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\PK5pHX4Gu5.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PK5pHX4Gu5.exe"
Imagebase:	0x360000
File size:	983'552 bytes
MD5 hash:	C56387AA015A4B10FCAE5750940804F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	17:21:30
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Local\biopsies\palladiums.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PK5pHX4Gu5.exe"
Imagebase:	0x8b0000
File size:	983'552 bytes
MD5 hash:	C56387AA015A4B10FCAE5750940804F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000001.00000002.1865151003.0000000001F50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.1865151003.0000000001F50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000002.1865151003.0000000001F50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000001.00000002.1865151003.0000000001F50000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000001.00000002.1865151003.0000000001F50000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 87%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	17:21:33
Start date:	10/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PK5pHX4Gu5.exe"
Imagebase:	0x370000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3054315301.00000000028F6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000002.00000002.3052022073.0000000000743000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.3052022073.0000000000743000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	17:21:45
Start date:	10/01/2025
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\palladiums.vbs"
Imagebase:	0x7ff7f9920000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	17:21:45
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Local\biopsies\palladiums.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\biopsies\palladiums.exe"
Imagebase:	0x8b0000
File size:	983'552 bytes
MD5 hash:	C56387AA015A4B10FCAE5750940804F0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000007.00000002.2033313050.0000000001D80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2033313050.0000000001D80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000007.00000002.2033313050.0000000001D80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000007.00000002.2033313050.0000000001D80000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000007.00000002.2033313050.0000000001D80000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	17:21:49
Start date:	10/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\biopsies\palladiums.exe"
Imagebase:	0xa00000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.3053661404.0000000002DB8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.7%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	6.5%
Total number of Nodes:	2000
Total number of Limit Nodes:	58

Executed Functions

Function 00363B3A Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00363B68
IsDebuggerPresent.KERNEL32 ref: 00363B7A
GetFullPathNameW.KERNEL32(00007FFF,?,?,004252F8,004252E0,?,?), ref: 00363BEB

Part of subcall function 00367BCC: _memmove.LIBCMT ref: 00367C06

Part of subcall function 0037092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00363C14,004252F8,?,?,?), ref: 0037096E

SetCurrentDirectoryW.KERNEL32(?), ref: 00363C6F
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00417770,00000010), ref: 0039D281
SetCurrentDirectoryW.KERNEL32(?,004252F8,?,?,?), ref: 0039D2B9
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00414260,004252F8,?,?,?), ref: 0039D33F
ShellExecuteW.SHELL32(00000000,?,?), ref: 0039D346

Part of subcall function 00363A46: GetSysColorBrush.USER32(0000000F), ref: 00363A50
Part of subcall function 00363A46: LoadCursorW.USER32(00000000,00007F00), ref: 00363A5F
Part of subcall function 00363A46: LoadIconW.USER32(00000063), ref: 00363A76
Part of subcall function 00363A46: LoadIconW.USER32(000000A4), ref: 00363A88
Part of subcall function 00363A46: LoadIconW.USER32(000000A2), ref: 00363A9A
Part of subcall function 00363A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00363AC0
Part of subcall function 00363A46: RegisterClassExW.USER32(?), ref: 00363B16

Part of subcall function 003639D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00363A03
Part of subcall function 003639D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00363A24
Part of subcall function 003639D5: ShowWindow.USER32(00000000,?,?), ref: 00363A38
Part of subcall function 003639D5: ShowWindow.USER32(00000000,?,?), ref: 00363A41

Part of subcall function 0036434A: _memset.LIBCMT ref: 00364370
Part of subcall function 0036434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00364415

Strings

This is a third-party compiled AutoIt script., xrefs: 0039D279
%?, xrefs: 00363C44
runas, xrefs: 0039D33A

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas$%?
API String ID: 529118366-505933256
Opcode ID: 964ed0258bf669d27132c26e2bcea4c9b22323f0dd5e5bca200027297c424831
Instruction ID: 84c90862d69b1908313bcc720b2043c86ee5caf731bdb4c51ecfe2706ff1c8f0
Opcode Fuzzy Hash: 964ed0258bf669d27132c26e2bcea4c9b22323f0dd5e5bca200027297c424831
Instruction Fuzzy Hash: B5510730A08148EECF23EBB4EC46AFD7B78AB45300F90C1A5F451AA1E5CBB45642CB34

Function 003649A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 003649CD

Part of subcall function 00367BCC: _memmove.LIBCMT ref: 00367C06

GetCurrentProcess.KERNEL32(?,003EFAEC,00000000,00000000,?), ref: 00364A9A
IsWow64Process.KERNEL32(00000000), ref: 00364AA1
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00364AE7
FreeLibrary.KERNEL32(00000000), ref: 00364AF2
GetSystemInfo.KERNEL32(00000000), ref: 00364B23
GetSystemInfo.KERNEL32(00000000), ref: 00364B2F

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 0e55340853a1fd778bb37495be33eba950969f65477e9539c70b63723ec7689c
Instruction ID: f70a066286bf5b8991631b3e79af4961e3aaf7cfa638d73ce7166b51439a9d26
Opcode Fuzzy Hash: 0e55340853a1fd778bb37495be33eba950969f65477e9539c70b63723ec7689c
Instruction Fuzzy Hash: BD91C63198D7C4DECB33DBA8C5511AAFFF5AF2A300B448AADD0CB97A45D220E548C759

Function 00364E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00364D8E,?,?,00000000,00000000), ref: 00364E99
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00364D8E,?,?,00000000,00000000), ref: 00364EB0
LoadResource.KERNEL32(?,00000000,?,?,00364D8E,?,?,00000000,00000000,?,?,?,?,?,?,00364E2F), ref: 0039D937
SizeofResource.KERNEL32(?,00000000,?,?,00364D8E,?,?,00000000,00000000,?,?,?,?,?,?,00364E2F), ref: 0039D94C
LockResource.KERNEL32(00364D8E,?,?,00364D8E,?,?,00000000,00000000,?,?,?,?,?,?,00364E2F,00000000), ref: 0039D95F

Strings

SCRIPT, xrefs: 00364EA6

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 5b294fb96a21861bea3ffca30c2a32277d80edf9c0433ad420f7309238a43f3d
Instruction ID: 49d91c74f0c587d362949b36e1b0b018ed2ebd59c3986e4b33397a42596ecd6f
Opcode Fuzzy Hash: 5b294fb96a21861bea3ffca30c2a32277d80edf9c0433ad420f7309238a43f3d
Instruction Fuzzy Hash: 37115175640741BFD7228B65EC48F677BBDFBC6711F108668F5159A190DBA1EC008660

Function 0036FCE0 Relevance: 9.8, APIs: 3, Strings: 2, Instructions: 1040COMMON

Download Yara Rule

Strings

pbB, xrefs: 003A49B9
%?, xrefs: 0036FCF3

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: BuffCharUpper
String ID: pbB$%?
API String ID: 3964851224-3075198358
Opcode ID: e5802990cc31714cb601eedacf7589ccf3178dec13e80c489b258cba855280f2
Instruction ID: 5b63de59d6533bafd43b3b7282b03c8ca80ff3849b0f20d53225f72840a14503
Opcode Fuzzy Hash: e5802990cc31714cb601eedacf7589ccf3178dec13e80c489b258cba855280f2
Instruction Fuzzy Hash: 73927874608341CFD726DF24C480B2AB7E4FF89304F15896DE89A9B262D775EC45CB92

Function 0036E6A0 Relevance: 7.4, Strings: 5, Instructions: 1102COMMON

Download Yara Rule

Strings

DdB, xrefs: 003A3B2E
DdB, xrefs: 003A3AF5
DdB, xrefs: 0036EABA
DdB, xrefs: 0036EAC1
Variable must be of type 'Object'., xrefs: 003A3E62

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID:
String ID: DdB$DdB$DdB$DdB$Variable must be of type 'Object'.
API String ID: 0-4073077587
Opcode ID: 1c120a2b9218d6465b729fbbd89b4061b218aa6a68c4d08fc97a75122ffe17b6
Instruction ID: 324cfab5ffee2a3f24db67aa02fc8c37d1779d7524ce526840952430082b1250
Opcode Fuzzy Hash: 1c120a2b9218d6465b729fbbd89b4061b218aa6a68c4d08fc97a75122ffe17b6
Instruction Fuzzy Hash: 3CA2C178A00215CFCB26CF98C480AAEB7B5FF59310F65C069E805AB359D775ED4ACB90

Function 003C445A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,0039E398), ref: 003C446A
FindFirstFileW.KERNELBASE(?,?), ref: 003C447B
FindClose.KERNEL32(00000000), ref: 003C448B

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: e24e9fd7f7d2c90a20565f91a74e2ace94db03e9a983ab80c05e88bd6d497b18
Instruction ID: 260b61b3aa551640694d1690b2e11948ab01f506d4f047667f99b47802ec9c9e
Opcode Fuzzy Hash: e24e9fd7f7d2c90a20565f91a74e2ace94db03e9a983ab80c05e88bd6d497b18
Instruction Fuzzy Hash: BAE0D8378145406B82256B38EC4DAE9775C9F05335F204B19F935C50D0E7B49D009695

Function 003709D0 Relevance: 64.3, APIs: 27, Strings: 9, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00370A5B
timeGetTime.WINMM ref: 00370D16
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00370E53
Sleep.KERNEL32(0000000A), ref: 00370E61
LockWindowUpdate.USER32(00000000,?,?), ref: 00370EFA
DestroyWindow.USER32 ref: 00370F06
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00370F20
Sleep.KERNEL32(0000000A,?,?), ref: 003A4E83
TranslateMessage.USER32(?), ref: 003A5C60
DispatchMessageW.USER32(?), ref: 003A5C6E
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 003A5C82

Strings

@GUI_WINHANDLE, xrefs: 003A4F8F
@COM_EVENTOBJ, xrefs: 003A54F0
@GUI_CTRLHANDLE, xrefs: 003A4FE4
pbB, xrefs: 003A5003
pbB, xrefs: 003A4F59
pbB, xrefs: 003A57B4
pbB, xrefs: 003A4FAE
@TRAY_ID, xrefs: 003A578F
@GUI_CTRLID, xrefs: 003A4F3A

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pbB$pbB$pbB$pbB
API String ID: 4212290369-707248984
Opcode ID: 3827fb57e05187f1ce7d4a7fc9a70bb43e6a6d5f420e9d6ef8f91f72245fc44d
Instruction ID: 4652b29cb5ca71d7e33490bae53b8fbf11b6f7bd20c2cfa66235d067333820af
Opcode Fuzzy Hash: 3827fb57e05187f1ce7d4a7fc9a70bb43e6a6d5f420e9d6ef8f91f72245fc44d
Instruction Fuzzy Hash: 17B2C070608741DFD73ADF24C884BAAB7E4FF86304F15891DE4999B2A1CB75E844CB92

Function 003C9155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 003C8F5F: __time64.LIBCMT ref: 003C8F69

Part of subcall function 00364EE5: _fseek.LIBCMT ref: 00364EFD

__wsplitpath.LIBCMT ref: 003C9234

Part of subcall function 003840FB: __wsplitpath_helper.LIBCMT ref: 0038413B

_wcscpy.LIBCMT ref: 003C9247
_wcscat.LIBCMT ref: 003C925A
__wsplitpath.LIBCMT ref: 003C927F
_wcscat.LIBCMT ref: 003C9295
_wcscat.LIBCMT ref: 003C92A8

Part of subcall function 003C8FA5: _memmove.LIBCMT ref: 003C8FDE
Part of subcall function 003C8FA5: _memmove.LIBCMT ref: 003C8FED

_wcscmp.LIBCMT ref: 003C91EF

Part of subcall function 003C9734: _wcscmp.LIBCMT ref: 003C9824
Part of subcall function 003C9734: _wcscmp.LIBCMT ref: 003C9837

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 003C9452
_wcsncpy.LIBCMT ref: 003C94C5
DeleteFileW.KERNEL32(?,?), ref: 003C94FB
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 003C9511
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 003C9522
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 003C9534

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: c6affcb70e152318ab35bc8c2ac3ded48c1f940e28e436eace4c6a5a1bdeade9
Instruction ID: 9b156f3ba1a701b30a30a6a832e40f11cf0e5b6184617a5f3fb643c380d86c45
Opcode Fuzzy Hash: c6affcb70e152318ab35bc8c2ac3ded48c1f940e28e436eace4c6a5a1bdeade9
Instruction Fuzzy Hash: 32C12AB1D00219AADF22DF95CC85FDEBBBDAF45310F0044AAF609EA151DB309E448F65

Function 0036301C Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00363074
RegisterClassExW.USER32(00000030), ref: 0036309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 003630AF
InitCommonControlsEx.COMCTL32(?), ref: 003630CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 003630DC
LoadIconW.USER32(000000A9), ref: 003630F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00363101

Strings

TaskbarCreated, xrefs: 003630A4
AutoIt v3 GUI, xrefs: 00363090
+, xrefs: 0036305D
0, xrefs: 00363056

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 8001da4f566df5225480be6b25409729359a940a66bc5266e7201cd2061d65e8
Instruction ID: 143c8d3253955d3489b7f89cb32abd473717c9681cbb89b4750b18f213aa4bf6
Opcode Fuzzy Hash: 8001da4f566df5225480be6b25409729359a940a66bc5266e7201cd2061d65e8
Instruction Fuzzy Hash: ED3149B1940349EFDB619FA4D885AD9BBF4FB09310F10426AE580EA2A0D3F50596CF64

Function 00363041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00363074
RegisterClassExW.USER32(00000030), ref: 0036309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 003630AF
InitCommonControlsEx.COMCTL32(?), ref: 003630CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 003630DC
LoadIconW.USER32(000000A9), ref: 003630F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00363101

Strings

TaskbarCreated, xrefs: 003630A4
AutoIt v3 GUI, xrefs: 00363090
+, xrefs: 0036305D
0, xrefs: 00363056

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 215e3f0e4bdfbbee28bb5a7d3f92d6d167f2be96984b9af3cbb2d19bf124e276
Instruction ID: a83a36bf51d28092fd6566a0540cdcc40262a56a6003091d2b2b91a10404afca
Opcode Fuzzy Hash: 215e3f0e4bdfbbee28bb5a7d3f92d6d167f2be96984b9af3cbb2d19bf124e276
Instruction Fuzzy Hash: AB21FCB1A01258EFDB21DF94EC88BDD7BF8FB08710F00422AF510AA2A0D7F145558F95

Function 0036708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00364706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,004252F8,?,003637AE,?), ref: 00364724

Part of subcall function 0038050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00367165), ref: 0038052D

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 003671A8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0039E8C8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0039E909
RegCloseKey.ADVAPI32(?), ref: 0039E947
_wcscat.LIBCMT ref: 0039E9A0

Strings

\, xrefs: 0039E9C3
Software\AutoIt v3\AutoIt, xrefs: 0036719E
Include, xrefs: 0039E8BF, 0039E900
\Include\, xrefs: 00367165

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 61d21ef27f728b548190f9d8f8ebdb419970254fcf7f90422297d55049abfecf
Instruction ID: 465104c37e8d7e4eedc0f4df5c775388c764b367aeb8a2f414afa7b227ff04b5
Opcode Fuzzy Hash: 61d21ef27f728b548190f9d8f8ebdb419970254fcf7f90422297d55049abfecf
Instruction Fuzzy Hash: 04719E71608301DEC716EF25E8819ABBBE8FF84310F81497EF4458B1A0EB709949CB66

Function 00363633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 003636D2
KillTimer.USER32(?,00000001), ref: 003636FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0036371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0036372A
CreatePopupMenu.USER32 ref: 0036373E
PostQuitMessage.USER32(00000000), ref: 0036374D

Strings

TaskbarCreated, xrefs: 00363725
%?, xrefs: 0039D081, 0039D0CF

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated$%?
API String ID: 129472671-4267315211
Opcode ID: 35ae6c5a70dd0119b869c6814ee630708d04a03d98cc6c36d59ef27dca5c6525
Instruction ID: 849c0b9f61bea13db480f04c8b2583559200590866e0c977d6d6ba67b42f44ed
Opcode Fuzzy Hash: 35ae6c5a70dd0119b869c6814ee630708d04a03d98cc6c36d59ef27dca5c6525
Instruction Fuzzy Hash: 3A4146B2300545BBDF336F28EC8AB793B58EB01300F948135F5029A2E9CAB49E519779

Function 00363A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00363A50
LoadCursorW.USER32(00000000,00007F00), ref: 00363A5F
LoadIconW.USER32(00000063), ref: 00363A76
LoadIconW.USER32(000000A4), ref: 00363A88
LoadIconW.USER32(000000A2), ref: 00363A9A
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00363AC0
RegisterClassExW.USER32(?), ref: 00363B16

Part of subcall function 00363041: GetSysColorBrush.USER32(0000000F), ref: 00363074
Part of subcall function 00363041: RegisterClassExW.USER32(00000030), ref: 0036309E
Part of subcall function 00363041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 003630AF
Part of subcall function 00363041: InitCommonControlsEx.COMCTL32(?), ref: 003630CC
Part of subcall function 00363041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 003630DC
Part of subcall function 00363041: LoadIconW.USER32(000000A9), ref: 003630F2
Part of subcall function 00363041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00363101

Strings

AutoIt v3, xrefs: 00363B05
0, xrefs: 00363AF4
#, xrefs: 00363AFB

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 81734d4539b8539e1245788b4183dd7031fac49495a022f2aae86bc3c8aad939
Instruction ID: fc92b9fb9fcbad9a3aa38efdc8146e895de4a2c62bbea1524ffcbc1025864964
Opcode Fuzzy Hash: 81734d4539b8539e1245788b4183dd7031fac49495a022f2aae86bc3c8aad939
Instruction Fuzzy Hash: CC215E74E00304EFEB21DFA4EC49BAD7BB4FB08711F4041AAF500AA2E1D3B556518FA8

Function 00363766 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/AutoIt3ExecuteLine, xrefs: 003638A7
RB, xrefs: 0039D213
CMDLINE, xrefs: 00363822
/AutoIt3OutputDebug, xrefs: 00363892
/AutoIt3ExecuteScript, xrefs: 003638BC
CMDLINERAW, xrefs: 003637FB
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 003637AE
/ErrorStdOut, xrefs: 0036387D

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$RB
API String ID: 1825951767-219029296
Opcode ID: f3b77fa271eb0b8e97b79a39e1e8e97f552672097d59e78744a7ea594e833944
Instruction ID: 0ed538ab04a73d891072ce89ba2e00ca2a7276d2f0c7ef3855ae583cb57c9ad9
Opcode Fuzzy Hash: f3b77fa271eb0b8e97b79a39e1e8e97f552672097d59e78744a7ea594e833944
Instruction Fuzzy Hash: F5A16E7290022D9ACF16EBA0DC95AFEB778BF15310F40852AF415BB195DF745A08CB60

Function 0036F76F Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00380162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00380193
Part of subcall function 00380162: MapVirtualKeyW.USER32(00000010,00000000), ref: 0038019B
Part of subcall function 00380162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 003801A6
Part of subcall function 00380162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 003801B1
Part of subcall function 00380162: MapVirtualKeyW.USER32(00000011,00000000), ref: 003801B9
Part of subcall function 00380162: MapVirtualKeyW.USER32(00000012,00000000), ref: 003801C1

Part of subcall function 003760F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0036F930), ref: 00376154

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0036F9CD
OleInitialize.OLE32(00000000), ref: 0036FA4A
CloseHandle.KERNEL32(00000000), ref: 003A45C8

Strings

SB, xrefs: 0036F7EB
%?, xrefs: 0036F796, 0036F7A8, 0036F96E, 0036FA51
<WB, xrefs: 0036F930
\TB, xrefs: 0036F7F7

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: <WB$\TB$%?$SB
API String ID: 1986988660-697478888
Opcode ID: c0caf8b01a9fcb540e58e6578fc6754caaf72064133d6dfa544f67a887c019db
Instruction ID: 4c7b18dc296dc458e6f460f84dc2938dd7c0807612e78b3ab77756d5284a18e7
Opcode Fuzzy Hash: c0caf8b01a9fcb540e58e6578fc6754caaf72064133d6dfa544f67a887c019db
Instruction Fuzzy Hash: 5D81ADB0B01A40DFC3A5EF29B945729BBE5FB983167D0813AD418CB261EBB44586CF19

Function 0115D8A8 Relevance: 10.7, APIs: 7, Instructions: 151
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0115D8ED

Memory Dump Source

Source File: 00000000.00000002.1833445647.000000000115C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0115C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_115c000_PK5pHX4Gu5.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction ID: ca238c44ad864e5a991d5eda1a42083ff7cdacd444e6a4129cd74601471d2ba1
Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction Fuzzy Hash: F751F375A50208FBEF64DFE4DC49FEE77B8AB48700F108554FA1AEA180DB749A44CB60

Function 003639D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00363A03
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00363A24
ShowWindow.USER32(00000000,?,?), ref: 00363A38
ShowWindow.USER32(00000000,?,?), ref: 00363A41

Strings

edit, xrefs: 00363A1E
AutoIt v3, xrefs: 003639FB, 00363A00, 00363A01

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 910183feb34e7371dfe001fa80f7bc9c2bc65a5129808d8a47ba5aaafd423469
Instruction ID: 49c78bc4eec7e1a72a358853faa8de252a036114c085a0840924e96ff3abe3c7
Opcode Fuzzy Hash: 910183feb34e7371dfe001fa80f7bc9c2bc65a5129808d8a47ba5aaafd423469
Instruction Fuzzy Hash: 7FF03A706002A0BEEA3157236C48E7B2E7DD7C6F60F4001BAB900E61F0C2B10842CEB4

Function 0036407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0039D3D7

Part of subcall function 00367BCC: _memmove.LIBCMT ref: 00367C06

_memset.LIBCMT ref: 003640FC
_wcscpy.LIBCMT ref: 00364150
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00364160

Strings

Line: , xrefs: 0039D400

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: 0b4f1cbb18cfb767acc37d2d5100307916a8bf49bc581853fb8807a7d08009b0
Instruction ID: bce2b2df68524a99e2d837ed313c8577dff3934343ac58e7f738685b585ddc33
Opcode Fuzzy Hash: 0b4f1cbb18cfb767acc37d2d5100307916a8bf49bc581853fb8807a7d08009b0
Instruction Fuzzy Hash: A831D031508304AFD732EB60DC46FEB77DCAF44304F50862AF5858A0E5DB709648CBA6

Function 0038541D Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 0038547B
_memcpy_s.LIBCMT ref: 003854ED
__read_nolock.LIBCMT ref: 0038554B
__filbuf.LIBCMT ref: 0038556E
_memset.LIBCMT ref: 003855B2

Part of subcall function 00388B28: __getptd_noexit.LIBCMT ref: 00388B28

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction ID: 8f25456cb4f95a7e602415a32a972dabac365bfbc413d7dc428e341e0b819b97
Opcode Fuzzy Hash: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction Fuzzy Hash: C651D731A00B05DBDF27AF79D84066E77A6AF41321F2587A9F836972D0D770DE948B40

Function 0036686A Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00364DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,004252F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00364E0F

_free.LIBCMT ref: 0039E263
_free.LIBCMT ref: 0039E2AA

Part of subcall function 00366A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00366BAD

Strings

Bad directive syntax error, xrefs: 0039E292
>>>AUTOIT SCRIPT<<<, xrefs: 0039E039

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: a4ab1d9f1c127d2060d4cbbb9bdb41779367bee458de0aaca5e4e6d85d31df58
Instruction ID: 246b9f00fd833590f6fd5535fa127cdf5788c2ef8c58c58bc2282e0fb0909f3b
Opcode Fuzzy Hash: a4ab1d9f1c127d2060d4cbbb9bdb41779367bee458de0aaca5e4e6d85d31df58
Instruction Fuzzy Hash: 6F917D71910219AFCF06EFA4CC919EEB7B8FF18314F10856AF815AB2A1DB71AD05CB50

Function 0115F368 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 144fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0115F258: Sleep.KERNELBASE(000001F4), ref: 0115F269

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0115F46F

Strings

APQXER6ZYT3KFG, xrefs: 0115F4EF, 0115F4F2

Memory Dump Source

Source File: 00000000.00000002.1833445647.000000000115C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0115C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_115c000_PK5pHX4Gu5.jbxd

Similarity

API ID: CreateFileSleep
String ID: APQXER6ZYT3KFG
API String ID: 2694422964-3083600590
Opcode ID: cfd5b1c74b212ee10e6d893d4aca29ce2758dd9271947f5ca1603855b4decfc0
Instruction ID: 5649ba1405e69d42ed120b6a3f6b0192a93f6c2eb2352a311fd6d117577038c6
Opcode Fuzzy Hash: cfd5b1c74b212ee10e6d893d4aca29ce2758dd9271947f5ca1603855b4decfc0
Instruction Fuzzy Hash: 5951B331D1424ADBEF15DBA4C858BEFBB74AF14304F004199EA18BB2C0D7B94B45CBA6

Function 003635B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,003635A1,SwapMouseButtons,00000004,?), ref: 003635D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,003635A1,SwapMouseButtons,00000004,?,?,?,?,00362754), ref: 003635F5
RegCloseKey.KERNELBASE(00000000,?,?,003635A1,SwapMouseButtons,00000004,?,?,?,?,00362754), ref: 00363617

Strings

Control Panel\Mouse, xrefs: 003635D2

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 0ccbf5a3262365c73b5a93cb7ae379a8b60968733c627cd1418e107059a14b13
Instruction ID: 6bd489419d3c3ed8422cb44f76042b42cbc3a17954c47e9c461e535b5484b183
Opcode Fuzzy Hash: 0ccbf5a3262365c73b5a93cb7ae379a8b60968733c627cd1418e107059a14b13
Instruction Fuzzy Hash: 79115771614218BFDB22CF68DC80EAEBBBCEF04740F018569F805DB214E2719F409BA4

Function 003C955B Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00364EE5: _fseek.LIBCMT ref: 00364EFD

Part of subcall function 003C9734: _wcscmp.LIBCMT ref: 003C9824
Part of subcall function 003C9734: _wcscmp.LIBCMT ref: 003C9837

_free.LIBCMT ref: 003C96A2
_free.LIBCMT ref: 003C96A9
_free.LIBCMT ref: 003C9714

Part of subcall function 00382D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00389A24), ref: 00382D69
Part of subcall function 00382D55: GetLastError.KERNEL32(00000000,?,00389A24), ref: 00382D7B

_free.LIBCMT ref: 003C971C

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 6cef8eb787e4e551deb87a41cfcc5f328edab007a71f9a3129ff1eb0514b26a6
Instruction ID: 1ffa577895b785983435910fbad7f3b613eef6d86ef4971d665a4796a529bb4d
Opcode Fuzzy Hash: 6cef8eb787e4e551deb87a41cfcc5f328edab007a71f9a3129ff1eb0514b26a6
Instruction Fuzzy Hash: 26512BB1D04258AFDF269F64CC85B9EBBB9EF48300F10449EF609AB251DB715E908F58

Function 0038470A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 003847A0
__flush.LIBCMT ref: 003847C0
__write.LIBCMT ref: 003847F3
__flsbuf.LIBCMT ref: 00384821

Part of subcall function 00388B28: __getptd_noexit.LIBCMT ref: 00388B28

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction ID: 5f536ce81fc6121791bbb0591d85efc12f60ed5ab336dc9770998ea1102441e4
Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction Fuzzy Hash: 7B41E634A007479BDF1AEF69C8809AE77A6EF81364B2581BDF825CBE40E771DD408B40

Function 003644A0 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003644CF

Part of subcall function 0036407C: _memset.LIBCMT ref: 003640FC
Part of subcall function 0036407C: _wcscpy.LIBCMT ref: 00364150
Part of subcall function 0036407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00364160

KillTimer.USER32(?,00000001,?,?), ref: 00364524
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00364533
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0039D4B9

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 29f6c9934b97cbdeee32ce41991d4abac0794c391274faabd15cc50227228fa6
Instruction ID: 2a7467fb96c510b4d12e7aa21bf7577e624b485726297da926add9d9a2417aa1
Opcode Fuzzy Hash: 29f6c9934b97cbdeee32ce41991d4abac0794c391274faabd15cc50227228fa6
Instruction Fuzzy Hash: A12107709047849FEB338B25984ABE7BBEC9F02314F04409DE79E5B181C7742A84CB51

Function 00364C70 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00364CBA

Strings

AU3!P/?, xrefs: 00364CB4
EA06, xrefs: 0039D8CC

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: _memmove
String ID: AU3!P/?$EA06
API String ID: 4104443479-2942601680
Opcode ID: 31d9b317360dab12b3405050654d616b6ec0a4650d291c645477cd47371911a1
Instruction ID: 1fd43877a57a9342a21cc5129cc06489106c518e8b3753e7392dd79d5da887e6
Opcode Fuzzy Hash: 31d9b317360dab12b3405050654d616b6ec0a4650d291c645477cd47371911a1
Instruction Fuzzy Hash: 5C414C21E041586BDF239B64C8617BF7FA6DB46300F68C475ED829F28FD6319D4483A1

Function 00367285 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0039EA39
GetOpenFileNameW.COMDLG32(?), ref: 0039EA83

Part of subcall function 00364750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00364743,?,?,003637AE,?), ref: 00364770

Part of subcall function 00380791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 003807B0

Strings

X, xrefs: 0039EA51

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 08e7c50e9c84cc8d975f68b2e12c73088f5e3d4ad25a7e5fc94c340ade763e52
Instruction ID: f05197229de63c03821d0e035311a8b448a0dbf0b19e096cea8beeb08ebf2e9d
Opcode Fuzzy Hash: 08e7c50e9c84cc8d975f68b2e12c73088f5e3d4ad25a7e5fc94c340ade763e52
Instruction Fuzzy Hash: 9D219071A002589BCF52DF94D845BEE7BFCAF49714F00805AE408AB281DBF859898FA1

Function 003C8D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 003C8DAC
__fread_nolock.LIBCMT ref: 003C8DC1

Strings

EA06, xrefs: 003C8DF3

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 0642b7ffbbe8d7b88d3c27e09f9cd8fa87d63be9f0c9b9cacb2a911a052fce78
Instruction ID: 61caae64fed9a80aa9d7746dabc1d65c8d17ec58b317635cd1ea23610cd3bb36
Opcode Fuzzy Hash: 0642b7ffbbe8d7b88d3c27e09f9cd8fa87d63be9f0c9b9cacb2a911a052fce78
Instruction Fuzzy Hash: DF01D6718046186EDB19DBA8C816EEABBF89B11301F00459EF553D6181E974AA088760

Function 0115DF88 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 0115DFCD
ExitProcess.KERNEL32(00000000), ref: 0115DFEC

Strings

D, xrefs: 0115DF99

Memory Dump Source

Source File: 00000000.00000002.1833445647.000000000115C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0115C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_115c000_PK5pHX4Gu5.jbxd

Similarity

API ID: Process$CreateExit
String ID: D
API String ID: 126409537-2746444292
Opcode ID: 03e416529f94357cb7ee45147abf4bf6199a2e9bce9b56f1b6d0fc2bb1e3bcca
Instruction ID: c125cdc10a41eead6873d2b7e25528c24aa64eb589f9e3e652df2249be9cf5d5
Opcode Fuzzy Hash: 03e416529f94357cb7ee45147abf4bf6199a2e9bce9b56f1b6d0fc2bb1e3bcca
Instruction Fuzzy Hash: A2F0EC7154024DABDB64EFE4CC49FEE7778BF04705F408509BA1A9A180DB7496098B61

Function 003C98E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 003C98F8
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 003C990F

Strings

aut, xrefs: 003C9909

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: f37f65b28a0601b194858a0e7bf8f79f55787c39532236dd80b09ae3f5146a08
Instruction ID: 3b4dcdedd6529c0b9b9aafea56993148c35565e92ca5376c7f22f703c5fc3ec7
Opcode Fuzzy Hash: f37f65b28a0601b194858a0e7bf8f79f55787c39532236dd80b09ae3f5146a08
Instruction Fuzzy Hash: 16D05E7954030DAFDB60ABA4DC8EFEA773CE704700F0007B1BB54990E1EBB095988B95

Function 003DCADD Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14fbf2fe84fe281921f9a1b000b6b740320a8d30e4f355b905e3aa24fcb395ab
Instruction ID: 9373082971ecb5d8e4107c82cec66502bd88a02844b64342e3198bf61d4578a5
Opcode Fuzzy Hash: 14fbf2fe84fe281921f9a1b000b6b740320a8d30e4f355b905e3aa24fcb395ab
Instruction Fuzzy Hash: C3F138B16183019FCB15DF28D480A6ABBE9FF89314F15892EF8999B351D730E945CF82

Function 0036434A Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00364370
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00364415
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00364432

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: f9de4c4213b7f5ee76ce85fd8dc61fbd59fe92b651dc7b2b2838cae9be824b04
Instruction ID: d1ff23cb32d91d49ac15ebc27394f24345fe770eff92e1489eb44f25e50bd257
Opcode Fuzzy Hash: f9de4c4213b7f5ee76ce85fd8dc61fbd59fe92b651dc7b2b2838cae9be824b04
Instruction Fuzzy Hash: FF3191B4A04701CFC732DF25D885A9BBBF8FB48309F00493EE59A86291E770A944CB56

Function 0038571C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00385733

Part of subcall function 0038A16B: __NMSG_WRITE.LIBCMT ref: 0038A192
Part of subcall function 0038A16B: __NMSG_WRITE.LIBCMT ref: 0038A19C

__NMSG_WRITE.LIBCMT ref: 0038573A

Part of subcall function 0038A1C8: GetModuleFileNameW.KERNEL32(00000000,004233BA,00000104,?,00000001,00000000), ref: 0038A25A
Part of subcall function 0038A1C8: ___crtMessageBoxW.LIBCMT ref: 0038A308

Part of subcall function 0038309F: ___crtCorExitProcess.LIBCMT ref: 003830A5
Part of subcall function 0038309F: ExitProcess.KERNEL32 ref: 003830AE

Part of subcall function 00388B28: __getptd_noexit.LIBCMT ref: 00388B28

RtlAllocateHeap.NTDLL(010B0000,00000000,00000001,00000000,?,?,?,00380DD3,?), ref: 0038575F

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 32f07cfdee57f52e9792b64e64da774349c5a4c70a40a35a4b6d4488d3bf08ee
Instruction ID: 62a69dcd647fced57177c00f0697de00f798e7739de1bbeb6853785cc8d9e51e
Opcode Fuzzy Hash: 32f07cfdee57f52e9792b64e64da774349c5a4c70a40a35a4b6d4488d3bf08ee
Instruction Fuzzy Hash: C101B175340B01DAE6233B38EC82A2E739C9B82762F6145FAF5059E2C1DFB49C414765

Function 003C98A2 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,003C9548,?,?,?,?,?,00000004), ref: 003C98BB
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,003C9548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 003C98D1
CloseHandle.KERNEL32(00000000,?,003C9548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 003C98D8

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 070aa61eeef2d7fdb7edc87070267b15dc0112d98e2f3a6396458671afe95181
Instruction ID: 6135cbd23bc18e7fe1cd8876873d322a6cf0d9cd3287494e59688c9c177b3d3c
Opcode Fuzzy Hash: 070aa61eeef2d7fdb7edc87070267b15dc0112d98e2f3a6396458671afe95181
Instruction Fuzzy Hash: 29E04F32140218BBDB321B54EC49F9A7B19AB06761F118220FB14A90E087B119119798

Function 003C8D0D Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 003C8D1B

Part of subcall function 00382D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00389A24), ref: 00382D69
Part of subcall function 00382D55: GetLastError.KERNEL32(00000000,?,00389A24), ref: 00382D7B

_free.LIBCMT ref: 003C8D2C
_free.LIBCMT ref: 003C8D3E

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: e92dce40d9500f9ac2a34e83b90a716ef22a9282606ba49fbfd8bfa905bb999e
Instruction ID: f5f8503ce71bb0d127822cfdf3c775b001977c6d61ee6abb72f20e7657a38a92
Opcode Fuzzy Hash: e92dce40d9500f9ac2a34e83b90a716ef22a9282606ba49fbfd8bfa905bb999e
Instruction Fuzzy Hash: DFE012B1601B014ACB26B678AA44F9357EC4F98352715095DB41EDB186CE64FD468324

Function 0036A9C3 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 0039FC01

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 1e8b2e74df76a0c70ccdb740283a84de5b6c1578ee473d07d40769686c512702
Instruction ID: c1594d96c9514b29438dbbf19723f670dd3294be334bf64b5be33c037053a66c
Opcode Fuzzy Hash: 1e8b2e74df76a0c70ccdb740283a84de5b6c1578ee473d07d40769686c512702
Instruction Fuzzy Hash: 44225670508700DFCB26DF24C490A6ABBE5BF85304F15C96DE88A9B666D735EC85CF82

Function 00367A51 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00367AAB
_memmove.LIBCMT ref: 00367B16

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 8787708196ce45b0a8645caae1a99237cce191730ca2271c137f8889e79cc621
Instruction ID: 104a360ddf9b9cecb89ceb5e3ef0003d9ff947073bd2b875999681f6295c7868
Opcode Fuzzy Hash: 8787708196ce45b0a8645caae1a99237cce191730ca2271c137f8889e79cc621
Instruction Fuzzy Hash: 1431D4B1604A06AFC705DF68C8D1E69F3A9FF48324755C629E429CB791EB30E924CB90

Function 003647D0 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00364834

Part of subcall function 0038336C: __lock.LIBCMT ref: 00383372
Part of subcall function 0038336C: DecodePointer.KERNEL32(00000001,?,00364849,003B7C74), ref: 0038337E
Part of subcall function 0038336C: EncodePointer.KERNEL32(?,?,00364849,003B7C74), ref: 00383389

Part of subcall function 003648FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00364915
Part of subcall function 003648FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0036492A

Part of subcall function 00363B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00363B68
Part of subcall function 00363B3A: IsDebuggerPresent.KERNEL32 ref: 00363B7A
Part of subcall function 00363B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,004252F8,004252E0,?,?), ref: 00363BEB
Part of subcall function 00363B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00363C6F

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00364874

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: a3ac00fff01ca316bcc29c4708e9ff73ad8aa5bdfaa4624fb4ddface27b7cf64
Instruction ID: 37539c4cc2624dfb2c6dbd2fc15eeffed4c46528cedee32ec6ea63b875383793
Opcode Fuzzy Hash: a3ac00fff01ca316bcc29c4708e9ff73ad8aa5bdfaa4624fb4ddface27b7cf64
Instruction Fuzzy Hash: 5A118C71A08341DFD711EF28DC4591ABBE8EB85750F50856EF0808B2B1DBB09646CB96

Function 00380DB6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0038571C: __FF_MSGBANNER.LIBCMT ref: 00385733
Part of subcall function 0038571C: __NMSG_WRITE.LIBCMT ref: 0038573A
Part of subcall function 0038571C: RtlAllocateHeap.NTDLL(010B0000,00000000,00000001,00000000,?,?,?,00380DD3,?), ref: 0038575F

std::exception::exception.LIBCMT ref: 00380DEC
__CxxThrowException@8.LIBCMT ref: 00380E01

Part of subcall function 0038859B: RaiseException.KERNEL32(?,?,?,00419E78,00000000,?,?,?,?,00380E06,?,00419E78,?,00000001), ref: 003885F0

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: b6070de7e95b63457384120595cf140ef9454592ca3835305ac027210860dea3
Instruction ID: 318c5d5e731fe41b6fef26192fb0546246f95aa7a1db71706a4fd8d4d9a32628
Opcode Fuzzy Hash: b6070de7e95b63457384120595cf140ef9454592ca3835305ac027210860dea3
Instruction Fuzzy Hash: 34F0F43540031EA6CB17BBA5EC019EF7BAC9F01310F1004A6FD149A281DFB09A8883D1

Function 003855FD Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0038562C
__lock_file.LIBCMT ref: 0038564D

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: d89600ddf13ba1505f345ac0122a483a32a96ad6f9feb33ffc2e47e60855c738
Instruction ID: 2f1674e849230d1bd888d5675c791388c390a4aa5798bcd157eb328a6b866a5b
Opcode Fuzzy Hash: d89600ddf13ba1505f345ac0122a483a32a96ad6f9feb33ffc2e47e60855c738
Instruction Fuzzy Hash: 14018F71801B08ABCF23BF699C0289E7B61AF91362F9541D5F8245E191EB318A61DF91

Function 003853A6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00388B28: __getptd_noexit.LIBCMT ref: 00388B28

__lock_file.LIBCMT ref: 003853EB

Part of subcall function 00386C11: __lock.LIBCMT ref: 00386C34

__fclose_nolock.LIBCMT ref: 003853F6

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 22580836e1cee28497bb39efc7271d78d18f0fd3720244346dc71c0ff3a2b8f1
Instruction ID: a87f1ecb5b7b55af8e1c857d4cd5a220cb19d91c3e6b99c2eea45e993a0708cf
Opcode Fuzzy Hash: 22580836e1cee28497bb39efc7271d78d18f0fd3720244346dc71c0ff3a2b8f1
Instruction Fuzzy Hash: 43F0B431801B049ADB23BF7598067AD7BE06F41375F6582C9E424AF1C1CFFC8A419B52

Function 0115DFF8 Relevance: 1.7, APIs: 1, Instructions: 167COMMON

Download Yara Rule

APIs

Part of subcall function 0115D868: GetFileAttributesW.KERNELBASE(?), ref: 0115D873

CreateDirectoryW.KERNELBASE(?,00000000), ref: 0115E154

Memory Dump Source

Source File: 00000000.00000002.1833445647.000000000115C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0115C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_115c000_PK5pHX4Gu5.jbxd

Similarity

API ID: AttributesCreateDirectoryFile
String ID:
API String ID: 3401506121-0
Opcode ID: 55a19f43cd1a351c94bde36ba588a1f8928a04be560a078e699ab9466f9c802c
Instruction ID: 0016672bb0d9398542b80bfb82cec0970732fc12c15c723364095d5c97db9052
Opcode Fuzzy Hash: 55a19f43cd1a351c94bde36ba588a1f8928a04be560a078e699ab9466f9c802c
Instruction Fuzzy Hash: 06516C31A10209D6EF14DFA0D854BEFB339EF58700F004569EA1DE7290EB759A45CBA6

Function 0036750F Relevance: 1.6, APIs: 1, Instructions: 103COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 003675EA

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: f184b909f5c37eee664cd7acf2c05774b1c81be9277b7e6e3ce7726deba19878
Instruction ID: 8af63cbd7484d13885736e3d4355583b6b61902eaeee911c51bcb53995758e32
Opcode Fuzzy Hash: f184b909f5c37eee664cd7acf2c05774b1c81be9277b7e6e3ce7726deba19878
Instruction Fuzzy Hash: C031B475608A12DFC726EF18C090921F7A4FF0A310755C5ADEA8B8B7A9D730EC51CB84

Function 00380C08 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00380CB7

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 4d7b0a8849ebf0008d9c4bbb4d330e655d8fbd9f62c57faa3419a71fbf22d6f9
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 5131E270A002059FCB9AEF58C494A69F7B6FB49300B2586E5E80ACF751D631EEC5DB80

Function 0039FCAC Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0039FCB7

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 1278f01d2574e2d4fdc738452f7baf278147b03ea4f48bb01117c135eee1e93b
Instruction ID: 2ee5b246e636f77ed7685bf23557f6219090282e0d45dbf482b9ed6a9367c98e
Opcode Fuzzy Hash: 1278f01d2574e2d4fdc738452f7baf278147b03ea4f48bb01117c135eee1e93b
Instruction Fuzzy Hash: 754127745047518FDB26DF24C454B1ABBE0BF45318F09C8ACE89A9B766C732E845CF52

Function 00367B53 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00367BB3

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 6c6500a46772b76bae893456c1ac7a3ccb4a10f7aea5403709b5bda715c2235f
Instruction ID: 9723ef57a606e467007e1a75d087b4233bbe752d0240b076cf5a85b95976760f
Opcode Fuzzy Hash: 6c6500a46772b76bae893456c1ac7a3ccb4a10f7aea5403709b5bda715c2235f
Instruction Fuzzy Hash: 1C213672604B09EBDF169F11F8417AA7BB8FB14350F21C46DE486CA194EB3095D0CB49

Function 00364DDD Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00364BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00364BEF

Part of subcall function 0038525B: __wfsopen.LIBCMT ref: 00385266

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,004252F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00364E0F

Part of subcall function 00364B6A: FreeLibrary.KERNEL32(00000000), ref: 00364BA4

Part of subcall function 00364C70: _memmove.LIBCMT ref: 00364CBA

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: c4ae379b7e5c62f9828c55d32478d81b19e148bf9535258a9638f019abbb8fa3
Instruction ID: fb2d8bf72d85372810e1b8339cb9e3da24de277cfe77e1771f4808bf14f36c04
Opcode Fuzzy Hash: c4ae379b7e5c62f9828c55d32478d81b19e148bf9535258a9638f019abbb8fa3
Instruction Fuzzy Hash: 4211E331A00205ABCF13BF70C816FAD77A8AF44710F10C829F541AF1C5DEB29A009BA1

Function 0039FD85 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 0039FD91

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 8f1239c7572f3cacd7808f59993a474258d89301221991f0f633bf4abc5b4b89
Instruction ID: f7cd2dded75aecf3129e27e4acb6a248c304ababda98aea73f2a880455e7be0d
Opcode Fuzzy Hash: 8f1239c7572f3cacd7808f59993a474258d89301221991f0f633bf4abc5b4b89
Instruction Fuzzy Hash: A2211374908741DFCB26DF64C454A1ABBE4BF88314F05896CF88A9B762D731E809CF92

Function 0038072A Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 003807B0

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: c88b1d45fa533082644f8eec5a8da90621851afedfa5cc1a530cc671d9e8539b
Instruction ID: 933d014c8b5d0bfcb88b19bafd2a9c78d90a05b2f2c92ff0dda46ebec127eadd
Opcode Fuzzy Hash: c88b1d45fa533082644f8eec5a8da90621851afedfa5cc1a530cc671d9e8539b
Instruction Fuzzy Hash: 3E01D671446944AFD712CB24E8C1EF877E8EF86220B1505E6ED48CBC35C62098D8CB91

Function 00384863 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 003848A6

Part of subcall function 00388B28: __getptd_noexit.LIBCMT ref: 00388B28

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 75ef7f13b69a37f5739f69d1e4505f902a8b200fa61a484f09ac1503a6518ff7
Instruction ID: 77f984f156d0bbc1a34e58e5152bdc821f53183d951162d0cb54838bc28d98ea
Opcode Fuzzy Hash: 75ef7f13b69a37f5739f69d1e4505f902a8b200fa61a484f09ac1503a6518ff7
Instruction Fuzzy Hash: 38F0C23190070AEBDF13BFB48C067EE3AA1AF00325F558494F4249E592CB79CA51DF51

Function 00364E4A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,004252F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00364E7E

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: c8211da3005f915916b132b824a403448e220528d0430e2290d176c464f6a8a7
Instruction ID: 1edd2c9a8ad3afe7e143aee22228db0f724ebc5ceceedf6b616bd719dfda4076
Opcode Fuzzy Hash: c8211da3005f915916b132b824a403448e220528d0430e2290d176c464f6a8a7
Instruction Fuzzy Hash: BEF01571901B11CFCB369F64E494812BBE5BF14329321CA7EE1D686A24C7739840DB40

Function 00380791 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 003807B0

Part of subcall function 00367BCC: _memmove.LIBCMT ref: 00367C06

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 4c64a454ed80057744597ffae654d0455b5a149846094e8ba502d7e23e65a2ba
Instruction ID: 863b9c71ffb9d930ee4711c2f0b203e07620095b8c090898e79d59ba1bc8a9d9
Opcode Fuzzy Hash: 4c64a454ed80057744597ffae654d0455b5a149846094e8ba502d7e23e65a2ba
Instruction Fuzzy Hash: BAE0CD369041285BC721D6589C05FFA77DDDF897A0F0442B5FD0CDB248DA609C8086D0

Function 003C8E9F Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 003C8EC1

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction ID: 1ddf51c3d323a8aea9b215c6063c5a13992abcf37d0174f9d996ece5a1dd3435
Opcode Fuzzy Hash: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction Fuzzy Hash: F8E092B0104B005BDB398B24D800BA373E1AB06304F00085DF2AAC3241EF627C41C75D

Function 0115D868 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 0115D873

Memory Dump Source

Source File: 00000000.00000002.1833445647.000000000115C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0115C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_115c000_PK5pHX4Gu5.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction ID: e997a0c359da70159ccb1656b484e23a497ee28fa4698a893e6b169855e69952
Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction Fuzzy Hash: 2DE0EC31915208EBDF9CCBECE905AA977A8AB05320F104A55ED6AC7280E7319A50D755

Function 0115D838 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 0115D843

Memory Dump Source

Source File: 00000000.00000002.1833445647.000000000115C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0115C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_115c000_PK5pHX4Gu5.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction ID: be92a4cd9287b01b5ee61908a2b7dd36a361172e576f7c6b5c7657583af1aec8
Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction Fuzzy Hash: 97D05E3090520CEBCB54CEE8A90499973A8DB05320F408759ED2983280D63199009751

Function 0038525B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00385266

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: a4d3d7d242977b5a8b57a95baa685f8487ac5c22ea5aac9b9a86dafda0d054ca
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: C5B0927644020C77CE022A82EC02A493B299B41764F408060FB0C1C162AA73A6649A89

Function 0115F254 Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 0115F269

Memory Dump Source

Source File: 00000000.00000002.1833445647.000000000115C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0115C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_115c000_PK5pHX4Gu5.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: 65be15634855ef9d4517624080f0c255100f23d47ae8d1a10f0846236f8fd6a5
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: 1BE0BF7494020EEFDB40DFA4D5496DD7BB4EF04301F1006A1FD05D7680DB309E548A62

Function 0115F258 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 0115F269

Memory Dump Source

Source File: 00000000.00000002.1833445647.000000000115C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0115C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_115c000_PK5pHX4Gu5.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 61bcb7c5648ef65203673a922642bc0f9665ee023a247ddf06b7a30e847315d1
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: FBE0E67494020EDFDB40DFB4D54969D7BB4EF04301F100261FD01D2280D7309D508A62

Non-executed Functions

Function 003ECABC Relevance: 75.9, APIs: 40, Strings: 3, Instructions: 632windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00362612: GetWindowLongW.USER32(?,000000EB), ref: 00362623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 003ECB37
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 003ECB95
GetWindowLongW.USER32(?,000000F0), ref: 003ECBD6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 003ECC00
SendMessageW.USER32 ref: 003ECC29
_wcsncpy.LIBCMT ref: 003ECC95
GetKeyState.USER32(00000011), ref: 003ECCB6
GetKeyState.USER32(00000009), ref: 003ECCC3
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 003ECCD9
GetKeyState.USER32(00000010), ref: 003ECCE3
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 003ECD0C
SendMessageW.USER32 ref: 003ECD33
SendMessageW.USER32(?,00001030,?,003EB348), ref: 003ECE37
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 003ECE4D
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 003ECE60
SetCapture.USER32(?), ref: 003ECE69
ClientToScreen.USER32(?,?), ref: 003ECECE
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 003ECEDB
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 003ECEF5
ReleaseCapture.USER32 ref: 003ECF00
GetCursorPos.USER32(?), ref: 003ECF3A
ScreenToClient.USER32(?,?), ref: 003ECF47
SendMessageW.USER32(?,00001012,00000000,?), ref: 003ECFA3
SendMessageW.USER32 ref: 003ECFD1
SendMessageW.USER32(?,00001111,00000000,?), ref: 003ED00E
SendMessageW.USER32 ref: 003ED03D
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 003ED05E
SendMessageW.USER32(?,0000110B,00000009,?), ref: 003ED06D
GetCursorPos.USER32(?), ref: 003ED08D
ScreenToClient.USER32(?,?), ref: 003ED09A
GetParent.USER32(?), ref: 003ED0BA
SendMessageW.USER32(?,00001012,00000000,?), ref: 003ED123
SendMessageW.USER32 ref: 003ED154
ClientToScreen.USER32(?,?), ref: 003ED1B2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 003ED1E2
SendMessageW.USER32(?,00001111,00000000,?), ref: 003ED20C
SendMessageW.USER32 ref: 003ED22F
ClientToScreen.USER32(?,?), ref: 003ED281
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 003ED2B5

Part of subcall function 003625DB: GetWindowLongW.USER32(?,000000EB), ref: 003625EC

GetWindowLongW.USER32(?,000000F0), ref: 003ED351

Strings

pbB, xrefs: 003ECEAF
@GUI_DRAGID, xrefs: 003ECE9C
F, xrefs: 003ED235

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F$pbB
API String ID: 3977979337-2595871605
Opcode ID: 4714859737c231d10407a95a69f7209bff56bb18fe2bedf814b256774a2604d8
Instruction ID: f0f56e86ba83f277df28317c02081c8e4a4f6e27bbde4262c5521dddf4c2a8e3
Opcode Fuzzy Hash: 4714859737c231d10407a95a69f7209bff56bb18fe2bedf814b256774a2604d8
Instruction Fuzzy Hash: 9E42CD342042D1AFDB26DF26C884AAABBE9FF49310F150A29F555CB2F0C771D852DB91

Function 00376F9E Relevance: 55.8, APIs: 19, Strings: 10, Instructions: 5018COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 003771C3
_memset.LIBCMT ref: 00377539
_memmove.LIBCMT ref: 003776AC

Strings

[:>:]], xrefs: 00377492
]A, xrefs: 003B1A22
[:<:]], xrefs: 00377479
\b(?<=\w), xrefs: 003B3773
P\A, xrefs: 003B1AB8
Q\E, xrefs: 00377FCB
_7, xrefs: 003B23CB
3c7, xrefs: 003B23A0
DEFINE, xrefs: 003B2103
\b(?=\w), xrefs: 003B3769

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: _memmove$_memset
String ID: ]A$3c7$DEFINE$P\A$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)$_7
API String ID: 1357608183-3946336730
Opcode ID: 58f90922ac46001c1da9d4a1e1c980be59b8e96707a0f799d06a774d2b12c790
Instruction ID: c404c411815d4621a5abf846e174d230fb8318a6e7c93d6c25fc525735fd8ed9
Opcode Fuzzy Hash: 58f90922ac46001c1da9d4a1e1c980be59b8e96707a0f799d06a774d2b12c790
Instruction Fuzzy Hash: B793B375E00215DBDB26CF58C881BEDB7B1FF48314F25816AEA49EB681E7749E81CB40

Function 003648D7 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 003648DF
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0039D665
IsIconic.USER32(?), ref: 0039D66E
ShowWindow.USER32(?,00000009), ref: 0039D67B
SetForegroundWindow.USER32(?), ref: 0039D685
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0039D69B
GetCurrentThreadId.KERNEL32 ref: 0039D6A2
GetWindowThreadProcessId.USER32(?,00000000), ref: 0039D6AE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0039D6BF
AttachThreadInput.USER32(?,00000000,00000001), ref: 0039D6C7
AttachThreadInput.USER32(00000000,?,00000001), ref: 0039D6CF
SetForegroundWindow.USER32(?), ref: 0039D6D2
MapVirtualKeyW.USER32(00000012,00000000), ref: 0039D6E7
keybd_event.USER32(00000012,00000000), ref: 0039D6F2
MapVirtualKeyW.USER32(00000012,00000000), ref: 0039D6FC
keybd_event.USER32(00000012,00000000), ref: 0039D701
MapVirtualKeyW.USER32(00000012,00000000), ref: 0039D70A
keybd_event.USER32(00000012,00000000), ref: 0039D70F
MapVirtualKeyW.USER32(00000012,00000000), ref: 0039D719
keybd_event.USER32(00000012,00000000), ref: 0039D71E
SetForegroundWindow.USER32(?), ref: 0039D721
AttachThreadInput.USER32(?,?,00000000), ref: 0039D748

Strings

Shell_TrayWnd, xrefs: 0039D660

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 6ced1565e6ff74db442f456c59312e3eaeda79f8dbd524657ed40626fd2a3d9b
Instruction ID: 642f822bd2240e4c38d888727cb78c8fe6e8e9668414d566be5a52567aacc48b
Opcode Fuzzy Hash: 6ced1565e6ff74db442f456c59312e3eaeda79f8dbd524657ed40626fd2a3d9b
Instruction Fuzzy Hash: 91317271A40358BFEF326FA19C8AF7F7E6CEB44B50F114125FA04EA1D1C6B15940AAA0

Function 003B8310 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 003B87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 003B882B
Part of subcall function 003B87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 003B8858
Part of subcall function 003B87E1: GetLastError.KERNEL32 ref: 003B8865

_memset.LIBCMT ref: 003B8353
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 003B83A5
CloseHandle.KERNEL32(?), ref: 003B83B6
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 003B83CD
GetProcessWindowStation.USER32 ref: 003B83E6
SetProcessWindowStation.USER32(00000000), ref: 003B83F0
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 003B840A

Part of subcall function 003B81CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,003B8309), ref: 003B81E0
Part of subcall function 003B81CB: CloseHandle.KERNEL32(?,?,003B8309), ref: 003B81F2

Strings

, xrefs: 003B8362
winsta0, xrefs: 003B83C8
default, xrefs: 003B8405

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: c943a36ed3a07752ead1fbd7ca880a8c928e6450a6b52921f1ac060914ce4c46
Instruction ID: e0db61017c2cecf958ceca90a129d423895ea4c5dbec54a600cb472ed71f79ac
Opcode Fuzzy Hash: c943a36ed3a07752ead1fbd7ca880a8c928e6450a6b52921f1ac060914ce4c46
Instruction Fuzzy Hash: 99817E71900249AFDF22DFA5CC45AEE7BBDFF05308F14416AFA14AA5A1DB718E14DB20

Function 003CC75C Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 003CC78D
FindClose.KERNEL32(00000000), ref: 003CC7E1
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 003CC806
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 003CC81D
FileTimeToSystemTime.KERNEL32(?,?), ref: 003CC844
__swprintf.LIBCMT ref: 003CC890
__swprintf.LIBCMT ref: 003CC8D3

Part of subcall function 00367DE1: _memmove.LIBCMT ref: 00367E22

__swprintf.LIBCMT ref: 003CC927

Part of subcall function 00383698: __woutput_l.LIBCMT ref: 003836F1

__swprintf.LIBCMT ref: 003CC975

Part of subcall function 00383698: __flsbuf.LIBCMT ref: 00383713
Part of subcall function 00383698: __flsbuf.LIBCMT ref: 0038372B

__swprintf.LIBCMT ref: 003CC9C4
__swprintf.LIBCMT ref: 003CCA13
__swprintf.LIBCMT ref: 003CCA62

Strings

%02d, xrefs: 003CC91B, 003CC925, 003CC973, 003CC9C2, 003CCA11, 003CCA60
%4d, xrefs: 003CC8CD
%4d%02d%02d%02d%02d%02d, xrefs: 003CC88A

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 6908b36f0e5886e14179796ef52bb8cdbc2cad817d85b455c86a04d4b348bfaa
Instruction ID: e16c48491cee95dcb14b8ecef6b17fffa87df88b2bc20cacf8227015758be932
Opcode Fuzzy Hash: 6908b36f0e5886e14179796ef52bb8cdbc2cad817d85b455c86a04d4b348bfaa
Instruction Fuzzy Hash: C2A11EB1414344ABC712EF94C885EAFB7ECAF99704F40492EF595CB191EB35DA08CB62

Function 003CEF95 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 003CEFB6
_wcscmp.LIBCMT ref: 003CEFCB
_wcscmp.LIBCMT ref: 003CEFE2
GetFileAttributesW.KERNEL32(?), ref: 003CEFF4
SetFileAttributesW.KERNEL32(?,?), ref: 003CF00E
FindNextFileW.KERNEL32(00000000,?), ref: 003CF026
FindClose.KERNEL32(00000000), ref: 003CF031
FindFirstFileW.KERNEL32(*.*,?), ref: 003CF04D
_wcscmp.LIBCMT ref: 003CF074
_wcscmp.LIBCMT ref: 003CF08B
SetCurrentDirectoryW.KERNEL32(?), ref: 003CF09D
SetCurrentDirectoryW.KERNEL32(00418920), ref: 003CF0BB
FindNextFileW.KERNEL32(00000000,00000010), ref: 003CF0C5
FindClose.KERNEL32(00000000), ref: 003CF0D2
FindClose.KERNEL32(00000000), ref: 003CF0E4

Strings

*.*, xrefs: 003CF048

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 57415eefaeaac96489a502d0ae17417fdfe58230a91f53d05506b9ea07ff7a58
Instruction ID: 62c06bf3e2beeefdd051011c2849bdfdc9a893b09839c69d217e6add4f1f6cd8
Opcode Fuzzy Hash: 57415eefaeaac96489a502d0ae17417fdfe58230a91f53d05506b9ea07ff7a58
Instruction Fuzzy Hash: DF3105365002686FCB26ABA0DC88FEE77AD9F45720F1042BAE800D6091DB70DE80CB55

Function 003766E1 Relevance: 27.1, Strings: 21, Instructions: 889COMMON

Download Yara Rule

Strings

LF), xrefs: 003B12A4
UCP), xrefs: 003B110D
pG@, xrefs: 00376751
UTF), xrefs: 003B10FA
UTF16), xrefs: 003B10CF
0F@, xrefs: 00376747
CRLF), xrefs: 003B12C1
BSR_ANYCRLF), xrefs: 003B131E
CR), xrefs: 003B1287
0D@, xrefs: 00376733
-es, xrefs: 003B12F2, 003B13AF
LIMIT_MATCH=, xrefs: 003B1170
BSR_UNICODE), xrefs: 003B1338
ANYCRLF), xrefs: 003B12FB
NO_AUTO_POSSESS), xrefs: 003B112E
NO_START_OPT), xrefs: 003B114F
ANY), xrefs: 003B12DE
_7, xrefs: 003B1465, 003B150C, 003B15B4
3c7, xrefs: 003768FF
LIMIT_RECURSION=, xrefs: 003B11FC
0E@, xrefs: 0037673D

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID:
String ID: -es$0D@$0E@$0F@$3c7$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$pG@$_7
API String ID: 0-239065333
Opcode ID: c00b662749c4e886d738acb2feb1e2ff37ac35f36d51340f0ae70f3b008561c6
Instruction ID: 3c8ce6f38daeacb16a2c5e56dacd14d8b56b597aa3c79f7cc123968890f5d65e
Opcode Fuzzy Hash: c00b662749c4e886d738acb2feb1e2ff37ac35f36d51340f0ae70f3b008561c6
Instruction Fuzzy Hash: 6672AD71E006198BDB26CF59C8A17EEB7F5FF44314F54816AE909EB680E7349E81CB90

Function 003E0857 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003E0953
RegCreateKeyExW.ADVAPI32(?,?,00000000,003EF910,00000000,?,00000000,?,?), ref: 003E09C1
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 003E0A09
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 003E0A92
RegCloseKey.ADVAPI32(?), ref: 003E0DB2
RegCloseKey.ADVAPI32(00000000), ref: 003E0DBF

Strings

REG_BINARY, xrefs: 003E0D4D
REG_SZ, xrefs: 003E0AD0
REG_DWORD, xrefs: 003E0C83
REG_QWORD, xrefs: 003E0D00
REG_MULTI_SZ, xrefs: 003E0B7A
REG_EXPAND_SZ, xrefs: 003E0A2F

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 03bab408fd20a2bdd068c58586171f70d11cf20bf47daa326a20f31b4978ee02
Instruction ID: e2b8aa4084c12192a0151a2575a702e3e0af799f96e291798a7cf136fd89a66c
Opcode Fuzzy Hash: 03bab408fd20a2bdd068c58586171f70d11cf20bf47daa326a20f31b4978ee02
Instruction Fuzzy Hash: 83026B756006519FCB16EF25C881E2AB7E9FF89324F05855DF8999B3A2CB70EC41CB81

Function 003CF0F2 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 003CF113
_wcscmp.LIBCMT ref: 003CF128
_wcscmp.LIBCMT ref: 003CF13F

Part of subcall function 003C4385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 003C43A0

FindNextFileW.KERNEL32(00000000,?), ref: 003CF16E
FindClose.KERNEL32(00000000), ref: 003CF179
FindFirstFileW.KERNEL32(*.*,?), ref: 003CF195
_wcscmp.LIBCMT ref: 003CF1BC
_wcscmp.LIBCMT ref: 003CF1D3
SetCurrentDirectoryW.KERNEL32(?), ref: 003CF1E5
SetCurrentDirectoryW.KERNEL32(00418920), ref: 003CF203
FindNextFileW.KERNEL32(00000000,00000010), ref: 003CF20D
FindClose.KERNEL32(00000000), ref: 003CF21A
FindClose.KERNEL32(00000000), ref: 003CF22C

Strings

*.*, xrefs: 003CF190

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: e6c16b656fb82e5c0e8a5cdb2335e13af44fbe37b8e2c8016ec0c8aaf1b2e358
Instruction ID: 7000f4e104f9e9c6c7ce85e7f4f7c0bc7919bfd83d3326c331a01eb0e498d7be
Opcode Fuzzy Hash: e6c16b656fb82e5c0e8a5cdb2335e13af44fbe37b8e2c8016ec0c8aaf1b2e358
Instruction Fuzzy Hash: AF31073A5002596FCB22AB60EC58FEE77AE9F45320F1506B9E800E61D0DB70DF45CB54

Function 003CA1EF Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 003CA20F
__swprintf.LIBCMT ref: 003CA231
CreateDirectoryW.KERNEL32(?,00000000), ref: 003CA26E
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 003CA293
_memset.LIBCMT ref: 003CA2B2
_wcsncpy.LIBCMT ref: 003CA2EE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 003CA323
CloseHandle.KERNEL32(00000000), ref: 003CA32E
RemoveDirectoryW.KERNEL32(?), ref: 003CA337
CloseHandle.KERNEL32(00000000), ref: 003CA341

Strings

\, xrefs: 003CA247
\??\%s, xrefs: 003CA22B
:, xrefs: 003CA252

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 9872d13a44a7b9782f8e673d55af4653718a6ed713b08fab56f19027709ac3af
Instruction ID: ba1c5b4f21d56e6aa00b59bdf367cacd3d1b1439e6c6483b1a82b48e7abc9f9e
Opcode Fuzzy Hash: 9872d13a44a7b9782f8e673d55af4653718a6ed713b08fab56f19027709ac3af
Instruction Fuzzy Hash: B831C87590425DABDB22DFA0DC85FEB77BCEF88744F1041BAF508D6190E7709A448B25

Function 003B7CAF Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 003B8202: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 003B821E
Part of subcall function 003B8202: GetLastError.KERNEL32(?,003B7CE2,?,?,?), ref: 003B8228
Part of subcall function 003B8202: GetProcessHeap.KERNEL32(00000008,?,?,003B7CE2,?,?,?), ref: 003B8237
Part of subcall function 003B8202: HeapAlloc.KERNEL32(00000000,?,003B7CE2,?,?,?), ref: 003B823E
Part of subcall function 003B8202: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 003B8255

Part of subcall function 003B829F: GetProcessHeap.KERNEL32(00000008,003B7CF8,00000000,00000000,?,003B7CF8,?), ref: 003B82AB
Part of subcall function 003B829F: HeapAlloc.KERNEL32(00000000,?,003B7CF8,?), ref: 003B82B2
Part of subcall function 003B829F: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,003B7CF8,?), ref: 003B82C3

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 003B7D13
_memset.LIBCMT ref: 003B7D28
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 003B7D47
GetLengthSid.ADVAPI32(?), ref: 003B7D58
GetAce.ADVAPI32(?,00000000,?), ref: 003B7D95
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 003B7DB1
GetLengthSid.ADVAPI32(?), ref: 003B7DCE
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 003B7DDD
HeapAlloc.KERNEL32(00000000), ref: 003B7DE4
GetLengthSid.ADVAPI32(?,00000008,?), ref: 003B7E05
CopySid.ADVAPI32(00000000), ref: 003B7E0C
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 003B7E3D
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 003B7E63
SetUserObjectSecurity.USER32(?,00000004,?), ref: 003B7E77

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 8395670e53fc56e7ca74a30924f0dd620e0182abf6fd8bc5e0faef05f353cc48
Instruction ID: 65d0a2ce6b4db9f63f7ccbafed1bea301d332500942dcc2cd12340b6a4d9adbc
Opcode Fuzzy Hash: 8395670e53fc56e7ca74a30924f0dd620e0182abf6fd8bc5e0faef05f353cc48
Instruction Fuzzy Hash: F0613D71904209AFDF12DFA4DC85AEEBB79FF44304F048269F915AA291DB71DE05CBA0

Function 003C001C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 003C0097
SetKeyboardState.USER32(?), ref: 003C0102
GetAsyncKeyState.USER32(000000A0), ref: 003C0122
GetKeyState.USER32(000000A0), ref: 003C0139
GetAsyncKeyState.USER32(000000A1), ref: 003C0168
GetKeyState.USER32(000000A1), ref: 003C0179
GetAsyncKeyState.USER32(00000011), ref: 003C01A5
GetKeyState.USER32(00000011), ref: 003C01B3
GetAsyncKeyState.USER32(00000012), ref: 003C01DC
GetKeyState.USER32(00000012), ref: 003C01EA
GetAsyncKeyState.USER32(0000005B), ref: 003C0213
GetKeyState.USER32(0000005B), ref: 003C0221

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 68d5755d5ad7b66de526a843ebbf08dd7a9bd275fb003ca6cacb2783cdd3fc1b
Instruction ID: b71b0a55b0dc8c633f166851dc64926a6d3f31064f5bcdad924b2fbee38c6101
Opcode Fuzzy Hash: 68d5755d5ad7b66de526a843ebbf08dd7a9bd275fb003ca6cacb2783cdd3fc1b
Instruction Fuzzy Hash: 7F51DB249047D899FB3BDBA08854FAABFB49F01380F09459E95C19A5C3DAA49F8CC761

Function 003E03DA Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 003E0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,003DFDAD,?,?), ref: 003E0E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003E04AC

Part of subcall function 00369837: __itow.LIBCMT ref: 00369862
Part of subcall function 00369837: __swprintf.LIBCMT ref: 003698AC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 003E054B
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 003E05E3
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 003E0822
RegCloseKey.ADVAPI32(00000000), ref: 003E082F

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 2e0ff9c640cff2b644ce68d886e70f1a1a9c54f64b0576f2fff8adaf0a3a26dc
Instruction ID: 828a36e16fb88f0a58a21f0a51bc54ec917977a3d4a679e1a1f6e4cfea3dd248
Opcode Fuzzy Hash: 2e0ff9c640cff2b644ce68d886e70f1a1a9c54f64b0576f2fff8adaf0a3a26dc
Instruction Fuzzy Hash: 46E16D71604250AFCB16DF25C891E2ABBE8FF89314F04C56DF84ADB2A2D670ED45CB91

Function 003D83BB Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00369837: __itow.LIBCMT ref: 00369862
Part of subcall function 00369837: __swprintf.LIBCMT ref: 003698AC

CoInitialize.OLE32 ref: 003D8403
CoUninitialize.OLE32 ref: 003D840E
CoCreateInstance.OLE32(?,00000000,00000017,003F2BEC,?), ref: 003D846E
IIDFromString.OLE32(?,?), ref: 003D84E1
VariantInit.OLEAUT32(?), ref: 003D857B
VariantClear.OLEAUT32(?), ref: 003D85DC

Strings

NULL Pointer assignment, xrefs: 003D84B3
Failed to create object, xrefs: 003D8479, 003D852F
Invalid parameter, xrefs: 003D84FA

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: a2fea7cc85b04a5f0b358f7d85705f934a339b4bc2f18b774c5017839e029df4
Instruction ID: 6e24c6e979911c987482c2ea11a81094000eb65b6c591bddd86a6add62ab9566
Opcode Fuzzy Hash: a2fea7cc85b04a5f0b358f7d85705f934a339b4bc2f18b774c5017839e029df4
Instruction Fuzzy Hash: 9C61BF726083129FC712DF55E888F6AB7E9AF49714F00451EF9819B391CB70ED44CB92

Function 003D4164 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 003D418B
EmptyClipboard.USER32 ref: 003D4191
GlobalAlloc.KERNEL32(00000002,?), ref: 003D41A6
CloseClipboard.USER32 ref: 003D4245

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: da733c82408ff578dafe1c13f336b1af5d76369d3b93f2395acf6021ac6dc786
Instruction ID: 4088fff98d02be1f3041d5c9050f016c83f5a3fbdc3d15d0c00f66168e5dc555
Opcode Fuzzy Hash: da733c82408ff578dafe1c13f336b1af5d76369d3b93f2395acf6021ac6dc786
Instruction Fuzzy Hash: 8D219C76600210DFDB22AF64EC49B6A7BACEF55710F10852AF946DF2A1DB70AD01CB54

Function 003C37EF Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00364750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00364743,?,?,003637AE,?), ref: 00364770

Part of subcall function 003C4A31: GetFileAttributesW.KERNEL32(?,003C370B), ref: 003C4A32

FindFirstFileW.KERNEL32(?,?), ref: 003C38A3
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 003C394B
MoveFileW.KERNEL32(?,?), ref: 003C395E
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 003C397B
FindNextFileW.KERNEL32(00000000,00000010), ref: 003C399D
FindClose.KERNEL32(00000000,?,?,?,?), ref: 003C39B9

Strings

\*.*, xrefs: 003C384E, 003C3857, 003C386C

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 8940847b610143af1ba85bb53ddfc5e8feced7696f664b6524489a18365fd69f
Instruction ID: e3daee18caa00cf050d1abb0e9299bb95ab89c6a1c6f994598ff05b19aa1b007
Opcode Fuzzy Hash: 8940847b610143af1ba85bb53ddfc5e8feced7696f664b6524489a18365fd69f
Instruction Fuzzy Hash: 9851AF3180414CAACF17EBA0D992EEDB778AF11304F60816DE402BB195EF706F09CB61

Function 003CF3F3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00367DE1: _memmove.LIBCMT ref: 00367E22

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 003CF440
Sleep.KERNEL32(0000000A), ref: 003CF470
_wcscmp.LIBCMT ref: 003CF484
_wcscmp.LIBCMT ref: 003CF49F
FindNextFileW.KERNEL32(?,?), ref: 003CF53D
FindClose.KERNEL32(00000000), ref: 003CF553

Strings

*.*, xrefs: 003CF425

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 83d50e86f1d64c051208fb3343a0abbfbf1e1dd0665e6210c3f743d2972c8f9d
Instruction ID: 388de0495d87e7e9b1ff12d022555345d6957dc027297568e53c15a5af3a34dd
Opcode Fuzzy Hash: 83d50e86f1d64c051208fb3343a0abbfbf1e1dd0665e6210c3f743d2972c8f9d
Instruction Fuzzy Hash: 26417B7180021AAFCF16EF64CC45BEEBBB9FF05310F20456AE915A6190DB309E84CB50

Function 00373030 Relevance: 11.1, APIs: 4, Strings: 2, Instructions: 587COMMON

Download Yara Rule

Strings

_7, xrefs: 00373322
3c7, xrefs: 00373225

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: __itow__swprintf
String ID: 3c7$_7
API String ID: 674341424-4188345352
Opcode ID: 8da5935f73747f9cab141125a16ffde4c2c337f978f91329c41cbb5fc71c6551
Instruction ID: 4396b301f9ebcb378ce8d23b85c0be8ce73baa1e8d0e06f3d8945e85b43cdab7
Opcode Fuzzy Hash: 8da5935f73747f9cab141125a16ffde4c2c337f978f91329c41cbb5fc71c6551
Instruction Fuzzy Hash: F022AF716083009FD726DF24C881BAFB7E8EF85714F04891DF59A9B291DB75E904CB92

Function 00375760 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 003758A5
_memmove.LIBCMT ref: 003758F5
_memmove.LIBCMT ref: 0037595B

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: a50d85a462289fbe6d4ccf77da606f2cc91fc2e0d1b62cb8eafabc6d3b3fab0e
Instruction ID: 55de2f476eace020f7a57870936593ca772753d4b4c49dd93a55a4e120328e2d
Opcode Fuzzy Hash: a50d85a462289fbe6d4ccf77da606f2cc91fc2e0d1b62cb8eafabc6d3b3fab0e
Instruction Fuzzy Hash: 4D129C70A00609EFCF19DFA4D981AEEB7F5FF48304F108569E44AEB650EB39A914CB50

Function 003C3B12 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00364750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00364743,?,?,003637AE,?), ref: 00364770

Part of subcall function 003C4A31: GetFileAttributesW.KERNEL32(?,003C370B), ref: 003C4A32

FindFirstFileW.KERNEL32(?,?), ref: 003C3B89
DeleteFileW.KERNEL32(?,?,?,?), ref: 003C3BD9
FindNextFileW.KERNEL32(00000000,00000010), ref: 003C3BEA
FindClose.KERNEL32(00000000), ref: 003C3C01
FindClose.KERNEL32(00000000), ref: 003C3C0A

Strings

\*.*, xrefs: 003C3B5B

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 4ef5aba4c4f198e1af36a77d192fa6f30a2f6e4a608df2c7e01c879d633dead0
Instruction ID: bbc303e0f1f06f5e70bf642a146e3d5e7798f2cf3b2265c04baa291a3e5b843e
Opcode Fuzzy Hash: 4ef5aba4c4f198e1af36a77d192fa6f30a2f6e4a608df2c7e01c879d633dead0
Instruction Fuzzy Hash: DF316D350083859FC312EB24C891DAFB7E8AE95304F408E2DF4D59A191EB21DE08CB67

Function 003C51BD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 003B87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 003B882B
Part of subcall function 003B87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 003B8858
Part of subcall function 003B87E1: GetLastError.KERNEL32 ref: 003B8865

ExitWindowsEx.USER32(?,00000000), ref: 003C51F9

Strings

SeShutdownPrivilege, xrefs: 003C51C9
, xrefs: 003C51E7
@, xrefs: 003C51EC

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: bfe4ef4543ada4581c93fd558b8ab433e9e50c9c8c6b90f51fa1a9ec38782709
Instruction ID: 9a056b0ed1bf8762705fc0b9135c59211e9e63300703fe58e0b8c2724b274abc
Opcode Fuzzy Hash: bfe4ef4543ada4581c93fd558b8ab433e9e50c9c8c6b90f51fa1a9ec38782709
Instruction Fuzzy Hash: 7E01F7316916156BF72A62689C8BFBB72DC9B05350F250D2DF913EA4D2DA917C808790

Function 003D6283 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 003D62DC
WSAGetLastError.WSOCK32(00000000), ref: 003D62EB
bind.WSOCK32(00000000,?,00000010), ref: 003D6307
listen.WSOCK32(00000000,00000005), ref: 003D6316
WSAGetLastError.WSOCK32(00000000), ref: 003D6330
closesocket.WSOCK32(00000000,00000000), ref: 003D6344

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 3dfc249c53a96143c35ceb34388db98b9be734219a744a0184c50a8952b68ef9
Instruction ID: d11df50490c904097e89bfbf57c3595d6cd76563e81eb792cea51377425fa059
Opcode Fuzzy Hash: 3dfc249c53a96143c35ceb34388db98b9be734219a744a0184c50a8952b68ef9
Instruction Fuzzy Hash: 6321D5756002009FCB12EF64D886B6EB7ADEF49310F15825AE926AB3E1C770AD01CB51

Function 00375520 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00380DB6: std::exception::exception.LIBCMT ref: 00380DEC
Part of subcall function 00380DB6: __CxxThrowException@8.LIBCMT ref: 00380E01

_memmove.LIBCMT ref: 003B0258
_memmove.LIBCMT ref: 003B036D
_memmove.LIBCMT ref: 003B0414

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: 298312eb0c7b78ab8770f452c6be9d0e39065a8d518b9645c5958de4a9522ec1
Instruction ID: e7030ff1f551176c258e9db48c84a047f9f8206b150366991dba1e60659b671b
Opcode Fuzzy Hash: 298312eb0c7b78ab8770f452c6be9d0e39065a8d518b9645c5958de4a9522ec1
Instruction Fuzzy Hash: 6902D070A00209DBCF1ADF64D981AAEBBF5EF44304F14C4A9E90ADF255EB34DA54CB91

Function 00361287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00362612: GetWindowLongW.USER32(?,000000EB), ref: 00362623

DefDlgProcW.USER32(?,?,?,?,?), ref: 003619FA
GetSysColor.USER32(0000000F), ref: 00361A4E
SetBkColor.GDI32(?,00000000), ref: 00361A61

Part of subcall function 00361290: DefDlgProcW.USER32(?,00000020,?), ref: 003612D8

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: d94e9e0979bf1f12dcd6157da80db4e9d1a18f2323e1231f28e1f492c619cac9
Instruction ID: 5f907445d8b3ffbbaab8e8a951601563a118acfc099c7982cf3abef1332a4d54
Opcode Fuzzy Hash: d94e9e0979bf1f12dcd6157da80db4e9d1a18f2323e1231f28e1f492c619cac9
Instruction Fuzzy Hash: 2BA19B70112594BEEA3BAB69DC48EBF259CDB42346F1E8219F402DA5DACB208D01C2B5

Function 003CBCBC Relevance: 7.6, APIs: 5, Instructions: 143fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 003CBCE6
_wcscmp.LIBCMT ref: 003CBD16
_wcscmp.LIBCMT ref: 003CBD2B
FindNextFileW.KERNEL32(00000000,?), ref: 003CBD3C
FindClose.KERNEL32(00000000,00000001,00000000), ref: 003CBD6C

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: 904a8cea1b53d20219fdcba536427ec15e4303a543bdd7f354260705c2f0bc7e
Instruction ID: a28b72589f62ce949d1e81ff5d2af9274ee34454c1970978260331c5cdc68111
Opcode Fuzzy Hash: 904a8cea1b53d20219fdcba536427ec15e4303a543bdd7f354260705c2f0bc7e
Instruction Fuzzy Hash: 3251AB75A047029FC716DF28C495EAAB3E8EF4A320F00465EE956CB3A1CB30ED04CB91

Function 003D6747 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 003D7D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 003D7DB6

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 003D679E
WSAGetLastError.WSOCK32(00000000), ref: 003D67C7
bind.WSOCK32(00000000,?,00000010), ref: 003D6800
WSAGetLastError.WSOCK32(00000000), ref: 003D680D
closesocket.WSOCK32(00000000,00000000), ref: 003D6821

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: 4f9000c5340b27b99968b785bacd278881ae663bd14ff4a058a6335843254fd7
Instruction ID: f7413fc8082be1498eb8ad028a30d2440433fbefae96ce790256fa8871ef1598
Opcode Fuzzy Hash: 4f9000c5340b27b99968b785bacd278881ae663bd14ff4a058a6335843254fd7
Instruction Fuzzy Hash: 4341C375A00214AFDB12AF64DC87F6E77EC9B09754F04C55AF91AAF3D2CA709D0087A1

Function 003E5376 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 003E53C5
IsWindowEnabled.USER32 ref: 003E53D3
GetForegroundWindow.USER32(?,?,00000001), ref: 003E53E0
IsIconic.USER32 ref: 003E53EE
IsZoomed.USER32 ref: 003E53FC

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 36c398d8b0b2e83a8511405c972fa9d66543a36f615d426aa198465484396347
Instruction ID: ab493fdfef19afc6c91880952be4fb18116df50b1c30f69a898f0d8ad58c1521
Opcode Fuzzy Hash: 36c398d8b0b2e83a8511405c972fa9d66543a36f615d426aa198465484396347
Instruction Fuzzy Hash: B111B6717009A19FDB235F279C84B6ABB9CEF457A5B418529F845DB2C1CBB09C018AA4

Function 003B80A9 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 003B80C0
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 003B80CA
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 003B80D9
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 003B80E0
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 003B80F6

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: c55101aae65d84c54d75bc6d9067dee08f4d4fb493d73e03aecf62064bae7107
Instruction ID: 0e6a5faadfd1cc10f6bfeee04cec6bd4e66f3864c200580fcf4f2a09bd990e2f
Opcode Fuzzy Hash: c55101aae65d84c54d75bc6d9067dee08f4d4fb493d73e03aecf62064bae7107
Instruction Fuzzy Hash: 53F06835241244AFD7224F65DCCDEA73BACEF85759F010125F645C6190CBA1DD41DA60

Function 00364B37 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00364AD0), ref: 00364B45
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00364B57

Strings

kernel32.dll, xrefs: 00364B40
GetNativeSystemInfo, xrefs: 00364B51

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 2214c2da4dec49ee4ac0009f4b89033732fa81b17f09035e155d5c29f4f0b9a9
Instruction ID: 690784e3201b56e1d8f5fc11a7d29827e168ee9fc23a4fcac2b2af2602a963a6
Opcode Fuzzy Hash: 2214c2da4dec49ee4ac0009f4b89033732fa81b17f09035e155d5c29f4f0b9a9
Instruction Fuzzy Hash: 0CD01234E10767CFDB229F32D858B4676D8AF45351F11C93DD4C6DA190D6B0D480C654

Function 003DEE0D Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 003DEE3D
Process32FirstW.KERNEL32(00000000,?), ref: 003DEE4B

Part of subcall function 00367DE1: _memmove.LIBCMT ref: 00367E22

Process32NextW.KERNEL32(00000000,?), ref: 003DEF0B
CloseHandle.KERNEL32(00000000,?,?,?), ref: 003DEF1A

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: f8ec537205f1b09776748829f8385345db73843792a114918df75834896cbf5f
Instruction ID: 1110e38078146f551e7dd7c6d5b85c7e31b673d92016d8ab95c851c1d41bdb9d
Opcode Fuzzy Hash: f8ec537205f1b09776748829f8385345db73843792a114918df75834896cbf5f
Instruction Fuzzy Hash: 435171725043119FD322EF24DC81E6BBBE8EF94750F50892DF5959B2A1DB70A904CB92

Function 003BE616 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 003BE628

Strings

|, xrefs: 003BE658
(, xrefs: 003BE66E

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 4a78a3f5e88d059c9ed1fe90b7e63993765d46ddcbad67170e4cd27a3417863c
Instruction ID: ddeb71de55b567756b80559fecca5180ae7c1a16f6756a7d1276b82c98d416dd
Opcode Fuzzy Hash: 4a78a3f5e88d059c9ed1fe90b7e63993765d46ddcbad67170e4cd27a3417863c
Instruction Fuzzy Hash: C6324675A007059FD729CF19C481AAAB7F0FF48314B12C56EE99ADB7A1EB70E941CB40

Function 003D22EE Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,003D180A,00000000), ref: 003D23E1
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 003D2418

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: b7378c7452da65e6e67e59f4bf87bdf1541338a197964a96dd3c8ced090d9685
Instruction ID: 35df0148ad072df9f91b482bbe9a68da421672256eabe901960767c8332e9e48
Opcode Fuzzy Hash: b7378c7452da65e6e67e59f4bf87bdf1541338a197964a96dd3c8ced090d9685
Instruction Fuzzy Hash: 7341F776904309BFEB22DE96EC81EBB77BCEB50314F10406BFA01A6740DA759E419650

Function 003CB333 Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 003CB343
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 003CB39D
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 003CB3EA

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: d4b7c6f56c3e75af211058d738ca86988f3eb6f45e0a45852470c9896986754e
Instruction ID: d86032159247edca225688d0f8bb485f5316250ba191b69ad1f3c75757916066
Opcode Fuzzy Hash: d4b7c6f56c3e75af211058d738ca86988f3eb6f45e0a45852470c9896986754e
Instruction Fuzzy Hash: 5D215C75A00508EFCB01EFA5D881EEDBBB8FF49314F1481AAE905EB355CB31A915CB51

Function 003B87E1 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00380DB6: std::exception::exception.LIBCMT ref: 00380DEC
Part of subcall function 00380DB6: __CxxThrowException@8.LIBCMT ref: 00380E01

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 003B882B
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 003B8858
GetLastError.KERNEL32 ref: 003B8865

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: dde87459db21c79b41d8a9bdea2659580ef35d446f1ca29678bdfc08bec7b604
Instruction ID: aa242cb84a11beee5b9da12d53a59a0890bd94cfdc77ddc9cbf908fc5450c5ee
Opcode Fuzzy Hash: dde87459db21c79b41d8a9bdea2659580ef35d446f1ca29678bdfc08bec7b604
Instruction Fuzzy Hash: 70119DB2414304AFE729EFA4DC85D6BB7ADFB44314B20852EF45587651EA70BC04CB60

Function 003B874B Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 003B8774
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 003B878B
FreeSid.ADVAPI32(?), ref: 003B879B

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 6fb0085660597593d6cc54980098a3eb455b1decca8d21d9dbecc21f76d33a66
Instruction ID: 43e82a9e57bd10509ad5eb88169c3c80034b4643170712c07251b09a700baa2a
Opcode Fuzzy Hash: 6fb0085660597593d6cc54980098a3eb455b1decca8d21d9dbecc21f76d33a66
Instruction Fuzzy Hash: CAF04975A1130CBFDF10DFF4DC89ABEBBBCEF08311F1045A9AA01E6581E6716A048B50

Function 003C8889 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 003C889B

Part of subcall function 0038520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,003C8F6E,00000000,?,?,?,?,003C911F,00000000,?), ref: 00385213
Part of subcall function 0038520A: __aulldiv.LIBCMT ref: 00385233

Strings

0eB, xrefs: 003C8892

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID: 0eB
API String ID: 2893107130-1534231516
Opcode ID: 4bcfaa03c87d9f14309691819c12892384edc3a2f11ca1f504f40666854174ba
Instruction ID: 4c0d334efea22ed266afc9c90f27bbaa2a661a5d41be218dc8cfca723f0b0471
Opcode Fuzzy Hash: 4bcfaa03c87d9f14309691819c12892384edc3a2f11ca1f504f40666854174ba
Instruction Fuzzy Hash: 7C21A2326256108BC729CF29D841B52B3E1EFA5311BA98E6CD0F5CB2C0CA74AD45CB54

Function 003CC6D1 Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 003CC6FB
FindClose.KERNEL32(00000000), ref: 003CC72B

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: f852ac380d2bfc4b9ce01337c29451fae6412b27b5048ef2eeffd281f48710ce
Instruction ID: e215cead3bd065fbeff468ef97beb8ba34ad8b0851e6bebd4cce988423287fd1
Opcode Fuzzy Hash: f852ac380d2bfc4b9ce01337c29451fae6412b27b5048ef2eeffd281f48710ce
Instruction Fuzzy Hash: 6D1182756002009FDB11DF29C885A2AF7E8EF45324F00C51EF9A9CB291DB70AC05CB81

Function 003CA06A Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,003D9468,?,003EFB84,?), ref: 003CA097
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,003D9468,?,003EFB84,?), ref: 003CA0A9

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: ecdc7a938d0fab39ae0fa67aebdc5878cd473e4eb0e1d40cf9a0db8ac3b5336e
Instruction ID: e9a39894c74f4f97762ad0a8630637fdbee9bff6b6a32aa8c6f5100b65ea71bc
Opcode Fuzzy Hash: ecdc7a938d0fab39ae0fa67aebdc5878cd473e4eb0e1d40cf9a0db8ac3b5336e
Instruction Fuzzy Hash: 0AF0823510522DABDB229FA4CC88FEA776CFF08361F008269F909DA181D7709D44CBA1

Function 003B81CB Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,003B8309), ref: 003B81E0
CloseHandle.KERNEL32(?,?,003B8309), ref: 003B81F2

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: c72ea4f988f1d80960ba3056c0dae933d1cd36db393d548c4d741993953122e6
Instruction ID: d2f7ec27bc2ffa5e26c1be9fe06fc5de097a51c7feded5c05e2df67ac8001b00
Opcode Fuzzy Hash: c72ea4f988f1d80960ba3056c0dae933d1cd36db393d548c4d741993953122e6
Instruction Fuzzy Hash: 36E0E671011610AFE7672B74EC05D7777EDEF04315B14896DF55588470DB616C91DB10

Function 0038A155 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00388D57,?,?,?,00000001), ref: 0038A15A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0038A163

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 8723645a10973f231d96ef33a92cbcdda9447381201735653944b5600148869a
Instruction ID: 9fc0a2891c899cf2d6d1949a25d3538415185ed22bc6b4ace57dc8f43b9fc39c
Opcode Fuzzy Hash: 8723645a10973f231d96ef33a92cbcdda9447381201735653944b5600148869a
Instruction Fuzzy Hash: 1BB09235054248AFCA122B91EC49B883F6CEB44BA2F404120F60D886A4CBA255508A91

Function 0038F1D9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2199619d16f740ab76fb638b3abcf49d51b0caa7720228d85a1b1a6fa612c310
Instruction ID: 94cea69ebca3a010be17762b1c97f01544c36b5a603f033e90a408803e654f7f
Opcode Fuzzy Hash: 2199619d16f740ab76fb638b3abcf49d51b0caa7720228d85a1b1a6fa612c310
Instruction Fuzzy Hash: 1D32F521D29F414DD723A634D832336A64DAFB73D4F15D777F81AB5AA5EB29C8838200

Function 0039242E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: decd6550ab92198d31e0cbbcb3af51534fdacd6af618eec7309e553489792ad1
Instruction ID: ca469b3330785ddba35e45bb9ffc5ad33f3aa83c9f95127ef46de4e3ccd8f1c9
Opcode Fuzzy Hash: decd6550ab92198d31e0cbbcb3af51534fdacd6af618eec7309e553489792ad1
Instruction Fuzzy Hash: BDB10260D2AF414DD72396398871336BB5CAFBB2C5F52D71BFC2A74E22EB2185838141

Function 003C4C27 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 003C4C4A

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: e0ea61ca6fde625e67a3e8a7ec91b9c5fd0c1c7c06a263481fa13fa00471ec24
Instruction ID: 0869fbb83f2e72c7301d3662373f34a0accd2865aaffd6d7fb0f6bf38823d6e8
Opcode Fuzzy Hash: e0ea61ca6fde625e67a3e8a7ec91b9c5fd0c1c7c06a263481fa13fa00471ec24
Instruction Fuzzy Hash: F6D05E9116520938ED2E0720AE7FFBA010CE300782FD1E24D7102CA0E1ECC09C405330

Function 003B87B1 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,003B8389), ref: 003B87D1

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 03347e4bede9531efaf88cc6c81895b00b487ef9b566c0ed51be88aa4e7d57fe
Instruction ID: 541b6b2f24b8e14358d83f7396721b263442b47654fd56005efedeff33904bad
Opcode Fuzzy Hash: 03347e4bede9531efaf88cc6c81895b00b487ef9b566c0ed51be88aa4e7d57fe
Instruction Fuzzy Hash: 2ED05E3226050EAFEF118EA4DC01EBE3B69EB04B01F408111FE15C50A1C7B5D835AB60

Function 0038A124 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 0038A12A

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: b073c756e92ecc296baa838702e8edc59671edab1e8e67f3e0e1b0f5f52250be
Instruction ID: bf7c1880107007591ae2039c9e61e98cffcde5d1b02fee211000810603d6b043
Opcode Fuzzy Hash: b073c756e92ecc296baa838702e8edc59671edab1e8e67f3e0e1b0f5f52250be
Instruction Fuzzy Hash: 1BA0113000020CAB8A022B82EC08888BFACEA002A0B008020F80C882228BB2A8208A80

Function 00378808 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ecb3b411864700896b0c08094adabfcea3f5def49b58808b2743885ca84ad28
Instruction ID: 65c18eceeb6d7a82d877eee3cc1ca41ffa57d7473ae4fae47cbd75890446dc5a
Opcode Fuzzy Hash: 8ecb3b411864700896b0c08094adabfcea3f5def49b58808b2743885ca84ad28
Instruction Fuzzy Hash: 06222830A48546CBDF3B8B18C4987BC77A1FB41308F26C46AD64A8BD92DB78DD92C741

Function 003821C5 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 5242e599189f461e1a6de7c7a2e7a608dfcf9580c15bc5c6be906cf5e35a9e6a
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 73C184362052930ADB6F663A843413FFAA55EA27B131B47DDD8B3CB1D4EE10C969D720

Function 003825FA Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 5498737c918b1e34e90b3a72a3beeab4881fdaaf499d004d4fd30c258590ba76
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: E2C165322052930ADF6F563A843413FBAA55EA27B131B47EDE4B3DB1D5EE10C929D720

Function 00381978 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 2b84ba12e3487ed2233d1c19762ab3b6109c4ac75c93119588f75b99806507e7
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 62C1843220529309DF2F5639C47413EBAA95EA27B131B47EDD4B3CB1D4EE20C96AD720

Function 011605B8 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1833445647.000000000115C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0115C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_115c000_PK5pHX4Gu5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: e1d3e3de25fc7aed58c0a0ed873a2cc734e6f160d848d67949de0d6af76d86a8
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: 8941C471D1051CDBCF48CFADC991AAEBBF1AF88201F548299D516AB345D730AB41DB50

Function 01160448 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1833445647.000000000115C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0115C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_115c000_PK5pHX4Gu5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: 8900606eceef6cc31b2f9fcda2efa2267ff67c9fe2d55efafe27349141dbf708
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: E9019D78A00209EFCB58DF98C5909AEF7B9FB88310F208599E819A7705D731AE51DB80

Function 011604A8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1833445647.000000000115C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0115C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_115c000_PK5pHX4Gu5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: 6c5f5f3e74287d05906c8bf7185983c2366191199cbbbf27304311a350d82ca3
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: 97019278A04209EFCB58DF98C5909AEF7B9FB4C310F208599E809A7741D731AE51DB80

Function 0115EE28 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1833445647.000000000115C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0115C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_115c000_PK5pHX4Gu5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 003D7806 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 003D785B
DeleteObject.GDI32(00000000), ref: 003D786D
DestroyWindow.USER32 ref: 003D787B
GetDesktopWindow.USER32 ref: 003D7895
GetWindowRect.USER32(00000000), ref: 003D789C
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 003D79DD
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 003D79ED
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003D7A35
GetClientRect.USER32(00000000,?), ref: 003D7A41
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 003D7A7B
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003D7A9D
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003D7AB0
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003D7ABB
GlobalLock.KERNEL32(00000000), ref: 003D7AC4
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003D7AD3
GlobalUnlock.KERNEL32(00000000), ref: 003D7ADC
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003D7AE3
GlobalFree.KERNEL32(00000000), ref: 003D7AEE
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003D7B00
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,003F2CAC,00000000), ref: 003D7B16
GlobalFree.KERNEL32(00000000), ref: 003D7B26
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 003D7B4C
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 003D7B6B
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003D7B8D
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003D7D7A

Strings

static, xrefs: 003D7A75, 003D7BCC
AutoIt v3, xrefs: 003D7A2D
, xrefs: 003D7D00
DISPLAY, xrefs: 003D7BDD

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 14c00ce1618323a452f2c2fc1f72ffde411def601f1e94908474b476840dfefe
Instruction ID: 6c03568feceedfb1e977598fa324a2a770b1846c55b057bfe7d8915663837020
Opcode Fuzzy Hash: 14c00ce1618323a452f2c2fc1f72ffde411def601f1e94908474b476840dfefe
Instruction Fuzzy Hash: 27026E72900115EFDB26DFA4DC89EAE7BBDEF48310F108269F905AB2A1D7709D01CB60

Function 003E356B Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,003EF910), ref: 003E3627
IsWindowVisible.USER32(?), ref: 003E364B

Strings

GETCURRENTLINE, xrefs: 003E38ED
FINDSTRING, xrefs: 003E3776
CHECK, xrefs: 003E386D
SHOWDROPDOWN, xrefs: 003E36E0
EDITPASTE, xrefs: 003E395F
ADDSTRING, xrefs: 003E3716
GETCURRENTCOL, xrefs: 003E3928
TABRIGHT, xrefs: 003E369D
GETLINE, xrefs: 003E399B
TABLEFT, xrefs: 003E3687
CURRENTTAB, xrefs: 003E36BD
ISCHECKED, xrefs: 003E3839
UNCHECK, xrefs: 003E3883
HIDEDROPDOWN, xrefs: 003E3700
SETCURRENTSELECTION, xrefs: 003E37B6
GETCURRENTSELECTION, xrefs: 003E37E3
DELSTRING, xrefs: 003E3749
SELECTSTRING, xrefs: 003E3806
ISVISIBLE, xrefs: 003E3637
SENDCOMMANDID, xrefs: 003E39DA
GETLINECOUNT, xrefs: 003E38C6
ISENABLED, xrefs: 003E366B
GETSELECTED, xrefs: 003E38A3

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 0b80d67fe27a95432494df5dab739f885dd5c0bef7a9b0d47c4a25506298d15a
Instruction ID: 0f0448aa1331a45c2d916b896cde8ee8a7da4261f19692f38f30fcadce4595c2
Opcode Fuzzy Hash: 0b80d67fe27a95432494df5dab739f885dd5c0bef7a9b0d47c4a25506298d15a
Instruction Fuzzy Hash: A7D1CF702043509BCB0AEF11C45AAAE77E9AF85344F058569F8865F7E3CB35EE4ACB41

Function 003EA5DA Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 003EA630
GetSysColorBrush.USER32(0000000F), ref: 003EA661
GetSysColor.USER32(0000000F), ref: 003EA66D
SetBkColor.GDI32(?,000000FF), ref: 003EA687
SelectObject.GDI32(?,00000000), ref: 003EA696
InflateRect.USER32(?,000000FF,000000FF), ref: 003EA6C1
GetSysColor.USER32(00000010), ref: 003EA6C9
CreateSolidBrush.GDI32(00000000), ref: 003EA6D0
FrameRect.USER32(?,?,00000000), ref: 003EA6DF
DeleteObject.GDI32(00000000), ref: 003EA6E6
InflateRect.USER32(?,000000FE,000000FE), ref: 003EA731
FillRect.USER32(?,?,00000000), ref: 003EA763
GetWindowLongW.USER32(?,000000F0), ref: 003EA78E

Part of subcall function 003EA8CA: GetSysColor.USER32(00000012), ref: 003EA903
Part of subcall function 003EA8CA: SetTextColor.GDI32(?,?), ref: 003EA907
Part of subcall function 003EA8CA: GetSysColorBrush.USER32(0000000F), ref: 003EA91D
Part of subcall function 003EA8CA: GetSysColor.USER32(0000000F), ref: 003EA928
Part of subcall function 003EA8CA: GetSysColor.USER32(00000011), ref: 003EA945
Part of subcall function 003EA8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 003EA953
Part of subcall function 003EA8CA: SelectObject.GDI32(?,00000000), ref: 003EA964
Part of subcall function 003EA8CA: SetBkColor.GDI32(?,00000000), ref: 003EA96D
Part of subcall function 003EA8CA: SelectObject.GDI32(?,?), ref: 003EA97A
Part of subcall function 003EA8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 003EA999
Part of subcall function 003EA8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 003EA9B0
Part of subcall function 003EA8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 003EA9C5
Part of subcall function 003EA8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 003EA9ED

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: ff527519a9d92e3b00ef80501dcd08f470a459a8c5281c68409129ccb4b4041b
Instruction ID: 077a6ce94cf0156eafc80ccb246686e1501b28c34f4b342dcd8b29c20cb9d0ba
Opcode Fuzzy Hash: ff527519a9d92e3b00ef80501dcd08f470a459a8c5281c68409129ccb4b4041b
Instruction Fuzzy Hash: C0918D72008795AFD7229F64DC48A5B7BBDFF89321F100B29F5629A1E0D7B0E944CB52

Function 00362C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00362CA2
DeleteObject.GDI32(00000000), ref: 00362CE8
DeleteObject.GDI32(00000000), ref: 00362CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 00362CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00362D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 0039C43B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0039C474
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0039C89D

Part of subcall function 00361B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00362036,?,00000000,?,?,?,?,003616CB,00000000,?), ref: 00361B9A

SendMessageW.USER32(?,00001053), ref: 0039C8DA
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0039C8F1
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0039C907
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0039C912

Strings

0, xrefs: 0039C731

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 986a822bce7ca011f216d48f7af6a3211f593fa79db41da865db71f2759db27f
Instruction ID: e26b407e7da92c6c6a05bc0dc00d1711e1c1aa01974e0e8128ca08820682128e
Opcode Fuzzy Hash: 986a822bce7ca011f216d48f7af6a3211f593fa79db41da865db71f2759db27f
Instruction Fuzzy Hash: 3D129D30614641EFDF22CF24C884BAABBE5BF45300F569569F895CB6A2C771EC42CB91

Function 003D74AB Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 003D74DE
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 003D759D
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 003D75DB
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 003D75ED
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 003D7633
GetClientRect.USER32(00000000,?), ref: 003D763F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 003D7683
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 003D7692
GetStockObject.GDI32(00000011), ref: 003D76A2
SelectObject.GDI32(00000000,00000000), ref: 003D76A6
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 003D76B6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 003D76BF
DeleteDC.GDI32(00000000), ref: 003D76C8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 003D76F4
SendMessageW.USER32(00000030,00000000,00000001), ref: 003D770B
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 003D7746
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 003D775A
SendMessageW.USER32(00000404,00000001,00000000), ref: 003D776B
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 003D779B
GetStockObject.GDI32(00000011), ref: 003D77A6
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 003D77B1
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 003D77BB

Strings

static, xrefs: 003D767D, 003D7795
msctls_progress32, xrefs: 003D773C
AutoIt v3, xrefs: 003D762B
DISPLAY, xrefs: 003D7688

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: ab5dadeb29b53afbdf15eda323c4150fde2b35368d74962d317e0c3b243aa4c9
Instruction ID: 37aba0aa763873870e99743a2ce73540a4e49df4eb2eccfb27bd1fb44205bbac
Opcode Fuzzy Hash: ab5dadeb29b53afbdf15eda323c4150fde2b35368d74962d317e0c3b243aa4c9
Instruction Fuzzy Hash: 46A18471A00615BFEB25DBA4DC49FAE777DEB09710F108215FA14AB2E0D7B0AD01CB64

Function 003CAD10 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 003CAD1E
GetDriveTypeW.KERNEL32(?,003EFAC0,?,\\.\,003EF910), ref: 003CADFB
SetErrorMode.KERNEL32(00000000,003EFAC0,?,\\.\,003EF910), ref: 003CAF59

Strings

RAMDisk, xrefs: 003CAE25
SATA, xrefs: 003CAF0C
PhysicalDrive, xrefs: 003CADA7
Unknown, xrefs: 003CAE1B, 003CAEBF
ATA, xrefs: 003CAED4
1394, xrefs: 003CAEDB
ATAPI, xrefs: 003CAECD
SSA, xrefs: 003CAEE2
Removable, xrefs: 003CAE4D
MMC, xrefs: 003CAF1A
\\.\, xrefs: 003CAD70
SCSI, xrefs: 003CAEC6
SAS, xrefs: 003CAF05
Fibre, xrefs: 003CAEE9
Network, xrefs: 003CAE39
USB, xrefs: 003CAEF0
CDROM, xrefs: 003CAE2F
FileBackedVirtual, xrefs: 003CAF28
SSD, xrefs: 003CAE86
Fixed, xrefs: 003CAE43
Virtual, xrefs: 003CAF21
iSCSI, xrefs: 003CAEFE
RAID, xrefs: 003CAEF7

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: a752ec6b6b71912533e09ae695150f896c8e81bc3709907f29179957d14ed4d2
Instruction ID: c0f80f204004e6a5069744047aafc9990cdf08c7dcd52c94c954b9fff9d4ff24
Opcode Fuzzy Hash: a752ec6b6b71912533e09ae695150f896c8e81bc3709907f29179957d14ed4d2
Instruction Fuzzy Hash: 0251B3B0648A0D9B8B02DB20CD82FBD73A4EF48308B30855FF407EB690CA74AD41DB56

Function 003668DC Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00366931
__wcsnicmp.LIBCMT ref: 00366949
__wcsnicmp.LIBCMT ref: 00366961
__wcsnicmp.LIBCMT ref: 00366979
__wcsnicmp.LIBCMT ref: 00366991
__wcsnicmp.LIBCMT ref: 003669A9
__wcsnicmp.LIBCMT ref: 003669C1
__wcsnicmp.LIBCMT ref: 003669D5
__wcsnicmp.LIBCMT ref: 00366A16
__wcsnicmp.LIBCMT ref: 00366A2A
__wcsnicmp.LIBCMT ref: 00366A3E
__wcsnicmp.LIBCMT ref: 00366A52

Strings

#include, xrefs: 003669A3
#notrayicon, xrefs: 00366943
#pragma compile, xrefs: 0036692B
Unterminated group of comments, xrefs: 0039E403
#requireadmin, xrefs: 0036695B
#comments-end, xrefs: 00366A38
#OnAutoItStartRegister, xrefs: 00366973
Bad directive syntax error, xrefs: 0039E31A
#cs, xrefs: 003669CF, 00366A24
#ce, xrefs: 00366A4C
Cannot parse #include, xrefs: 0039E3F0
#include-once, xrefs: 0036698B
#comments-start, xrefs: 003669BB, 00366A10

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: d807bfbb5a0a6fdb0106ea7cde538348eab900612a5f2c48feff0276b8f2f086
Instruction ID: eaccd9a74934b103b1d4003874998b834cf8663ee91c132ac638ac538f37f71e
Opcode Fuzzy Hash: d807bfbb5a0a6fdb0106ea7cde538348eab900612a5f2c48feff0276b8f2f086
Instruction Fuzzy Hash: 8181E5B1640305AADF23BB61DC83FBF37A8AF15740F048025FD05AF19AEB61DA45D6A1

Function 003EA8CA Relevance: 39.2, APIs: 26, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 003EA903
SetTextColor.GDI32(?,?), ref: 003EA907
GetSysColorBrush.USER32(0000000F), ref: 003EA91D
GetSysColor.USER32(0000000F), ref: 003EA928
CreateSolidBrush.GDI32(?), ref: 003EA92D
GetSysColor.USER32(00000011), ref: 003EA945
CreatePen.GDI32(00000000,00000001,00743C00), ref: 003EA953
SelectObject.GDI32(?,00000000), ref: 003EA964
SetBkColor.GDI32(?,00000000), ref: 003EA96D
SelectObject.GDI32(?,?), ref: 003EA97A
InflateRect.USER32(?,000000FF,000000FF), ref: 003EA999
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 003EA9B0
GetWindowLongW.USER32(00000000,000000F0), ref: 003EA9C5
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 003EA9ED
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 003EAA14
InflateRect.USER32(?,000000FD,000000FD), ref: 003EAA32
DrawFocusRect.USER32(?,?), ref: 003EAA3D
GetSysColor.USER32(00000011), ref: 003EAA4B
SetTextColor.GDI32(?,00000000), ref: 003EAA53
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 003EAA67
SelectObject.GDI32(?,003EA5FA), ref: 003EAA7E
DeleteObject.GDI32(?), ref: 003EAA89
SelectObject.GDI32(?,?), ref: 003EAA8F
DeleteObject.GDI32(?), ref: 003EAA94
SetTextColor.GDI32(?,?), ref: 003EAA9A
SetBkColor.GDI32(?,?), ref: 003EAAA4

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 597760553e6a28f5228bae860e15082665d1e6468ca0980ea60018519e8ae6b8
Instruction ID: 50d1458001a82b424cee2a74a2b1d6dea80c7ad36ca65aa070025a3583d1a12d
Opcode Fuzzy Hash: 597760553e6a28f5228bae860e15082665d1e6468ca0980ea60018519e8ae6b8
Instruction Fuzzy Hash: 7F514D71900658EFDF229FA5DC88EAE7B79EB48320F114225F911AB2E1D7B1A940DF50

Function 003E89D5 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 003E8AC1
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 003E8AD2
CharNextW.USER32(0000014E), ref: 003E8B01
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 003E8B42
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 003E8B58
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 003E8B69
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 003E8B86
SetWindowTextW.USER32(?,0000014E), ref: 003E8BD8
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 003E8BEE
SendMessageW.USER32(?,00001002,00000000,?), ref: 003E8C1F
_memset.LIBCMT ref: 003E8C44
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 003E8C8D
_memset.LIBCMT ref: 003E8CEC
SendMessageW.USER32(?,00001053,000000FF,?), ref: 003E8D16
SendMessageW.USER32(?,00001074,?,00000001), ref: 003E8D6E
SendMessageW.USER32(?,0000133D,?,?), ref: 003E8E1B
InvalidateRect.USER32(?,00000000,00000001), ref: 003E8E3D
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 003E8E87
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 003E8EB4
DrawMenuBar.USER32(?), ref: 003E8EC3
SetWindowTextW.USER32(?,0000014E), ref: 003E8EEB

Strings

0, xrefs: 003E8E55

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: d910119bb59fea0cb71c7bb365c8fae8d01be4776164fbe9d78b7ac1dd4a2a64
Instruction ID: 9c01809681362f92dc6fd8ee9f62f50fadf93a971d1c08ae04aa98e3226b9e81
Opcode Fuzzy Hash: d910119bb59fea0cb71c7bb365c8fae8d01be4776164fbe9d78b7ac1dd4a2a64
Instruction Fuzzy Hash: ECE183709002A8AFDF22DF51DC84EEE7B79EF05710F118266F919AA1D0DB709A81DF60

Function 003E488F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 003E49CA
GetDesktopWindow.USER32 ref: 003E49DF
GetWindowRect.USER32(00000000), ref: 003E49E6
GetWindowLongW.USER32(?,000000F0), ref: 003E4A48
DestroyWindow.USER32(?), ref: 003E4A74
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 003E4A9D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 003E4ABB
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 003E4AE1
SendMessageW.USER32(?,00000421,?,?), ref: 003E4AF6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 003E4B09
IsWindowVisible.USER32(?), ref: 003E4B29
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 003E4B44
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 003E4B58
GetWindowRect.USER32(?,?), ref: 003E4B70
MonitorFromPoint.USER32(?,?,00000002), ref: 003E4B96
GetMonitorInfoW.USER32(00000000,?), ref: 003E4BB0
CopyRect.USER32(?,?), ref: 003E4BC7
SendMessageW.USER32(?,00000412,00000000), ref: 003E4C32

Strings

0, xrefs: 003E4975
tooltips_class32, xrefs: 003E4A96
(, xrefs: 003E4BA3

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: af2ae4cbb0ba1d5d0e821e0bd1127f867138a35df030712ffe13fa4f56c1a66e
Instruction ID: e6f3e9d43c9eb8eb0b8c7b7e2224a475f0739ef4e9b977f5debd5132f856826b
Opcode Fuzzy Hash: af2ae4cbb0ba1d5d0e821e0bd1127f867138a35df030712ffe13fa4f56c1a66e
Instruction Fuzzy Hash: 13B19C70604390AFDB15DF65C884B6ABBE8FF88310F008A2DF5999B2A1D771EC05CB55

Function 003627D9 Relevance: 35.3, APIs: 18, Strings: 2, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 003628BC
GetSystemMetrics.USER32(00000007), ref: 003628C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 003628EF
GetSystemMetrics.USER32(00000008), ref: 003628F7
GetSystemMetrics.USER32(00000004), ref: 0036291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00362939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00362949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0036297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00362990
GetClientRect.USER32(00000000,000000FF), ref: 003629AE
GetStockObject.GDI32(00000011), ref: 003629CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 003629D5

Part of subcall function 00362344: GetCursorPos.USER32(?), ref: 00362357
Part of subcall function 00362344: ScreenToClient.USER32(004257B0,?), ref: 00362374
Part of subcall function 00362344: GetAsyncKeyState.USER32(00000001), ref: 00362399
Part of subcall function 00362344: GetAsyncKeyState.USER32(00000002), ref: 003623A7

SetTimer.USER32(00000000,00000000,00000028,00361256), ref: 003629FC

Strings

-es, xrefs: 00362912
AutoIt v3 GUI, xrefs: 00362974

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: -es$AutoIt v3 GUI
API String ID: 1458621304-1956769002
Opcode ID: c98aa02008a376d892e96324968bff2580d577133afe81834fad2bf37e8e5701
Instruction ID: 8945076a3ec82916408305ea3ce2c004ddb4cb636ce93b4c45370a8739cb87f0
Opcode Fuzzy Hash: c98aa02008a376d892e96324968bff2580d577133afe81834fad2bf37e8e5701
Instruction Fuzzy Hash: CCB18071600609DFDF26DFA8DC85BAE77B4FB48310F118225FA15AB2D4CBB49851CB54

Function 0039A8CB Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 211COMMONLIBRARYCODE

Download Yara Rule

APIs

_copy_environ.LIBCMT ref: 0039A92B
___wtomb_environ.LIBCMT ref: 0039A94D

Part of subcall function 00388B28: __getptd_noexit.LIBCMT ref: 00388B28

__malloc_crt.LIBCMT ref: 0039A975
__malloc_crt.LIBCMT ref: 0039A992
_free.LIBCMT ref: 0039A9C9
__recalloc_crt.LIBCMT ref: 0039AA02
__recalloc_crt.LIBCMT ref: 0039AA47
_strlen.LIBCMT ref: 0039AA73
__calloc_crt.LIBCMT ref: 0039AA7D
_strlen.LIBCMT ref: 0039AA8C
SetEnvironmentVariableA.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000), ref: 0039AABA
_free.LIBCMT ref: 0039AAD4
_free.LIBCMT ref: 0039AAE1
_free.LIBCMT ref: 0039AAF3
__invoke_watson.LIBCMT ref: 0039AB0D

Strings

{n8, xrefs: 0039AAAD
{n8, xrefs: 0039A932

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: _free$__malloc_crt__recalloc_crt_strlen$EnvironmentVariable___wtomb_environ__calloc_crt__getptd_noexit__invoke_watson_copy_environ
String ID: {n8${n8
API String ID: 884005220-1948551085
Opcode ID: 4b225dede8d8cb31e5be122acc44204f3528e27c940b01ba96b16a622605f2f2
Instruction ID: bdf89a6657c6df2ad69b1d61a867ad2a5defe350165ec0668c7de12a337cdd41
Opcode Fuzzy Hash: 4b225dede8d8cb31e5be122acc44204f3528e27c940b01ba96b16a622605f2f2
Instruction Fuzzy Hash: 8961E572904B05AFDF236F64DD0176A77A8FF00721F664365E801AB191DB78D941CBD2

Function 003BA439 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 003BA47A
__swprintf.LIBCMT ref: 003BA51B
_wcscmp.LIBCMT ref: 003BA52E
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 003BA583
_wcscmp.LIBCMT ref: 003BA5BF
GetClassNameW.USER32(?,?,00000400), ref: 003BA5F6
GetDlgCtrlID.USER32(?), ref: 003BA648
GetWindowRect.USER32(?,?), ref: 003BA67E
GetParent.USER32(?), ref: 003BA69C
ScreenToClient.USER32(00000000), ref: 003BA6A3
GetClassNameW.USER32(?,?,00000100), ref: 003BA71D
_wcscmp.LIBCMT ref: 003BA731
GetWindowTextW.USER32(?,?,00000400), ref: 003BA757
_wcscmp.LIBCMT ref: 003BA76B

Part of subcall function 0038362C: _iswctype.LIBCMT ref: 00383634

Strings

%s%u, xrefs: 003BA515

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 292361d21e89dd18cc83b7f40f7efc8cdd2345e8a6f23091e9e85a9c099c8b00
Instruction ID: 6e2b0b6292385114928e1dfb3262b5382f731e36f3678dafd7203fcfd68fbdbb
Opcode Fuzzy Hash: 292361d21e89dd18cc83b7f40f7efc8cdd2345e8a6f23091e9e85a9c099c8b00
Instruction Fuzzy Hash: 76A1C471204F06AFD716DF64C885BEAB7E8FF44358F004529FA99C6590DB30EA45CB92

Function 003BAED4 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 003BAF18
_wcscmp.LIBCMT ref: 003BAF29
GetWindowTextW.USER32(00000001,?,00000400), ref: 003BAF51
CharUpperBuffW.USER32(?,00000000), ref: 003BAF6E
_wcscmp.LIBCMT ref: 003BAF8C
_wcsstr.LIBCMT ref: 003BAF9D
GetClassNameW.USER32(00000018,?,00000400), ref: 003BAFD5
_wcscmp.LIBCMT ref: 003BAFE5
GetWindowTextW.USER32(00000002,?,00000400), ref: 003BB00C
GetClassNameW.USER32(00000018,?,00000400), ref: 003BB055
_wcscmp.LIBCMT ref: 003BB065
GetClassNameW.USER32(00000010,?,00000400), ref: 003BB08D
GetWindowRect.USER32(00000004,?), ref: 003BB0F6

Strings

ThumbnailClass, xrefs: 003BAFE0, 003BB060
@, xrefs: 003BAEF9

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: ce68e4e7a3e35dc3971abd49b7b6afd6ac7091c920bc369814553a32d7ce988a
Instruction ID: b4b482d3f0c820d0921c4ec5cbb9600f50391e2aa72949d9f4bbd9d0bd594607
Opcode Fuzzy Hash: ce68e4e7a3e35dc3971abd49b7b6afd6ac7091c920bc369814553a32d7ce988a
Instruction Fuzzy Hash: 5081CF711083059FDB12DF14C881BFAB7E8EF44718F04856AFE858A095DB74DE45CB61

Function 003EC5FE Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00362612: GetWindowLongW.USER32(?,000000EB), ref: 00362623

DragQueryPoint.SHELL32(?,?), ref: 003EC627

Part of subcall function 003EAB37: ClientToScreen.USER32(?,?), ref: 003EAB60
Part of subcall function 003EAB37: GetWindowRect.USER32(?,?), ref: 003EABD6
Part of subcall function 003EAB37: PtInRect.USER32(?,?,003EC014), ref: 003EABE6

SendMessageW.USER32(?,000000B0,?,?), ref: 003EC690
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 003EC69B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 003EC6BE
_wcscat.LIBCMT ref: 003EC6EE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 003EC705
SendMessageW.USER32(?,000000B0,?,?), ref: 003EC71E
SendMessageW.USER32(?,000000B1,?,?), ref: 003EC735
SendMessageW.USER32(?,000000B1,?,?), ref: 003EC757
DragFinish.SHELL32(?), ref: 003EC75E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 003EC851

Strings

@GUI_DRAGID, xrefs: 003EC7C9
pbB, xrefs: 003EC79B
@GUI_DRAGFILE, xrefs: 003EC800
@GUI_DROPID, xrefs: 003EC77E

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pbB
API String ID: 169749273-33125029
Opcode ID: c3328575586857c1007ed862a53f6cd3b17a0fde88e4ddfa8a1bfdbbea8bfdb9
Instruction ID: ea5b79ec9e6f17c6e3483cf75f10191c6b496df521f3720c933e7497498c47fa
Opcode Fuzzy Hash: c3328575586857c1007ed862a53f6cd3b17a0fde88e4ddfa8a1bfdbbea8bfdb9
Instruction Fuzzy Hash: 52616C71108341AFC712EF64DC85DAFBBE8EF89710F404A2EF5919A1E1DB709A49CB52

Function 003BABD4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 003BAC33

Strings

[LAST, xrefs: 003BACE0
[CLASS:, xrefs: 003BAC83
HANDLE=, xrefs: 003BAC2C
ACTIVE, xrefs: 003BAC0E
CLASSNAME=, xrefs: 003BAC70
[REGEXPTITLE:, xrefs: 003BAC5B
REGEXP=, xrefs: 003BAC48
[ALL, xrefs: 003BACD9
[ACTIVE, xrefs: 003BAC20
[HANDLE:, xrefs: 003BAC3F
ALL, xrefs: 003BACC7
LAST, xrefs: 003BABF8

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: c2e0a29d1076cba2c644fecc610c7e5d5f57241946fab1dc0c5955205ad51fcf
Instruction ID: f46f47d4be9a719d5b68257263f4a9d7883749c7063fff4da03bae8a0f8a7dfc
Opcode Fuzzy Hash: c2e0a29d1076cba2c644fecc610c7e5d5f57241946fab1dc0c5955205ad51fcf
Instruction Fuzzy Hash: EA310431A88A09A7CA12FA50DD03FEE7BB49F10794F70402AF541BA4D5EF656F048656

Function 003D4FFD Relevance: 25.6, APIs: 17, Instructions: 110COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 003D5013
LoadCursorW.USER32(00000000,00007F00), ref: 003D501E
LoadCursorW.USER32(00000000,00007F03), ref: 003D5029
LoadCursorW.USER32(00000000,00007F8B), ref: 003D5034
LoadCursorW.USER32(00000000,00007F01), ref: 003D503F
LoadCursorW.USER32(00000000,00007F81), ref: 003D504A
LoadCursorW.USER32(00000000,00007F88), ref: 003D5055
LoadCursorW.USER32(00000000,00007F80), ref: 003D5060
LoadCursorW.USER32(00000000,00007F86), ref: 003D506B
LoadCursorW.USER32(00000000,00007F83), ref: 003D5076
LoadCursorW.USER32(00000000,00007F85), ref: 003D5081
LoadCursorW.USER32(00000000,00007F82), ref: 003D508C
LoadCursorW.USER32(00000000,00007F84), ref: 003D5097
LoadCursorW.USER32(00000000,00007F04), ref: 003D50A2
LoadCursorW.USER32(00000000,00007F02), ref: 003D50AD
LoadCursorW.USER32(00000000,00007F89), ref: 003D50B8
GetCursorInfo.USER32(?), ref: 003D50C8

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: acef04a1691ed7d402b6eeaf0244213b63204e27412249d77c8221c22543d2a0
Instruction ID: b294713da227265ecbecd523568f8528cac6d83a90b62e7c538f65537a7cbc70
Opcode Fuzzy Hash: acef04a1691ed7d402b6eeaf0244213b63204e27412249d77c8221c22543d2a0
Instruction Fuzzy Hash: A33113B1D48319AADF119FB69C8996FBFECFF04750F50452BA50CE7280DA78A5048F91

Function 003EA1B9 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003EA259
DestroyWindow.USER32(?,?), ref: 003EA2D3

Part of subcall function 00367BCC: _memmove.LIBCMT ref: 00367C06

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 003EA34D
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 003EA36F
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 003EA382
DestroyWindow.USER32(00000000), ref: 003EA3A4
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00360000,00000000), ref: 003EA3DB
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 003EA3F4
GetDesktopWindow.USER32 ref: 003EA40D
GetWindowRect.USER32(00000000), ref: 003EA414
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 003EA42C
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 003EA444

Part of subcall function 003625DB: GetWindowLongW.USER32(?,000000EB), ref: 003625EC

Strings

0, xrefs: 003EA26F
tooltips_class32, xrefs: 003EA346, 003EA3D4

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 99587a2644709910e87b0aa6785b34e2667f1d0535ae0886753cededeb61bdd2
Instruction ID: 0c9f47ef533fd2e3b1a9f1444ca26df84b0923b839090c3036680a9488225e17
Opcode Fuzzy Hash: 99587a2644709910e87b0aa6785b34e2667f1d0535ae0886753cededeb61bdd2
Instruction Fuzzy Hash: FA719D70140684AFD722DF29CC49F667BE9FB88304F45462DF9859B2E0C7B4E902CB56

Function 003E4392 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 003E4424
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 003E446F

Strings

EXPAND, xrefs: 003E4521
GETTOTALCOUNT, xrefs: 003E4456
CHECK, xrefs: 003E448F
GETITEMCOUNT, xrefs: 003E4551
EXISTS, xrefs: 003E44D8
GETTEXT, xrefs: 003E45C2
COLLAPSE, xrefs: 003E44B5
SELECT, xrefs: 003E4620
ISCHECKED, xrefs: 003E45F2
UNCHECK, xrefs: 003E464B
GETSELECTED, xrefs: 003E457F

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: a07ea1873a3723ca54f3faf89b0979f9edbd379910f828ba1b4df459c1109461
Instruction ID: a3c21903c3770ffb72aae5cac2318d288445a338e13b09047dbda6be7b6b34b7
Opcode Fuzzy Hash: a07ea1873a3723ca54f3faf89b0979f9edbd379910f828ba1b4df459c1109461
Instruction Fuzzy Hash: B091AB746003108FCB0AEF11C452AAEB7E5AF99354F058969F8965F7E2CB34ED49CB81

Function 003EB7FE Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 003EB8B4
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,003E6B11,?), ref: 003EB910
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 003EB949
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 003EB98C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 003EB9C3
FreeLibrary.KERNEL32(?), ref: 003EB9CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 003EB9DF
DestroyIcon.USER32(?), ref: 003EB9EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 003EBA0B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 003EBA17

Part of subcall function 00382EFD: __wcsicmp_l.LIBCMT ref: 00382F86

Strings

.dll, xrefs: 003EB86D
.icl, xrefs: 003EB82A
.exe, xrefs: 003EB84A

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 5081ac8923bce381a38547af2c6779c3340795653ff40cd3525605cf1eaeadc4
Instruction ID: ba2e5571981742d7de27db7519ab3c54047ea8a525ba8d311e345a486cf4a3d8
Opcode Fuzzy Hash: 5081ac8923bce381a38547af2c6779c3340795653ff40cd3525605cf1eaeadc4
Instruction Fuzzy Hash: 7461C071500269BFEB16DF65CC81FBBB7ACEB08710F108216F915DA1D1DBB4A980DBA0

Function 003CDC1A Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 003CDCDC
SystemTimeToFileTime.KERNEL32(?,?), ref: 003CDCEC
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 003CDCF8
__wsplitpath.LIBCMT ref: 003CDD56
_wcscat.LIBCMT ref: 003CDD6E
_wcscat.LIBCMT ref: 003CDD80
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 003CDD95
SetCurrentDirectoryW.KERNEL32(?), ref: 003CDDA9
SetCurrentDirectoryW.KERNEL32(?), ref: 003CDDDB
SetCurrentDirectoryW.KERNEL32(?), ref: 003CDDFC
_wcscpy.LIBCMT ref: 003CDE08
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 003CDE47

Strings

*.*, xrefs: 003CDE02

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: 181bbf33ec8eb13bb0ef57bc5190141ec50472283e2233800cdefe7362d252ce
Instruction ID: 63eb0c0c7a0c361ae459d3cdb654d8b8839f391e8278b833a96d59a02ade4d08
Opcode Fuzzy Hash: 181bbf33ec8eb13bb0ef57bc5190141ec50472283e2233800cdefe7362d252ce
Instruction Fuzzy Hash: D06159765042459FCB11EF60C844EAEB3E8BF89314F04892EF999CB251DB71ED45CB92

Function 003C9C38 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 003C9C7F

Part of subcall function 00367DE1: _memmove.LIBCMT ref: 00367E22

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 003C9CA0
__swprintf.LIBCMT ref: 003C9CF9
__swprintf.LIBCMT ref: 003C9D12
_wprintf.LIBCMT ref: 003C9DB9
_wprintf.LIBCMT ref: 003C9DD7

Strings

Error: , xrefs: 003C9D81
Line %d (File "%s"):, xrefs: 003C9CF3, 003C9D0C
Incorrect parameters to object property !, xrefs: 003C9D5B
"%s" (%d) : ==> %s:%s%s, xrefs: 003C9DB4
"%s" (%d) : ==> %s:, xrefs: 003C9DD2
^ ERROR , xrefs: 003C9D4E

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-3080491070
Opcode ID: 32ef6fa84724fe6c131be6202bbdbb8d9a09eda574c937ec69af9e13becda8be
Instruction ID: 6b216ffa711c790f23f49b5a254fc7afdf0b033c1b4401397eb3c7399335a6bb
Opcode Fuzzy Hash: 32ef6fa84724fe6c131be6202bbdbb8d9a09eda574c937ec69af9e13becda8be
Instruction Fuzzy Hash: D4517232900509AACF16FBE0CD46EEEB778AF14304F60406AF505B61A1DB352F59DF65

Function 003CA352 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00369837: __itow.LIBCMT ref: 00369862
Part of subcall function 00369837: __swprintf.LIBCMT ref: 003698AC

CharLowerBuffW.USER32(?,?), ref: 003CA3CB
GetDriveTypeW.KERNEL32 ref: 003CA418
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 003CA460
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 003CA497
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 003CA4C5

Part of subcall function 00367BCC: _memmove.LIBCMT ref: 00367C06

Strings

set cd door , xrefs: 003CA466
open , xrefs: 003CA427
wait, xrefs: 003CA482
close cd wait, xrefs: 003CA4B0
close, xrefs: 003CA3D1
open, xrefs: 003CA3F2
type cdaudio alias cd wait, xrefs: 003CA443
closed, xrefs: 003CA3DF, 003CA3E8

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 92405b2ecfdb4ca765f022be9bb20a8bd737eb0668229cb02bbd2338bd909cfb
Instruction ID: 845767d8fdf54337c6f80f7134c570832cf736c1ed9a3076188f922fd455bcdb
Opcode Fuzzy Hash: 92405b2ecfdb4ca765f022be9bb20a8bd737eb0668229cb02bbd2338bd909cfb
Instruction Fuzzy Hash: EB517E711047049FC705EF21C881D6AB3E8FF98758F50896DF89A9B2A1DB71ED09CB52

Function 003BF8AA Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,0039E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 003BF8DF
LoadStringW.USER32(00000000,?,0039E029,00000001), ref: 003BF8E8

Part of subcall function 00367DE1: _memmove.LIBCMT ref: 00367E22

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,0039E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 003BF90A
LoadStringW.USER32(00000000,?,0039E029,00000001), ref: 003BF90D
__swprintf.LIBCMT ref: 003BF95D
__swprintf.LIBCMT ref: 003BF96E
_wprintf.LIBCMT ref: 003BFA17
MessageBoxW.USER32(00000000,?,?,00011010), ref: 003BFA2E

Strings

Error: , xrefs: 003BF9E5
%s (%d) : ==> %s: %s %s, xrefs: 003BFA12
Line %d (File "%s"):, xrefs: 003BF957
Line %d:, xrefs: 003BF968
^ ERROR, xrefs: 003BF9C3

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: a7e8b8beea2cd33cb9d7b9a3d9ed50d2d0e904fe38e9ddfaa6a98764625ef808
Instruction ID: 4f1320faf510fe58d7d0e4d0fb015e85ce04d4582fb347b5b0f466d43973ea45
Opcode Fuzzy Hash: a7e8b8beea2cd33cb9d7b9a3d9ed50d2d0e904fe38e9ddfaa6a98764625ef808
Instruction Fuzzy Hash: 94414F7280020DAACF16FBE0DD86EEEB778AF14304F504065F605BA096EB756F49CB61

Function 003EBA33 Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 003EBA56
GetFileSize.KERNEL32(00000000,00000000), ref: 003EBA6D
GlobalAlloc.KERNEL32(00000002,00000000), ref: 003EBA78
CloseHandle.KERNEL32(00000000), ref: 003EBA85
GlobalLock.KERNEL32(00000000), ref: 003EBA8E
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 003EBA9D
GlobalUnlock.KERNEL32(00000000), ref: 003EBAA6
CloseHandle.KERNEL32(00000000), ref: 003EBAAD
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 003EBABE
OleLoadPicture.OLEAUT32(?,00000000,00000000,003F2CAC,?), ref: 003EBAD7
GlobalFree.KERNEL32(00000000), ref: 003EBAE7
GetObjectW.GDI32(?,00000018,000000FF), ref: 003EBB0B
CopyImage.USER32(?,00000000,?,?,00002000), ref: 003EBB36
DeleteObject.GDI32(00000000), ref: 003EBB5E
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 003EBB74

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 1264087974062c1a00af0fc93c5968f51abd941c5a72351876d860e96a9fa45c
Instruction ID: 0235d1cf4e1bcb3e1ae1539c16f163627d166b6937a1311645b755cb46bdf555
Opcode Fuzzy Hash: 1264087974062c1a00af0fc93c5968f51abd941c5a72351876d860e96a9fa45c
Instruction Fuzzy Hash: 09413B75500259EFDB239F66DC88EABBBBCEB89711F114268F905DB2A0D7709901CB60

Function 003CD899 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 003CDA10
_wcscat.LIBCMT ref: 003CDA28
_wcscat.LIBCMT ref: 003CDA3A
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 003CDA4F
SetCurrentDirectoryW.KERNEL32(?), ref: 003CDA63
GetFileAttributesW.KERNEL32(?), ref: 003CDA7B
SetFileAttributesW.KERNEL32(?,00000000), ref: 003CDA95
SetCurrentDirectoryW.KERNEL32(?), ref: 003CDAA7

Strings

*.*, xrefs: 003CDAE6

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: a7dc5b1ce00cddbd85c53ba745e1af958dec1878d10f02184ac40d6122d6e432
Instruction ID: 38349f71ff5e21c6f6c9e022378b1956485782a0fb3d6b11b44d5d3bb4f56507
Opcode Fuzzy Hash: a7dc5b1ce00cddbd85c53ba745e1af958dec1878d10f02184ac40d6122d6e432
Instruction Fuzzy Hash: B8814C765043419FCB66EF64C884E6AB7E8AB89310F15893EF889CB251E730ED45CB52

Function 003EC1AC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00362612: GetWindowLongW.USER32(?,000000EB), ref: 00362623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 003EC1FC
GetFocus.USER32 ref: 003EC20C
GetDlgCtrlID.USER32(00000000), ref: 003EC217
_memset.LIBCMT ref: 003EC342
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 003EC36D
GetMenuItemCount.USER32(?), ref: 003EC38D
GetMenuItemID.USER32(?,00000000), ref: 003EC3A0
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 003EC3D4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 003EC41C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 003EC454
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 003EC489

Strings

0, xrefs: 003EC33A

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 853518501655cbf70b723692104815d20e5f1250f42e020bc7cff72916ffcf44
Instruction ID: b75bdd8c52bd0fda7597bb587c35d3579004ab67729188f9ea61d97ade5ee47c
Opcode Fuzzy Hash: 853518501655cbf70b723692104815d20e5f1250f42e020bc7cff72916ffcf44
Instruction Fuzzy Hash: FD818E712183A19FDB22DF16C884A6FBBE8FB88314F014A2DF995972D1C770D906CB52

Function 003D731A Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 003D738F
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 003D739B
CreateCompatibleDC.GDI32(?), ref: 003D73A7
SelectObject.GDI32(00000000,?), ref: 003D73B4
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 003D7408
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 003D7444
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 003D7468
SelectObject.GDI32(00000006,?), ref: 003D7470
DeleteObject.GDI32(?), ref: 003D7479
DeleteDC.GDI32(00000006), ref: 003D7480
ReleaseDC.USER32(00000000,?), ref: 003D748B

Strings

(, xrefs: 003D7410

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: e87d8fd6aa40fbb3aaacc13fd8e6a0851b0ead05f8592bc6e1064e7468fa942a
Instruction ID: 97546114243909e2fcabf5df30a1f35fe066164ab8f3962686ea705f9e14c265
Opcode Fuzzy Hash: e87d8fd6aa40fbb3aaacc13fd8e6a0851b0ead05f8592bc6e1064e7468fa942a
Instruction Fuzzy Hash: 8B514C76904209EFCB26CFA8DC84AAEBBB9EF48310F14851AF95997250D771AD408B50

Function 00366A8C Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00380957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00366B0C,?,00008000), ref: 00380973

Part of subcall function 00364750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00364743,?,?,003637AE,?), ref: 00364770

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00366BAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00366CFA

Part of subcall function 0036586D: _wcscpy.LIBCMT ref: 003658A5

Part of subcall function 0038363D: _iswctype.LIBCMT ref: 00383645

Strings

AU3!, xrefs: 00366B61
#include depth exceeded. Make sure there are no recursive includes, xrefs: 0039E421
Unterminated string, xrefs: 0039E7E4
EA06, xrefs: 0039E452
Bad directive syntax error, xrefs: 0039E79D
>>>AUTOIT SCRIPT<<<, xrefs: 0039E496
Error opening the file, xrefs: 0039E43D, 0039E4B8

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: 4b69944f36f6af28e57be01959c79dd55f4ce349e06dfdb32b97bde626f443a9
Instruction ID: 20958010e23b040b8a751b825ec6b95ce947de89cf65c95ddacaef47433f6ece
Opcode Fuzzy Hash: 4b69944f36f6af28e57be01959c79dd55f4ce349e06dfdb32b97bde626f443a9
Instruction Fuzzy Hash: CA02BE311083419FCB26EF24C891AAFBBE5FF95354F10892DF4959B2A2DB30D949CB52

Function 003C2D36 Relevance: 19.7, APIs: 13, Instructions: 214windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003C2D50
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 003C2DDD
GetMenuItemCount.USER32(00425890), ref: 003C2E66
DeleteMenu.USER32(00425890,00000005,00000000,000000F5,?,?), ref: 003C2EF6
DeleteMenu.USER32(00425890,00000004,00000000), ref: 003C2EFE
DeleteMenu.USER32(00425890,00000006,00000000), ref: 003C2F06
DeleteMenu.USER32(00425890,00000003,00000000), ref: 003C2F0E
GetMenuItemCount.USER32(00425890), ref: 003C2F16
SetMenuItemInfoW.USER32(00425890,00000004,00000000,00000030), ref: 003C2F4C
GetCursorPos.USER32(?), ref: 003C2F56
SetForegroundWindow.USER32(00000000), ref: 003C2F5F
TrackPopupMenuEx.USER32(00425890,00000000,?,00000000,00000000,00000000), ref: 003C2F72
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 003C2F7E

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: 0ff13af35fade2981324e2f61bd7896e7b68913b16ead91b84be95fadeaf0cf9
Instruction ID: 6ccc0cc7b587e832c3c94ae962c3f4538fd7a4c09147ac6123a1e85b536a7f6a
Opcode Fuzzy Hash: 0ff13af35fade2981324e2f61bd7896e7b68913b16ead91b84be95fadeaf0cf9
Instruction Fuzzy Hash: 1771A270600259BEEB229F64DC89FABBF68FF05354F14421AF625EA1E1C7B16C10DB91

Function 003D88AB Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 003D88D7
CoInitialize.OLE32(00000000), ref: 003D8904
CoUninitialize.OLE32 ref: 003D890E
GetRunningObjectTable.OLE32(00000000,?), ref: 003D8A0E
SetErrorMode.KERNEL32(00000001,00000029), ref: 003D8B3B
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,003F2C0C), ref: 003D8B6F
CoGetObject.OLE32(?,00000000,003F2C0C,?), ref: 003D8B92
SetErrorMode.KERNEL32(00000000), ref: 003D8BA5
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 003D8C25
VariantClear.OLEAUT32(?), ref: 003D8C35

Strings

,,?, xrefs: 003D88C1

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID: ,,?
API String ID: 2395222682-1094787077
Opcode ID: 5c0c64602abdc4c21debcb99a27d4c37fc77db65c431f1c487796a8a8624b997
Instruction ID: 746aae8dc4c82b6e3482aa1c36c17a9c74daf26525238c8a751cf51950231374
Opcode Fuzzy Hash: 5c0c64602abdc4c21debcb99a27d4c37fc77db65c431f1c487796a8a8624b997
Instruction Fuzzy Hash: 48C114B2608305AFC701DF64D88496AB7E9FF89348F00491EF98A9B261DB71ED05CB52

Function 003B77DC Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00367BCC: _memmove.LIBCMT ref: 00367C06

_memset.LIBCMT ref: 003B786B
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 003B78A0
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 003B78BC
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 003B78D8
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 003B7902
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 003B792A
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 003B7935
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 003B793A

Strings

SOFTWARE\Classes\, xrefs: 003B780C
\CLSID, xrefs: 003B7822
\IPC$, xrefs: 003B7882

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: 36eeee743fa76c6646039fc131b7f8be3bb74e4ed214a8829c6bac3736c974b2
Instruction ID: 9474370826fde9a1d27230c7b9ec28c756a0dbeada095f094e5d15620787df6b
Opcode Fuzzy Hash: 36eeee743fa76c6646039fc131b7f8be3bb74e4ed214a8829c6bac3736c974b2
Instruction Fuzzy Hash: 61411872C1422DABCF22EBA4DC85DEDB7B8FF44314F418169E915AB1A5DB709E04CB90

Function 003E0E1A Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,003DFDAD,?,?), ref: 003E0E31

Strings

HKEY_USERS, xrefs: 003E0F32
HKCU, xrefs: 003E0F21
HKCR, xrefs: 003E0ED9
HKU, xrefs: 003E0F43
HKCC, xrefs: 003E0EFF
HKEY_LOCAL_MACHINE, xrefs: 003E0E9A
HKLM, xrefs: 003E0EAF
HKEY_CURRENT_USER, xrefs: 003E0F10
HKEY_CLASSES_ROOT, xrefs: 003E0EC4
HKEY_CURRENT_CONFIG, xrefs: 003E0EEE

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 5635db026eba6fd85b378bca01a37397cbc27834a421c97757aa682e9615fe77
Instruction ID: 84a61d1c85112a3de9fa92fa7cfa81084289e26a077c596ab975b0898f7f391d
Opcode Fuzzy Hash: 5635db026eba6fd85b378bca01a37397cbc27834a421c97757aa682e9615fe77
Instruction Fuzzy Hash: BE41B03150439A8BCF1AEF10D8A2AEF3364AF11304F454565FC911B295DB789DAACBA0

Function 003BF7A1 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,0039E2A0,00000010,?,Bad directive syntax error,003EF910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 003BF7C2
LoadStringW.USER32(00000000,?,0039E2A0,00000010), ref: 003BF7C9

Part of subcall function 00367DE1: _memmove.LIBCMT ref: 00367E22

_wprintf.LIBCMT ref: 003BF7FC
__swprintf.LIBCMT ref: 003BF81E
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 003BF88D

Strings

Line %d (File "%s"):, xrefs: 003BF833
Line %d:, xrefs: 003BF818
%s (%d) : ==> %s.: %s %s, xrefs: 003BF7F7
Error: , xrefs: 003BF85B
., xrefs: 003BF873

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: 7b6ada2ce4853b7387d1ec0b6cb46fef6f70de5f2a68a5cac7e0759be7a21dcd
Instruction ID: bc008beeb485bf39a46aa74906f94a25dd616f096297ed4a6b57c3531926154e
Opcode Fuzzy Hash: 7b6ada2ce4853b7387d1ec0b6cb46fef6f70de5f2a68a5cac7e0759be7a21dcd
Instruction Fuzzy Hash: B6213C3290021EEFCF13AF90CC4AEEE7779BF18304F04486AF5156A1A2EA719658DB51

Function 003C52C7 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00367BCC: _memmove.LIBCMT ref: 00367C06

Part of subcall function 00367924: _memmove.LIBCMT ref: 003679AD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 003C5330
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 003C5346
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 003C5357
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 003C5369
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 003C537A

Strings

close PlayMe, xrefs: 003C5341, 003C536E
open , xrefs: 003C52DF
status PlayMe mode, xrefs: 003C532B
play PlayMe, xrefs: 003C5375
alias PlayMe, xrefs: 003C5309
play PlayMe wait, xrefs: 003C5364

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 5c965bb7f71f457169cbf1d251d3f40f89602751e635fc96a3572c32502edf73
Instruction ID: e45ef0be6072be581803c245f6ae6a1f44f8efa3fd3e087cfd17244bdc49f000
Opcode Fuzzy Hash: 5c965bb7f71f457169cbf1d251d3f40f89602751e635fc96a3572c32502edf73
Instruction Fuzzy Hash: 29118231A5016979D721B661CC4AFFF7BBCEBD5B84F50042EB411E60D5DEA01D84CAA4

Function 003C46B7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 003C46D2
gethostname.WSOCK32(?,00000100), ref: 003C46EC
gethostbyname.WSOCK32(?), ref: 003C46F9
_wcscpy.LIBCMT ref: 003C4721
_memmove.LIBCMT ref: 003C4734
inet_ntoa.WSOCK32(?), ref: 003C473F
_strcat.LIBCMT ref: 003C474D
_wcscpy.LIBCMT ref: 003C4764
WSACleanup.WSOCK32 ref: 003C4772
_wcscpy.LIBCMT ref: 003C4780

Strings

0.0.0.0, xrefs: 003C471B

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: d894d4ec1f83ed4283f7690834220d2bb78acfa263f1123b50d5c11474dbd5d1
Instruction ID: 20edce0676322692a08db4af5df5a25c749d8c4fa272f21b0a8a73dbc74a8a7d
Opcode Fuzzy Hash: d894d4ec1f83ed4283f7690834220d2bb78acfa263f1123b50d5c11474dbd5d1
Instruction Fuzzy Hash: 8011D531900214AFCB27BB309C86FDA77BCEB01711F0502BAF855DA091EFB59E858750

Function 003C4F75 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 003C4F7A

Part of subcall function 0038049F: timeGetTime.WINMM(?,75C0B400,00370E7B), ref: 003804A3

Sleep.KERNEL32(0000000A), ref: 003C4FA6
EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 003C4FCA
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 003C4FEC
SetActiveWindow.USER32 ref: 003C500B
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 003C5019
SendMessageW.USER32(00000010,00000000,00000000), ref: 003C5038
Sleep.KERNEL32(000000FA), ref: 003C5043
IsWindow.USER32 ref: 003C504F
EndDialog.USER32(00000000), ref: 003C5060

Strings

BUTTON, xrefs: 003C4FDE

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: b3df05cc126145e132f874779a8ed5799d08a00a75e5059587117f619a1ea79f
Instruction ID: c483e73b72d4bac21d754b2f7802e5e924b264e983573ee246d47fe59309a152
Opcode Fuzzy Hash: b3df05cc126145e132f874779a8ed5799d08a00a75e5059587117f619a1ea79f
Instruction Fuzzy Hash: 20215470204644BFE7325B20ECC8F263A6DEB55749F46113CF501CA1E1CAB19E919B66

Function 003CD58D Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00369837: __itow.LIBCMT ref: 00369862
Part of subcall function 00369837: __swprintf.LIBCMT ref: 003698AC

CoInitialize.OLE32(00000000), ref: 003CD5EA
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 003CD67D
SHGetDesktopFolder.SHELL32(?), ref: 003CD691
CoCreateInstance.OLE32(003F2D7C,00000000,00000001,00418C1C,?), ref: 003CD6DD
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 003CD74C
CoTaskMemFree.OLE32(?,?), ref: 003CD7A4
_memset.LIBCMT ref: 003CD7E1
SHBrowseForFolderW.SHELL32(?), ref: 003CD81D
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 003CD840
CoTaskMemFree.OLE32(00000000), ref: 003CD847
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 003CD87E
CoUninitialize.OLE32(00000001,00000000), ref: 003CD880

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 087ce328a5b96a264dd67fc81942dde9a770e29dcb4b90185c883ffc03dd9672
Instruction ID: e7c9af46e04fd33ff54d975446f107e2be1e60160744028c00d8ef4b072e064d
Opcode Fuzzy Hash: 087ce328a5b96a264dd67fc81942dde9a770e29dcb4b90185c883ffc03dd9672
Instruction Fuzzy Hash: 33B1F975A00109AFDB15DFA4C885EAEBBB9FF48304F1485A9F909EB261DB30ED45CB50

Function 003BC267 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 003BC283
GetWindowRect.USER32(00000000,?), ref: 003BC295
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 003BC2F3
GetDlgItem.USER32(?,00000002), ref: 003BC2FE
GetWindowRect.USER32(00000000,?), ref: 003BC310
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 003BC364
GetDlgItem.USER32(?,000003E9), ref: 003BC372
GetWindowRect.USER32(00000000,?), ref: 003BC383
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 003BC3C6
GetDlgItem.USER32(?,000003EA), ref: 003BC3D4
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 003BC3F1
InvalidateRect.USER32(?,00000000,00000001), ref: 003BC3FE

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 5bc63f73efca4f3e5d63334ab7ff9499d4651afc3b222d9bc9b679d2c14af982
Instruction ID: 0cc4d3675484d8d0307853c010ad93c73823edccd7a8f888986324696ef948bd
Opcode Fuzzy Hash: 5bc63f73efca4f3e5d63334ab7ff9499d4651afc3b222d9bc9b679d2c14af982
Instruction Fuzzy Hash: 47514571B10205AFDF19CFA9DD95AAEBBBAEB88710F14852DF619D72D0D7B09D008B10

Function 0036201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00361B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00362036,?,00000000,?,?,?,?,003616CB,00000000,?), ref: 00361B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 003620D3
KillTimer.USER32(-00000001,?,?,?,?,003616CB,00000000,?,?,00361AE2,?,?), ref: 0036216E
DestroyAcceleratorTable.USER32(00000000), ref: 0039BCA6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,003616CB,00000000,?,?,00361AE2,?,?), ref: 0039BCD7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,003616CB,00000000,?,?,00361AE2,?,?), ref: 0039BCEE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,003616CB,00000000,?,?,00361AE2,?,?), ref: 0039BD0A
DeleteObject.GDI32(00000000), ref: 0039BD1C

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 978596c4a0a4317b8916a04c6c44012a6e8cdd63344d66a6efb6e790501c57a7
Instruction ID: bb28aab3e1e019db7ebe4f3dec72326c906aee24782f1994472ea162c4f511d2
Opcode Fuzzy Hash: 978596c4a0a4317b8916a04c6c44012a6e8cdd63344d66a6efb6e790501c57a7
Instruction Fuzzy Hash: 88618C30201A50DFCB37AF14D988B2AB7F5FB40312F52C529E5429B9B8C7B4A891DF54

Function 003621A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 003625DB: GetWindowLongW.USER32(?,000000EB), ref: 003625EC

GetSysColor.USER32(0000000F), ref: 003621D3

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: ce9ae9ed0905cb4b71766bf660905bbeb69d4b1df5f9c67c68e321c990354f46
Instruction ID: 357a0d9da4ea80a5aa9f6c74d67a81a56fb5f13e11353e677db2405f4f8a1b47
Opcode Fuzzy Hash: ce9ae9ed0905cb4b71766bf660905bbeb69d4b1df5f9c67c68e321c990354f46
Instruction Fuzzy Hash: F5419F311009449FDB235F28EC98BBA3B69EB06321F168765FE658E1E9C7718D42DB21

Function 003CA8A7 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,003EF910), ref: 003CA90B
GetDriveTypeW.KERNEL32(00000061,004189A0,00000061), ref: 003CA9D5
_wcscpy.LIBCMT ref: 003CA9FF

Strings

cdrom, xrefs: 003CA927
network, xrefs: 003CA969
removable, xrefs: 003CA93D
ramdisk, xrefs: 003CA97F
unknown, xrefs: 003CA996
fixed, xrefs: 003CA953
all, xrefs: 003CA911

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: e98d87326a9310e07bc2da509a46801002bcd0a56805874843dbe9de2e25e5e3
Instruction ID: 53ad8a402c02e5fb258b5fe595a38965cd56abc9d80557abdd29fe9a25e93d35
Opcode Fuzzy Hash: e98d87326a9310e07bc2da509a46801002bcd0a56805874843dbe9de2e25e5e3
Instruction Fuzzy Hash: 8751A0355183049BC706EF14C892FAFB7A9EF84308F15882DF4959B2A2DB319D09CB53

Function 00369837 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00369862
__swprintf.LIBCMT ref: 003698AC
__i64tow.LIBCMT ref: 0039F5E6

Strings

True, xrefs: 0039F5A7
False, xrefs: 0039F5AE
%.15g, xrefs: 003698A6
0x%p, xrefs: 0039F5C8

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 4e9ea6cbd0b50ab618976af17f63edd6d8c9f14003b081d1817dbe9fcaabc242
Instruction ID: cc2fa0a2fb218c562da61c9b174cae607d5a8a5fd2511ac1a725399ea1effda5
Opcode Fuzzy Hash: 4e9ea6cbd0b50ab618976af17f63edd6d8c9f14003b081d1817dbe9fcaabc242
Instruction Fuzzy Hash: 0C41C571504309AFDB26EF34D842B7A73ECEF06310F2184AEE549DB295EA3199458B10

Function 003E7152 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003E716A
CreateMenu.USER32 ref: 003E7185
SetMenu.USER32(?,00000000), ref: 003E7194
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 003E7221
IsMenu.USER32(?), ref: 003E7237
CreatePopupMenu.USER32 ref: 003E7241
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 003E726E
DrawMenuBar.USER32 ref: 003E7276

Strings

F, xrefs: 003E7262
0, xrefs: 003E7160

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 90b945406cc4f1e3dfd43082aba7d58a063386b4f52434290e4ba924abf718b6
Instruction ID: f9a96d6a6b848b31b394177bb134a5ab5474654dced76d3a0a81df6f0fe26a6f
Opcode Fuzzy Hash: 90b945406cc4f1e3dfd43082aba7d58a063386b4f52434290e4ba924abf718b6
Instruction Fuzzy Hash: AA418B74A01255EFDB21DF65E884EDA7BB9FF49300F154628FA059B390D771A910CF90

Function 003E74BB Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 003E755E
CreateCompatibleDC.GDI32(00000000), ref: 003E7565
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 003E7578
SelectObject.GDI32(00000000,00000000), ref: 003E7580
GetPixel.GDI32(00000000,00000000,00000000), ref: 003E758B
DeleteDC.GDI32(00000000), ref: 003E7594
GetWindowLongW.USER32(?,000000EC), ref: 003E759E
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 003E75B2
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 003E75BE

Strings

static, xrefs: 003E74F6

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 551c609da1ed0eaa1dacffac07c8d7c1598db90d4e0a6733e17a6664ba94464a
Instruction ID: dd9727c1ef3430c14b29751d8e86866885766670b765f714f5599b5130b845f3
Opcode Fuzzy Hash: 551c609da1ed0eaa1dacffac07c8d7c1598db90d4e0a6733e17a6664ba94464a
Instruction Fuzzy Hash: D2314B311041A4AFDF229F65DC48FEA3B69EF0A360F114325FA159A0E0C771D811DB64

Function 00386E03 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00386E3E

Part of subcall function 00388B28: __getptd_noexit.LIBCMT ref: 00388B28

__gmtime64_s.LIBCMT ref: 00386ED7
__gmtime64_s.LIBCMT ref: 00386F0D
__gmtime64_s.LIBCMT ref: 00386F2A
__allrem.LIBCMT ref: 00386F80
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00386F9C
__allrem.LIBCMT ref: 00386FB3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00386FD1
__allrem.LIBCMT ref: 00386FE8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00387006
__invoke_watson.LIBCMT ref: 00387077

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction ID: 0e2aa96672b93929e9d3ad3ad2af52e460d1ddd8028a3ae429bc9c0867a51d97
Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction Fuzzy Hash: E17118B6A00717ABDB16FF78DC42B5AB3A9AF04324F154269F514DB681E770ED408790

Function 003C2527 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003C2542
GetMenuItemInfoW.USER32(00425890,000000FF,00000000,00000030), ref: 003C25A3
SetMenuItemInfoW.USER32(00425890,00000004,00000000,00000030), ref: 003C25D9
Sleep.KERNEL32(000001F4), ref: 003C25EB
GetMenuItemCount.USER32(?), ref: 003C262F
GetMenuItemID.USER32(?,00000000), ref: 003C264B
GetMenuItemID.USER32(?,-00000001), ref: 003C2675
GetMenuItemID.USER32(?,?), ref: 003C26BA
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 003C2700
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 003C2714
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 003C2735

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 38f60f574c66be1445e966f9c3aa66072c0445151f23b3d72795041f6a8d5440
Instruction ID: c92ebf092420adf6e46d6028ca54f78b7e99af665ee9335c4922232fa9e0b23b
Opcode Fuzzy Hash: 38f60f574c66be1445e966f9c3aa66072c0445151f23b3d72795041f6a8d5440
Instruction Fuzzy Hash: 8D617A74900249EFDB22DF64CC88EAFBBB8EB46304F15056DE842E7291D771AD15DB21

Function 003E6F23 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 003E6FA5
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 003E6FA8
GetWindowLongW.USER32(?,000000F0), ref: 003E6FCC
_memset.LIBCMT ref: 003E6FDD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 003E6FEF
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 003E7067

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 6382548fe3a6409434a88b966b73552afa5fc9f800f3794532607a477fe6dabd
Instruction ID: c44a6c44a9602b4559878fe6204464e5f0a16679e6fd5e7c12b6920680024a46
Opcode Fuzzy Hash: 6382548fe3a6409434a88b966b73552afa5fc9f800f3794532607a477fe6dabd
Instruction Fuzzy Hash: 47616C75A00258AFDB12DFA5DC81EEE77B8EB09710F104269FA14EB2E1C771AD41DB50

Function 003B6B98 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 003B6BBF
SafeArrayAllocData.OLEAUT32(?), ref: 003B6C18
VariantInit.OLEAUT32(?), ref: 003B6C2A
SafeArrayAccessData.OLEAUT32(?,?), ref: 003B6C4A
VariantCopy.OLEAUT32(?,?), ref: 003B6C9D
SafeArrayUnaccessData.OLEAUT32(?), ref: 003B6CB1
VariantClear.OLEAUT32(?), ref: 003B6CC6
SafeArrayDestroyData.OLEAUT32(?), ref: 003B6CD3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 003B6CDC
VariantClear.OLEAUT32(?), ref: 003B6CEE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 003B6CF9

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 503642b5a7a68e1f356157adf28282ae0800ca75e0bd473524abdf81ae1c8d75
Instruction ID: 455aaadac2c57ab99dec0f220e1807d5859aaa1e8b9348c871cb255e6d3ebedf
Opcode Fuzzy Hash: 503642b5a7a68e1f356157adf28282ae0800ca75e0bd473524abdf81ae1c8d75
Instruction Fuzzy Hash: 3B4172319001199FCF12DFA5D885DEEBBBDEF08304F008169E955AB2A1CB74A945CF90

Function 003D5732 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 003D5793
inet_addr.WSOCK32(?,?,?), ref: 003D57D8
gethostbyname.WSOCK32(?), ref: 003D57E4
IcmpCreateFile.IPHLPAPI ref: 003D57F2
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 003D5862
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 003D5878
IcmpCloseHandle.IPHLPAPI(00000000), ref: 003D58ED
WSACleanup.WSOCK32 ref: 003D58F3

Strings

Ping, xrefs: 003D5816

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 878c8deda215602cb41df8b85bc7d0cddb6baf3d86a0e46b3d487d69df93429f
Instruction ID: f68f8e112e60e7582b3bd21dc39567e5dcf89704a69177f93e63ec3fd6923cb3
Opcode Fuzzy Hash: 878c8deda215602cb41df8b85bc7d0cddb6baf3d86a0e46b3d487d69df93429f
Instruction Fuzzy Hash: 7B5160726047009FDB229F24EC85B6A7BE8EF48710F15852AF956DB3E1DB70E904DB41

Function 003CB4C3 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 003CB4D0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 003CB546
GetLastError.KERNEL32 ref: 003CB550
SetErrorMode.KERNEL32(00000000,READY), ref: 003CB5BD

Strings

INVALID, xrefs: 003CB58F
READONLY, xrefs: 003CB588
UNKNOWN, xrefs: 003CB575
NOTREADY, xrefs: 003CB57C
READY, xrefs: 003CB596

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 675e1ae6434c8d5a36f288ae7529787041e2d5b78085b750a87a656984a1ad7f
Instruction ID: 4fd1f8ede322d6ec35c4ea8b2e5d407735ca3b636d81c6563b8658d8f6b4b617
Opcode Fuzzy Hash: 675e1ae6434c8d5a36f288ae7529787041e2d5b78085b750a87a656984a1ad7f
Instruction Fuzzy Hash: 5831A235A40209DFCB12EB68C886FADB7B8EF46310F10812EF505DB291DB719E46CB40

Function 003B8F8F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00367DE1: _memmove.LIBCMT ref: 00367E22

Part of subcall function 003BAA99: GetClassNameW.USER32(?,?,000000FF), ref: 003BAABC

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 003B9014
GetDlgCtrlID.USER32 ref: 003B901F
GetParent.USER32 ref: 003B903B
SendMessageW.USER32(00000000,?,00000111,?), ref: 003B903E
GetDlgCtrlID.USER32(?), ref: 003B9047
GetParent.USER32(?), ref: 003B9063
SendMessageW.USER32(00000000,?,?,00000111), ref: 003B9066

Strings

ComboBox, xrefs: 003B8F9C
ListBox, xrefs: 003B8FD1

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: a76f3e8eff095352e97386b9004477baead8af1d5a716d5464594ea696b2e872
Instruction ID: 66097b0db8f9d8894c910e9bed2750b433406b42a2e6d11080a7b60838521c67
Opcode Fuzzy Hash: a76f3e8eff095352e97386b9004477baead8af1d5a716d5464594ea696b2e872
Instruction Fuzzy Hash: 0721F870A00148BFDF16ABA0CC85EFEBB78EF45310F10421AFA619B2E1DB795815DB20

Function 003B907A Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00367DE1: _memmove.LIBCMT ref: 00367E22

Part of subcall function 003BAA99: GetClassNameW.USER32(?,?,000000FF), ref: 003BAABC

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 003B90FD
GetDlgCtrlID.USER32 ref: 003B9108
GetParent.USER32 ref: 003B9124
SendMessageW.USER32(00000000,?,00000111,?), ref: 003B9127
GetDlgCtrlID.USER32(?), ref: 003B9130
GetParent.USER32(?), ref: 003B914C
SendMessageW.USER32(00000000,?,?,00000111), ref: 003B914F

Strings

ComboBox, xrefs: 003B9087
ListBox, xrefs: 003B90BC

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 4eb9b38e256c53a715850f7dd550540b25e4dc252bc73eee275fa942ae6e34a0
Instruction ID: c0ef677df9af5fdfb6554325ae050663006b3d435c3d241aa61bc28442032cbb
Opcode Fuzzy Hash: 4eb9b38e256c53a715850f7dd550540b25e4dc252bc73eee275fa942ae6e34a0
Instruction Fuzzy Hash: AF21C575A00148BFDF12ABA4CC85FFEBBB8EF44300F104116BA519B2A6DB759955DB20

Function 003B9163 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 003B916F
GetClassNameW.USER32(00000000,?,00000100), ref: 003B9184
_wcscmp.LIBCMT ref: 003B9196
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 003B9211

Strings

list, xrefs: 003B91F3
largeicons, xrefs: 003B91A5
SHELLDLL_DefView, xrefs: 003B9190
details, xrefs: 003B91BF
smallicons, xrefs: 003B91D9

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 2c59795b87d88ce78261c8c3677ad36871d86e5f626ace531bbf87e8bb62734f
Instruction ID: 0cf7add47df7fa43250434b98afe61c40f08e17ccd4e354f05c41443cec0abc4
Opcode Fuzzy Hash: 2c59795b87d88ce78261c8c3677ad36871d86e5f626ace531bbf87e8bb62734f
Instruction Fuzzy Hash: CE110D7A6883077AFA133624DC06FE7379C9B15764B300457FB00AC8D1EE6169515658

Function 003C7990 Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 003C7A6C

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: 8f69046323c6657448d458679550fcbdcff63b771389fec986dcd79a7c9b73fa
Instruction ID: 8a919983f27f6f705bfc2aef712300a89c12f3ac29e293452b5515f8e0e72796
Opcode Fuzzy Hash: 8f69046323c6657448d458679550fcbdcff63b771389fec986dcd79a7c9b73fa
Instruction Fuzzy Hash: 26B17B7190420A9FDB12DFA5C885FBEB7B8EF09321F218469E901EB291D774AD41CF90

Function 003C11CE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 003C11F0
GetForegroundWindow.USER32(00000000,?,?,?,?,?,003C0268,?,00000001), ref: 003C1204
GetWindowThreadProcessId.USER32(00000000), ref: 003C120B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,003C0268,?,00000001), ref: 003C121A
GetWindowThreadProcessId.USER32(?,00000000), ref: 003C122C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,003C0268,?,00000001), ref: 003C1245
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,003C0268,?,00000001), ref: 003C1257
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,003C0268,?,00000001), ref: 003C129C
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,003C0268,?,00000001), ref: 003C12B1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,003C0268,?,00000001), ref: 003C12BC

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 2dfbee637dd2abb5ecdaa749aed41a06e50545d4a027a5e039241e902d52b933
Instruction ID: 54a2c79dd0e5dd300c4e984aa774cfef33a299f9bb0c04edd65e69cdb90ae413
Opcode Fuzzy Hash: 2dfbee637dd2abb5ecdaa749aed41a06e50545d4a027a5e039241e902d52b933
Instruction Fuzzy Hash: 7E31D279600208FFDF329F54ED88F6A37ADEB56311F138629FA01CA1A1DBB49D409B54

Function 0036FA5D Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0036FAA6
OleUninitialize.OLE32(?,00000000), ref: 0036FB45
UnregisterHotKey.USER32(?), ref: 0036FC9C
DestroyWindow.USER32(?), ref: 003A45D6
FreeLibrary.KERNEL32(?), ref: 003A463B
VirtualFree.KERNEL32(?,00000000,00008000), ref: 003A4668

Strings

close all, xrefs: 0036FAA1

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 3ce72fe5271e583f7831800547455ea47578f9fe3e317b5339355523226a8422
Instruction ID: f9151d903fa88e7a1682ca0294e1c797bbb18a0a783b0532f3acbd0704c09a86
Opcode Fuzzy Hash: 3ce72fe5271e583f7831800547455ea47578f9fe3e317b5339355523226a8422
Instruction Fuzzy Hash: 95A15831701212CFCB2AEF14D995A69F7A4FF56700F1582ADE80AAB265CB70AD16CF50

Function 003D9113 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003D9167
VariantInit.OLEAUT32(?), ref: 003D9238
VariantInit.OLEAUT32(?), ref: 003D9339
VariantClear.OLEAUT32(?), ref: 003D9343
VariantClear.OLEAUT32(?), ref: 003D93A0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 003D931C
Null Object assignment in FOR..IN loop, xrefs: 003D91C8, 003D92F6, 003D93AE
,,?, xrefs: 003D91E5

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: ,,?$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-1974717164
Opcode ID: f88e17369e59c780aa5890393a9120ab23b7ba0d88ab9d2ffeeb447840429d04
Instruction ID: 9a7209d5ab0b6927d4aeac4aa2599f82439873f2efc1e81d544ffe3786caaafd
Opcode Fuzzy Hash: f88e17369e59c780aa5890393a9120ab23b7ba0d88ab9d2ffeeb447840429d04
Instruction Fuzzy Hash: 2791AE72A00209ABDF26DFA5DC48FAEBBB8EF45710F10855BF515AB280D7709945CFA0

Function 003BA068 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,003BA439), ref: 003BA377

Strings

TEXT, xrefs: 003BA2AE
REGEXPCLASS, xrefs: 003BA13C
CLASSNN, xrefs: 003BA119
INSTANCE, xrefs: 003BA285
CLASS, xrefs: 003BA0F6
NAME, xrefs: 003BA1A9

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 2e439f68fa390b3ddc7802046cc6b2865042b1020919e4e4deee9d3d1206e92a
Instruction ID: b2f44d562d12013f37647763c16515b41dc8d511752d04a60322e2c0f03abed0
Opcode Fuzzy Hash: 2e439f68fa390b3ddc7802046cc6b2865042b1020919e4e4deee9d3d1206e92a
Instruction Fuzzy Hash: 7F91D830A00E05ABDB4AEFA4C482BEDFBB4FF04308F54C519D959AB641DF316999CB91

Function 00362E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00362EAE

Part of subcall function 00361DB3: GetClientRect.USER32(?,?), ref: 00361DDC
Part of subcall function 00361DB3: GetWindowRect.USER32(?,?), ref: 00361E1D
Part of subcall function 00361DB3: ScreenToClient.USER32(?,?), ref: 00361E45

GetDC.USER32 ref: 0039CD32
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0039CD45
SelectObject.GDI32(00000000,00000000), ref: 0039CD53
SelectObject.GDI32(00000000,00000000), ref: 0039CD68
ReleaseDC.USER32(?,00000000), ref: 0039CD70
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0039CDFB

Strings

U, xrefs: 0039CCD0

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 4b9fe9aefeeadda315f910b0cc4fa64cf9d7c52278f56eca25b74c8f625a1221
Instruction ID: 5d835b087b54c05bd90f21f32c112e53b38f840d26886d731459ff26c5b70301
Opcode Fuzzy Hash: 4b9fe9aefeeadda315f910b0cc4fa64cf9d7c52278f56eca25b74c8f625a1221
Instruction Fuzzy Hash: 0B71D031900605DFCF239F64C884AAA7BB9FF49320F15927AED595A2AAC7318C41DF60

Function 003D1A15 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 003D1A50
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 003D1A7C
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 003D1ABE
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 003D1AD3
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 003D1AE0
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 003D1B10
InternetCloseHandle.WININET(00000000), ref: 003D1B57

Part of subcall function 003D2483: GetLastError.KERNEL32(?,?,003D1817,00000000,00000000,00000001), ref: 003D2498
Part of subcall function 003D2483: SetEvent.KERNEL32(?,?,003D1817,00000000,00000000,00000001), ref: 003D24AD

Strings

, xrefs: 003D1B01

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: 53c4a9b028f1bea7d5d25f9b2963faa6dbd0fec0cca92561975e85fe77d888c3
Instruction ID: 3c6c7a278c04b11905eefa6eea3639b0b315e8e75dd66b54c78fbd307499695b
Opcode Fuzzy Hash: 53c4a9b028f1bea7d5d25f9b2963faa6dbd0fec0cca92561975e85fe77d888c3
Instruction Fuzzy Hash: E5413DB2501219BFEB129F60DC85FBB7BACEB08354F004127FD059A281E7B49E449BA0

Function 003D8C46 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,003EF910), ref: 003D8D28
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,003EF910), ref: 003D8D5C
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 003D8ED6
SysFreeString.OLEAUT32(?), ref: 003D8F00

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 279c036fcccabd4663b2e4de3e35100f01436d9c3187a6f7e29342abfb6dcaf6
Instruction ID: e261311493107671eeb3c727b162029f0bb1fb4a8966abbc905c7bbbbdfe2f88
Opcode Fuzzy Hash: 279c036fcccabd4663b2e4de3e35100f01436d9c3187a6f7e29342abfb6dcaf6
Instruction Fuzzy Hash: B7F16872A00209EFCF16DF94D884EAEB7B9FF48314F11819AF905AB251DB31AE45CB50

Function 003DF694 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003DF6B5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 003DF848
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 003DF86C
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 003DF8AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 003DF8CE
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 003DFA4A
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 003DFA7C
CloseHandle.KERNEL32(?), ref: 003DFAAB
CloseHandle.KERNEL32(?), ref: 003DFB22

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: a767ee8617c44b14203bd53fd3d5ff24cd6b9cc67e86b59c4b9cdacf15d62e26
Instruction ID: b3ddf490465bbf4c46deee1d52a7c8888b75ce806d351f920417eee7b0c6efc5
Opcode Fuzzy Hash: a767ee8617c44b14203bd53fd3d5ff24cd6b9cc67e86b59c4b9cdacf15d62e26
Instruction Fuzzy Hash: 0CE1A1326043409FC716EF24D891B6ABBE5AF85354F14856EF89A9F3A2CB30DC45CB52

Function 003C4CC1 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 003C466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,003C3697,?), ref: 003C468B

Part of subcall function 003C466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,003C3697,?), ref: 003C46A4

Part of subcall function 003C4A31: GetFileAttributesW.KERNEL32(?,003C370B), ref: 003C4A32

lstrcmpiW.KERNEL32(?,?), ref: 003C4D40
_wcscmp.LIBCMT ref: 003C4D5A
MoveFileW.KERNEL32(?,?), ref: 003C4D75

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 4860282c96c2e9cc82b6189064afad8deec07f5f6bb4e0c4251b8560939ff783
Instruction ID: c518a42cdcab5a9d56a96c0dac2c18090ab6b936ae15b6982e32f8d4e2760f91
Opcode Fuzzy Hash: 4860282c96c2e9cc82b6189064afad8deec07f5f6bb4e0c4251b8560939ff783
Instruction Fuzzy Hash: 905165B20083859BC726EB60D895EDFB3ECAF85350F40492EF585D7152EF70A688C756

Function 003E8645 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 003E86FF

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 3d5b3973efbb315cc1e2829bbfba29125807551af4db03e176f4e148184664b6
Instruction ID: 0524806be2f364ec5b5395a8147dd65dd199e8f0b018ec60b1b487f5f893ae3e
Opcode Fuzzy Hash: 3d5b3973efbb315cc1e2829bbfba29125807551af4db03e176f4e148184664b6
Instruction Fuzzy Hash: 0D51B530A002E4BFDF229F26CC85FAD7B68AB05310F614715FA59EA1E0CF71A980DB40

Function 00362B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0039C2F7
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0039C319
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0039C331
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0039C34F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0039C370
DestroyIcon.USER32(00000000), ref: 0039C37F
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0039C39C
DestroyIcon.USER32(?), ref: 0039C3AB

Part of subcall function 003EA4AF: DeleteObject.GDI32(00000000), ref: 003EA4E8

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 6f626ad5321cce1e3dc8feec1b4b446415ca4b996d52a736e80e362d696e13c6
Instruction ID: 3bba8f2ecf74d22c9e3f017e1edc3b86fea46967909e6d64f232d77293b5ec6e
Opcode Fuzzy Hash: 6f626ad5321cce1e3dc8feec1b4b446415ca4b996d52a736e80e362d696e13c6
Instruction Fuzzy Hash: 14517C74610605AFDF22DF64CC85FAB3BB9EB08310F118628F9429B2D0D7B0AD90DB50

Function 003B966E Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 003BA82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 003BA84C
Part of subcall function 003BA82C: GetCurrentThreadId.KERNEL32 ref: 003BA853
Part of subcall function 003BA82C: AttachThreadInput.USER32(00000000,?,003B9683,?,00000001), ref: 003BA85A

MapVirtualKeyW.USER32(00000025,00000000), ref: 003B968E
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 003B96AB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 003B96AE
MapVirtualKeyW.USER32(00000025,00000000), ref: 003B96B7
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 003B96D5
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 003B96D8
MapVirtualKeyW.USER32(00000025,00000000), ref: 003B96E1
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 003B96F8
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 003B96FB

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: d385d4f59669eb905b94bdc3aba50691ce363c402c33170c0663b6c2ff2541e5
Instruction ID: 5d61e4cf4015083de972b247b9499f2ac73a87fb6daf043890d7de454b75d611
Opcode Fuzzy Hash: d385d4f59669eb905b94bdc3aba50691ce363c402c33170c0663b6c2ff2541e5
Instruction Fuzzy Hash: AD11CEB1910618BFF6226B60DC89FAA7F2DEB4C764F100525F344AF1E0C9F25C109AA4

Function 003B8921 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,003B853C,00000B00,?,?), ref: 003B892A
HeapAlloc.KERNEL32(00000000,?,003B853C,00000B00,?,?), ref: 003B8931
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,003B853C,00000B00,?,?), ref: 003B8946
GetCurrentProcess.KERNEL32(?,00000000,?,003B853C,00000B00,?,?), ref: 003B894E
DuplicateHandle.KERNEL32(00000000,?,003B853C,00000B00,?,?), ref: 003B8951
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,003B853C,00000B00,?,?), ref: 003B8961
GetCurrentProcess.KERNEL32(003B853C,00000000,?,003B853C,00000B00,?,?), ref: 003B8969
DuplicateHandle.KERNEL32(00000000,?,003B853C,00000B00,?,?), ref: 003B896C
CreateThread.KERNEL32(00000000,00000000,003B8992,00000000,00000000,00000000), ref: 003B8986

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 38b089c8c07d76e951b365c3b8c2d5931f3397ad917bd0b97bea4289f83c2a76
Instruction ID: cfb14c482e2fceb6f6a2920f2038ac54513626d741ee901c6d8e3c831c874592
Opcode Fuzzy Hash: 38b089c8c07d76e951b365c3b8c2d5931f3397ad917bd0b97bea4289f83c2a76
Instruction Fuzzy Hash: F401AC75240348FFE621ABA5DC89F673B6CEB89711F418521FA05DF1D1CAB09800CA20

Function 003D9B23 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 003D9B7B
NULL Pointer assignment, xrefs: 003D9BA4, 003D9EC8

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 277c7e15a8cb27a106eb6d0c8148279afd4e8791e6dacce3906ba5c0903ae9e9
Instruction ID: 0855be69574a56336767982d699426c0ff42bf74c5f77b6e3b17c248ef952b76
Opcode Fuzzy Hash: 277c7e15a8cb27a106eb6d0c8148279afd4e8791e6dacce3906ba5c0903ae9e9
Instruction Fuzzy Hash: F4C19372A002199FDF11DF98E884BAEB7F9FB48314F15856BE905AB380E7709D45CB90

Function 003D975D Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 003B710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,003B7044,80070057,?,?,?,003B7455), ref: 003B7127
Part of subcall function 003B710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,003B7044,80070057,?,?), ref: 003B7142
Part of subcall function 003B710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,003B7044,80070057,?,?), ref: 003B7150
Part of subcall function 003B710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,003B7044,80070057,?), ref: 003B7160

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 003D9806
_memset.LIBCMT ref: 003D9813
_memset.LIBCMT ref: 003D9956
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 003D9982
CoTaskMemFree.OLE32(?), ref: 003D998D

Strings

NULL Pointer assignment, xrefs: 003D99DB

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: eabd3fc43c0912d0ccba791f3388cdb19cbe9a935ead57d782e95e3c29d713ca
Instruction ID: 0d10bd74bb95c825e84af7af6f581df7de1f77f251985e7d3ae3a9a38b988c40
Opcode Fuzzy Hash: eabd3fc43c0912d0ccba791f3388cdb19cbe9a935ead57d782e95e3c29d713ca
Instruction Fuzzy Hash: 64913B72D00229EBDB12DFA5DC45EDEBBB9EF08310F10815AF519AB291DB715A44CFA0

Function 003E6D80 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 003E6E24
SendMessageW.USER32(?,00001036,00000000,?), ref: 003E6E38
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 003E6E52
_wcscat.LIBCMT ref: 003E6EAD
SendMessageW.USER32(?,00001057,00000000,?), ref: 003E6EC4
SendMessageW.USER32(?,00001061,?,0000000F), ref: 003E6EF2

Strings

SysListView32, xrefs: 003E6DF6

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 513bffd6ea81d389509d0cbdbfefa79cb07e558b69e1092bb897b7f639ee89b5
Instruction ID: cc72d41dd03978ca9261e90a77b88afcbed7ff1a9e3d4a25ed0f7abd1a59bfd1
Opcode Fuzzy Hash: 513bffd6ea81d389509d0cbdbfefa79cb07e558b69e1092bb897b7f639ee89b5
Instruction Fuzzy Hash: FE41A370A00398EFDB229F64CC86BEE77A8EF58390F11462AF584EB1D1D6719D848B50

Function 003DE933 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 003C3C55: CreateToolhelp32Snapshot.KERNEL32 ref: 003C3C7A
Part of subcall function 003C3C55: Process32FirstW.KERNEL32(00000000,?), ref: 003C3C88
Part of subcall function 003C3C55: CloseHandle.KERNEL32(00000000), ref: 003C3D52

OpenProcess.KERNEL32(00000001,00000000,?), ref: 003DE9A4
GetLastError.KERNEL32 ref: 003DE9B7
OpenProcess.KERNEL32(00000001,00000000,?), ref: 003DE9E6
TerminateProcess.KERNEL32(00000000,00000000), ref: 003DEA63
GetLastError.KERNEL32(00000000), ref: 003DEA6E
CloseHandle.KERNEL32(00000000), ref: 003DEAA3

Strings

SeDebugPrivilege, xrefs: 003DE9C2

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: b2cdf2f3853cc9661da2b588cbb2dfce228e50019d7d4bda3e3d40891dc8eda3
Instruction ID: edd8972a6712500338d330b3111d2276c7d9c7db700a5cd1400d5a356d7814c0
Opcode Fuzzy Hash: b2cdf2f3853cc9661da2b588cbb2dfce228e50019d7d4bda3e3d40891dc8eda3
Instruction Fuzzy Hash: C9419A712002019FDB26EF14DCA6F6EBBA9AF45314F14841AF9069F3D2CBB4AD04CB91

Function 003C2F94 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 003C3033

Strings

warning, xrefs: 003C301C
question, xrefs: 003C2FEC
stop, xrefs: 003C3004
blank, xrefs: 003C2FB5
info, xrefs: 003C2FD4

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: aa5714c8f740ec28707291eeefdceb3e7b004056aba4ff96bc762d2a41dfef14
Instruction ID: 7c5eb4ad7aaf2adc91d104f8d18e986a626e176537e8326807bd429d95cc6c6b
Opcode Fuzzy Hash: aa5714c8f740ec28707291eeefdceb3e7b004056aba4ff96bc762d2a41dfef14
Instruction Fuzzy Hash: C6115E32348356BED7176A14DC82FAB779CEF15360B20406EF901EA1C1DBB46F4047A9

Function 003C42F8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 003C4312
LoadStringW.USER32(00000000), ref: 003C4319
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 003C432F
LoadStringW.USER32(00000000), ref: 003C4336
_wprintf.LIBCMT ref: 003C435C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 003C437A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 003C4357

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 1007d4d48f3720007a41e954458e8c75ab12fabac36463c89126258c695c3138
Instruction ID: 24e5db4edace00c3725a56904dff37f19fa25064d66af580412674abf0da658c
Opcode Fuzzy Hash: 1007d4d48f3720007a41e954458e8c75ab12fabac36463c89126258c695c3138
Instruction Fuzzy Hash: DD0167F690024CBFD762A790DD89FE6777CD708700F0005A5BB45E6051EA745E854B74

Function 003ED43E Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00362612: GetWindowLongW.USER32(?,000000EB), ref: 00362623

GetSystemMetrics.USER32(0000000F), ref: 003ED47C
GetSystemMetrics.USER32(0000000F), ref: 003ED49C
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 003ED6D7
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 003ED6F5
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 003ED716
ShowWindow.USER32(00000003,00000000), ref: 003ED735
InvalidateRect.USER32(?,00000000,00000001), ref: 003ED75A
DefDlgProcW.USER32(?,00000005,?,?), ref: 003ED77D

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 851089de008dee099de00ece473294a8ccd360c2129ea44a8efbe83146911f72
Instruction ID: 2a413346d35eeca90889360edac915c5b765af03a68fb6909673bd991e1d4dbc
Opcode Fuzzy Hash: 851089de008dee099de00ece473294a8ccd360c2129ea44a8efbe83146911f72
Instruction Fuzzy Hash: 99B19935600269EFDF26CF6AC9C57AD7BB1BF04701F098269EC489E2D5D770A950CB90

Function 00362A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0039C1C7,00000004,00000000,00000000,00000000), ref: 00362ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0039C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00362B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0039C1C7,00000004,00000000,00000000,00000000), ref: 0039C21A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0039C1C7,00000004,00000000,00000000,00000000), ref: 0039C286

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: b186b17c1d9d8be8e1e03d2218935eecbeaf5ad2261495b216d24398a839db45
Instruction ID: 439a4c3cca785eeda220a9d33cb1249339b6ba0ea8c803c755adf084a0679d89
Opcode Fuzzy Hash: b186b17c1d9d8be8e1e03d2218935eecbeaf5ad2261495b216d24398a839db45
Instruction Fuzzy Hash: 9E41E931A18FC09ACB379B68DC88B7B7B99AB45310F57C91DE0874B9A5CAB19841E710

Function 003C70C6 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 003C70DD

Part of subcall function 00380DB6: std::exception::exception.LIBCMT ref: 00380DEC
Part of subcall function 00380DB6: __CxxThrowException@8.LIBCMT ref: 00380E01

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 003C7114
EnterCriticalSection.KERNEL32(?), ref: 003C7130
_memmove.LIBCMT ref: 003C717E
_memmove.LIBCMT ref: 003C719B
LeaveCriticalSection.KERNEL32(?), ref: 003C71AA
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 003C71BF
InterlockedExchange.KERNEL32(?,000001F6), ref: 003C71DE

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 5d80a0c1434f1c9464bc4b0833d16a43faff74ce0be5cca06ba3cb8328805cb9
Instruction ID: 48368c320dd152838d2b3c3fdfb8e0eaa79ea8c6882c4d19071ebc4b0e694807
Opcode Fuzzy Hash: 5d80a0c1434f1c9464bc4b0833d16a43faff74ce0be5cca06ba3cb8328805cb9
Instruction Fuzzy Hash: D8316D35900205EFCB51EFA4DC85AABB778EF45310F1581A9E9049F296DB70AE14CB60

Function 003E61D3 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 003E61EB
GetDC.USER32(00000000), ref: 003E61F3
GetDeviceCaps.GDI32(00000000,0000005A), ref: 003E61FE
ReleaseDC.USER32(00000000,00000000), ref: 003E620A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 003E6246
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 003E6257
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,003E902A,?,?,000000FF,00000000,?,000000FF,?), ref: 003E6291
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 003E62B1

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 8be9614a55d6f17864d0ba245b0022ee90b5aab37154f7b31ae575e6973bb1fb
Instruction ID: a330080a731f490062b9f72b6b40304226fa6b7a733746694c9aa5700dca0eb4
Opcode Fuzzy Hash: 8be9614a55d6f17864d0ba245b0022ee90b5aab37154f7b31ae575e6973bb1fb
Instruction Fuzzy Hash: 0D317C72100260AFEB228F518C8AFEA3BADEF59761F054165FE089E2D1C6B59C41CB60

Function 003BBBAF Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 003BBBC4
_memcmp.LIBCMT ref: 003BBBE6
_memcmp.LIBCMT ref: 003BBBFE
_memcmp.LIBCMT ref: 003BBC11
_memcmp.LIBCMT ref: 003BBC2B
_memcmp.LIBCMT ref: 003BBC3E
_memcmp.LIBCMT ref: 003BBC56
_memcmp.LIBCMT ref: 003BBC71

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: f69ae3acb0a5b27b103ebd8699b427170c7fe35ee8307913a679e5f27cfc8eba
Instruction ID: a071b21bf9563a8b2a43030591ffdebb50e6de9bc22695d8f5ded941bcbde9f1
Opcode Fuzzy Hash: f69ae3acb0a5b27b103ebd8699b427170c7fe35ee8307913a679e5f27cfc8eba
Instruction Fuzzy Hash: D3214162601609BBE607B7129D42FFBB76D9E1038CB054060FF059AE47EFD4DE1182A1

Function 003CEB23 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00369837: __itow.LIBCMT ref: 00369862
Part of subcall function 00369837: __swprintf.LIBCMT ref: 003698AC

Part of subcall function 0037FC86: _wcscpy.LIBCMT ref: 0037FCA9

_wcstok.LIBCMT ref: 003CEC94
_wcscpy.LIBCMT ref: 003CED23
_memset.LIBCMT ref: 003CED56

Strings

X, xrefs: 003CED93

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 0f8e4f2a1191b2f4c1178207ce1429717cd2fb1508ec851d45392bc6cdb5ad0f
Instruction ID: 6eefa25d1fdd9a268710ceb0a7e89d8e716c0afde9c479b288380d4832490732
Opcode Fuzzy Hash: 0f8e4f2a1191b2f4c1178207ce1429717cd2fb1508ec851d45392bc6cdb5ad0f
Instruction Fuzzy Hash: ECC16E715083419FC766EF64C885F5AB7E4AF85314F01892DF899DB2A2DB70EC45CB82

Function 00361424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d94f15b393ff3d816b6dc148c999a323d7ddcb24c7fa3d1af4c225a349371697
Instruction ID: 706b90bc3dfb7cb46fc722ce3c0b18fbda64366b3e52eb45b3c86ac55dcbdbf8
Opcode Fuzzy Hash: d94f15b393ff3d816b6dc148c999a323d7ddcb24c7fa3d1af4c225a349371697
Instruction Fuzzy Hash: 44717D30900109EFCB16CF99CC89ABEBB79FF85310F19C259F915AB255C770AA51CB60

Function 003D6B76 Relevance: 10.7, APIs: 7, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f85ff3269de826df85b68759c516a9eead9c7da02592fa42f36e8765ec5c26a8
Instruction ID: 3ef9dced4a071e24a9b3e7b15c16fdf8451d2377b2e185da2e1ae8c541d0f999
Opcode Fuzzy Hash: f85ff3269de826df85b68759c516a9eead9c7da02592fa42f36e8765ec5c26a8
Instruction Fuzzy Hash: E361A172208300ABC712EB64EC82F6FB7E9AF94714F508A1EF5559B292DB70ED04CB51

Function 003EB351 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(010C5D38), ref: 003EB3EB
IsWindowEnabled.USER32(010C5D38), ref: 003EB3F7
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 003EB4DB
SendMessageW.USER32(010C5D38,000000B0,?,?), ref: 003EB512
IsDlgButtonChecked.USER32(?,?), ref: 003EB54F
GetWindowLongW.USER32(010C5D38,000000EC), ref: 003EB571
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 003EB589

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: b5842d38cc0b429648642247fb33e928f9fa8a947b1308bc2880c93514c9009b
Instruction ID: bf6cffbe150812b1b1a0c0d27be1e129cff9be9121a846c6c4e329ea8120c855
Opcode Fuzzy Hash: b5842d38cc0b429648642247fb33e928f9fa8a947b1308bc2880c93514c9009b
Instruction Fuzzy Hash: 9F718B346042A4AFDB239F56C8D1FBBBBA9EF09300F154269E945972E2C771A940CF50

Function 003DF41E Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003DF448
_memset.LIBCMT ref: 003DF511
ShellExecuteExW.SHELL32(?), ref: 003DF556

Part of subcall function 00369837: __itow.LIBCMT ref: 00369862
Part of subcall function 00369837: __swprintf.LIBCMT ref: 003698AC

Part of subcall function 0037FC86: _wcscpy.LIBCMT ref: 0037FCA9

GetProcessId.KERNEL32(00000000), ref: 003DF5CD
CloseHandle.KERNEL32(00000000), ref: 003DF5FC

Strings

@, xrefs: 003DF525

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: bafd76aa0d0ebd2e895e7b7d0bfa2565f32d1844268f55904f8de45047c88d2d
Instruction ID: bcdc562b8757cc9a55dcf18d39128c73721026ea235b7ff3edbe93303d6358ff
Opcode Fuzzy Hash: bafd76aa0d0ebd2e895e7b7d0bfa2565f32d1844268f55904f8de45047c88d2d
Instruction Fuzzy Hash: DC619075A00619DFCF16EFA4D4819AEBBF5FF49314F14806AE85AAB351CB30AD41CB90

Function 003C0F4D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 003C0F8C
GetKeyboardState.USER32(?), ref: 003C0FA1
SetKeyboardState.USER32(?), ref: 003C1002
PostMessageW.USER32(?,00000101,00000010,?), ref: 003C1030
PostMessageW.USER32(?,00000101,00000011,?), ref: 003C104F
PostMessageW.USER32(?,00000101,00000012,?), ref: 003C1095
PostMessageW.USER32(?,00000101,0000005B,?), ref: 003C10B8

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 187a6f7e707e9b19b4a42bec78dabf2ee2638f6df6c2e42e849974d2e736f087
Instruction ID: c8625fc1d9ed665f6f0e49ad284bb040297aea92aaffaf250131cadc1a9e4352
Opcode Fuzzy Hash: 187a6f7e707e9b19b4a42bec78dabf2ee2638f6df6c2e42e849974d2e736f087
Instruction Fuzzy Hash: 7651CFA05046D57DFB3742348C55FBABEA96B07304F09858DE1D4CA8D3C2D9ACD8E751

Function 003C0D66 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 003C0DA5
GetKeyboardState.USER32(?), ref: 003C0DBA
SetKeyboardState.USER32(?), ref: 003C0E1B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 003C0E47
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 003C0E64
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 003C0EA8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 003C0EC9

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 153ff2766004976dec29a969f68c4d34128b2767c58521d885998223fc31581c
Instruction ID: 2f009db5b477ad21b6e93d35450907194b5f3e92229310a909daf833d3e7a168
Opcode Fuzzy Hash: 153ff2766004976dec29a969f68c4d34128b2767c58521d885998223fc31581c
Instruction Fuzzy Hash: 2A5105A0544BD5BDFB3B83748C55F7ABEA95B06300F08898DE1D5DA8C3C395AC88E760

Function 003C55FD Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 003C560A
_wcsncpy.LIBCMT ref: 003C563F
_wcsncpy.LIBCMT ref: 003C5671
_wcsncpy.LIBCMT ref: 003C56A4
_wcsncpy.LIBCMT ref: 003C56E6
_wcsncpy.LIBCMT ref: 003C5720
_wcsncpy.LIBCMT ref: 003C574F

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 181e2463982d6bfe5539de2334fe06f256dce4e15838f9a9234b8a53ff9cf96e
Instruction ID: add3ac2ef1f3c15f229b22168e4957a07f960fa1781d0cc4e557a637d3856c08
Opcode Fuzzy Hash: 181e2463982d6bfe5539de2334fe06f256dce4e15838f9a9234b8a53ff9cf96e
Instruction Fuzzy Hash: 91417375C1171876CB13FBF48C86ACFB3B89F05310F508996E918E7221EB34A695C7A6

Function 003BD56C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 003BD5D4
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 003BD60A
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 003BD61B
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 003BD69D

Strings

,,?, xrefs: 003BD578
DllGetClassObject, xrefs: 003BD610

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: ,,?$DllGetClassObject
API String ID: 753597075-2169313111
Opcode ID: a0aec1666e6d1213ebbcbe5ca786efcda7d304b8e2bc700e2ad1b45d814eb6c8
Instruction ID: f59c35df17f43520a46ec7f7df7f63a045b3479666a66c51b8174c56bf1f1195
Opcode Fuzzy Hash: a0aec1666e6d1213ebbcbe5ca786efcda7d304b8e2bc700e2ad1b45d814eb6c8
Instruction Fuzzy Hash: 9C4192B5600204EFDB16CF54C884BDABBB9EF44318F1581A9EE099F645E7B1DD40CBA0

Function 003C3671 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 003C466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,003C3697,?), ref: 003C468B

Part of subcall function 003C466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,003C3697,?), ref: 003C46A4

lstrcmpiW.KERNEL32(?,?), ref: 003C36B7
_wcscmp.LIBCMT ref: 003C36D3
MoveFileW.KERNEL32(?,?), ref: 003C36EB
_wcscat.LIBCMT ref: 003C3733
SHFileOperationW.SHELL32(?), ref: 003C379F

Strings

\*.*, xrefs: 003C372D

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: c6af9a79f1d2a76d5f57a99b496816427fcfd4e1a4bf919b1f68da7e43602877
Instruction ID: d02c9fef834dc5e23815ae17e19230bae08037f65c784b700c66a5e9dc7b7fad
Opcode Fuzzy Hash: c6af9a79f1d2a76d5f57a99b496816427fcfd4e1a4bf919b1f68da7e43602877
Instruction Fuzzy Hash: 4A417FB1508344AEC753EF64C891EDF77ECAF89340F00496EB499C7251EA34DA89C756

Function 003E7291 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003E72AA
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 003E7351
IsMenu.USER32(?), ref: 003E7369
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 003E73B1
DrawMenuBar.USER32 ref: 003E73C4

Strings

0, xrefs: 003E729E

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 1708645f9d319fc0058ac6a8720c130c4c13acb6a88027e6b17d6b661215ea4e
Instruction ID: d134dbc700807f5d3bdf510242196e75022bb8251088be1683fdc1e40487003b
Opcode Fuzzy Hash: 1708645f9d319fc0058ac6a8720c130c4c13acb6a88027e6b17d6b661215ea4e
Instruction Fuzzy Hash: 6F415C75600259EFDB21DF51D884A9ABBF8FB05310F15862AFD059B290C770AD10DFA0

Function 003E0FA5 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 003E0FD4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 003E0FFE
FreeLibrary.KERNEL32(00000000), ref: 003E10B5

Part of subcall function 003E0FA5: RegCloseKey.ADVAPI32(?), ref: 003E101B
Part of subcall function 003E0FA5: FreeLibrary.KERNEL32(?), ref: 003E106D
Part of subcall function 003E0FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 003E1090

RegDeleteKeyW.ADVAPI32(?,?), ref: 003E1058

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: f1ddcd235facbfd77223200115a043afe8df0570439768c30cc32524889a860d
Instruction ID: 995aba2f21bc17eed292690256eafb0f9246057cb9ce048bb385cf836106850d
Opcode Fuzzy Hash: f1ddcd235facbfd77223200115a043afe8df0570439768c30cc32524889a860d
Instruction Fuzzy Hash: 7E310F71901159BFDB26DF91DC89EFFB7BCEF08310F000269E511A6191D6745E899AA0

Function 003E62CD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 003E62EC
GetWindowLongW.USER32(010C5D38,000000F0), ref: 003E631F
GetWindowLongW.USER32(010C5D38,000000F0), ref: 003E6354
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 003E6386
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 003E63B0
GetWindowLongW.USER32(00000000,000000F0), ref: 003E63C1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 003E63DB

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 4bfc60c14d37d84ee49da08a838fbbc885e7fbeb662669eff4cf7422026698ff
Instruction ID: 0c9217ecdbe77db21f7627641f2e82dbea3c6ba734e2836b74a5558f54a73120
Opcode Fuzzy Hash: 4bfc60c14d37d84ee49da08a838fbbc885e7fbeb662669eff4cf7422026698ff
Instruction Fuzzy Hash: A93116346402A09FDB22DF1ADC85F5837E5FB5A754F190264F510DF2F2CBB1A8408B51

Function 003BDAEB Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 003BDB2E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 003BDB54
SysAllocString.OLEAUT32(00000000), ref: 003BDB57
SysAllocString.OLEAUT32(?), ref: 003BDB75
SysFreeString.OLEAUT32(?), ref: 003BDB7E
StringFromGUID2.OLE32(?,?,00000028), ref: 003BDBA3
SysAllocString.OLEAUT32(?), ref: 003BDBB1

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: ea6dccf15fbb7f2e98ae07a89b41401b8ec4d15cf89761bc826cfe78e53c85b6
Instruction ID: 6b9cb70e32e6d7c40ad34ce380f735ce4a0410559008c3cff9657f3f90cbd9d3
Opcode Fuzzy Hash: ea6dccf15fbb7f2e98ae07a89b41401b8ec4d15cf89761bc826cfe78e53c85b6
Instruction Fuzzy Hash: 08219236600219AFDF11EFA9DC88CFB73ACEB09364B018565FA14DB6A0E6709D458B60

Function 003D6173 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 003D7D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 003D7DB6

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 003D61C6
WSAGetLastError.WSOCK32(00000000), ref: 003D61D5
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 003D620E
connect.WSOCK32(00000000,?,00000010), ref: 003D6217
WSAGetLastError.WSOCK32 ref: 003D6221
closesocket.WSOCK32(00000000), ref: 003D624A
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 003D6263

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 291a803e8fefe33624876894dd8f06615f91688f1726d48f3fc336ee1edcce62
Instruction ID: 0874b6e8859931b423ed68a422c59770b2f15c469cdbe1156fd8f5a51fe15692
Opcode Fuzzy Hash: 291a803e8fefe33624876894dd8f06615f91688f1726d48f3fc336ee1edcce62
Instruction Fuzzy Hash: C531D572600104AFEF11AF24DC86BBD77ADEF45750F04842AFD159B291DB70AC048BA1

Function 003BF65E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 003BF671
__wcsnicmp.LIBCMT ref: 003BF692
__wcsnicmp.LIBCMT ref: 003BF6AC

Strings

#OnAutoItStartRegister, xrefs: 003BF6A6
#notrayicon, xrefs: 003BF669
#requireadmin, xrefs: 003BF68C

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: fe67fe636a66fbf1b4a44baaefcc8d2f6cfa4dd8ef5d02a0febd9dc94a8d04a9
Instruction ID: 5f114c2510c0ced898e4a8f4365868f10f98ed100b7d9e29dc4393698db56a20
Opcode Fuzzy Hash: fe67fe636a66fbf1b4a44baaefcc8d2f6cfa4dd8ef5d02a0febd9dc94a8d04a9
Instruction Fuzzy Hash: F9212572205611AFD223B634AC03FF77398EF55788B11507AFA458A951EB909E42C395

Function 003BDBC4 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 003BDC09
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 003BDC2F
SysAllocString.OLEAUT32(00000000), ref: 003BDC32
SysAllocString.OLEAUT32 ref: 003BDC53
SysFreeString.OLEAUT32 ref: 003BDC5C
StringFromGUID2.OLE32(?,?,00000028), ref: 003BDC76
SysAllocString.OLEAUT32(?), ref: 003BDC84

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 7a7cd5fabc1b27ab53686c2f1fa4e151c783a7239e884ebac7c5d0c81b078174
Instruction ID: aca72efe8967c5b629f467a6315d59e8c68a0450ad798c92abb19f6a3768d297
Opcode Fuzzy Hash: 7a7cd5fabc1b27ab53686c2f1fa4e151c783a7239e884ebac7c5d0c81b078174
Instruction Fuzzy Hash: AD217435604205AF9B15EFA9DC88DFB77ECEB08364B118125FA14CB6E1E6B0DC41CB64

Function 003E75CD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00361D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00361D73
Part of subcall function 00361D35: GetStockObject.GDI32(00000011), ref: 00361D87
Part of subcall function 00361D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00361D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 003E7632
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 003E763F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 003E764A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 003E7659
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 003E7665

Strings

Msctls_Progress32, xrefs: 003E7603

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 261774995b98c691d46fcd24c0d42778d7ab97fdcb7080a9aaf8511822c944a4
Instruction ID: 1ca63347fcfabba9b06d61ef5b3d98a5499b4664e2356cc2877e29b6133696d9
Opcode Fuzzy Hash: 261774995b98c691d46fcd24c0d42778d7ab97fdcb7080a9aaf8511822c944a4
Instruction Fuzzy Hash: AB11B6B1150129BFEF118F65CC85EE77F5DEF08798F114215F604A6090C7729C21DBA4

Function 00389AE6 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00389AE6

Part of subcall function 00383187: EncodePointer.KERNEL32(00000000), ref: 0038318A
Part of subcall function 00383187: __initp_misc_winsig.LIBCMT ref: 003831A5
Part of subcall function 00383187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00389EA0
Part of subcall function 00383187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00389EB4
Part of subcall function 00383187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00389EC7
Part of subcall function 00383187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00389EDA
Part of subcall function 00383187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00389EED
Part of subcall function 00383187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00389F00
Part of subcall function 00383187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00389F13
Part of subcall function 00383187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00389F26
Part of subcall function 00383187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00389F39
Part of subcall function 00383187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00389F4C
Part of subcall function 00383187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00389F5F
Part of subcall function 00383187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00389F72
Part of subcall function 00383187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00389F85
Part of subcall function 00383187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00389F98
Part of subcall function 00383187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00389FAB
Part of subcall function 00383187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00389FBE

__mtinitlocks.LIBCMT ref: 00389AEB
__mtterm.LIBCMT ref: 00389AF4

Part of subcall function 00389B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00389AF9,00387CD0,0041A0B8,00000014), ref: 00389C56
Part of subcall function 00389B5C: _free.LIBCMT ref: 00389C5D
Part of subcall function 00389B5C: DeleteCriticalSection.KERNEL32(02B,?,?,00389AF9,00387CD0,0041A0B8,00000014), ref: 00389C7F

__calloc_crt.LIBCMT ref: 00389B19
__initptd.LIBCMT ref: 00389B3B
GetCurrentThreadId.KERNEL32 ref: 00389B42

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: 78878b49b7fbbee4099abe6d257dfea8e09c6adfccb2fce2ed563ded34325cad
Instruction ID: 4c995edd790c22a5aab8edfa7e60d6572c0e06003f26e42c97bf292fbed6e2c8
Opcode Fuzzy Hash: 78878b49b7fbbee4099abe6d257dfea8e09c6adfccb2fce2ed563ded34325cad
Instruction Fuzzy Hash: B7F0F0322193115AE63B7775BC037AA2690DF02730F294AEBF820DE0D2FF20880143A4

Function 003EB635 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003EB644
_memset.LIBCMT ref: 003EB653
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00426F20,00426F64), ref: 003EB682
CloseHandle.KERNEL32 ref: 003EB694

Strings

oB, xrefs: 003EB63E
doB, xrefs: 003EB64D

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID: oB$doB
API String ID: 3277943733-2474204165
Opcode ID: 244b7d89f2c904f521b3a5dabafcbc18a98352f5f573d4fa25c99a4ad2907fb4
Instruction ID: 8e90c14475dd40336a24aafa8c9cecf98d4e6b6988429cb10abf83470bbb5710
Opcode Fuzzy Hash: 244b7d89f2c904f521b3a5dabafcbc18a98352f5f573d4fa25c99a4ad2907fb4
Instruction Fuzzy Hash: FBF05EB6640350BEEA222761BD46FBB7A9CEB08395F424031BA08E9196D7754C0187AC

Function 0038406B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00383F85), ref: 00384085
GetProcAddress.KERNEL32(00000000), ref: 0038408C
EncodePointer.KERNEL32(00000000), ref: 00384097
DecodePointer.KERNEL32(00383F85), ref: 003840B2

Strings

RoUninitialize, xrefs: 00384074
combase.dll, xrefs: 00384080

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 5b1f5e770d6cd72e13dcdb83062702aceafbf81200ab837ab072775ae4168e0a
Instruction ID: e44d5e30d74244cf066a6f0790b4978c2b37953b306b7a34a8413ee089e193c6
Opcode Fuzzy Hash: 5b1f5e770d6cd72e13dcdb83062702aceafbf81200ab837ab072775ae4168e0a
Instruction Fuzzy Hash: D0E012B4681304EFEA32AF60EC49B623AB8B704743F504238F611E90E0CFBA4211CB08

Function 003C64B8 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 003C660B
_memmove.LIBCMT ref: 003C6546

Part of subcall function 00369837: __itow.LIBCMT ref: 00369862
Part of subcall function 00369837: __swprintf.LIBCMT ref: 003698AC

_memmove.LIBCMT ref: 003C65B9
_memmove.LIBCMT ref: 003C66A0
_memmove.LIBCMT ref: 003C66B9
_memmove.LIBCMT ref: 003C66D5

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 3fd6988472e4aa1aa35ce34ebe0d23a15edce03bbaf9a95066af34e064a33923
Instruction ID: b0f60ba9f542841947e6e5bd083712e90b64b5818952ae5d395d147d10a55f3c
Opcode Fuzzy Hash: 3fd6988472e4aa1aa35ce34ebe0d23a15edce03bbaf9a95066af34e064a33923
Instruction Fuzzy Hash: DD617A30500A5A9BCF07EF64CC82FFE37A9AF09308F448559F9599B296DB34AD15CB50

Function 003E01E4 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00367DE1: _memmove.LIBCMT ref: 00367E22

Part of subcall function 003E0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,003DFDAD,?,?), ref: 003E0E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003E02BD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 003E02FD
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 003E0320
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 003E0349
RegCloseKey.ADVAPI32(?,?,00000000), ref: 003E038C
RegCloseKey.ADVAPI32(00000000), ref: 003E0399

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 176ab74b3453f3b7603b82d15237227a27fede3ab73a628a7be65489e9245790
Instruction ID: f43f1b7c2a427046508181bb61a77da8260fedc16622e610fc9158961c8ceb92
Opcode Fuzzy Hash: 176ab74b3453f3b7603b82d15237227a27fede3ab73a628a7be65489e9245790
Instruction Fuzzy Hash: 68516A311082409FC716EF64C885E6FBBE8FF84314F448A2DF5858B2A2DB71E945CB52

Function 003E5799 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 003E57FB
GetMenuItemCount.USER32(00000000), ref: 003E5832
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 003E585A
GetMenuItemID.USER32(?,?), ref: 003E58C9
GetSubMenu.USER32(?,?), ref: 003E58D7
PostMessageW.USER32(?,00000111,?,00000000), ref: 003E5928

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 8d18a2d6c8324c956a46f2fcbbeb61c4e84b462f66eb1f709b024fde9c545a18
Instruction ID: 376637d308939df76eff2d45445ad3ec6e736ae1a0584d38fe2fc9918a531308
Opcode Fuzzy Hash: 8d18a2d6c8324c956a46f2fcbbeb61c4e84b462f66eb1f709b024fde9c545a18
Instruction Fuzzy Hash: CB516035E00665EFCF16EF65C885AAEB7B8EF48314F114169E815BB391CB70AE41CB90

Function 003BEEEC Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 003BEF06
VariantClear.OLEAUT32(00000013), ref: 003BEF78
VariantClear.OLEAUT32(00000000), ref: 003BEFD3
_memmove.LIBCMT ref: 003BEFFD
VariantClear.OLEAUT32(?), ref: 003BF04A
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 003BF078

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 329dbd5deb07ed2b958d0100f8b80dac71aa2c71eec8f3ed39e75a9e67e90a4a
Instruction ID: fe1457a67525b357c3e8dd48b46b6a4490dfdc1e769b777f534c4291820ceb33
Opcode Fuzzy Hash: 329dbd5deb07ed2b958d0100f8b80dac71aa2c71eec8f3ed39e75a9e67e90a4a
Instruction Fuzzy Hash: 4C5169B5A00209EFCB15DF58C880AAAB7B8FF4C314F158569EA59DB351E734E911CFA0

Function 003C220A Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003C2258
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 003C22A3
IsMenu.USER32(00000000), ref: 003C22C3
CreatePopupMenu.USER32 ref: 003C22F7
GetMenuItemCount.USER32(000000FF), ref: 003C2355
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 003C2386

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 3da28aaeb3da9240eb76496d22ceddc57c4d0b93888eaf29321615804d4e6611
Instruction ID: 633833ce3c366303f943b26b4b28d27779f17fd286865f0e4855e4f95eb07f53
Opcode Fuzzy Hash: 3da28aaeb3da9240eb76496d22ceddc57c4d0b93888eaf29321615804d4e6611
Instruction Fuzzy Hash: F2518938600289DFDF22DF68C988FAEBBE9AF45314F15422DE851EB290D3B49D04CB51

Function 00361765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00362612: GetWindowLongW.USER32(?,000000EB), ref: 00362623

BeginPaint.USER32(?,?,?,?,?,?), ref: 0036179A
GetWindowRect.USER32(?,?), ref: 003617FE
ScreenToClient.USER32(?,?), ref: 0036181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0036182C
EndPaint.USER32(?,?), ref: 00361876

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 54c5512ea323c71233c823316bfced374e2a8b8f7b5004893842d45bc1ed0f29
Instruction ID: f13bf356fc92b306ac1ec25446765a32ebef41057564b61109611ed93340306e
Opcode Fuzzy Hash: 54c5512ea323c71233c823316bfced374e2a8b8f7b5004893842d45bc1ed0f29
Instruction Fuzzy Hash: 7841B2302047409FDB22DF25DCC4FB67BE8FB4A724F188669F5958B2A1C7B09845DB61

Function 003EB69E Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(004257B0,00000000,010C5D38,?,?,004257B0,?,003EB5A8,?,?), ref: 003EB712
EnableWindow.USER32(00000000,00000000), ref: 003EB736
ShowWindow.USER32(004257B0,00000000,010C5D38,?,?,004257B0,?,003EB5A8,?,?), ref: 003EB796
ShowWindow.USER32(00000000,00000004,?,003EB5A8,?,?), ref: 003EB7A8
EnableWindow.USER32(00000000,00000001), ref: 003EB7CC
SendMessageW.USER32(?,0000130C,?,00000000), ref: 003EB7EF

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: c6e35b6ae0b2d069b458a409a2137fb600dc492a1922b0c8683a6b4a2f74b9ed
Instruction ID: b1698ae8da1bd7ec1eaa94a5c7bbe782f7ca85e48e75a106cbec804c8f3c9690
Opcode Fuzzy Hash: c6e35b6ae0b2d069b458a409a2137fb600dc492a1922b0c8683a6b4a2f74b9ed
Instruction Fuzzy Hash: CE417434600190EFDB23CF25C499B96BBE1FF45350F1942B9E9488FAE2C771A856CB51

Function 003D709E Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,003D4E41,?,?,00000000,00000001), ref: 003D70AC

Part of subcall function 003D39A0: GetWindowRect.USER32(?,?), ref: 003D39B3

GetDesktopWindow.USER32 ref: 003D70D6
GetWindowRect.USER32(00000000), ref: 003D70DD
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 003D710F

Part of subcall function 003C5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 003C52BC

GetCursorPos.USER32(?), ref: 003D713B
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 003D7199

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 0ab3bdb8a480ce39e258adfb2652791f0753abe95ab407b985e2a2f09e124e19
Instruction ID: c8b6390cb8ae7e0cc9519bc97712139bd10db2aaad616d56205ee07021fe3318
Opcode Fuzzy Hash: 0ab3bdb8a480ce39e258adfb2652791f0753abe95ab407b985e2a2f09e124e19
Instruction Fuzzy Hash: A531D272509345AFD721DF14D849F9BB7EAFF88314F000A1AF5859B291DB70EA09CB92

Function 003B8879 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 003B80A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 003B80C0
Part of subcall function 003B80A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 003B80CA
Part of subcall function 003B80A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 003B80D9
Part of subcall function 003B80A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 003B80E0
Part of subcall function 003B80A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 003B80F6

GetLengthSid.ADVAPI32(?,00000000,003B842F), ref: 003B88CA
GetProcessHeap.KERNEL32(00000008,00000000), ref: 003B88D6
HeapAlloc.KERNEL32(00000000), ref: 003B88DD
CopySid.ADVAPI32(00000000,00000000,?), ref: 003B88F6
GetProcessHeap.KERNEL32(00000000,00000000,003B842F), ref: 003B890A
HeapFree.KERNEL32(00000000), ref: 003B8911

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 3c8d918262a95e11e5eca19e3aa7990a29b3885820f55ca451f903e554f24c40
Instruction ID: c15c16592f19b227645741f9740745fe5dc1f7e9608f5a3861fb1e2a355cef91
Opcode Fuzzy Hash: 3c8d918262a95e11e5eca19e3aa7990a29b3885820f55ca451f903e554f24c40
Instruction Fuzzy Hash: 43119D71601209FFDF229BA4DC49BFE7BACEB45319F108128E945DB550CB729E04DB60

Function 003B85B1 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 003B85E2
OpenProcessToken.ADVAPI32(00000000), ref: 003B85E9
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 003B85F8
CloseHandle.KERNEL32(00000004), ref: 003B8603
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 003B8632
DestroyEnvironmentBlock.USERENV(00000000), ref: 003B8646

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 4be3e7264e04a3dbff1430b5f859fbf088bd66d9f916776c8fa7a66cb9c86b55
Instruction ID: 8e2ffa918cedae5555949bee5920ee5d7d5cdcacade38d2f3394287cee096c67
Opcode Fuzzy Hash: 4be3e7264e04a3dbff1430b5f859fbf088bd66d9f916776c8fa7a66cb9c86b55
Instruction Fuzzy Hash: 4B11387250124DAFDF128FA4DD49BEA7BADEB48348F054165BE04A61A0C6719E60DB60

Function 003BB790 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 003BB7B5
GetDeviceCaps.GDI32(00000000,00000058), ref: 003BB7C6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 003BB7CD
ReleaseDC.USER32(00000000,00000000), ref: 003BB7D5
MulDiv.KERNEL32(000009EC,?,00000000), ref: 003BB7EC
MulDiv.KERNEL32(000009EC,?,?), ref: 003BB7FE

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 110cd338cedde17b8aa07cac410d8a830018badfe3c83cae0fc089fff9f78daf
Instruction ID: 5a6c3af0f42d9ba041674d840e9cbb2675bf0f48277c5bcfa2c9db7ee0af54fc
Opcode Fuzzy Hash: 110cd338cedde17b8aa07cac410d8a830018badfe3c83cae0fc089fff9f78daf
Instruction Fuzzy Hash: 9C018875E00249FFEB115BA69C85A5EBFBCEF48311F004175FA04AB291DA719D00CF51

Function 00380162 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00380193
MapVirtualKeyW.USER32(00000010,00000000), ref: 0038019B
MapVirtualKeyW.USER32(000000A0,00000000), ref: 003801A6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 003801B1
MapVirtualKeyW.USER32(00000011,00000000), ref: 003801B9
MapVirtualKeyW.USER32(00000012,00000000), ref: 003801C1

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 7d9aee579bf85c9785d2a99fdb6754be86cc6ae6583e36400bf1829b534da787
Instruction ID: be299c1bf68662e3222b418616f309ab265967ace5dca6e90feca8e1ff6e2c04
Opcode Fuzzy Hash: 7d9aee579bf85c9785d2a99fdb6754be86cc6ae6583e36400bf1829b534da787
Instruction Fuzzy Hash: A7016CB09017597DE3008F5A8C85B52FFA8FF19354F00411BA15C4B941C7F5A864CBE5

Function 003C53E9 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 003C53F9
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 003C540F
GetWindowThreadProcessId.USER32(?,?), ref: 003C541E
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 003C542D
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 003C5437
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 003C543E

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: d8969d4662ba8801b5d5db573662c42ab4dc84dfbbb9df1162af396cf14e9b12
Instruction ID: d8f8a611580c1a6375e0c188c4f2ff88865d0be936c4f5ce4c5d10b6ff2b2c85
Opcode Fuzzy Hash: d8969d4662ba8801b5d5db573662c42ab4dc84dfbbb9df1162af396cf14e9b12
Instruction Fuzzy Hash: 0DF01D32241598BFE7325BA29C4EEAB7B7CEBC6B11F000269FA04D50D197E11A0186B5

Function 003C7230 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 003C7243
EnterCriticalSection.KERNEL32(?,?,00370EE4,?,?), ref: 003C7254
TerminateThread.KERNEL32(00000000,000001F6,?,00370EE4,?,?), ref: 003C7261
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00370EE4,?,?), ref: 003C726E

Part of subcall function 003C6C35: CloseHandle.KERNEL32(00000000,?,003C727B,?,00370EE4,?,?), ref: 003C6C3F

InterlockedExchange.KERNEL32(?,000001F6), ref: 003C7281
LeaveCriticalSection.KERNEL32(?,?,00370EE4,?,?), ref: 003C7288

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 5dcd690cfa5e0869155a159ffaca1f318c18183fec779dc06d93bf1932f7d4b9
Instruction ID: 8bcc5ef57a53276aa1f82857bede745d1b0fd117c980d016d6526de025309ac2
Opcode Fuzzy Hash: 5dcd690cfa5e0869155a159ffaca1f318c18183fec779dc06d93bf1932f7d4b9
Instruction Fuzzy Hash: D3F03A3A540652AFD7231B64ED8CAEA773DEF45702F110A35F602990E0CBB65901CB50

Function 003B8992 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 003B899D
UnloadUserProfile.USERENV(?,?), ref: 003B89A9
CloseHandle.KERNEL32(?), ref: 003B89B2
CloseHandle.KERNEL32(?), ref: 003B89BA
GetProcessHeap.KERNEL32(00000000,?), ref: 003B89C3
HeapFree.KERNEL32(00000000), ref: 003B89CA

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: be6537131d4d31244034727dde5c43d3c6da3037d99b1584062560295b422f8b
Instruction ID: 77d57e52c63b2e6ac818ebc984d61c6fe9b62518031c46ac105a4f7155e0cf64
Opcode Fuzzy Hash: be6537131d4d31244034727dde5c43d3c6da3037d99b1584062560295b422f8b
Instruction Fuzzy Hash: AEE0C236004049FFDA121FE1EC4C91ABB6DFB89362B108330F219890F0CBB29460DB50

Function 003B7530 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,003F2C7C,?), ref: 003B76EA
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,003F2C7C,?), ref: 003B7702
CLSIDFromProgID.OLE32(?,?,00000000,003EFB80,000000FF,?,00000000,00000800,00000000,?,003F2C7C,?), ref: 003B7727
_memcmp.LIBCMT ref: 003B7748

Strings

,,?, xrefs: 003B753D

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID: ,,?
API String ID: 314563124-1094787077
Opcode ID: 816948abb45dba9eddecce29c219eec0bb158a7c4f141c87f68976bba7242d54
Instruction ID: b19f66157f973490f2283245980b17e2bc29bffdf320a842a5670a39c37cccbc
Opcode Fuzzy Hash: 816948abb45dba9eddecce29c219eec0bb158a7c4f141c87f68976bba7242d54
Instruction Fuzzy Hash: F6810D75A00109EFCB05DFA4C984EEEB7B9FF89315F214558F606AB250DB71AE06CB60

Function 003D85ED Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 003D8613
CharUpperBuffW.USER32(?,?), ref: 003D8722
VariantClear.OLEAUT32(?), ref: 003D889A

Part of subcall function 003C7562: VariantInit.OLEAUT32(00000000), ref: 003C75A2
Part of subcall function 003C7562: VariantCopy.OLEAUT32(00000000,?), ref: 003C75AB
Part of subcall function 003C7562: VariantClear.OLEAUT32(00000000), ref: 003C75B7

Strings

AUTOIT.ERROR, xrefs: 003D8728
Incorrect Parameter format, xrefs: 003D864B, 003D880D

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: a64429c8876e4a243e580b140c3ec0c57d33c37e9dd9898c1399f3836a58fcea
Instruction ID: 7cabd69306067ad946b410b535a6c5f43b05b92d01093dce76a3d7fc82d24174
Opcode Fuzzy Hash: a64429c8876e4a243e580b140c3ec0c57d33c37e9dd9898c1399f3836a58fcea
Instruction Fuzzy Hash: 88918C72608301DFC711DF24C48495ABBE8EF89714F14896EF98A8B3A1DB31E905CB92

Function 003C2A96 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0037FC86: _wcscpy.LIBCMT ref: 0037FCA9

_memset.LIBCMT ref: 003C2B87
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 003C2BB6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 003C2C69
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 003C2C97

Strings

0, xrefs: 003C2B73

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 5fa3651cc5521820c2008bfd0406cfa733adf06814c31c10b9be90b7fdacda7f
Instruction ID: 9598dd7d267c4897114be43969e7689879fcbfd670f36371303676840a2d783c
Opcode Fuzzy Hash: 5fa3651cc5521820c2008bfd0406cfa733adf06814c31c10b9be90b7fdacda7f
Instruction Fuzzy Hash: A251CC712083019ED726AF28D885F6FB7E8AF99310F058A2DF895D61A0DBB0DC048792

Function 00373137 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 161COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00373277
_memmove.LIBCMT ref: 00373310
_free.LIBCMT ref: 00373336
_memmove.LIBCMT ref: 003733E9

Strings

_7, xrefs: 00373322
3c7, xrefs: 00373225

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: _memmove$_free
String ID: 3c7$_7
API String ID: 2620147621-4188345352
Opcode ID: a15359bf745260158e3a265793b2511013fe98f286a7f00769e238d175f23ec2
Instruction ID: 120a1fd82065047b4ac1910f3bde8ee21addcef0d13b15d950bb7907ae88e133
Opcode Fuzzy Hash: a15359bf745260158e3a265793b2511013fe98f286a7f00769e238d175f23ec2
Instruction Fuzzy Hash: C3518B716087418FDB3ACF29C581B6BBBE5EF85310F09882DE88987350DB35E905CB82

Function 00376192 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00376248
_memmove.LIBCMT ref: 003762E4
_memset.LIBCMT ref: 00376308

Strings

3c7, xrefs: 003762AF
ERCP, xrefs: 003761B3

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: _memset$_memmove
String ID: 3c7$ERCP
API String ID: 2532777613-2328722621
Opcode ID: 6be3a460dd02b46ea37412c34d6690d0fcf5abb3a91b1bf56fb1336979fd1168
Instruction ID: b8a556ff9b804136ef3fc1acb35c8681d0d419b86437d36485ba28d56a58dd1f
Opcode Fuzzy Hash: 6be3a460dd02b46ea37412c34d6690d0fcf5abb3a91b1bf56fb1336979fd1168
Instruction Fuzzy Hash: 9951A070900B05DBDB26DF65C9927EBB7F8EF04304F20896EE54ADB691E774AA44CB40

Function 003C2753 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003C27C0
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 003C27DC
DeleteMenu.USER32(?,00000007,00000000), ref: 003C2822
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00425890,00000000), ref: 003C286B

Strings

0, xrefs: 003C27B5

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 0ae1c41c00d566a9374db9fb7e862348830f8d667c9491e8961e5e0526d0e5d9
Instruction ID: e05482ef70037dcf86b16d9867ee06182ba2334b41b475e405958f4079e33ff3
Opcode Fuzzy Hash: 0ae1c41c00d566a9374db9fb7e862348830f8d667c9491e8961e5e0526d0e5d9
Instruction Fuzzy Hash: 3A417C702043419FDB22EF25D884F5BBBA8AF85314F054A2DF965DB291DB70AC05CB62

Function 003DD7A5 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 003DD7C5

Part of subcall function 0036784B: _memmove.LIBCMT ref: 00367899

Strings

cdecl, xrefs: 003DD81C
stdcall, xrefs: 003DD847
winapi, xrefs: 003DD836
none, xrefs: 003DD8A0

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 64ff304c43639b79ac6967ba44742f394e6b5412f9a861b01f377bc92c418460
Instruction ID: be98efb75cef753cb87222d16e5fe9b1ca5b298673fdde6da47cb4d313d6e546
Opcode Fuzzy Hash: 64ff304c43639b79ac6967ba44742f394e6b5412f9a861b01f377bc92c418460
Instruction Fuzzy Hash: BC31A172904219ABCF06EF54C8519EEB3B4FF14320B10866AE8759B7D5DB71AD05CB80

Function 003B8E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00367DE1: _memmove.LIBCMT ref: 00367E22

Part of subcall function 003BAA99: GetClassNameW.USER32(?,?,000000FF), ref: 003BAABC

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 003B8F14
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 003B8F27
SendMessageW.USER32(?,00000189,?,00000000), ref: 003B8F57

Part of subcall function 00367BCC: _memmove.LIBCMT ref: 00367C06

Strings

ComboBox, xrefs: 003B8E9E
ListBox, xrefs: 003B8ED3

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: 43d510aa1e222971ab849444b013d91d73132e5f8bd68eaf009d65d1d3055dea
Instruction ID: 14aa81787e5c9e67294c862c5543683558dc0b2aa05774aed7f5b993aa683643
Opcode Fuzzy Hash: 43d510aa1e222971ab849444b013d91d73132e5f8bd68eaf009d65d1d3055dea
Instruction Fuzzy Hash: E621F071A04104BEDB16ABB0DC85DFFB76DDF05328F108629F5219B1E1DF394909D620

Function 003D182D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 003D184C
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 003D1872
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 003D18A2
InternetCloseHandle.WININET(00000000), ref: 003D18E9

Part of subcall function 003D2483: GetLastError.KERNEL32(?,?,003D1817,00000000,00000000,00000001), ref: 003D2498
Part of subcall function 003D2483: SetEvent.KERNEL32(?,?,003D1817,00000000,00000000,00000001), ref: 003D24AD

Strings

, xrefs: 003D1893

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 1c2f5b49488b8db31302a21ecfdbf4fd285c622749a7d3c94b3b4d47e01c68eb
Instruction ID: 0f0c449ee66fbe8907d42d2ddcd652d6b99b2d19f34036058ef62bfbc914eeae
Opcode Fuzzy Hash: 1c2f5b49488b8db31302a21ecfdbf4fd285c622749a7d3c94b3b4d47e01c68eb
Instruction Fuzzy Hash: 2E217FB2500208BFEB22DB65EC85EBB76EDEB48754F10412BF8059A340DA719D0567A1

Function 003E63E7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00361D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00361D73
Part of subcall function 00361D35: GetStockObject.GDI32(00000011), ref: 00361D87
Part of subcall function 00361D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00361D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 003E6461
LoadLibraryW.KERNEL32(?), ref: 003E6468
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 003E647D
DestroyWindow.USER32(?), ref: 003E6485

Strings

SysAnimate32, xrefs: 003E643C

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: c03772f274167d5163ae2596e1717f3d8cf9277f9ff8ac82eda83526813f7c0b
Instruction ID: fb317abf870343457f114af52dfb8c5c8394c26f0045f6eb5f892ff9bf017f7a
Opcode Fuzzy Hash: c03772f274167d5163ae2596e1717f3d8cf9277f9ff8ac82eda83526813f7c0b
Instruction Fuzzy Hash: B721CF712002A5BFEF124F66DC82EBB37ACEB683A4F114729F910961D0D771DC419B20

Function 003C6D9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 003C6DBC
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 003C6DEF
GetStdHandle.KERNEL32(0000000C), ref: 003C6E01
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 003C6E3B

Strings

nul, xrefs: 003C6E36

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 7409460735cd26bf33f7d8aeb3199eac906570d9e2a56f6b5c616d2f8bcdc135
Instruction ID: 30b391039e59a8fc13043d970ca89f5a6c106efdb179e429ee18934f75527c23
Opcode Fuzzy Hash: 7409460735cd26bf33f7d8aeb3199eac906570d9e2a56f6b5c616d2f8bcdc135
Instruction Fuzzy Hash: 0321817560020AABDB219F29DC4AF9A77B8EF44720F204A2DFDA1DB2D0D7709D518B50

Function 003C6E6A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 003C6E89
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 003C6EBB
GetStdHandle.KERNEL32(000000F6), ref: 003C6ECC
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 003C6F06

Strings

nul, xrefs: 003C6F01

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 7ffa489af9e6e48d8ade4ecfbae17347350768f53302296e93999e6b8e965151
Instruction ID: c043e5d6e257ba6fc2082a71f4bff4c5ccf993d6776bbb0caaf5121b473cb8bf
Opcode Fuzzy Hash: 7ffa489af9e6e48d8ade4ecfbae17347350768f53302296e93999e6b8e965151
Instruction Fuzzy Hash: 87218E795003059BDB219F79DD46FAA77A8AF45720F204A1EF9A0D72D0D770AC518B50

Function 003CAC40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 003CAC54
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 003CACA8
__swprintf.LIBCMT ref: 003CACC1
SetErrorMode.KERNEL32(00000000,00000001,00000000,003EF910), ref: 003CACFF

Strings

%lu, xrefs: 003CACBB

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: d5fbc7c05545ca48a98046fb25aca820cb59f7cae94ff7346f059ae67be30467
Instruction ID: e4873a8ad682445ff86aeb75af7fa36b420be692b6c8fe791f9c75f616c0758d
Opcode Fuzzy Hash: d5fbc7c05545ca48a98046fb25aca820cb59f7cae94ff7346f059ae67be30467
Instruction Fuzzy Hash: CA216030A00109AFCB11EF65C985EEE7BBCEF49714B008569F909EB252DB71EA41CB61

Function 003C1142 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,003BFCED,?,003C0D40,?,00008000), ref: 003C115F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,003BFCED,?,003C0D40,?,00008000), ref: 003C1184
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,003BFCED,?,003C0D40,?,00008000), ref: 003C118E
Sleep.KERNEL32(?,?,?,?,?,?,?,003BFCED,?,003C0D40,?,00008000), ref: 003C11C1

Strings

@<, xrefs: 003C119D

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID: @<
API String ID: 2875609808-354047512
Opcode ID: e429829ce7035956cf12c8d61c3fe93485befa2c527257a0d4e03b87a4fa7202
Instruction ID: b0f1f435e29798892461cfc33c75a46dd0582fcb816632f954f9db39b3b5cb18
Opcode Fuzzy Hash: e429829ce7035956cf12c8d61c3fe93485befa2c527257a0d4e03b87a4fa7202
Instruction Fuzzy Hash: B4117C31C0061CDBCF029FA4D899BEEBB78FF0A711F054159EA40F6281CB749950DBA5

Function 003C1AE8 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 003C1B19

Strings

APPEND, xrefs: 003C1B52
EXISTS, xrefs: 003C1B41
KEYS, xrefs: 003C1B30
REMOVE, xrefs: 003C1B1F

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 67b26772f1a5cc90f1f992b08946e5962a12c55c59bde5dd578da2796c072ae9
Instruction ID: 5ed369204e3c270ec8f6a3f269c52e27421baf413c813955601463ef42a3d31d
Opcode Fuzzy Hash: 67b26772f1a5cc90f1f992b08946e5962a12c55c59bde5dd578da2796c072ae9
Instruction Fuzzy Hash: 3C118B349102089FCF09EFA4D8529EEB3B4FF26304B5084A9D814AB292EB325D0ADF50

Function 003DEB55 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 003DEC07
GetProcessIoCounters.KERNEL32(00000000,?), ref: 003DEC37
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 003DED6A
CloseHandle.KERNEL32(?), ref: 003DEDEB

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: f1382425acec286fbba3a6d06134d2b0d3cf8566c274b4c65a4805ea34a9d1d4
Instruction ID: 80cfe6c10feeb007a31ed7f04cc7e92686aa0ef63bc83ad3f18c18e035b3df71
Opcode Fuzzy Hash: f1382425acec286fbba3a6d06134d2b0d3cf8566c274b4c65a4805ea34a9d1d4
Instruction Fuzzy Hash: F88152B16043009FD722EF18D886B2AB7E9AF59710F04891EF9559F3D2DA71AC408B51

Function 003E0037 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00367DE1: _memmove.LIBCMT ref: 00367E22

Part of subcall function 003E0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,003DFDAD,?,?), ref: 003E0E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003E00FD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 003E013C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 003E0183
RegCloseKey.ADVAPI32(?,?), ref: 003E01AF
RegCloseKey.ADVAPI32(00000000), ref: 003E01BC

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: b2ec9005fdafc5e3fe516cdc5df72aca0d9c214c1cda5070505050fb15c474fc
Instruction ID: b56d4c06c590a449241c291f873ab227db1fb457493e661e29cad25d081c3461
Opcode Fuzzy Hash: b2ec9005fdafc5e3fe516cdc5df72aca0d9c214c1cda5070505050fb15c474fc
Instruction Fuzzy Hash: 51515D71208244AFD716EF54C881F6AB7E9FF84314F408A2DF5958B2A2DB71ED44CB52

Function 003DD8C8 Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00369837: __itow.LIBCMT ref: 00369862
Part of subcall function 00369837: __swprintf.LIBCMT ref: 003698AC

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 003DD927
GetProcAddress.KERNEL32(00000000,?), ref: 003DD9AA
GetProcAddress.KERNEL32(00000000,00000000), ref: 003DD9C6
GetProcAddress.KERNEL32(00000000,?), ref: 003DDA07
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 003DDA21

Part of subcall function 00365A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,003C7896,?,?,00000000), ref: 00365A2C
Part of subcall function 00365A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,003C7896,?,?,00000000,?,?), ref: 00365A50

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 7e286c04e03e7b8fee20c5d81d3292f173c95ca74f4d6ec9e1e78a4ccb9c05b9
Instruction ID: dbaec1b07539e4d3ec4c016e540d148a2c7ecdd856b0ae26b8d21db4ecf69390
Opcode Fuzzy Hash: 7e286c04e03e7b8fee20c5d81d3292f173c95ca74f4d6ec9e1e78a4ccb9c05b9
Instruction Fuzzy Hash: 0C511636A00209DFCB12EFA8D4949ADB7F8EF19320B05C16AE855AB352D731AD45CF90

Function 003CE571 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 003CE61F
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 003CE648
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 003CE687

Part of subcall function 00369837: __itow.LIBCMT ref: 00369862
Part of subcall function 00369837: __swprintf.LIBCMT ref: 003698AC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 003CE6AC
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 003CE6B4

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: e5900e3a52f9106bcb028f209245dafd2698d901bba4d962eaa8be945d9ffb59
Instruction ID: 1259f4c50b623f0d473334d96adb807cb4af9d824877be4dfa3634d63cafeb44
Opcode Fuzzy Hash: e5900e3a52f9106bcb028f209245dafd2698d901bba4d962eaa8be945d9ffb59
Instruction Fuzzy Hash: 4151FB35A00205DFCB16EF64C981AAEBBF9EF09314F1484A9E909AF365CB31ED15DB50

Function 003EA056 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a19c4389e071883da456547849b8c72f5ac072599b5de5d72b00046c792ebb31
Instruction ID: b68b191bb3f0d31290d6aabb6cacdf6ac0946b6811f311c64e1ab2ed785b1dc7
Opcode Fuzzy Hash: a19c4389e071883da456547849b8c72f5ac072599b5de5d72b00046c792ebb31
Instruction Fuzzy Hash: A141F9359049A4AFD722DF35CC88FE9BBA8EB09310F164365F816A72E0C770BD41DA51

Function 00362344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00362357
ScreenToClient.USER32(004257B0,?), ref: 00362374
GetAsyncKeyState.USER32(00000001), ref: 00362399
GetAsyncKeyState.USER32(00000002), ref: 003623A7

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 228b5621eaf85de4347ca92a2c2609ec985d0ba81412b12df33121f4b726866b
Instruction ID: 09c722ec55f47f616409745a836232665f062037b4718b9751b9e6d963911129
Opcode Fuzzy Hash: 228b5621eaf85de4347ca92a2c2609ec985d0ba81412b12df33121f4b726866b
Instruction Fuzzy Hash: 19418039604619FFCF278F68C844AEEBB78BB05360F21835AF829962D0C7349950DB91

Function 003B63AA Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 003B63E7
TranslateAcceleratorW.USER32(?,?,?), ref: 003B6433
TranslateMessage.USER32(?), ref: 003B645C
DispatchMessageW.USER32(?), ref: 003B6466
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 003B6475

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 117d209abdab0fd68b2699b6a911bdfda7b8a4b7164d460b5db77c6ad3aa9045
Instruction ID: 4a80da508d733d2516dc40980a4d414bb7be264d4c619dec004de08ebbd280fa
Opcode Fuzzy Hash: 117d209abdab0fd68b2699b6a911bdfda7b8a4b7164d460b5db77c6ad3aa9045
Instruction Fuzzy Hash: BE310631600A42DFDB328F71CC46BF67BACAB01308F550175E625C78A2E7789845CB60

Function 003B8A1F Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 003B8A30
PostMessageW.USER32(?,00000201,00000001), ref: 003B8ADA
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 003B8AE2
PostMessageW.USER32(?,00000202,00000000), ref: 003B8AF0
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 003B8AF8

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: a7fed25b820ec47777a1b7bf8320122c03c787f43d239f6f509581d5872f8c40
Instruction ID: 79d3397cd51049d19cce5fc0168d15d4a3a7e4bb9ec2705c2e31106621492d72
Opcode Fuzzy Hash: a7fed25b820ec47777a1b7bf8320122c03c787f43d239f6f509581d5872f8c40
Instruction Fuzzy Hash: 3A31D171500259EFDF15CF68D98CADE7BB9EB04319F108229FA24EA6D0C7B09910CB90

Function 003BB1EC Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 003BB204
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 003BB221
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 003BB259
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 003BB27F
_wcsstr.LIBCMT ref: 003BB289

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 59596d55ffd186a08d57d86d579eaf58df9f05dedf7fb8737111d86028fcb7fc
Instruction ID: e12cdc944abdb379aad504944a4471e9d9a7d147eb34a897ac49c48ef3f89dba
Opcode Fuzzy Hash: 59596d55ffd186a08d57d86d579eaf58df9f05dedf7fb8737111d86028fcb7fc
Instruction Fuzzy Hash: A821D331204240ABEB276B799C49ABFBB9CDF49710F014179F904DE5A1EFA1DC409360

Function 003EB14B Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00362612: GetWindowLongW.USER32(?,000000EB), ref: 00362623

GetWindowLongW.USER32(?,000000F0), ref: 003EB192
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 003EB1B7
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 003EB1CF
GetSystemMetrics.USER32(00000004), ref: 003EB1F8
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,003D0E90,00000000), ref: 003EB216

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: d16e6a01f3fcd3c6430345962bc00b33b40bea01008572fdea16d59e74b39c81
Instruction ID: 0de6004efe1229762fcf3ccf6bc777da8a4ad59d530286f7944aaa03909c6221
Opcode Fuzzy Hash: d16e6a01f3fcd3c6430345962bc00b33b40bea01008572fdea16d59e74b39c81
Instruction Fuzzy Hash: A42171716106A5AFCB229F399C44A6B77A8EB06371F114B34A922D71E0D77098219B90

Function 003B9307 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 003B9320

Part of subcall function 00367BCC: _memmove.LIBCMT ref: 00367C06

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 003B9352
__itow.LIBCMT ref: 003B936A
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 003B9392
__itow.LIBCMT ref: 003B93A3

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 508a329101f04af043cd65c4b3a39fb1b93c1abd2a9ef7c54d5b2495cdf826aa
Instruction ID: 0bfe4002464c99d5af2dc685e2fd76dd910cb9766f8d0ae3ffa854e7c7dd51a1
Opcode Fuzzy Hash: 508a329101f04af043cd65c4b3a39fb1b93c1abd2a9ef7c54d5b2495cdf826aa
Instruction Fuzzy Hash: 4521B335700208BBDB12AA658CC5FEE7BADEF49718F044026FB499B2D1D6B089458791

Function 003D5A4D Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 003D5A6E
GetForegroundWindow.USER32 ref: 003D5A85
GetDC.USER32(00000000), ref: 003D5AC1
GetPixel.GDI32(00000000,?,00000003), ref: 003D5ACD
ReleaseDC.USER32(00000000,00000003), ref: 003D5B08

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: f5d8ff0d39d4ce73ed9f21486c0a100a1ab8d2de6e1ed826c6675051d5173e28
Instruction ID: ce9cae060b9622a7de74bca99de91c47a6a254f83f01340b29167f3d30d3d33c
Opcode Fuzzy Hash: f5d8ff0d39d4ce73ed9f21486c0a100a1ab8d2de6e1ed826c6675051d5173e28
Instruction Fuzzy Hash: 1A216F76A00114AFDB15EF65D884A9ABBE9EF48350F14C57AF809DB362DA70AD00CB90

Function 003612F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0036134D
SelectObject.GDI32(?,00000000), ref: 0036135C
BeginPath.GDI32(?), ref: 00361373
SelectObject.GDI32(?,00000000), ref: 0036139C

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: c3d26ad101a40c7a8ea82601e61f771f9aaf99c793ebc03f3690447b30005cd5
Instruction ID: f721bf70ff9c17989c1679ea05acfdfedc3e377f3a84c045a573eafead12d079
Opcode Fuzzy Hash: c3d26ad101a40c7a8ea82601e61f771f9aaf99c793ebc03f3690447b30005cd5
Instruction Fuzzy Hash: E721B634900608DFDB22AF25DD447697BE8FB00321F688225F4119A6B4D3F099A2DF54

Function 003C4A93 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 003C4ABA
__beginthreadex.LIBCMT ref: 003C4AD8
MessageBoxW.USER32(?,?,?,?), ref: 003C4AED
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 003C4B03
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 003C4B0A

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: f3b936e7a28e1aac29512795dab40494194f392cdc78f300060437d29d86debe
Instruction ID: d32aebb53d1d132502b42f87f484b4bea7deba3bb5249125dd87635b496dd778
Opcode Fuzzy Hash: f3b936e7a28e1aac29512795dab40494194f392cdc78f300060437d29d86debe
Instruction Fuzzy Hash: 0E11E576A04248BFC7229BA89C44F9A7BACEB45320F1442A9F814D7290D6B18D008BA0

Function 003B8202 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 003B821E
GetLastError.KERNEL32(?,003B7CE2,?,?,?), ref: 003B8228
GetProcessHeap.KERNEL32(00000008,?,?,003B7CE2,?,?,?), ref: 003B8237
HeapAlloc.KERNEL32(00000000,?,003B7CE2,?,?,?), ref: 003B823E
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 003B8255

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 187100892d96c7fd731cfad6d0df89a7ee88fad2f25148ab67be5127d535c177
Instruction ID: de87e76b83465c29f7d948a5b4b6d677381eda645e3065af68e4978951ef06f6
Opcode Fuzzy Hash: 187100892d96c7fd731cfad6d0df89a7ee88fad2f25148ab67be5127d535c177
Instruction Fuzzy Hash: B4018671201645FFDB224FA5DC88DA77F6CEF86754B504929F909CB1A0DB718C00CA60

Function 003B710A Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,003B7044,80070057,?,?,?,003B7455), ref: 003B7127
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,003B7044,80070057,?,?), ref: 003B7142
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,003B7044,80070057,?,?), ref: 003B7150
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,003B7044,80070057,?), ref: 003B7160
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,003B7044,80070057,?,?), ref: 003B716C

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 2c9d260473cefd4c6a7990e541e08d0c09a963d38525c67516ab2b092a1f98fa
Instruction ID: d89b245a5a0ff8ead020d4300d7bf7bdcb9955f123b87211f8ef3db83968e9a8
Opcode Fuzzy Hash: 2c9d260473cefd4c6a7990e541e08d0c09a963d38525c67516ab2b092a1f98fa
Instruction Fuzzy Hash: 19018FB6601204BFDB224F68DC84BEA7BADEF84795F154164FE08E6220D771ED409BA0

Function 003C5244 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 003C5260
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 003C526E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 003C5276
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 003C5280
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 003C52BC

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 436607fe8cffad72030be8a6fa7ed8b5ab3a692b1c66731868255ef2eb7fd463
Instruction ID: ec49a125320b679ab694fe7908bc2ef7aa130e0b7da0358066b0695ac88af366
Opcode Fuzzy Hash: 436607fe8cffad72030be8a6fa7ed8b5ab3a692b1c66731868255ef2eb7fd463
Instruction Fuzzy Hash: C7016D31D01A1DDBCF11EFE4E888AEDBBBCFB09311F410969E941F6180CB70699087A1

Function 003B810A Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 003B8121
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 003B812B
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 003B813A
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 003B8141
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 003B8157

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: be0fad539cbf30bcfd862fd4df7c8577a2815987a8f5535827cdf186b532bf05
Instruction ID: 3dec80d18446eb5596bce03d1da17ca7c668572c92a76689aec95df98b66ae62
Opcode Fuzzy Hash: be0fad539cbf30bcfd862fd4df7c8577a2815987a8f5535827cdf186b532bf05
Instruction Fuzzy Hash: B3F06875201344AFD7220F65DCC8EA73BACFF85758F010125F645D6190CBA1DD41DA60

Function 003BC1E3 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 003BC1F7
GetWindowTextW.USER32(00000000,?,00000100), ref: 003BC20E
MessageBeep.USER32(00000000), ref: 003BC226
KillTimer.USER32(?,0000040A), ref: 003BC242
EndDialog.USER32(?,00000001), ref: 003BC25C

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 961e5a5d150b83896d27833405c3601eece31f100f21126e3b9d7d721bf9d898
Instruction ID: 8a7224d1ac4fbe4760b7b72a45dc866b459a1bf3626a9b33f00e9cd82b708c06
Opcode Fuzzy Hash: 961e5a5d150b83896d27833405c3601eece31f100f21126e3b9d7d721bf9d898
Instruction Fuzzy Hash: 0701A7304143089BEF325B50DD8EBD6777CBB0070AF000769A682998E0D7F069448B50

Function 003613B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 003613BF
StrokeAndFillPath.GDI32(?,?,0039B888,00000000,?), ref: 003613DB
SelectObject.GDI32(?,00000000), ref: 003613EE
DeleteObject.GDI32 ref: 00361401
StrokePath.GDI32(?), ref: 0036141C

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: f72d2b7a0a768bdb3b35681808e52b4e24c61f1efd4a37f49558a4006f8fd324
Instruction ID: 5061036940e350964a46e4356e9256b747742f54df32a268b7877602719cab31
Opcode Fuzzy Hash: f72d2b7a0a768bdb3b35681808e52b4e24c61f1efd4a37f49558a4006f8fd324
Instruction Fuzzy Hash: 89F0B630104A48EFDB336F26EC897683FA8AB01326F58C635E429495F5C7B149A6DF54

Function 003CC397 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 003CC432
CoCreateInstance.OLE32(003F2D6C,00000000,00000001,003F2BDC,?), ref: 003CC44A

Part of subcall function 00367DE1: _memmove.LIBCMT ref: 00367E22

CoUninitialize.OLE32 ref: 003CC6B7

Strings

.lnk, xrefs: 003CC3C6, 003CC3EE, 003CC3F8

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: cc88e9b085818a6ccca30d502cc16709b139880c05962db566b2e9cee0808589
Instruction ID: c84769c0d7fa6587ca0c00cdc7161cb083123352c7492ab80a305a3a5e031a83
Opcode Fuzzy Hash: cc88e9b085818a6ccca30d502cc16709b139880c05962db566b2e9cee0808589
Instruction Fuzzy Hash: 27A13BB1104205AFD701EF54C891EABB7ECEF99358F00892DF1959B1A2DB71EA09CB52

Function 00372CFB Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00380DB6: std::exception::exception.LIBCMT ref: 00380DEC
Part of subcall function 00380DB6: __CxxThrowException@8.LIBCMT ref: 00380E01

Part of subcall function 00367DE1: _memmove.LIBCMT ref: 00367E22

Part of subcall function 00367A51: _memmove.LIBCMT ref: 00367AAB

__swprintf.LIBCMT ref: 00372ECD

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00372D66

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: ac5c6511717b1da7ebf3b682f7eb9e828cf061597104a6fd57e5f4747408820e
Instruction ID: c5fae3a565d101d6bad38709f6a30271984b243a52bd922dc7f8591e1bbcc26b
Opcode Fuzzy Hash: ac5c6511717b1da7ebf3b682f7eb9e828cf061597104a6fd57e5f4747408820e
Instruction Fuzzy Hash: 73914B711082019FC726EF24C896C6FB7E8EF96710F04891DF4969B2A5EB34ED44CB62

Function 003CB93B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00364750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00364743,?,?,003637AE,?), ref: 00364770

CoInitialize.OLE32(00000000), ref: 003CB9BB
CoCreateInstance.OLE32(003F2D6C,00000000,00000001,003F2BDC,?), ref: 003CB9D4
CoUninitialize.OLE32 ref: 003CB9F1

Part of subcall function 00369837: __itow.LIBCMT ref: 00369862
Part of subcall function 00369837: __swprintf.LIBCMT ref: 003698AC

Strings

.lnk, xrefs: 003CB99D, 003CB9AB

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 87e7422acbfa78fe99b5f2a0ae482755ae74efe98f4185bb797f79d85ff18316
Instruction ID: 52442a5187f0c9064384edc8981866e4759ddbd522276359683a9c671f8822ec
Opcode Fuzzy Hash: 87e7422acbfa78fe99b5f2a0ae482755ae74efe98f4185bb797f79d85ff18316
Instruction Fuzzy Hash: 91A153756042059FCB02DF14C885E6ABBE9FF89314F05899DF8999B3A2CB31EC45CB91

Function 003BB2F3 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 003BB4BE

Strings

AutoIt3GUI, xrefs: 003BB436
%?, xrefs: 003BB561
Container, xrefs: 003BB43B

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container$%?
API String ID: 3565006973-1141368171
Opcode ID: 1af65fd6752d3bb6997d43af25b560ac593e2952a580ffe52ffe833bb680bb66
Instruction ID: 3b7ecbe60d3ceba10490633bc9dace6c25e3e331ebd2bf94a43c3b36a7a401f9
Opcode Fuzzy Hash: 1af65fd6752d3bb6997d43af25b560ac593e2952a580ffe52ffe833bb680bb66
Instruction Fuzzy Hash: 37915D706006019FDB25DF64C884BAAB7F9FF49714F10856EFA4ACB691DBB0E845CB50

Function 0038501D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 003850AD

Part of subcall function 003900F0: __87except.LIBCMT ref: 0039012B

Strings

pow, xrefs: 00385085, 003850A2

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: f4a3f382d813fb2e39639ed687f5a7d1546eecae13f594c0b460be40bef1b12c
Instruction ID: d1310af86ccc8edf35f1cb9d3bfe593d392d87145e4919a1a835a9c86e09be13
Opcode Fuzzy Hash: f4a3f382d813fb2e39639ed687f5a7d1546eecae13f594c0b460be40bef1b12c
Instruction Fuzzy Hash: D9516DA590C7028ADF1B7B28CD4537E3BA89B40700F218DD9E4D58A2A9DF348DD4DB86

Function 003A8584 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 148COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 003A862B
_memmove.LIBCMT ref: 003A8685

Strings

_7, xrefs: 003A86FF, 003ADFDC, 003ADFF8
3c7, xrefs: 003A860C

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: _memmove
String ID: 3c7$_7
API String ID: 4104443479-4188345352
Opcode ID: 93c5ba728ecbd03d4ccd13f24ec226b4c43d3f34187238ea43a0bd30561442e9
Instruction ID: a38e27e558d97082891e8bdddb7d811c8dfc8a9dfd22c95de50022ca9dc5f7a7
Opcode Fuzzy Hash: 93c5ba728ecbd03d4ccd13f24ec226b4c43d3f34187238ea43a0bd30561442e9
Instruction Fuzzy Hash: 21518D70D00609DFCB26CF68C884AAEBBB1FF46304F158529E85AE7650EB30A955CF51

Function 003B97F5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003C14BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,003B9296,?,?,00000034,00000800,?,00000034), ref: 003C14E6

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 003B983F

Part of subcall function 003C1487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,003B92C5,?,?,00000800,?,00001073,00000000,?,?), ref: 003C14B1

Part of subcall function 003C13DE: GetWindowThreadProcessId.USER32(?,?), ref: 003C1409
Part of subcall function 003C13DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,003B925A,00000034,?,?,00001004,00000000,00000000), ref: 003C1419
Part of subcall function 003C13DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,003B925A,00000034,?,?,00001004,00000000,00000000), ref: 003C142F

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 003B98AC
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 003B98F9

Strings

@, xrefs: 003B9911

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: cdf5629b3c612170638ca3fb86d11d6c6ad20cf9703339c09c62ae78d2dde226
Instruction ID: 8fc99c374fd8045e18211fe96fef7031ad4f7338a21c27b041e13541089314d0
Opcode Fuzzy Hash: cdf5629b3c612170638ca3fb86d11d6c6ad20cf9703339c09c62ae78d2dde226
Instruction Fuzzy Hash: C3413076900118BFDB15DFA4CC85FDEBBB8EB09300F004199FA45BB191DA716E45DBA0

Function 003E7946 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,003EF910,00000000,?,?,?,?), ref: 003E79DF
GetWindowLongW.USER32 ref: 003E79FC
SetWindowLongW.USER32(?,000000F0,00000000), ref: 003E7A0C

Strings

SysTreeView32, xrefs: 003E79B1

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 03df1d3d4832c33776beb92756758bf3ac81c7e417196bca2fc89ebc95d7ec17
Instruction ID: 62ff8cd1a161ac8653f54bfada8214142949df2c7dccc6e7e53ddc963a16d6da
Opcode Fuzzy Hash: 03df1d3d4832c33776beb92756758bf3ac81c7e417196bca2fc89ebc95d7ec17
Instruction Fuzzy Hash: 3D31FC3120465AAFDB228E39CC41BEB77A9EF49324F218725F875A72E1D730EC508B50

Function 003E73D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 003E7461
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 003E7475
SendMessageW.USER32(?,00001002,00000000,?), ref: 003E7499

Strings

SysMonthCal32, xrefs: 003E742C

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: fce8a823c14b72c6d5555bb28ba76d24aa893a859eb02f5e915112cd8a6dc335
Instruction ID: d8fa18e74133994fdb98ea3895a8cfb5e8d4aecfa3decc62c6f3407bb906be4c
Opcode Fuzzy Hash: fce8a823c14b72c6d5555bb28ba76d24aa893a859eb02f5e915112cd8a6dc335
Instruction Fuzzy Hash: 95219132500268AFDF228E55CC46FEA3B69EF48724F110214FE156B1D0DAB5AC919BA0

Function 003E7B93 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 003E7C4A
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 003E7C58
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 003E7C5F

Strings

msctls_updown32, xrefs: 003E7BC4

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: d02d331da6f164282f8b3fc923d874f01066502f6e40d9a2a5bc5ab5f35a2f02
Instruction ID: 4f60e0127528c0729cdc4ea582ea03d11262ccb97b9a31a321b5ee64840913ef
Opcode Fuzzy Hash: d02d331da6f164282f8b3fc923d874f01066502f6e40d9a2a5bc5ab5f35a2f02
Instruction Fuzzy Hash: B7219CB1204259AFDB22DF24DCC1DA737ACEB4A394B150159F9019B3A1CB71EC118A60

Function 003E6CB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 003E6D3B
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 003E6D4B
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 003E6D70

Strings

Listbox, xrefs: 003E6D08

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: f479828a492b402016140b637e49f85fa59392383073b40db8a20a2b0a73a48c
Instruction ID: c25ae76c78a5fcaebe6fcf98afad806ea5246afbb54ed5bff4b31b840ae7ec97
Opcode Fuzzy Hash: f479828a492b402016140b637e49f85fa59392383073b40db8a20a2b0a73a48c
Instruction Fuzzy Hash: 66218332600168BFDF228F55CC45FBB37AAEF997A0F518224F9455B1D1C6719C5187A0

Function 003D39E9 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 003D3A66

Part of subcall function 00367DE1: _memmove.LIBCMT ref: 00367E22

Strings

AUTOITCALLVARIABLE%d, xrefs: 003D3A58
%?, xrefs: 003D39F4
, $, xrefs: 003D3AA6

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d$%?
API String ID: 3506404897-1727123861
Opcode ID: b077433487cbfdba5b7139745364edee5110b9defc4834bacf3bc0166b148f7d
Instruction ID: b3d51eee7e8d1ccd8fee0688ad858e30f9e03d16d84bf90d6310dd3799062ab9
Opcode Fuzzy Hash: b077433487cbfdba5b7139745364edee5110b9defc4834bacf3bc0166b148f7d
Instruction Fuzzy Hash: 6C219372B00219AFCF12EF64DC82AEE77B5AF44300F50445AF545AB286DB74EE41CB66

Function 003E770E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 003E7772
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 003E7787
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 003E7794

Strings

msctls_trackbar32, xrefs: 003E7749

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: fd1e4986c4099553fbabeecd051fe70b7b14bd50e186d88471b8d70858694780
Instruction ID: 83c3e37bded4ad23f741d3ee9c85be24492b3b7552a1d423e608d1af19ab3036
Opcode Fuzzy Hash: fd1e4986c4099553fbabeecd051fe70b7b14bd50e186d88471b8d70858694780
Instruction Fuzzy Hash: BE113A72244248BFEF215F61CC01FE7776CEF89B54F124228F641A60D0C272E851CB10

Function 00386B71 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00386B93
__calloc_crt.LIBCMT ref: 00386BAC

Strings

@BB, xrefs: 00386BC3
A, xrefs: 00386BD1

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: __calloc_crt
String ID: A$@BB
API String ID: 3494438863-782587721
Opcode ID: c4017c12f4d4e618c95e1431312ed6273fdb10ad8f748a1a6a77210f19d68cd4
Instruction ID: bc02692332c5bc6255f6f44652f87d09d2bfbfe4fef34e0322f75b65a7704740
Opcode Fuzzy Hash: c4017c12f4d4e618c95e1431312ed6273fdb10ad8f748a1a6a77210f19d68cd4
Instruction Fuzzy Hash: 3FF0A475304712CBE737AF16BC52AA22795E700338F9000A6E500CE1C0EB3488824B98

Function 00389B79 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 00389B94

Part of subcall function 00389C0B: __mtinitlocknum.LIBCMT ref: 00389C1D
Part of subcall function 00389C0B: EnterCriticalSection.KERNEL32(00000000,?,00389A7C,0000000D), ref: 00389C36

__updatetlocinfoEx_nolock.LIBCMT ref: 00389BA4

Part of subcall function 00389100: ___addlocaleref.LIBCMT ref: 0038911C
Part of subcall function 00389100: ___removelocaleref.LIBCMT ref: 00389127
Part of subcall function 00389100: ___freetlocinfo.LIBCMT ref: 0038913B

Strings

8A, xrefs: 00389B85
8A, xrefs: 00389B8A, 00389B9F, 00389BAB

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: CriticalEnterEx_nolockSection___addlocaleref___freetlocinfo___removelocaleref__lock__mtinitlocknum__updatetlocinfo
String ID: 8A$8A
API String ID: 547918592-441909865
Opcode ID: 19a88e42b1ab8b896635e6aa6b53cd8e3c0e69192d23999425ec9bf3baff86fc
Instruction ID: 8306589bb07c6e58d7d099d9fb76362ef3b2cff88125ea0e9f969e2f0af86406
Opcode Fuzzy Hash: 19a88e42b1ab8b896635e6aa6b53cd8e3c0e69192d23999425ec9bf3baff86fc
Instruction Fuzzy Hash: CBE0863954B300A5D613F7A5AA077A866505B00B21F6441DBF445590C1CE781540871F

Function 00364C36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00364B83,?), ref: 00364C44
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00364C56

Strings

Wow64RevertWow64FsRedirection, xrefs: 00364C50
kernel32.dll, xrefs: 00364C3F

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: f4236449bf2477f572d6ee0fe1ca7561fe0d2d262b9163173be41d6895b05407
Instruction ID: dc7cb42b9083b1a2b37b22af9957d13d25aa819f27534e198be95f72e85fe3e5
Opcode Fuzzy Hash: f4236449bf2477f572d6ee0fe1ca7561fe0d2d262b9163173be41d6895b05407
Instruction Fuzzy Hash: 79D05B30910723DFD7355F31D94864677D9AF05351F11C93ED496DA2A4E7B4D4C0C650

Function 00364C03 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00364BD0,?,00364DEF,?,004252F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00364C11
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00364C23

Strings

Wow64DisableWow64FsRedirection, xrefs: 00364C1D
kernel32.dll, xrefs: 00364C0C

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 97008a653b51b185932be2a196bb503862c0f4fbcfdfae59fe205e6ace80249f
Instruction ID: fd8fcbb23a8e2709afa77a29285a4c4be43e9f948906a483dcb83b74d4511fba
Opcode Fuzzy Hash: 97008a653b51b185932be2a196bb503862c0f4fbcfdfae59fe205e6ace80249f
Instruction Fuzzy Hash: A0D01230911713DFD7216F71D948647B6DAEF09351F11CD3ED486DA2A4E6F4D480C654

Function 003E0DE7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,003E1039), ref: 003E0DF5
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 003E0E07

Strings

advapi32.dll, xrefs: 003E0DF0
RegDeleteKeyExW, xrefs: 003E0E01

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 7ef443137ae57e50f7884acb28757ef2a926965c57914b5ddc21276dc6a48508
Instruction ID: abbb3468989213447fc16c44979599b77f6d1762a88838d0363605829d5e4271
Opcode Fuzzy Hash: 7ef443137ae57e50f7884acb28757ef2a926965c57914b5ddc21276dc6a48508
Instruction Fuzzy Hash: 87D0C231400B26DFC3224FB1C848382B2DAAF40341F118D3ED486D6190D7F4D8D0C604

Function 003D90E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,003D8CF4,?,003EF910), ref: 003D90EE
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 003D9100

Strings

GetModuleHandleExW, xrefs: 003D90FA
kernel32.dll, xrefs: 003D90E9

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 29206296b4b67380f91501006844953e566fec64170d2fc8382bb357a4742173
Instruction ID: 5e652dd15887d81e51f44bfac44828cca7873abda4e2a21319e3dedd20ec9885
Opcode Fuzzy Hash: 29206296b4b67380f91501006844953e566fec64170d2fc8382bb357a4742173
Instruction Fuzzy Hash: 9AD01735510723CFDB229F32E85874676E8AF05351F13CA3FD48ADA690EAB4C880CA90

Function 003A1714 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 003A1718
__swprintf.LIBCMT ref: 003A1749

Strings

WIN_XPe, xrefs: 003A1788
%.3d, xrefs: 003A1723

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 6f3150c54c8ee4f933f0c96beb7160bb406626ee7d0a476928db07201388cde1
Instruction ID: 7bdf92f2429b0020381a5085dad51bfac6222465f8651f8de341f10a677dd8ff
Opcode Fuzzy Hash: 6f3150c54c8ee4f933f0c96beb7160bb406626ee7d0a476928db07201388cde1
Instruction Fuzzy Hash: 32D01776844218FACB139A90D8888F9737CEB1A701F242562F906E2480E2668B94EA25

Function 003B717D Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6546b8b7e508d59faf13d46df6153334af70be74d63cdaf6bf240564dde1a2fc
Instruction ID: 75c7434478536c31fe61a8054f759a715756ab06fe74d10f4ec6de7b5e2c204e
Opcode Fuzzy Hash: 6546b8b7e508d59faf13d46df6153334af70be74d63cdaf6bf240564dde1a2fc
Instruction Fuzzy Hash: 44C18174A04216EFCB15CFA5C884EAEBBF5FF88308B154598E909EB651D730DD41DB90

Function 003DE02A Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 003DE0BE
CharLowerBuffW.USER32(?,?), ref: 003DE101

Part of subcall function 003DD7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 003DD7C5

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 003DE301
_memmove.LIBCMT ref: 003DE314

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 647c7f982fb356f90a515ed64ac01dce7a99ca04be1797309107cf846f73d949
Instruction ID: 713bf34ec8d645bd54d3951bab64149f0bae6587d0dbe6285491ac7b77ce3654
Opcode Fuzzy Hash: 647c7f982fb356f90a515ed64ac01dce7a99ca04be1797309107cf846f73d949
Instruction Fuzzy Hash: 75C14876608301DFC716EF28C480A6ABBE4FF89714F14896EF8999B351D731E946CB81

Function 003D8093 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 003D80C3
CoUninitialize.OLE32 ref: 003D80CE

Part of subcall function 003BD56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 003BD5D4

VariantInit.OLEAUT32(?), ref: 003D80D9
VariantClear.OLEAUT32(?), ref: 003D83AA

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 14a1c6f989fbb5efbaf33b3123f26f37419eb3cb8d45208858a13f1abf0ce441
Instruction ID: f1c1336f6a5de5d6913a32b4fce5dfec0d2499668b48889e310cf81e8984f0e8
Opcode Fuzzy Hash: 14a1c6f989fbb5efbaf33b3123f26f37419eb3cb8d45208858a13f1abf0ce441
Instruction Fuzzy Hash: 77A1497A6047019FCB12DF54D481B2AB7E8BF89714F04885AF9999B3A1CB30FD05CB41

Function 003B687D Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 003B688E
SysAllocString.OLEAUT32(00000000), ref: 003B6937
VariantCopy.OLEAUT32 ref: 003B6966
VariantClear.OLEAUT32(?), ref: 003B698D

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 0f01bac91a81e44f8f5059ac7305ce17cae3d5ba4a6450a51419bf05e86f8500
Instruction ID: 5fd3f07705aa7404cbcfd91b577db3e07fc4c27bed1a727175aed8afb8a8ae94
Opcode Fuzzy Hash: 0f01bac91a81e44f8f5059ac7305ce17cae3d5ba4a6450a51419bf05e86f8500
Instruction Fuzzy Hash: F251CA747003419ECF26AF65D892AB9B3E99F44314F20C81FE686DBA93DB78D8448701

Function 003E97F4 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(010CEC68,?), ref: 003E9863
ScreenToClient.USER32(00000002,00000002), ref: 003E9896
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 003E9903

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: b830fefbf6cc2a3f7b719ab1961d8f776b3772340d6302b1c4dbd42ae735e7b3
Instruction ID: 5134029084ab330596af01d64ca70d4e89d5928108c044c289e3101504fb0efc
Opcode Fuzzy Hash: b830fefbf6cc2a3f7b719ab1961d8f776b3772340d6302b1c4dbd42ae735e7b3
Instruction Fuzzy Hash: 16515F34A00258EFCF22DF25D880AAE7BB5FF45360F15826AF8559B2E1D770AD41CB90

Function 003B9A80 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 003B9AD2
__itow.LIBCMT ref: 003B9B03

Part of subcall function 003B9D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 003B9DBE

SendMessageW.USER32(?,0000110A,00000001,?), ref: 003B9B6C
__itow.LIBCMT ref: 003B9BC3

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: 5425c34b36e4636b67c41664fe13cdd88f10a2b150b98e9aabc455879d555e48
Instruction ID: 8a2407781863a176dc340eee350bc567ca61c560ebe7fee79a90469c347dabd9
Opcode Fuzzy Hash: 5425c34b36e4636b67c41664fe13cdd88f10a2b150b98e9aabc455879d555e48
Instruction Fuzzy Hash: 5A419670A00308ABDF16EF54D845BFE7BB9EF44718F40406AFA05AB291DB709E44CBA1

Function 003D69AA Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 003D69D1
WSAGetLastError.WSOCK32(00000000), ref: 003D69E1

Part of subcall function 00369837: __itow.LIBCMT ref: 00369862
Part of subcall function 00369837: __swprintf.LIBCMT ref: 003698AC

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 003D6A45
WSAGetLastError.WSOCK32(00000000), ref: 003D6A51

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: e59a33313aad496c02c3aeea1157b7c2de1a8d666b4660a8ca7ada9e77855f49
Instruction ID: d2fce5d8bf8180337b7281bc9c1da5545343c04853619bef49ec19fed75ac7de
Opcode Fuzzy Hash: e59a33313aad496c02c3aeea1157b7c2de1a8d666b4660a8ca7ada9e77855f49
Instruction Fuzzy Hash: 30419175640200AFEB62AF64DC87F2A77E89F19B54F04C519FA59AF3C2DAB09D008791

Function 003D641A Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,003EF910), ref: 003D64A7
_strlen.LIBCMT ref: 003D64D9

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 4f276de79914e1ee34c3d4f274fe0a98d5613d84eb7c55081cac6abfe5429693
Instruction ID: 07842bdea16d38c6951b41292ea44df737e763c0363147d1518ca3e5b6ad5450
Opcode Fuzzy Hash: 4f276de79914e1ee34c3d4f274fe0a98d5613d84eb7c55081cac6abfe5429693
Instruction Fuzzy Hash: A041A572500104AFCB16EBA4EC96FAEB7ADAF05310F108156F9259F396DB30AD44CB50

Function 003CB7F4 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 003CB89E
GetLastError.KERNEL32(?,00000000), ref: 003CB8C4
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 003CB8E9
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 003CB915

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 87ce63e72a26213b37a502a0f8c4fb65c51326079498e032720430676d44f13a
Instruction ID: 605ec88d26b1d58e6d398734a678d0d5cd68e5cf8cd74f5e1ed01faa63d6b293
Opcode Fuzzy Hash: 87ce63e72a26213b37a502a0f8c4fb65c51326079498e032720430676d44f13a
Instruction Fuzzy Hash: CE41E439600A50DFCB12EF55C485B59BBE9AF4A310F19C099ED4AAF366CB31ED01CB91

Function 003E8851 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 003E88DE

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 0cb032ac193d95e787913ea2043585810ccaf0e084699ca3965e5fee99c2bc80
Instruction ID: 4c762f31e3f71fa64dd272ad166239cd3a1fe16ff801daa35e73f02f70148e12
Opcode Fuzzy Hash: 0cb032ac193d95e787913ea2043585810ccaf0e084699ca3965e5fee99c2bc80
Instruction Fuzzy Hash: 21310530E001A8AFEF239B56DC45BB837A4EB05310F914711F919EA1E2CF7199409752

Function 003EAB37 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 003EAB60
GetWindowRect.USER32(?,?), ref: 003EABD6
PtInRect.USER32(?,?,003EC014), ref: 003EABE6
MessageBeep.USER32(00000000), ref: 003EAC57

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 3cdf84c19debc7080002520037a000ab62f553785599845fa21e1be3430981f5
Instruction ID: c1c2e4f7149f725506be329786eb6ff6e2b7218674bc5fdb9eba2694e143e278
Opcode Fuzzy Hash: 3cdf84c19debc7080002520037a000ab62f553785599845fa21e1be3430981f5
Instruction Fuzzy Hash: 244160306009A9DFCB22DF5AD884B697BF5FB49310F2582A9E415DF2A0D770B841CB92

Function 003C0AD6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 003C0B27
SetKeyboardState.USER32(00000080,?,00000001), ref: 003C0B43
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 003C0BA9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 003C0BFB

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: a3551ca53a04dc927c556bedddb6c7dab961431832586f3c67eeb25c5b853a8d
Instruction ID: 891f362f0a52270a289d1800fcfec849ce1630620c325cd2fb3e5cfe17366544
Opcode Fuzzy Hash: a3551ca53a04dc927c556bedddb6c7dab961431832586f3c67eeb25c5b853a8d
Instruction Fuzzy Hash: 93312630A40688EEFB3ACB258C05FFABBA9AB45328F04435EE595D61D1C3B5CD409761

Function 003C0C11 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 003C0C66
SetKeyboardState.USER32(00000080,?,00008000), ref: 003C0C82
PostMessageW.USER32(00000000,00000101,00000000), ref: 003C0CE1
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 003C0D33

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 581af58913d5856a0db9862c9b20c694e2db37709578169e227271b7059ad1f3
Instruction ID: 5ba73dddf51b2fef59ed215289d82cd8bf0dfc30aec5eb8b96a2cb97837f28c6
Opcode Fuzzy Hash: 581af58913d5856a0db9862c9b20c694e2db37709578169e227271b7059ad1f3
Instruction Fuzzy Hash: B3314630940798EEFF3A8B648C08FFEBB6AAB45314F04832EE491EA5D1C3799D458751

Function 003961C5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 003961FB
__isleadbyte_l.LIBCMT ref: 00396229
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00396257
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0039628D

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: ce2e31214ff0f8ae3403930c8e52ed13806e26a0a026e7b952c94d904c514b7f
Instruction ID: b0deb9e1048abb936c43deeb1fab6caeee7d7a9cd5e1f49dd7962c8796079bb3
Opcode Fuzzy Hash: ce2e31214ff0f8ae3403930c8e52ed13806e26a0a026e7b952c94d904c514b7f
Instruction Fuzzy Hash: 7831D230606246AFDF239F75CC46BAA7BB9FF41310F164529E8A48B191D730E950D790

Function 003E4EEE Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 003E4F02

Part of subcall function 003C3641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 003C365B
Part of subcall function 003C3641: GetCurrentThreadId.KERNEL32 ref: 003C3662
Part of subcall function 003C3641: AttachThreadInput.USER32(00000000,?,003C5005), ref: 003C3669

GetCaretPos.USER32(?), ref: 003E4F13
ClientToScreen.USER32(00000000,?), ref: 003E4F4E
GetForegroundWindow.USER32 ref: 003E4F54

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: c77e18608f8a0e3b2ab7f4c8daa791f3cdd032e6425cfb36833d064bc4376680
Instruction ID: 415c53682aede030c64b5a58ff253fb393b06c0d6865644bd50aeffbba88da44
Opcode Fuzzy Hash: c77e18608f8a0e3b2ab7f4c8daa791f3cdd032e6425cfb36833d064bc4376680
Instruction Fuzzy Hash: 79313EB1D00108AFCB11EFA5C885EEFB7FDEF99304F10816AE415EB241DA719E058BA1

Function 003C3C55 Relevance: 6.1, APIs: 4, Instructions: 85processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 003C3C7A
Process32FirstW.KERNEL32(00000000,?), ref: 003C3C88
Process32NextW.KERNEL32(00000000,?), ref: 003C3CA8
CloseHandle.KERNEL32(00000000), ref: 003C3D52

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: c5fcd3a72658cdfad1a823cf1043b5bce63a55b9ceeca3e4ac074c0af888d9c9
Instruction ID: bc0be360c47f38ff69d43939e56ec0b594218c26fb5e7971a6e426566c9c7340
Opcode Fuzzy Hash: c5fcd3a72658cdfad1a823cf1043b5bce63a55b9ceeca3e4ac074c0af888d9c9
Instruction Fuzzy Hash: B63191721083459FD312EF50C885FAFBBE8AF95354F50492DF482CA1A1EB719E49CB92

Function 003EC498 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00362612: GetWindowLongW.USER32(?,000000EB), ref: 00362623

GetCursorPos.USER32(?), ref: 003EC4D2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0039B9AB,?,?,?,?,?), ref: 003EC4E7
GetCursorPos.USER32(?), ref: 003EC534
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0039B9AB,?,?,?), ref: 003EC56E

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 2d2db81ebe1832f61f2de21a8af3b0174257f4e903aae730d2a57b6680988f0a
Instruction ID: 27b1a84bf19492f4f8d5f4a8bcdd01b1e26aa2cb1ee72ce5847d183cacb5d3b1
Opcode Fuzzy Hash: 2d2db81ebe1832f61f2de21a8af3b0174257f4e903aae730d2a57b6680988f0a
Instruction Fuzzy Hash: 0B31E5356100A8AFCF228F5AC898EFE7BB9EB0A310F404265F9058B2E1C7316D51DF94

Function 003B8656 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 003B810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 003B8121
Part of subcall function 003B810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 003B812B
Part of subcall function 003B810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 003B813A
Part of subcall function 003B810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 003B8141
Part of subcall function 003B810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 003B8157

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 003B86A3
_memcmp.LIBCMT ref: 003B86C6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 003B86FC
HeapFree.KERNEL32(00000000), ref: 003B8703

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 5633f21f8b878a6ea5f25fb9b80706cab89cfaef4740ca94ac3d3ad2da027e28
Instruction ID: 778f7bd52824da59d3c2d1b715e2d14220dabf62240565e4b0127dc7bc1a7322
Opcode Fuzzy Hash: 5633f21f8b878a6ea5f25fb9b80706cab89cfaef4740ca94ac3d3ad2da027e28
Instruction Fuzzy Hash: 14219D71E01208EFDB11DFA8C949BEEB7BCEF45308F158059E644AB280DB70AE05CB90

Function 0038098C Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 003809AE

Part of subcall function 00365A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,003C7896,?,?,00000000), ref: 00365A2C
Part of subcall function 00365A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,003C7896,?,?,00000000,?,?), ref: 00365A50

_fprintf.LIBCMT ref: 003809E5
OutputDebugStringW.KERNEL32(?), ref: 003B5DBB

Part of subcall function 00384AAA: _flsall.LIBCMT ref: 00384AC3

__setmode.LIBCMT ref: 00380A1A

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 95f176a1a321d98cdba8a291daee49e444044b9aef80549b1639346872360dbc
Instruction ID: 4c4aa11221df62732956886dc9de5610a1cd186710fd376aeb509d1a75d442d2
Opcode Fuzzy Hash: 95f176a1a321d98cdba8a291daee49e444044b9aef80549b1639346872360dbc
Instruction Fuzzy Hash: 87112731504345AFDB0BB3B49C469FE77AC9F45320F2041AAF2059F582EF31594647A1

Function 003D1767 Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 003D17A3

Part of subcall function 003D182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 003D184C
Part of subcall function 003D182D: InternetCloseHandle.WININET(00000000), ref: 003D18E9

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 34669b47abb6e6395a4834fbde25ec4d611bcaf8111465b398d40711c37a38b7
Instruction ID: d7f394dfbe5db68975d2ccfb29ed7c11badb8bacc8a785ce506e62069ceb38be
Opcode Fuzzy Hash: 34669b47abb6e6395a4834fbde25ec4d611bcaf8111465b398d40711c37a38b7
Instruction Fuzzy Hash: 40215076200605BFEB239F60EC41BBABBADFB88710F10412BF9559A790D7719911A7A0

Function 003C3A2A Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,003EFAC0), ref: 003C3A64
GetLastError.KERNEL32 ref: 003C3A73
CreateDirectoryW.KERNEL32(?,00000000), ref: 003C3A82
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,003EFAC0), ref: 003C3ADF

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 9fc40e69e62bd2551219e72b4c633200e01c63d7d3e43ff7a02fba8ff07a7380
Instruction ID: 60d69606e79a169f1abfac810804f0a83c0e09875a0af3e556ee4dd94dae4ce1
Opcode Fuzzy Hash: 9fc40e69e62bd2551219e72b4c633200e01c63d7d3e43ff7a02fba8ff07a7380
Instruction Fuzzy Hash: 4421A3795082019FC311EF28C881DAA77E8EE59364F108A2DF4D9CB2E1D771DE55CB82

Function 003BDCBE Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 003BF0BC: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,003BDCD3,?,?,?,003BEAC6,00000000,000000EF,00000119,?,?), ref: 003BF0CB
Part of subcall function 003BF0BC: lstrcpyW.KERNEL32(00000000,?,?,003BDCD3,?,?,?,003BEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 003BF0F1
Part of subcall function 003BF0BC: lstrcmpiW.KERNEL32(00000000,?,003BDCD3,?,?,?,003BEAC6,00000000,000000EF,00000119,?,?), ref: 003BF122

lstrlenW.KERNEL32(?,00000002,?,?,?,?,003BEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 003BDCEC
lstrcpyW.KERNEL32(00000000,?,?,003BEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 003BDD12
lstrcmpiW.KERNEL32(00000002,cdecl,?,003BEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 003BDD46

Strings

cdecl, xrefs: 003BDD3D

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: b4338e81be37394d02ddac738619dbb5dda2ce3435a007b2d2654c1d28bce0de
Instruction ID: 81fb0fb4bd7a86e2e68f1ab0a29e5187f93446291d6ef546cda275661c3279e1
Opcode Fuzzy Hash: b4338e81be37394d02ddac738619dbb5dda2ce3435a007b2d2654c1d28bce0de
Instruction Fuzzy Hash: FB11B13A200305EFCB26AF34CC459BA77A8FF45314B40816AFA46CB6A0FB719840C794

Function 003950E2 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00395101

Part of subcall function 0038571C: __FF_MSGBANNER.LIBCMT ref: 00385733
Part of subcall function 0038571C: __NMSG_WRITE.LIBCMT ref: 0038573A
Part of subcall function 0038571C: RtlAllocateHeap.NTDLL(010B0000,00000000,00000001,00000000,?,?,?,00380DD3,?), ref: 0038575F

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 72f518f065c23274d6e11fded1b5ba4329e4c9012f7f85a7e3f14db929260007
Instruction ID: 58b545ada0af4e5d04efcfa53454f37c530f43f5bbe2b7c1e68cb7d51261dcb5
Opcode Fuzzy Hash: 72f518f065c23274d6e11fded1b5ba4329e4c9012f7f85a7e3f14db929260007
Instruction Fuzzy Hash: 3311A072A00B15AFCF333F74AC4575E3B989B543A1F21496AF9449E290DF74C9C18790

Function 003D6369 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00365A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,003C7896,?,?,00000000), ref: 00365A2C
Part of subcall function 00365A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,003C7896,?,?,00000000,?,?), ref: 00365A50

gethostbyname.WSOCK32(?,?,?), ref: 003D6399
WSAGetLastError.WSOCK32(00000000), ref: 003D63A4
_memmove.LIBCMT ref: 003D63D1
inet_ntoa.WSOCK32(?), ref: 003D63DC

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: d7bae89d0e52483d7b585d7da9cb865be788cf0e5fd49cbb6b9f86b80d30822a
Instruction ID: 1f094e983a96c8ef84b1e4ae9e5032c27f16d4359a5b9ba6721e387bbeb1f0fe
Opcode Fuzzy Hash: d7bae89d0e52483d7b585d7da9cb865be788cf0e5fd49cbb6b9f86b80d30822a
Instruction Fuzzy Hash: 88116372500109AFCB16FBA4DD86DEE77BCAF08310B148176F505EB2A1DB30AE14CB61

Function 003B8B41 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 003B8B61
SendMessageW.USER32(?,000000C9,?,00000000), ref: 003B8B73
SendMessageW.USER32(?,000000C9,?,00000000), ref: 003B8B89
SendMessageW.USER32(?,000000C9,?,00000000), ref: 003B8BA4

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 69c3e380c528f19fdfd701c53ee466847ab6e0dfaa7967b3fd957d501c15e749
Instruction ID: c60d3d8697f958c287a2759482cb4991112a3e90c575011972b70797977314f3
Opcode Fuzzy Hash: 69c3e380c528f19fdfd701c53ee466847ab6e0dfaa7967b3fd957d501c15e749
Instruction Fuzzy Hash: 37110A79901218FFDB11DBA5C885EDDBB78EB48710F204195EA00B7290DA716E11DB94

Function 00361290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00362612: GetWindowLongW.USER32(?,000000EB), ref: 00362623

DefDlgProcW.USER32(?,00000020,?), ref: 003612D8
GetClientRect.USER32(?,?), ref: 0039B5FB
GetCursorPos.USER32(?), ref: 0039B605
ScreenToClient.USER32(?,?), ref: 0039B610

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 9bb906280c07b666f6ea768927964fbdcca49e53c2b5554c0130e95997b20a9b
Instruction ID: cd058ac25bc09e7554dac1677ee68160d9a411963ddd3b00943bda8b0d21a763
Opcode Fuzzy Hash: 9bb906280c07b666f6ea768927964fbdcca49e53c2b5554c0130e95997b20a9b
Instruction Fuzzy Hash: 36114F35600459EFCF12EF98D8959FE77B8FB06300F408955F941EB180C770BA518BA5

Function 003BD831 Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 003BD84D
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 003BD864
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 003BD879
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 003BD897

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 2b15aa868698b9806fe4fd11dafd723f167f0826b9dadf68708ff6d6f0ce7562
Instruction ID: 09477abdc93150647722cba2f2bb71758a97f2d3676be8414340c53e9f0f53f4
Opcode Fuzzy Hash: 2b15aa868698b9806fe4fd11dafd723f167f0826b9dadf68708ff6d6f0ce7562
Instruction Fuzzy Hash: 70115E75605704DFE3218F51DC48F92BBBCEB00B05F108569A616D6890E7B1E5499FA1

Function 00396FB7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00396FDB

Part of subcall function 003976C2: __fltout2.LIBCMT ref: 003976EB

__cftog_l.LIBCMT ref: 00397001
__cftoe_l.LIBCMT ref: 00397033

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: c652ac84ad067a4a66f08cb5b8fbda01b031fcf7b2a87d3ac497c63b4f4275e5
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 42014C7245914ABBCF175F84CC42CEE3F66BB18350F598415FE18581B1D236C9B1AB81

Function 003EB2C5 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 003EB2E4
ScreenToClient.USER32(?,?), ref: 003EB2FC
ScreenToClient.USER32(?,?), ref: 003EB320
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 003EB33B

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: edc81e27cd0057cff6901f7a44cffd0cbcd2d9748e4eae9688e981afcebf3e4d
Instruction ID: 76e46f260a7c56d6ab5b8888768e2feeabcfe4faba8b6803008ec09125475590
Opcode Fuzzy Hash: edc81e27cd0057cff6901f7a44cffd0cbcd2d9748e4eae9688e981afcebf3e4d
Instruction Fuzzy Hash: A11143B9D00249EFDB51CFA9D8849EEFBB9FB08310F108166E914E3260D775AA558F50

Function 003C6BDA Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 003C6BE6

Part of subcall function 003C76C4: _memset.LIBCMT ref: 003C76F9

_memmove.LIBCMT ref: 003C6C09
_memset.LIBCMT ref: 003C6C16
LeaveCriticalSection.KERNEL32(?), ref: 003C6C26

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: c18d7b1a294ef5e207a0abb8fde0580d7ac0ff7e75ec1469441112cfaaf64dd1
Instruction ID: 5eb219b98a38f61203f4fcaa3fa06c0c142fc896cc23b4bae77101fb931482fb
Opcode Fuzzy Hash: c18d7b1a294ef5e207a0abb8fde0580d7ac0ff7e75ec1469441112cfaaf64dd1
Instruction Fuzzy Hash: C3F05E3A200204ABCF026F55DC85E8ABF29EF45320F04C0A5FE089E267D771E911CBB4

Function 00362218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00362231
SetTextColor.GDI32(?,000000FF), ref: 0036223B
SetBkMode.GDI32(?,00000001), ref: 00362250
GetStockObject.GDI32(00000005), ref: 00362258
GetWindowDC.USER32(?,00000000), ref: 0039BE83
GetPixel.GDI32(00000000,00000000,00000000), ref: 0039BE90
GetPixel.GDI32(00000000,?,00000000), ref: 0039BEA9
GetPixel.GDI32(00000000,00000000,?), ref: 0039BEC2
GetPixel.GDI32(00000000,?,?), ref: 0039BEE2
ReleaseDC.USER32(?,00000000), ref: 0039BEED

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 17b4ae16c5f67fc08baabcbe3dc77ac84299d80f2e30f8c5f232ea9036d9939b
Instruction ID: a3e97541c687a5ac1743140fc49feb3c6f4710e6a2fb765b24eb380c4af83279
Opcode Fuzzy Hash: 17b4ae16c5f67fc08baabcbe3dc77ac84299d80f2e30f8c5f232ea9036d9939b
Instruction Fuzzy Hash: 11E03031504184AEEF225F64FC4D7D87B19EB15332F018366FA69480E187B14580DB11

Function 003B8712 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 003B871B
OpenThreadToken.ADVAPI32(00000000,?,?,?,003B82E6), ref: 003B8722
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,003B82E6), ref: 003B872F
OpenProcessToken.ADVAPI32(00000000,?,?,?,003B82E6), ref: 003B8736

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: bbd4bd74cf3b9b840c485c0be1d4eaf17f206b6b4bcbd8220d6409bae523b80f
Instruction ID: 5bc798ad9a2b688d7f1a1b3e5f02055bd6ba51b1dade7969f20c33904ee34579
Opcode Fuzzy Hash: bbd4bd74cf3b9b840c485c0be1d4eaf17f206b6b4bcbd8220d6409bae523b80f
Instruction Fuzzy Hash: DCE086366122529FD7315FB0AD4DB963BACEF90795F158828B385CD0C0DA749841C750

Function 00366240 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 317COMMON

Download Yara Rule

Strings

%?, xrefs: 0036624E

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID:
String ID: %?
API String ID: 0-3131337030
Opcode ID: b5aba188987f4fe0ba0dce88cc32837ec2e43114aa513d7b0be7fcd8ac140d91
Instruction ID: 2994db34890fd90290f9627f9541a729eed95920c4cdc959f6d197a80e213c01
Opcode Fuzzy Hash: b5aba188987f4fe0ba0dce88cc32837ec2e43114aa513d7b0be7fcd8ac140d91
Instruction Fuzzy Hash: 89B1D4758001099BCF17EF94C8969FEBBB8FF44394F50C126E502AB299DB309E85CB95

Function 003DAEA2 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 313COMMON

Download Yara Rule

APIs

__itow_s.LIBCMT ref: 003DAFAE

Strings

xbB, xrefs: 003DB010
xbB, xrefs: 003DAFE4

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: __itow_s
String ID: xbB$xbB
API String ID: 3653519197-2672806994
Opcode ID: 68078a8303f6706dcede5d41ab812c996ef0763df50a2573e45af330e8b86868
Instruction ID: b2f04057feac0911b7a626e9fc6a8de2837c46baaf81b539e4fbf16c7b32a171
Opcode Fuzzy Hash: 68078a8303f6706dcede5d41ab812c996ef0763df50a2573e45af330e8b86868
Instruction Fuzzy Hash: 69B17E72A00109EFCB16EF54D891EBABBB9FF59300F15805AF9459B392EB70D941CB60

Function 003CAFAC Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 0037FC86: _wcscpy.LIBCMT ref: 0037FCA9

Part of subcall function 00369837: __itow.LIBCMT ref: 00369862
Part of subcall function 00369837: __swprintf.LIBCMT ref: 003698AC

__wcsnicmp.LIBCMT ref: 003CB02D
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 003CB0F6

Strings

LPT, xrefs: 003CB027

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: ce4178681eb67d346a32725ad56db766e398a21def2ed6f8ab38170d0f49b3a1
Instruction ID: a00c297c6c6ae947560fa3bfd7f22bddc72ee220f267f322fb0ab24ac40410b8
Opcode Fuzzy Hash: ce4178681eb67d346a32725ad56db766e398a21def2ed6f8ab38170d0f49b3a1
Instruction Fuzzy Hash: 69615D75A00215EFCB16DF94C892FAEB7B8EB08310F15806EF956EB291D770AE44CB50

Function 00372957 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00372968
GlobalMemoryStatusEx.KERNEL32(?), ref: 00372981

Strings

@, xrefs: 00372975

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 12325cd6b2c60818e23b6e23a493d7602eba0a331acff127af347602f43001f7
Instruction ID: 1d6bd6415ed87fbd3e4f474e0c90000a95211274b922992a7c70f5d03d3fc920
Opcode Fuzzy Hash: 12325cd6b2c60818e23b6e23a493d7602eba0a331acff127af347602f43001f7
Instruction Fuzzy Hash: B05155B24087449BD321EF20D886BABBBECFF89344F41895DF2D8450A5DF318528CB66

Function 003C9734 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00364F0B: __fread_nolock.LIBCMT ref: 00364F29

_wcscmp.LIBCMT ref: 003C9824
_wcscmp.LIBCMT ref: 003C9837

Strings

FILE, xrefs: 003C9770

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: da0437dc110fa31c40c77900b36fadef917e61abddf43c1122119af3add7d83b
Instruction ID: 59a6b92258ae428b4c784bb7334ded044bfd754d193912f40322a78becad1da2
Opcode Fuzzy Hash: da0437dc110fa31c40c77900b36fadef917e61abddf43c1122119af3add7d83b
Instruction Fuzzy Hash: 3841DB71A00309BADF229BA5CC49FEFB7BDDF85710F01446AF904EB185D6719E048B65

Function 003A0574 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 003A057F

Strings

DdB, xrefs: 0036A151
DdB, xrefs: 0036A317

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: ClearVariant
String ID: DdB$DdB
API String ID: 1473721057-1576950555
Opcode ID: c8c598f0a38f1d1b03bab06910fedb050de12bd653f2aaf911dce94ff046895b
Instruction ID: a6ed08982816c587d95862d6a9aae34e970d59d9420a0b56d7361569a88c7fd8
Opcode Fuzzy Hash: c8c598f0a38f1d1b03bab06910fedb050de12bd653f2aaf911dce94ff046895b
Instruction Fuzzy Hash: 855121786087418FD766DF18C480A1ABBF1FB99344F96885DE8859B324D332EC81CF96

Function 003D258E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003D259E
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 003D25D4

Strings

|, xrefs: 003D25A5

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 880b4894460f23e918a7f78e74c4da53eabd2d7c29e45b3626cf60460bb4f9c8
Instruction ID: b1748c5b32ac76d98da0baee56c20ff033ef56caa4f8a864591abf7a9b9cb9a5
Opcode Fuzzy Hash: 880b4894460f23e918a7f78e74c4da53eabd2d7c29e45b3626cf60460bb4f9c8
Instruction Fuzzy Hash: D6311A71800219ABCF02EFA1DC85EEEBFB8FF18314F10405AF955AA265DB319955DB60

Function 003E7A71 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 003E7B61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 003E7B76

Strings

', xrefs: 003E7ACA

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 20ac758d4af508b5d1b0a44db469d641b07b6c14575019f6b11c7bd43c9e8110
Instruction ID: 3f1531183d23ce4646805f9d8b0c41561ff64eb5b8e59e12b986c930f54972d3
Opcode Fuzzy Hash: 20ac758d4af508b5d1b0a44db469d641b07b6c14575019f6b11c7bd43c9e8110
Instruction Fuzzy Hash: 83411B74A0525A9FDB15CF65D881BEABBB9FF08300F11427AE904EB391E770A951CF90

Function 003E6A63 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 003E6B17
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 003E6B53

Strings

static, xrefs: 003E6AB3

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 2276e58a0fe68402f24fb263b7a719bb82bd6817ad21515ff430fc7642068fd5
Instruction ID: 01479ae36c9f9fcf19e3f9e3e4a25e80024d40c7046e78f7039f076d22b173a4
Opcode Fuzzy Hash: 2276e58a0fe68402f24fb263b7a719bb82bd6817ad21515ff430fc7642068fd5
Instruction Fuzzy Hash: B731CF71200254AEDB129F26CC81BFB73ADFF987A0F108629F9A5D7190DB70AC81C760

Function 003C28A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003C2911
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 003C294C

Strings

0, xrefs: 003C290A

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: ec6aafd5cc7af0c6a56bf450e986d315118cfd4caa3c460aef1ca7c6094cc79c
Instruction ID: 46539e966b7e1c037ac61daeb3da4c902b627d2da75ef221561618e818a33c9e
Opcode Fuzzy Hash: ec6aafd5cc7af0c6a56bf450e986d315118cfd4caa3c460aef1ca7c6094cc79c
Instruction Fuzzy Hash: CA31BD31A00305EBEB2ADF58C885FAFBBB8EF45350F16002DE985EA1A0D7B09D54CB51

Function 003E66D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 003E6761
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 003E676C

Strings

Combobox, xrefs: 003E672E

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 2747675a9372dc5c601b315e03592bd36d371db18f0cbf63c7aca280370ce654
Instruction ID: 3d494aa78a2674d19ffdd01a0637290a09798585e67521f29ab1a338f6427b7a
Opcode Fuzzy Hash: 2747675a9372dc5c601b315e03592bd36d371db18f0cbf63c7aca280370ce654
Instruction Fuzzy Hash: C711B6713002586FEF228F55CC81EFB376AEB543A8F114225F9149B2D0D671DC5187A0

Function 003E6C07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00361D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00361D73
Part of subcall function 00361D35: GetStockObject.GDI32(00000011), ref: 00361D87
Part of subcall function 00361D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00361D91

GetWindowRect.USER32(00000000,?), ref: 003E6C71
GetSysColor.USER32(00000012), ref: 003E6C8B

Strings

static, xrefs: 003E6C4E

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 6058ae61c73646a4bc6b68faaabd327ea96f6bd5f9394c6eed1387bd70800e84
Instruction ID: 2d249cebef2edb121c710c6bec0d1649db31afefdb3d89928a6e4654918e78b9
Opcode Fuzzy Hash: 6058ae61c73646a4bc6b68faaabd327ea96f6bd5f9394c6eed1387bd70800e84
Instruction Fuzzy Hash: 7E218972610259AFDF05DFA9CC46AFA7BB8FB08304F104628F995D2280E730E850DB60

Function 003E6920 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 003E69A2
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 003E69B1

Strings

edit, xrefs: 003E6986

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 5e2359e1e3feebeb0cc03d77cd57388059756d9e186da786225b3b53651ac82b
Instruction ID: 884fa5feeca3d85b95f0d4340e9ca3925afa5571bff329821de2bc8604323d77
Opcode Fuzzy Hash: 5e2359e1e3feebeb0cc03d77cd57388059756d9e186da786225b3b53651ac82b
Instruction Fuzzy Hash: C4119D711001A8AFEB128E659C82AEB3669EB663B4F514724F9A0961E1C771DC509760

Function 003C29AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003C2A22
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 003C2A41

Strings

0, xrefs: 003C2A18

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: fe494ac76d96a9122054999614a50f869d0aaecd0292aa2cda02cc6f046d931a
Instruction ID: ea24e4fb2844b129b8fd696d0a2a66eb74d6ee09d0b44da3a2046affcaa0de06
Opcode Fuzzy Hash: fe494ac76d96a9122054999614a50f869d0aaecd0292aa2cda02cc6f046d931a
Instruction Fuzzy Hash: 9411083AA01518AFCF32EB98DC44FAB77BCAB45300F064039E855E7290DB70AD0AC795

Function 003D21D6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 003D222C
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 003D2255

Strings

<local>, xrefs: 003D221D

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: ea5e95168a905da0ecde5c27664e7631a742d01d901c1cc0be4f9f5a79c44126
Instruction ID: 4e8edb08eac8f48308ed58d8fc80a5c3e822c14eeeac6c55d6957a850b0d9896
Opcode Fuzzy Hash: ea5e95168a905da0ecde5c27664e7631a742d01d901c1cc0be4f9f5a79c44126
Instruction Fuzzy Hash: D2110272501265BEDB268F11AC84EFBFBACFF26351F10862BF90446640D2705990D6F0

Function 0037092D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00363C14,004252F8,?,?,?), ref: 0037096E

Part of subcall function 00367BCC: _memmove.LIBCMT ref: 00367C06

_wcscat.LIBCMT ref: 003A4CB7

Strings

SB, xrefs: 003709AE

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: FullNamePath_memmove_wcscat
String ID: SB
API String ID: 257928180-3983915703
Opcode ID: 005c0801b90214b17c6f4fcf6b31d508b9887dfc7c8d11d95a45e29dc3445357
Instruction ID: 7315992da958bb8e8b16e9d4d4ab1a3c23a9ff7fea0552b4385f18796465ee5e
Opcode Fuzzy Hash: 005c0801b90214b17c6f4fcf6b31d508b9887dfc7c8d11d95a45e29dc3445357
Instruction Fuzzy Hash: 4B11E531A052189ACB12FB74C802EDE73F8EF09350B40C5A6BA48DB195EBB496844B14

Function 003B8E05 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00367DE1: _memmove.LIBCMT ref: 00367E22

Part of subcall function 003BAA99: GetClassNameW.USER32(?,?,000000FF), ref: 003BAABC

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 003B8E73

Strings

ComboBox, xrefs: 003B8E12
ListBox, xrefs: 003B8E3D

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 13eb8e29695fafbea7c5658c848325e15219b115143d83bf2c2b05e416cabf05
Instruction ID: 2d31360ddf744b3652359c522eb3927acec43800e94aa0da7ec39f1eae7cd56a
Opcode Fuzzy Hash: 13eb8e29695fafbea7c5658c848325e15219b115143d83bf2c2b05e416cabf05
Instruction Fuzzy Hash: 24012471605228ABCB16FBA4CC819FE736CEF01320B104A19F9715B6E1DF319808C660

Function 003B8CFD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00367DE1: _memmove.LIBCMT ref: 00367E22

Part of subcall function 003BAA99: GetClassNameW.USER32(?,?,000000FF), ref: 003BAABC

SendMessageW.USER32(?,00000180,00000000,?), ref: 003B8D6B

Strings

ComboBox, xrefs: 003B8D0A
ListBox, xrefs: 003B8D35

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 6d94b374fa2f0abdf54fdee40bc6de289b0996ee530022838485d6ead604c5dc
Instruction ID: 653a26673d7c33c44e57d93521ded935adaa0aa98d9e35969caf601c69d6833d
Opcode Fuzzy Hash: 6d94b374fa2f0abdf54fdee40bc6de289b0996ee530022838485d6ead604c5dc
Instruction Fuzzy Hash: 5501F271B41508ABCB17EBA0C992EFE73ACDF15300F10002EB9026B6E1DE249E08D671

Function 003B8D82 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00367DE1: _memmove.LIBCMT ref: 00367E22

Part of subcall function 003BAA99: GetClassNameW.USER32(?,?,000000FF), ref: 003BAABC

SendMessageW.USER32(?,00000182,?,00000000), ref: 003B8DEE

Strings

ComboBox, xrefs: 003B8D8F
ListBox, xrefs: 003B8DBA

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: cdf6132a38119be29a2e965d6b74dff76efc82b02635fedade89a1ec2312b9da
Instruction ID: 5134c1d01654e9e8e230317003c9b26551574df0972275876a3701a343945761
Opcode Fuzzy Hash: cdf6132a38119be29a2e965d6b74dff76efc82b02635fedade89a1ec2312b9da
Instruction Fuzzy Hash: E3012671B45108BBCF13EBA4C992EFE73ACCF21304F10402AB901AB6D2DE258E08D671

Function 003BC4EB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 003BC534

Part of subcall function 003BC816: _memmove.LIBCMT ref: 003BC860
Part of subcall function 003BC816: VariantInit.OLEAUT32(00000000), ref: 003BC882
Part of subcall function 003BC816: VariantCopy.OLEAUT32(00000000,?), ref: 003BC88C

VariantClear.OLEAUT32(?), ref: 003BC556

Strings

d}A, xrefs: 003BC517

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Variant$Init$ClearCopy_memmove
String ID: d}A
API String ID: 2932060187-735431763
Opcode ID: 353175da059a3566167b33c11df88f4dff068dc0551ce9d0e6922e69ef1a3fc8
Instruction ID: 189d5d19045e8fbaf5d52fc7a489cccaaccc922b93c03619368bf55e9d55031b
Opcode Fuzzy Hash: 353175da059a3566167b33c11df88f4dff068dc0551ce9d0e6922e69ef1a3fc8
Instruction Fuzzy Hash: 7111FAB19007089FC721DFAAD8C49DAB7F8FB08314B50862FE58AD7651E771AA44CF90

Function 003C4F28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 003C4F46
_wcscmp.LIBCMT ref: 003C4F58

Strings

#32770, xrefs: 003C4F52

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 60ce87ff259e2b3178113e6f6eb6e51d10f75e181b5d46c18476902616482991
Instruction ID: 96837803a5a51cfffb10cb8debc2d8c2558013f16f3f7af9938bd93dd1e236fa
Opcode Fuzzy Hash: 60ce87ff259e2b3178113e6f6eb6e51d10f75e181b5d46c18476902616482991
Instruction Fuzzy Hash: 62E092326002282AD720AA99AC49FE7FBACEB45B60F01016BFD04D7151D9709B458BE4

Function 0039B2C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0039B314: _memset.LIBCMT ref: 0039B321

Part of subcall function 00380940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0039B2F0,?,?,?,0036100A), ref: 00380945

IsDebuggerPresent.KERNEL32(?,?,?,0036100A), ref: 0039B2F4
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0036100A), ref: 0039B303

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0039B2FE

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 8d85533ed8d975ae662a2afd674d57d8e7904306660bb327c6e864706f990115
Instruction ID: d35f21fa7d16cdec57c69859374dd6cafb3434ad6ed6fda06f299a5aa10b4d72
Opcode Fuzzy Hash: 8d85533ed8d975ae662a2afd674d57d8e7904306660bb327c6e864706f990115
Instruction Fuzzy Hash: 8AE06D782007408FDB32DF28E648342BAE8AF00704F008A7DE496CB2D0E7F4E408CBA1

Function 003B7C74 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 003B7C82

Part of subcall function 00383358: _doexit.LIBCMT ref: 00383362

Strings

Error allocating memory., xrefs: 003B7C7B
AutoIt, xrefs: 003B7C76

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 72da8c84365b98e4eb0d9033b94e48bf132c870666f7d347e039690c970a75d9
Instruction ID: 2a21e76e0269d331145360434996a667a21cb6c3dccd123ad811602d70a64856
Opcode Fuzzy Hash: 72da8c84365b98e4eb0d9033b94e48bf132c870666f7d347e039690c970a75d9
Instruction Fuzzy Hash: 52D05E323C836837D21732B9AC07FDA7A888F05F56F144466FB18AE5D389D6998142ED

Function 003A1935 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 003A1775

Part of subcall function 003DBFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,003A195E,?), ref: 003DBFFE
Part of subcall function 003DBFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 003DC010

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 003A196D

Strings

WIN_XPe, xrefs: 003A1788

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: 51288a6b098ac58857904c098e7daf878c8ce6310a3f3bde82dd3f85f7db5b3d
Instruction ID: 4d4d90395e2818c632199c0688090993c9bf0f229018270359951952774a008e
Opcode Fuzzy Hash: 51288a6b098ac58857904c098e7daf878c8ce6310a3f3bde82dd3f85f7db5b3d
Instruction Fuzzy Hash: 3DF0C971800109DFDB27DB91CA84AECBBFCEB09301F552095E142A6590D7724F85DF64

Function 003E5964 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 003E596E
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 003E5981

Part of subcall function 003C5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 003C52BC

Strings

Shell_TrayWnd, xrefs: 003E5967

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: b6e4dedabe1020cd57273653b776672bf31bde4c5a96328eed82b36d0965e62a
Instruction ID: ce929a98e844ed08f54984c0c7fe34e9c490117d6fde123694fd66adeb71f74b
Opcode Fuzzy Hash: b6e4dedabe1020cd57273653b776672bf31bde4c5a96328eed82b36d0965e62a
Instruction Fuzzy Hash: 7ED0C931384351BBE675AB709C8BFD66A59AB50B55F100929B249AE1D0CAE4A840C658

Function 003E5998 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 003E59AE
PostMessageW.USER32(00000000), ref: 003E59B5

Part of subcall function 003C5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 003C52BC

Strings

Shell_TrayWnd, xrefs: 003E59A7

Memory Dump Source

Source File: 00000000.00000002.1832730147.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1832662663.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832823249.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832905342.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1832930016.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_PK5pHX4Gu5.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 366c5114612f7ec8b428676750c5aa941f7f43ae8865bbf0661fa42eff87e07c
Instruction ID: 84e231b2c468f738997c523c5ae52bbac75b81aaf2d1763aea9cd3865517e98f
Opcode Fuzzy Hash: 366c5114612f7ec8b428676750c5aa941f7f43ae8865bbf0661fa42eff87e07c
Instruction Fuzzy Hash: B5D0A9313803007BE675AB309C8BFC26A18AB40B00F000829B205EE1D0CAE0A800C658

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PK5pHX4Gu5.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: MassLogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\aut38BA.tmp

C:\Users\user\AppData\Local\Temp\aut457B.tmp

C:\Users\user\AppData\Local\Temp\aut815C.tmp

C:\Users\user\AppData\Local\Temp\saccule

C:\Users\user\AppData\Local\biopsies\palladiums.exe

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\palladiums.vbs

Static File Info

General

File Icon

Static PE Info

General

Windows Analysis Report
PK5pHX4Gu5.exe

Function 00363B3A Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Function 003649A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00364E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 003C9155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 0036301C Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Function 00363041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 0036708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00363633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Function 00363A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00363766 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre