Edit tour

Windows Analysis Report
LMxd0gpIxe.exe

Overview

General Information

Sample name:	LMxd0gpIxe.exe renamed because original name is a hash value
Original sample name:	15c74162d5e448d5691900c39f7c8c9939204bcff280eb316fdd6802a3a28f3a.exe
Analysis ID:	1588366
MD5:	92fff178a6c268dd0af4bc3b420fb0f3
SHA1:	5c4b1183dfbab7cf9f03eaa1db63603a63596d51
SHA256:	15c74162d5e448d5691900c39f7c8c9939204bcff280eb316fdd6802a3a28f3a
Tags:	AgentTeslaexeuser-adrian__luca
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected AntiVM3

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected Generic Downloader

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

LMxd0gpIxe.exe (PID: 6600 cmdline: "C:\Users\user\Desktop\LMxd0gpIxe.exe" MD5: 92FFF178A6C268DD0AF4BC3B420FB0F3)

RegSvcs.exe (PID: 2872 cmdline: "C:\Users\user\Desktop\LMxd0gpIxe.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://ftp.stingatoareincendii.ro", "Username": "mojooooofileeeee@stingatoareincendii.ro", "Password": "3.*RYhlG)lkA"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.2925388179.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.2925388179.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1700553412.00000000035E0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1700553412.00000000035E0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000000.00000002.1700553412.00000000035E0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1700553412.00000000035E0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34441:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x344b3:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3453d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x345cf:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34639:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x346ab:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34741:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x347d1:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000000.00000002.1700553412.00000000035E0000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x315d3:$s2: GetPrivateProfileString 0x30ca1:$s3: get_OSFullName 0x322d3:$s5: remove_Key 0x324aa:$s5: remove_Key 0x333db:$s6: FtpWebRequest 0x34423:$s7: logins 0x34995:$s7: logins 0x376a6:$s7: logins 0x37758:$s7: logins 0x390ad:$s7: logins 0x382f2:$s9: 1.85 (Hash, version 2, native byte-order)
00000001.00000002.2926410839.0000000002815000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: LMxd0gpIxe.exe PID: 6600	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: LMxd0gpIxe.exe PID: 6600	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: LMxd0gpIxe.exe PID: 6600	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 2872	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 2872	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.LMxd0gpIxe.exe.35e0000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.LMxd0gpIxe.exe.35e0000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.LMxd0gpIxe.exe.35e0000.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x32641:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x326b3:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3273d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x327cf:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x32839:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x328ab:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x32941:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x329d1:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.LMxd0gpIxe.exe.35e0000.1.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2f7d3:$s2: GetPrivateProfileString 0x2eea1:$s3: get_OSFullName 0x304d3:$s5: remove_Key 0x306aa:$s5: remove_Key 0x315db:$s6: FtpWebRequest 0x32623:$s7: logins 0x32b95:$s7: logins 0x358a6:$s7: logins 0x35958:$s7: logins 0x372ad:$s7: logins 0x364f2:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.LMxd0gpIxe.exe.35e0000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.LMxd0gpIxe.exe.35e0000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.LMxd0gpIxe.exe.35e0000.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.LMxd0gpIxe.exe.35e0000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34441:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x344b3:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3453d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x345cf:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34639:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x346ab:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34741:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x347d1:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.LMxd0gpIxe.exe.35e0000.1.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x315d3:$s2: GetPrivateProfileString 0x30ca1:$s3: get_OSFullName 0x322d3:$s5: remove_Key 0x324aa:$s5: remove_Key 0x333db:$s6: FtpWebRequest 0x34423:$s7: logins 0x34995:$s7: logins 0x376a6:$s7: logins 0x37758:$s7: logins 0x390ad:$s7: logins 0x382f2:$s9: 1.85 (Hash, version 2, native byte-order)
1.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
1.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.RegSvcs.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34441:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x344b3:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3453d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x345cf:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34639:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x346ab:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34741:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x347d1:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
1.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x315d3:$s2: GetPrivateProfileString 0x30ca1:$s3: get_OSFullName 0x322d3:$s5: remove_Key 0x324aa:$s5: remove_Key 0x333db:$s6: FtpWebRequest 0x34423:$s7: logins 0x34995:$s7: logins 0x376a6:$s7: logins 0x37758:$s7: logins 0x390ad:$s7: logins 0x382f2:$s9: 1.85 (Hash, version 2, native byte-order)
Click to see the 9 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 1.2.RegSvcs.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.stingatoareincendii.ro", "Username": "mojooooofileeeee@stingatoareincendii.ro", "Password": "3.*RYhlG)lkA"}

Multi AV Scanner detection for submitted file

Source: LMxd0gpIxe.exe	ReversingLabs: Detection: 63%
Source: LMxd0gpIxe.exe	Virustotal: Detection: 73%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: LMxd0gpIxe.exe

Joe Sandbox ML: detected

Source: LMxd0gpIxe.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: LMxd0gpIxe.exe, 00000000.00000003.1695278496.0000000003670000.00000004.00001000.00020000.00000000.sdmp, LMxd0gpIxe.exe, 00000000.00000003.1695971931.0000000003810000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: LMxd0gpIxe.exe, 00000000.00000003.1695278496.0000000003670000.00000004.00001000.00020000.00000000.sdmp, LMxd0gpIxe.exe, 00000000.00000003.1695971931.0000000003810000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_0058445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0058445A
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_0058C6D1 FindFirstFileW,FindClose,	0_2_0058C6D1
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_0058C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0058C75C
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_0058EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0058EF95
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_0058F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0058F0F2
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_0058F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0058F3F3
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_005837EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_005837EF
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_00583B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00583B12
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_0058BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0058BCBC

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.LMxd0gpIxe.exe.35e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1700553412.00000000035E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: global traffic	TCP traffic: 192.168.2.4:60366 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.4:53734 -> 1.1.1.1:53

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 208.95.112.1 208.95.112.1

Source: unknown

DNS query: name: ip-api.com

Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\LMxd0gpIxe.exe

Code function: 0_2_005922EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_005922EE

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: ip-api.com

Source: RegSvcs.exe, 00000001.00000002.2926410839.00000000027E1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2926410839.00000000028A8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2926410839.00000000028C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: LMxd0gpIxe.exe, 00000000.00000002.1700553412.00000000035E0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2926410839.00000000027E1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2926410839.00000000028A8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2925388179.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: RegSvcs.exe, 00000001.00000002.2926410839.00000000027E1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2926410839.00000000028A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: LMxd0gpIxe.exe, 00000000.00000002.1700553412.00000000035E0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2925388179.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/

Source: C:\Users\user\Desktop\LMxd0gpIxe.exe

Code function: 0_2_00594164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00594164

Source: C:\Users\user\Desktop\LMxd0gpIxe.exe

Code function: 0_2_00594164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00594164

Source: C:\Users\user\Desktop\LMxd0gpIxe.exe

Code function: 0_2_00593F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00593F66

Source: C:\Users\user\Desktop\LMxd0gpIxe.exe

Code function: 0_2_0058001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_0058001C

Source: C:\Users\user\Desktop\LMxd0gpIxe.exe

Code function: 0_2_005ACABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_005ACABC

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.LMxd0gpIxe.exe.35e0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.LMxd0gpIxe.exe.35e0000.1.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.LMxd0gpIxe.exe.35e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.LMxd0gpIxe.exe.35e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 00000000.00000002.1700553412.00000000035E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000000.00000002.1700553412.00000000035E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00523B3A
Source: LMxd0gpIxe.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: LMxd0gpIxe.exe, 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_234d79e4-a
Source: LMxd0gpIxe.exe, 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_3c309b8c-e

Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_00523633 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,	0_2_00523633
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_005AC1AC PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,	0_2_005AC1AC
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_005AC498 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,	0_2_005AC498
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_005AC57D SendMessageW,NtdllDialogWndProc_W,	0_2_005AC57D
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_005AC5FE DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,	0_2_005AC5FE
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_005AC860 NtdllDialogWndProc_W,	0_2_005AC860
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_005AC88F NtdllDialogWndProc_W,	0_2_005AC88F
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_005AC8BE NtdllDialogWndProc_W,	0_2_005AC8BE
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_005AC909 NtdllDialogWndProc_W,	0_2_005AC909
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_005AC93E ClientToScreen,NtdllDialogWndProc_W,	0_2_005AC93E
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_005ACA7C GetWindowLongW,NtdllDialogWndProc_W,	0_2_005ACA7C
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_005ACABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	0_2_005ACABC
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_00521290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient,	0_2_00521290
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_00521287 NtdllDialogWndProc_W,GetSysColor,SetBkColor,745EC8D0,NtdllDialogWndProc_W,	0_2_00521287
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_005AD3B8 NtdllDialogWndProc_W,	0_2_005AD3B8
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_005AD43E GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W,	0_2_005AD43E
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_0052167D NtdllDialogWndProc_W,	0_2_0052167D
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_005216DE GetParent,NtdllDialogWndProc_W,	0_2_005216DE
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_005216B5 NtdllDialogWndProc_W,	0_2_005216B5
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_005AD78C NtdllDialogWndProc_W,	0_2_005AD78C
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_0052189B NtdllDialogWndProc_W,	0_2_0052189B
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_005ABC5D NtdllDialogWndProc_W,CallWindowProcW,	0_2_005ABC5D
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_005ABF30 NtdllDialogWndProc_W,	0_2_005ABF30
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_005ABF8C ReleaseCapture,ChrCmpIA,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,	0_2_005ABF8C

Source: C:\Users\user\Desktop\LMxd0gpIxe.exe

Code function: 0_2_0058A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_0058A1EF

Source: C:\Users\user\Desktop\LMxd0gpIxe.exe

Code function: 0_2_00578310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,74755590,CreateProcessAsUserW,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,

0_2_00578310

Source: C:\Users\user\Desktop\LMxd0gpIxe.exe

Code function: 0_2_005851BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_005851BD

Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_0052E6A0	0_2_0052E6A0
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_0054D975	0_2_0054D975
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_0052FCE0	0_2_0052FCE0
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_005421C5	0_2_005421C5
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_005562D2	0_2_005562D2
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_005A03DA	0_2_005A03DA
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_0055242E	0_2_0055242E
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_005425FA	0_2_005425FA
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_0057E616	0_2_0057E616
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_005366E1	0_2_005366E1
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_0055878F	0_2_0055878F
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_005A0857	0_2_005A0857
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_00556844	0_2_00556844
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_00538808	0_2_00538808
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_00588889	0_2_00588889
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_0054CB21	0_2_0054CB21
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_00556DB6	0_2_00556DB6
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_00536F9E	0_2_00536F9E
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_00533030	0_2_00533030
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_0054F1D9	0_2_0054F1D9
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_00543187	0_2_00543187
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_00521287	0_2_00521287
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_00541484	0_2_00541484
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_00535520	0_2_00535520
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_00547696	0_2_00547696
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_00535760	0_2_00535760
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_00541978	0_2_00541978
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_00559AB5	0_2_00559AB5
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_005A7DDB	0_2_005A7DDB
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_00541D90	0_2_00541D90
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_0054BDA6	0_2_0054BDA6
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_0052DF00	0_2_0052DF00
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_00533FE0	0_2_00533FE0
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_0119F958	0_2_0119F958
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00B0A620	1_2_00B0A620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00B0D978	1_2_00B0D978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00B04A80	1_2_00B04A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00B09E60	1_2_00B09E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00B03E68	1_2_00B03E68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_00B041B0	1_2_00B041B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_06022438	1_2_06022438
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_06021288	1_2_06021288
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_06023BD8	1_2_06023BD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_060234F0	1_2_060234F0

Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: String function: 00548900 appears 42 times
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: String function: 00540AE3 appears 70 times
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: String function: 00527DE1 appears 36 times

Source: LMxd0gpIxe.exe, 00000000.00000003.1696770322.0000000003793000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs LMxd0gpIxe.exe
Source: LMxd0gpIxe.exe, 00000000.00000003.1694974262.00000000038ED000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs LMxd0gpIxe.exe
Source: LMxd0gpIxe.exe, 00000000.00000002.1700553412.00000000035E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamee8300309-2878-4eb6-9fa4-d88c99cb9494.exe4 vs LMxd0gpIxe.exe

Source: LMxd0gpIxe.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 0.2.LMxd0gpIxe.exe.35e0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.LMxd0gpIxe.exe.35e0000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.LMxd0gpIxe.exe.35e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.LMxd0gpIxe.exe.35e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 00000000.00000002.1700553412.00000000035E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000000.00000002.1700553412.00000000035E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/2@1/1

Source: C:\Users\user\Desktop\LMxd0gpIxe.exe

Code function: 0_2_0058A06A GetLastError,FormatMessageW,

0_2_0058A06A

Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_005781CB AdjustTokenPrivileges,CloseHandle,		0_2_005781CB
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_005787E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_005787E1

Source: C:\Users\user\Desktop\LMxd0gpIxe.exe

Code function: 0_2_0058B333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_0058B333

Source: C:\Users\user\Desktop\LMxd0gpIxe.exe

Code function: 0_2_0059EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0059EE0D

Source: C:\Users\user\Desktop\LMxd0gpIxe.exe

Code function: 0_2_0058C397 CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0058C397

Source: C:\Users\user\Desktop\LMxd0gpIxe.exe

Code function: 0_2_00524E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00524E89

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\LMxd0gpIxe.exe

File created: C:\Users\user\AppData\Local\Temp\autA0AC.tmp

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\LMxd0gpIxe.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 00000001.00000002.2926410839.00000000028DF000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: LMxd0gpIxe.exe	ReversingLabs: Detection: 63%
Source: LMxd0gpIxe.exe	Virustotal: Detection: 73%

Source: unknown	Process created: C:\Users\user\Desktop\LMxd0gpIxe.exe "C:\Users\user\Desktop\LMxd0gpIxe.exe"
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\LMxd0gpIxe.exe"
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\LMxd0gpIxe.exe"	Jump to behavior

Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source:	Binary string: wntdll.pdbUGP source: LMxd0gpIxe.exe, 00000000.00000003.1695278496.0000000003670000.00000004.00001000.00020000.00000000.sdmp, LMxd0gpIxe.exe, 00000000.00000003.1695971931.0000000003810000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: LMxd0gpIxe.exe, 00000000.00000003.1695278496.0000000003670000.00000004.00001000.00020000.00000000.sdmp, LMxd0gpIxe.exe, 00000000.00000003.1695971931.0000000003810000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\LMxd0gpIxe.exe

Code function: 0_2_00647A10 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,

0_2_00647A10

Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_0052C4C6 push A30052BAh; retn 0052h	0_2_0052C50D
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_0058848F push FFFFFF8Bh; iretd	0_2_00588491
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_0054E70F push edi; ret	0_2_0054E711
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_0054E828 push esi; ret	0_2_0054E82A
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_00548945 push ecx; ret	0_2_00548958
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_0054EA03 push esi; ret	0_2_0054EA05
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_0054EAEC push edi; ret	0_2_0054EAEE
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_00522F12 push es; retf	0_2_00522F13
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 1_2_0602CB60 push es; ret	1_2_0602CB70

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_005248D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_005248D7
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_005A5376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_005A5376

Source: C:\Users\user\Desktop\LMxd0gpIxe.exe

Code function: 0_2_00543187 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00543187

Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: LMxd0gpIxe.exe PID: 6600, type: MEMORYSTR

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\LMxd0gpIxe.exe

API/Special instruction interceptor: Address: 119F57C

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: LMxd0gpIxe.exe, 00000000.00000002.1700553412.00000000035E0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2926410839.00000000028C2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2925388179.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2926410839.0000000002815000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\LMxd0gpIxe.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-101782

Source: C:\Users\user\Desktop\LMxd0gpIxe.exe

API coverage: 4.7 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_0058445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0058445A
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_0058C6D1 FindFirstFileW,FindClose,	0_2_0058C6D1
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_0058C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0058C75C
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_0058EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0058EF95
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_0058F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0058F0F2
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_0058F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0058F3F3
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_005837EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_005837EF
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_00583B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00583B12
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_0058BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0058BCBC

Source: C:\Users\user\Desktop\LMxd0gpIxe.exe

Code function: 0_2_005249A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_005249A0

Source: RegSvcs.exe, 00000001.00000002.2926410839.0000000002815000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: RegSvcs.exe, 00000001.00000002.2926410839.0000000002815000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: RegSvcs.exe, 00000001.00000002.2925388179.0000000000402000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: VMwareVBoxESelect * from Win32_ComputerSystem
Source: LMxd0gpIxe.exe, 00000000.00000003.1670420523.0000000000FD4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmwareworkstation.exe
Source: RegSvcs.exe, 00000001.00000002.2927639033.0000000005AA1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	API call chain: ExitProcess graph end node	graph_0-100780
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	API call chain: ExitProcess graph end node	graph_0-100534
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	API call chain: ExitProcess graph end node	graph_0-103499

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 1_2_00B07068 CheckRemoteDebuggerPresent,

1_2_00B07068

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\LMxd0gpIxe.exe

Code function: 0_2_00593F09 BlockInput,

0_2_00593F09

Source: C:\Users\user\Desktop\LMxd0gpIxe.exe

Code function: 0_2_00523B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00523B3A

Source: C:\Users\user\Desktop\LMxd0gpIxe.exe

Code function: 0_2_00555A7C RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,

0_2_00555A7C

Source: C:\Users\user\Desktop\LMxd0gpIxe.exe

Code function: 0_2_00647A10 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,

0_2_00647A10

Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_0119E1B8 mov eax, dword ptr fs:[00000030h]	0_2_0119E1B8
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_0119F7E8 mov eax, dword ptr fs:[00000030h]	0_2_0119F7E8
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_0119F848 mov eax, dword ptr fs:[00000030h]	0_2_0119F848

Source: C:\Users\user\Desktop\LMxd0gpIxe.exe

Code function: 0_2_005780A9 GetTokenInformation,GetLastError,GetProcessHeap,RtlAllocateHeap,GetTokenInformation,

0_2_005780A9

Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_0054A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_0054A155
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_0054A124 SetUnhandledExceptionFilter,		0_2_0054A124

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\LMxd0gpIxe.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\LMxd0gpIxe.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 63A008

Jump to behavior

Source: C:\Users\user\Desktop\LMxd0gpIxe.exe

Code function: 0_2_005787B1 LogonUserW,

0_2_005787B1

Source: C:\Users\user\Desktop\LMxd0gpIxe.exe

Code function: 0_2_00523B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00523B3A

Source: C:\Users\user\Desktop\LMxd0gpIxe.exe

Code function: 0_2_005248D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_005248D7

Source: C:\Users\user\Desktop\LMxd0gpIxe.exe

Code function: 0_2_00584C53 mouse_event,

0_2_00584C53

Source: C:\Users\user\Desktop\LMxd0gpIxe.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\LMxd0gpIxe.exe"

Jump to behavior

Source: C:\Users\user\Desktop\LMxd0gpIxe.exe

Code function: 0_2_00577CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00577CAF

Source: C:\Users\user\Desktop\LMxd0gpIxe.exe

Code function: 0_2_0057874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_0057874B

Source: LMxd0gpIxe.exe, 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: LMxd0gpIxe.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\LMxd0gpIxe.exe

Code function: 0_2_0054862B cpuid

0_2_0054862B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\LMxd0gpIxe.exe

Code function: 0_2_00554E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00554E87

Source: C:\Users\user\Desktop\LMxd0gpIxe.exe

Code function: 0_2_00561E06 GetUserNameW,

0_2_00561E06

Source: C:\Users\user\Desktop\LMxd0gpIxe.exe

Code function: 0_2_00553F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00553F3A

Source: C:\Users\user\Desktop\LMxd0gpIxe.exe

Code function: 0_2_005249A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_005249A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.LMxd0gpIxe.exe.35e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LMxd0gpIxe.exe.35e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2925388179.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1700553412.00000000035E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LMxd0gpIxe.exe PID: 6600, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2872, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: LMxd0gpIxe.exe	Binary or memory string: WIN_81
Source: LMxd0gpIxe.exe	Binary or memory string: WIN_XP
Source: LMxd0gpIxe.exe	Binary or memory string: WIN_XPe
Source: LMxd0gpIxe.exe	Binary or memory string: WIN_VISTA
Source: LMxd0gpIxe.exe	Binary or memory string: WIN_7
Source: LMxd0gpIxe.exe	Binary or memory string: WIN_8
Source: LMxd0gpIxe.exe, 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 0.2.LMxd0gpIxe.exe.35e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LMxd0gpIxe.exe.35e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2925388179.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1700553412.00000000035E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2926410839.0000000002815000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LMxd0gpIxe.exe PID: 6600, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2872, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.LMxd0gpIxe.exe.35e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LMxd0gpIxe.exe.35e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2925388179.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1700553412.00000000035E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LMxd0gpIxe.exe PID: 6600, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2872, type: MEMORYSTR

Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_00596283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00596283
Source: C:\Users\user\Desktop\LMxd0gpIxe.exe	Code function: 0_2_00596747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00596747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	221 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	21 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 Software Packing	NTDS	138 System Information Discovery	Distributed Component Object Model	21 Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 DLL Side-Loading	LSA Secrets	651 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Valid Accounts	Cached Domain Credentials	22 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	22 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	212 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
LMxd0gpIxe.exe	63%	ReversingLabs	Win32.Trojan.AutoitInject
LMxd0gpIxe.exe	73%	Virustotal		Browse
LMxd0gpIxe.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ip-api.com	208.95.112.1	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ip-api.com/line/?fields=hosting	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://account.dyn.com/	LMxd0gpIxe.exe, 00000000.00000002.1700553412.00000000035E0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2925388179.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000001.00000002.2926410839.00000000027E1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2926410839.00000000028A8000.00000004.00000800.00020000.00000000.sdmp	false	high
http://ip-api.com	RegSvcs.exe, 00000001.00000002.2926410839.00000000027E1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2926410839.00000000028A8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.2926410839.00000000028C2000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588366
Start date and time:	2025-01-11 01:24:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	LMxd0gpIxe.exe renamed because original name is a hash value
Original Sample Name:	15c74162d5e448d5691900c39f7c8c9939204bcff280eb316fdd6802a3a28f3a.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/2@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 56 Number of non-executed functions: 272
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.245.163.56, 20.3.187.198, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	rComprobante_swift_8676534657698632.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	28uMwHvbTD.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	e4Iw3lwFJ5.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	uOCavrYu1y.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	XoRPyi5s1i.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	NX8j2O83Wu.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	7569qiv4L2.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	hCkkM0lH0P.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	sDflTDPSLw.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	2HCwqwLg1G.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	rComprobante_swift_8676534657698632.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	28uMwHvbTD.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	e4Iw3lwFJ5.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	uOCavrYu1y.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	XoRPyi5s1i.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	NX8j2O83Wu.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	7569qiv4L2.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	hCkkM0lH0P.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	sDflTDPSLw.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	2HCwqwLg1G.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TUT-ASUS	rComprobante_swift_8676534657698632.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	28uMwHvbTD.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	e4Iw3lwFJ5.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	uOCavrYu1y.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	XoRPyi5s1i.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	NX8j2O83Wu.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	7569qiv4L2.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	hCkkM0lH0P.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	sDflTDPSLw.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	2HCwqwLg1G.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1

Process:	C:\Users\user\Desktop\LMxd0gpIxe.exe
File Type:	data
Category:	dropped
Size (bytes):	154276
Entropy (8bit):	7.909366410420752
Encrypted:	false
SSDEEP:	3072:9CG+K7EJLRkNC8SemRqP/BXFuUg7uMySgR4mMvalOuXALWEf+WFAjec4Ri:9CRK7QkApenP/B18uMySJmBJXA6Ef+W4
MD5:	03594F126C16F5C020C1FA2B070D60D6
SHA1:	DD1D73B50F175D5A5E508CCB45A993C17084F900
SHA-256:	2C80B58C29B2504D2D5CAA4C6C5461DC082B7F1CA0BF76CEB5F1AB2BC8B505EB
SHA-512:	A917DDFB3D07421D7BA95A80DD300697666841789816880626E9A1C58170A80731C8F88969FFBED723053D7D26FCADC5B065FFCD4CEFB3964A5FDF63BEBC7CDF
Malicious:	false
Reputation:	low
Preview:	EA06......t..iQ.Shu]_6.E..&UJU..8.. ....X.L..ZX..j`...,.X.V..j..q...h..u..Z..t...[6..nr...>.[d3...g+..k.Ht.3..Hj.8.r.G..,f...Q ..;......5..L..-.qS..M...lJ1T......v....D.....5...5..........a.D.'....%t...Qir...P.1.^.X,5@..].`._<.8.......-.q:...0.....v.:.O......W.,.^JM..:.X.ms....6.......,m@....a.7\|.I...e.U..Y=q_...s.......M\|.Jm...a..3.p....,L..${CQ.}nsZ...U.n.....-U......y._%..<....h$\..W.Y...;....!.O.<..~.K.qx.M..cL....L....R.._.a..M.7w...Bd...K..^.}.[m..~/6.dN...V.S.#..ret......#....ox.L"q.w....J...i:.M..)=Ja6.~.......br..gS.X._.v.u2.`.O.~.Gw3~.L...{.J..$........n......J.7.P..5..!.c.....`..V.XE.....a.......y'..@B+........].;mz.a3pI.nkc.[3...s...G&0...W...aP-.Fy..K..:$r.@....N.7.P.......pp....aT.R..j.>....\|.]....r=]J/....K.4..lmh....a..Tw`..Re....4G.k8...m.G.M.N..T..L..'...^.8.Y..X.v.%.Wg.9..'uzD....j.....A.l%q.%y...h.J..7C..)..-.y.....,..1.G.ti...T.N.....b....d.q2..).Y0.aC.VfUJu..:.Nf4i...O.J$s*5..r.I)TJ.b.N.Q.t}.2....!....e^..7.8..q5..-1.

C:\Users\user\AppData\Local\Temp\carryover

Download File

Process:	C:\Users\user\Desktop\LMxd0gpIxe.exe
File Type:	data
Category:	dropped
Size (bytes):	244224
Entropy (8bit):	6.679210992396976
Encrypted:	false
SSDEEP:	6144:kY7D2VX7SYNp0NMW2VDLkpb+9yZTOdjUPqvrox/1wYeL/VBiU/D1jPQU4P8AkYvr:zdmozy/rHdGhB
MD5:	21A8394C600BBB50B6332A6E27411749
SHA1:	BA6ACBBC88FE0DB9926FBE7A2876676E2D70D82B
SHA-256:	379CE867BB6C52ADBF2FDFC4EF0C63713A63E05C1B4C0C2419E925E02CCB67CB
SHA-512:	73A05DF82585B34BAA26344FFBB1A23C1F7A81463F7D298A421149EEA265B19C6A5C87553F6C3D711F6C3AC6D5A98A5063B92207583379E750F580462A3ACAE8
Malicious:	false
Reputation:	low
Preview:	.b.N2F4Q@MCU..FE.82TJDJ8.N1F4QDMCUT2FEK82TJDJ8SN1F4QDMCUT2FE.82TD[.6S.8...E..t.Z/6kH@;-6+Us-P(Z>0m!0t@3+kQ\t....>!U#.\IGgUT2FEK8b.JD.9PN...4DMCUT2FE.80UAEA8S.2F4YDMCUT2(.H82tJDJ.PN1FtQDmCUT0FEO82TJDJ8WN1F4QDMCuP2FGK82TJDH8..1F$QD]CUT2VEK(2TJDJ8CN1F4QDMCUT2^.H8aTJDJ.PNwC4QDMCUT2FEK82TJDJ8SN5F8QDMCUT2FEK82TJDJ8SN1F4QDMCUT2FEK82TJDJ8SN1F4QDMCUT2FeK8:TJDJ8SN1F4QLmCU.2FEK82TJDJ8}:T>@QDM7.W2FeK82.IDJ:SN1F4QDMCUT2FEk824d69J0N1FrTDMC.W2FCK82.IDJ8SN1F4QDMCU.2F.eJW8%'J8_N1F4Q@MCWT2F.H82TJDJ8SN1F4Q.MC.T2FEK82TJDJ8SN1Fd.GMCUT2.EK80TOD..QN.s5QGMCUU2FCK82TJDJ8SN1F4QDMCUT2FEK82TJDJ8SN1F4QDMCUT2FEK82TW.....yx\|,zG!R...".;..Y..A..>.!.?Y..tK....m1L..N.I...J...0.07-K......&? J%."{='.V....ykL...@Z.>.....+M..}....p..x^0....F..(W_z+4:T6`b'R06$.W.3FEK8......X>..iNLK` >...~V2n...JQDM'UT24EK8STJD.8SN^F4QMCU*2FE582T.DJ8.N1F.QDMfUT2+EK8.TJD48SN.;;^...<'..EK82T.....#....z...7.5cPl...\....1..B+.#q....<./..D.Z@...JBSP7DBO;>iD....o3B0TFJGVX.H....u.b..j...E..../.NFEK82T.DJ.SN1.Q.MCU.2.E.2TJ.8.N.F...M

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit):	7.8740077587620725
TrID:	Win32 Executable (generic) a (10002005/4) 99.39% UPX compressed Win32 Executable (30571/9) 0.30% Win32 EXE Yoda's Crypter (26571/9) 0.26% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	LMxd0gpIxe.exe
File size:	678'400 bytes
MD5:	92fff178a6c268dd0af4bc3b420fb0f3
SHA1:	5c4b1183dfbab7cf9f03eaa1db63603a63596d51
SHA256:	15c74162d5e448d5691900c39f7c8c9939204bcff280eb316fdd6802a3a28f3a
SHA512:	b424ade6133e5f46bf17552e44e80791216d26d10adf67833ba167e76e4c3e131b59be5420ea976367fb9ef397f93b88bf78595bbae957d954999090786c44fc
SSDEEP:	12288:IquErHF6xC9D6DmR1J98w4oknqOOCyQfq3DlU8STGTl8xUhjM5:Jrl6kD68JmlotQfADlvTl80ja
TLSH:	EFE4F18D5C2D48ABE4D5BE31D827387031A26DA3CC449A8E65B6BC4FF5A701118FDC6E
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	b17169ecc6c4718d

Static PE Info

General

Entrypoint:	0x527a10
Entrypoint Section:	UPX1
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6752DE4C [Fri Dec 6 11:21:48 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	fc6683d30d9f25244a50fd5357825e79

Entrypoint Preview

Instruction
pushad
mov esi, 004D2000h
lea edi, dword ptr [esi-000D1000h]
push edi
jmp 00007FBBB09BBF9Dh
nop
mov al, byte ptr [esi]
inc esi
mov byte ptr [edi], al
inc edi
add ebx, ebx
jne 00007FBBB09BBF99h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FBBB09BBF7Fh
mov eax, 00000001h
add ebx, ebx
jne 00007FBBB09BBF99h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
add ebx, ebx
jnc 00007FBBB09BBF9Dh
jne 00007FBBB09BBFBAh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FBBB09BBFB1h
dec eax
add ebx, ebx
jne 00007FBBB09BBF99h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
jmp 00007FBBB09BBF66h
add ebx, ebx
jne 00007FBBB09BBF99h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
jmp 00007FBBB09BBFE4h
xor ecx, ecx
sub eax, 03h
jc 00007FBBB09BBFA3h
shl eax, 08h
mov al, byte ptr [esi]
inc esi
xor eax, FFFFFFFFh
je 00007FBBB09BC007h
sar eax, 1
mov ebp, eax
jmp 00007FBBB09BBF9Dh
add ebx, ebx
jne 00007FBBB09BBF99h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FBBB09BBF5Eh
inc ecx
add ebx, ebx
jne 00007FBBB09BBF99h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FBBB09BBF50h
add ebx, ebx
jne 00007FBBB09BBF99h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jnc 00007FBBB09BBF81h
jne 00007FBBB09BBF9Bh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007FBBB09BBF76h
add ecx, 02h
cmp ebp, FFFFFB00h
adc ecx, 02h
lea edx, dword ptr [edi+ebp]
cmp ebp, FFFFFFFCh
jbe 00007FBBB09BBFA0h
mov al, byte ptr [edx]

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1772b0	0x424	.rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x128000	0x4f2b0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1776d4	0xc	.rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x127bf4	0x48	UPX1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0xd1000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1	0xd2000	0x56000	0x55e00	0c9e5b3ac99a6ce01bd2977e941e0f05	False	0.9871724890829694	data	7.93532194340387	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x128000	0x50000	0x4f800	84f2baac5b78bee1a0740007d95070e8	False	0.7558194526336478	data	7.697924049494884	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x12845c	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0x128588	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0x1286b4	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0x1287e0	0x16b70	Device independent bitmap graphic, 150 x 300 x 32, image size 90000	English	Great Britain	0.1676268271711092
RT_MENU	0xde340	0x50	data	English	Great Britain	1.1375
RT_STRING	0xde390	0x594	data	English	Great Britain	1.007703081232493
RT_STRING	0xde924	0x68a	data	English	Great Britain	1.0065710872162486
RT_STRING	0xdefb0	0x490	data	English	Great Britain	1.009417808219178
RT_STRING	0xdf440	0x5fc	data	English	Great Britain	1.0071801566579635
RT_STRING	0xdfa3c	0x65c	data	English	Great Britain	0.9981572481572482
RT_STRING	0xe0098	0x466	data	English	Great Britain	0.9698046181172292
RT_STRING	0xe0500	0x158	data	English	Great Britain	1.0319767441860466
RT_RCDATA	0x13f354	0x37a25	data			1.0003335132549578
RT_GROUP_ICON	0x176d80	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x176d98	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x176db0	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x176dc8	0x14	data	English	Great Britain	1.25
RT_VERSION	0x176de0	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x176ec0	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
KERNEL32.DLL	LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
ADVAPI32.dll	GetAce
COMCTL32.dll	ImageList_Remove
COMDLG32.dll	GetOpenFileNameW
GDI32.dll	LineTo
IPHLPAPI.DLL	IcmpSendEcho
MPR.dll	WNetUseConnectionW
ole32.dll	CoGetObject
OLEAUT32.dll	VariantInit
PSAPI.DLL	GetProcessMemoryInfo
SHELL32.dll	DragFinish
USER32.dll	GetDC
USERENV.dll	LoadUserProfileW
UxTheme.dll	IsThemeActive
VERSION.dll	VerQueryValueW
WININET.dll	FtpOpenFileW
WINMM.dll	timeGetTime
WSOCK32.dll	connect

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 01:25:03.796153069 CET	49730	80	192.168.2.4	208.95.112.1
Jan 11, 2025 01:25:03.801027060 CET	80	49730	208.95.112.1	192.168.2.4
Jan 11, 2025 01:25:03.801111937 CET	49730	80	192.168.2.4	208.95.112.1
Jan 11, 2025 01:25:03.802077055 CET	49730	80	192.168.2.4	208.95.112.1
Jan 11, 2025 01:25:03.806832075 CET	80	49730	208.95.112.1	192.168.2.4
Jan 11, 2025 01:25:04.263281107 CET	80	49730	208.95.112.1	192.168.2.4
Jan 11, 2025 01:25:04.304645061 CET	49730	80	192.168.2.4	208.95.112.1
Jan 11, 2025 01:25:23.124526978 CET	53734	53	192.168.2.4	1.1.1.1
Jan 11, 2025 01:25:23.129362106 CET	53	53734	1.1.1.1	192.168.2.4
Jan 11, 2025 01:25:23.129440069 CET	53734	53	192.168.2.4	1.1.1.1
Jan 11, 2025 01:25:23.134432077 CET	53	53734	1.1.1.1	192.168.2.4
Jan 11, 2025 01:25:23.598325014 CET	53734	53	192.168.2.4	1.1.1.1
Jan 11, 2025 01:25:23.603559017 CET	53	53734	1.1.1.1	192.168.2.4
Jan 11, 2025 01:25:23.603660107 CET	53734	53	192.168.2.4	1.1.1.1
Jan 11, 2025 01:25:25.624521971 CET	60366	53	192.168.2.4	1.1.1.1
Jan 11, 2025 01:25:25.629373074 CET	53	60366	1.1.1.1	192.168.2.4
Jan 11, 2025 01:25:25.629446983 CET	60366	53	192.168.2.4	1.1.1.1
Jan 11, 2025 01:25:25.634645939 CET	53	60366	1.1.1.1	192.168.2.4
Jan 11, 2025 01:25:26.077828884 CET	60366	53	192.168.2.4	1.1.1.1
Jan 11, 2025 01:25:26.088314056 CET	53	60366	1.1.1.1	192.168.2.4
Jan 11, 2025 01:25:26.088990927 CET	60366	53	192.168.2.4	1.1.1.1
Jan 11, 2025 01:26:07.428945065 CET	80	49730	208.95.112.1	192.168.2.4
Jan 11, 2025 01:26:07.429032087 CET	49730	80	192.168.2.4	208.95.112.1
Jan 11, 2025 01:26:44.282134056 CET	49730	80	192.168.2.4	208.95.112.1
Jan 11, 2025 01:26:44.286947012 CET	80	49730	208.95.112.1	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 01:25:03.782633066 CET	49421	53	192.168.2.4	1.1.1.1
Jan 11, 2025 01:25:03.790152073 CET	53	49421	1.1.1.1	192.168.2.4
Jan 11, 2025 01:25:23.124067068 CET	53	60187	1.1.1.1	192.168.2.4
Jan 11, 2025 01:25:25.624079943 CET	53	64435	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 11, 2025 01:25:03.782633066 CET	192.168.2.4	1.1.1.1	0x73f9	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 11, 2025 01:25:03.790152073 CET	1.1.1.1	192.168.2.4	0x73f9	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	208.95.112.1	80	2872	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:25:03.802077055 CET	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Jan 11, 2025 01:25:04.263281107 CET	175	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 00:25:03 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

Target ID:	0
Start time:	19:24:59
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\LMxd0gpIxe.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\LMxd0gpIxe.exe"
Imagebase:	0x520000
File size:	678'400 bytes
MD5 hash:	92FFF178A6C268DD0AF4BC3B420FB0F3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1700553412.00000000035E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.1700553412.00000000035E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1700553412.00000000035E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000000.00000002.1700553412.00000000035E0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AgentTeslaV2, Description: AgenetTesla Type 2 Keylogger payload, Source: 00000000.00000002.1700553412.00000000035E0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	19:25:01
Start date:	10/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\LMxd0gpIxe.exe"
Imagebase:	0x480000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2925388179.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.2925388179.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2926410839.0000000002815000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	4.2%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	8.2%
Total number of Nodes:	2000
Total number of Limit Nodes:	174

Executed Functions

Function 00523B3A Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00523B68
IsDebuggerPresent.KERNEL32 ref: 00523B7A
GetFullPathNameW.KERNEL32(00007FFF,?,?,005E52F8,005E52E0,?,?), ref: 00523BEB

Part of subcall function 00527BCC: _memmove.LIBCMT ref: 00527C06

Part of subcall function 0053092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00523C14,005E52F8,?,?,?), ref: 0053096E

SetCurrentDirectoryW.KERNEL32(?), ref: 00523C6F
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,005D7770,00000010), ref: 0055D281
SetCurrentDirectoryW.KERNEL32(?,005E52F8,?,?,?), ref: 0055D2B9
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,005D4260,005E52F8,?,?,?), ref: 0055D33F
ShellExecuteW.SHELL32(00000000,?,?), ref: 0055D346

Part of subcall function 00523A46: GetSysColorBrush.USER32(0000000F), ref: 00523A50
Part of subcall function 00523A46: LoadCursorW.USER32(00000000,00007F00), ref: 00523A5F
Part of subcall function 00523A46: LoadIconW.USER32(00000063), ref: 00523A76
Part of subcall function 00523A46: LoadIconW.USER32(000000A4), ref: 00523A88
Part of subcall function 00523A46: LoadIconW.USER32(000000A2), ref: 00523A9A
Part of subcall function 00523A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00523AC0
Part of subcall function 00523A46: RegisterClassExW.USER32(?), ref: 00523B16

Part of subcall function 005239D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00523A03
Part of subcall function 005239D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00523A24
Part of subcall function 005239D5: ShowWindow.USER32(00000000,?,?), ref: 00523A38
Part of subcall function 005239D5: ShowWindow.USER32(00000000,?,?), ref: 00523A41

Part of subcall function 0052434A: _memset.LIBCMT ref: 00524370
Part of subcall function 0052434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00524415

Strings

%[, xrefs: 00523C44
This is a third-party compiled AutoIt script., xrefs: 0055D279
runas, xrefs: 0055D33A

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas$%[
API String ID: 529118366-1425557641
Opcode ID: 62fcfc5289e31b58a2ed8adc64b47f9bf69ddf20e667eacc0f1cf1c0c5c44c2f
Instruction ID: a44fc02c57c23bdb3c85f7b29dc5a53b74c39b86a3093ac2ca5ea67b65e1dc8b
Opcode Fuzzy Hash: 62fcfc5289e31b58a2ed8adc64b47f9bf69ddf20e667eacc0f1cf1c0c5c44c2f
Instruction Fuzzy Hash: 44513835D08159AACF15EBF4FC49AED7F78BF9A304F004066F551B61E1EA744A09DB20

Function 00523633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
timewindowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 005236D2
KillTimer.USER32(?,00000001), ref: 005236FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0052371F
RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 0052372A
CreatePopupMenu.USER32 ref: 0052373E
PostQuitMessage.USER32(00000000), ref: 0052374D

Strings

TaskbarCreated, xrefs: 00523725
%[, xrefs: 0055D081, 0055D0CF

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Timer$ClipboardCreateFormatKillMenuMessageNtdllPopupPostProc_QuitRegisterWindow
String ID: TaskbarCreated$%[
API String ID: 157504867-3028661578
Opcode ID: 3444cdc9bd31aa2101995ac686f7e82b27f019ca79c6c885003be741fa875aa2
Instruction ID: 33a0258d3b897f3ea177f84b0396cbf33cc03eb95dd31d98d44172e5699fae68
Opcode Fuzzy Hash: 3444cdc9bd31aa2101995ac686f7e82b27f019ca79c6c885003be741fa875aa2
Instruction Fuzzy Hash: 19417BB2100555BBCF285F64FC4DB793F98FF12300F140425FA82962F1E669AE09A761

Function 005249A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 005249CD

Part of subcall function 00527BCC: _memmove.LIBCMT ref: 00527C06

GetCurrentProcess.KERNEL32(?,005AFAEC,00000000,00000000,?), ref: 00524A9A
IsWow64Process.KERNEL32(00000000), ref: 00524AA1
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00524AE7
FreeLibrary.KERNEL32(00000000), ref: 00524AF2
GetSystemInfo.KERNEL32(00000000), ref: 00524B23
GetSystemInfo.KERNEL32(00000000), ref: 00524B2F

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 6eb641d4a43794fc0230aa94ee4f8c6d82a8fbe037cd12df2425c43f88b43746
Instruction ID: 4ad3055bf0d727d1dbbb0184e710e287d495473786e508019d6cfd712117e3ea
Opcode Fuzzy Hash: 6eb641d4a43794fc0230aa94ee4f8c6d82a8fbe037cd12df2425c43f88b43746
Instruction Fuzzy Hash: 0891C4319897D1DEC731CB6894901AEBFF5BF3A301B444DAED0CB93A81D220A50CDB69

Function 00524E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00524E99
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00524D8E,?,?,00000000,00000000), ref: 00524EB0
LoadResource.KERNEL32(?,00000000,?,?,00524D8E,?,?,00000000,00000000,?,?,?,?,?,?,00524E2F), ref: 0055D937
SizeofResource.KERNEL32(?,00000000,?,?,00524D8E,?,?,00000000,00000000,?,?,?,?,?,?,00524E2F), ref: 0055D94C
LockResource.KERNEL32(00524D8E,?,?,00524D8E,?,?,00000000,00000000,?,?,?,?,?,?,00524E2F,00000000), ref: 0055D95F

Strings

SCRIPT, xrefs: 00524EA6

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 8dab87858b0234e15a50ecf078eb081f4e96ac4d8ba0a1e5917a8881d47b9aa0
Instruction ID: 2d9a63e9f0535642ec956c231844724284115d707d3a5b87a710b48a78b88c42
Opcode Fuzzy Hash: 8dab87858b0234e15a50ecf078eb081f4e96ac4d8ba0a1e5917a8881d47b9aa0
Instruction Fuzzy Hash: F5114876240701BBE7218BA5EC48F677BBEFFC6B11F204268F40686290DB71E8049B61

Function 0052FCE0 Relevance: 9.8, APIs: 3, Strings: 2, Instructions: 1040COMMON

Download Yara Rule

Strings

%[, xrefs: 0052FCF3
pb^, xrefs: 005649B9

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: BuffCharUpper
String ID: pb^$%[
API String ID: 3964851224-1575657069
Opcode ID: 6865c163a799d89becdb897080aee3c7498a009c88a4e93ee89b78b0de4be8ed
Instruction ID: 58aa64ca9160a5fa4d93ded9b6dc81cc2293e9c3ff90aacca00315c645531432
Opcode Fuzzy Hash: 6865c163a799d89becdb897080aee3c7498a009c88a4e93ee89b78b0de4be8ed
Instruction Fuzzy Hash: 629289746083518FD724DF24C494B2ABBE5BF85304F14996DE88A8B3A2D771EC45CF92

Function 00647A10 Relevance: 7.7, APIs: 5, Instructions: 206librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 00647B4A
GetProcAddress.KERNEL32(?,00640FF9), ref: 00647B68
ExitProcess.KERNEL32(?,00640FF9), ref: 00647B79
VirtualProtect.KERNELBASE(00520000,00001000,00000004,?,00000000), ref: 00647BC7
VirtualProtect.KERNEL32(00520000,00001000), ref: 00647BDC

Memory Dump Source

Source File: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
String ID:
API String ID: 1996367037-0
Opcode ID: b9ab5955e5271f7defc3f14e4e1c083b42a7b0c3b0ce0f043560cbea1fcf72c9
Instruction ID: 4d1c7a42a18438da02d6fac36d2a77f040f862bafdcfbc9ba81b3bcaff09b56d
Opcode Fuzzy Hash: b9ab5955e5271f7defc3f14e4e1c083b42a7b0c3b0ce0f043560cbea1fcf72c9
Instruction Fuzzy Hash: 975139B2A5C7524FD7219EB8CCC06E877A6EB1132072C0779C5E2C73C5E7A05E4687A0

Function 0052E6A0 Relevance: 7.4, Strings: 5, Instructions: 1102COMMON

Download Yara Rule

Strings

Dd^, xrefs: 00563AF5
Dd^, xrefs: 0052EAC1
Variable must be of type 'Object'., xrefs: 00563E62
Dd^, xrefs: 00563B2E
Dd^, xrefs: 0052EABA

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID:
String ID: Dd^$Dd^$Dd^$Dd^$Variable must be of type 'Object'.
API String ID: 0-1160235969
Opcode ID: 37fc9cca29bf1789f8a3e0ff9e6875ea0e8bf33139e71c4a5fd87eef504d4add
Instruction ID: d81f9a1e72d190aa30ce4893d3f17772a1b7dd182989e5baaa423dbb8651e119
Opcode Fuzzy Hash: 37fc9cca29bf1789f8a3e0ff9e6875ea0e8bf33139e71c4a5fd87eef504d4add
Instruction Fuzzy Hash: 85A29E75A00225CFCB24CF54E485AAEBFB5FF5A310F248469E945AB391D731ED42CB90

Function 0058445A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,0055E398), ref: 0058446A
FindFirstFileW.KERNELBASE(?,?), ref: 0058447B
FindClose.KERNEL32(00000000), ref: 0058448B

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: c18845af6850f1226936388eeb9f94b0f582a941f0c932dd59931ea2af018c03
Instruction ID: 3b8812d4aa2743dba89463929cfa54e0a7bd2963a4a54787ebf44c36f70925af
Opcode Fuzzy Hash: c18845af6850f1226936388eeb9f94b0f582a941f0c932dd59931ea2af018c03
Instruction Fuzzy Hash: 1FE0D8364105016746107B78EC0D5ED7F9CAE16335F100B16FC36D10F0E7B45D04AB95

Function 005309D0 Relevance: 64.3, APIs: 27, Strings: 9, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00530A5B
timeGetTime.WINMM ref: 00530D16
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00530E53
Sleep.KERNEL32(0000000A), ref: 00530E61
LockWindowUpdate.USER32(00000000,?,?), ref: 00530EFA
DestroyWindow.USER32 ref: 00530F06
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00530F20
Sleep.KERNEL32(0000000A,?,?), ref: 00564E83
TranslateMessage.USER32(?), ref: 00565C60
DispatchMessageW.USER32(?), ref: 00565C6E
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00565C82

Strings

pb^, xrefs: 00564FAE
@GUI_WINHANDLE, xrefs: 00564F8F
pb^, xrefs: 005657B4
pb^, xrefs: 00564F59
pb^, xrefs: 00565003
@TRAY_ID, xrefs: 0056578F
@GUI_CTRLID, xrefs: 00564F3A
@GUI_CTRLHANDLE, xrefs: 00564FE4
@COM_EVENTOBJ, xrefs: 005654F0

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pb^$pb^$pb^$pb^
API String ID: 4212290369-4286532560
Opcode ID: 8e2ad12e9cfe5c7c0e4b9b4ca02b35e64d7ce887708fb04396cacae3f3442fe6
Instruction ID: cb5c99ed1999387d08efde794daf56b45df9a5529c446962a0a4f8c1bc0d2b56
Opcode Fuzzy Hash: 8e2ad12e9cfe5c7c0e4b9b4ca02b35e64d7ce887708fb04396cacae3f3442fe6
Instruction Fuzzy Hash: ACB2C270608742DFD728DF24C898BAEBFE4BF85304F14491DE589972A1DB71E884DB82

Function 00589155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00588F5F: __time64.LIBCMT ref: 00588F69

Part of subcall function 00524EE5: _fseek.LIBCMT ref: 00524EFD

__wsplitpath.LIBCMT ref: 00589234

Part of subcall function 005440FB: __wsplitpath_helper.LIBCMT ref: 0054413B

_wcscpy.LIBCMT ref: 00589247
_wcscat.LIBCMT ref: 0058925A
__wsplitpath.LIBCMT ref: 0058927F
_wcscat.LIBCMT ref: 00589295
_wcscat.LIBCMT ref: 005892A8

Part of subcall function 00588FA5: _memmove.LIBCMT ref: 00588FDE
Part of subcall function 00588FA5: _memmove.LIBCMT ref: 00588FED

_wcscmp.LIBCMT ref: 005891EF

Part of subcall function 00589734: _wcscmp.LIBCMT ref: 00589824
Part of subcall function 00589734: _wcscmp.LIBCMT ref: 00589837

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00589452
_wcsncpy.LIBCMT ref: 005894C5
DeleteFileW.KERNEL32(?,?), ref: 005894FB
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00589511
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00589522
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00589534

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 6d84283aedb63e4a35d19f3daeac437ebb446bbe1b4d663aa97da644e921ed20
Instruction ID: f442c2035a573258e75c9375f82bcdc91bab61bd1a1088955602635cfed662f2
Opcode Fuzzy Hash: 6d84283aedb63e4a35d19f3daeac437ebb446bbe1b4d663aa97da644e921ed20
Instruction Fuzzy Hash: CBC140B1D00129AADF21EF95CC85AEEBBBDFF85314F0044A6F609E7151EB309A448F65

Function 0052708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00524706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,005E52F8,?,005237AE,?), ref: 00524724

Part of subcall function 0054050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00527165), ref: 0054052D

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 005271A8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0055E8C8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0055E909
RegCloseKey.ADVAPI32(?), ref: 0055E947
_wcscat.LIBCMT ref: 0055E9A0

Strings

\Include\, xrefs: 00527165
\, xrefs: 0055E9C3
Software\AutoIt v3\AutoIt, xrefs: 0052719E
Include, xrefs: 0055E8BF, 0055E900

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 58782fd547473c8750cb88e0ec71794c3f8a90d0b00283d2c6c0b40d51dc62ee
Instruction ID: 1a1f0dbce327989c58ad511fb98d6dda212e155294a83afe5d35b842face27e7
Opcode Fuzzy Hash: 58782fd547473c8750cb88e0ec71794c3f8a90d0b00283d2c6c0b40d51dc62ee
Instruction Fuzzy Hash: C671C0755083529EC308DF65E8959ABBFF8FFA9390F40052EF5858B1A0EB70994CCB52

Function 00523A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00523A50
LoadCursorW.USER32(00000000,00007F00), ref: 00523A5F
LoadIconW.USER32(00000063), ref: 00523A76
LoadIconW.USER32(000000A4), ref: 00523A88
LoadIconW.USER32(000000A2), ref: 00523A9A
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00523AC0
RegisterClassExW.USER32(?), ref: 00523B16

Part of subcall function 00523041: GetSysColorBrush.USER32(0000000F), ref: 00523074
Part of subcall function 00523041: RegisterClassExW.USER32(00000030), ref: 0052309E
Part of subcall function 00523041: RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 005230AF
Part of subcall function 00523041: LoadIconW.USER32(000000A9), ref: 005230F2

Strings

#, xrefs: 00523AFB
AutoIt v3, xrefs: 00523B05
0, xrefs: 00523AF4

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Load$Icon$Register$BrushClassColor$ClipboardCursorFormatImage
String ID: #$0$AutoIt v3
API String ID: 2880975755-4155596026
Opcode ID: d1d705582325ce4c76fc443b156bc7bb66279d5f8cfe79bead3687c379863304
Instruction ID: 9ea61ea91074ba10ea3309ffa618dcda17d1235152a677e923bf435c5e7911a7
Opcode Fuzzy Hash: d1d705582325ce4c76fc443b156bc7bb66279d5f8cfe79bead3687c379863304
Instruction Fuzzy Hash: BF217E75D00344AFEB14CFA4EC89B9D7FB0FB29715F00012AF640AA2A1E3B55548EF90

Function 00523766 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

CMDLINERAW, xrefs: 005237FB
/ErrorStdOut, xrefs: 0052387D
CMDLINE, xrefs: 00523822
R^, xrefs: 0055D213
/AutoIt3OutputDebug, xrefs: 00523892
/AutoIt3ExecuteLine, xrefs: 005238A7
/AutoIt3ExecuteScript, xrefs: 005238BC
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 005237AE

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$R^
API String ID: 1825951767-420430719
Opcode ID: 7c52f7eccf190b1819a11b5ce72a2a0a24879c011f732b98f4a9ccb4d26bf2ce
Instruction ID: e361adc1c88c348e9c35146b63894433fa0c50d8de1c8c81fa545ab3650b7f8f
Opcode Fuzzy Hash: 7c52f7eccf190b1819a11b5ce72a2a0a24879c011f732b98f4a9ccb4d26bf2ce
Instruction Fuzzy Hash: 0EA1307690022E9ACB15EBA0EC99AEEBF7CBF56304F440429F415B71D1EF745A08CB60

Function 00523015 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 73
registrywindowclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00523074
RegisterClassExW.USER32(00000030), ref: 0052309E
RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 005230AF
LoadIconW.USER32(000000A9), ref: 005230F2

Strings

TaskbarCreated, xrefs: 005230A4
+, xrefs: 0052305D
AutoIt v3 GUI, xrefs: 00523090
0, xrefs: 00523056

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Register$BrushClassClipboardColorFormatIconLoad
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 975902462-1005189915
Opcode ID: 3832b5b84dc5251464c7aeac7f080bbd2cfd09fa4909a70c82a5e7c865b95771
Instruction ID: 05a42980b5ea64d26479ff4a0e2bd1ad1c64f69be5d42210ed9bae3ec5bc1765
Opcode Fuzzy Hash: 3832b5b84dc5251464c7aeac7f080bbd2cfd09fa4909a70c82a5e7c865b95771
Instruction Fuzzy Hash: 78312A71845349AFDB50CFE4EC88A9EBFF4FB1A314F24456AE580AA2A0E3B50548DF51

Function 00523041 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 54
registrywindowclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00523074
RegisterClassExW.USER32(00000030), ref: 0052309E
RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 005230AF
LoadIconW.USER32(000000A9), ref: 005230F2

Strings

TaskbarCreated, xrefs: 005230A4
+, xrefs: 0052305D
AutoIt v3 GUI, xrefs: 00523090
0, xrefs: 00523056

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Register$BrushClassClipboardColorFormatIconLoad
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 975902462-1005189915
Opcode ID: 76581b03285c7c21a6c443d2d9598a10fae067dfd02fa2dba97b7bf74426a36d
Instruction ID: 83e433242aa836dea3ea70528477d68f9a1cf297113bf7b419ff68ce30943da9
Opcode Fuzzy Hash: 76581b03285c7c21a6c443d2d9598a10fae067dfd02fa2dba97b7bf74426a36d
Instruction Fuzzy Hash: DB21F7B5D01258AFDB00DFE4EC88BDDBBF4FB19704F10412AF651AA2A0E7B14548AF95

Function 0052F76F Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00540162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00540193
Part of subcall function 00540162: MapVirtualKeyW.USER32(00000010,00000000), ref: 0054019B
Part of subcall function 00540162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 005401A6
Part of subcall function 00540162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 005401B1
Part of subcall function 00540162: MapVirtualKeyW.USER32(00000011,00000000), ref: 005401B9
Part of subcall function 00540162: MapVirtualKeyW.USER32(00000012,00000000), ref: 005401C1

Part of subcall function 005360F9: RegisterClipboardFormatW.USER32(WM_GETCONTROLNAME), ref: 00536154

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0052F9CD
OleInitialize.OLE32(00000000), ref: 0052FA4A
CloseHandle.KERNEL32(00000000), ref: 005645C8

Strings

%[, xrefs: 0052F796, 0052F7A8, 0052F96E, 0052FA51
<W^, xrefs: 0052F930
\T^, xrefs: 0052F7F7
S^, xrefs: 0052F7EB

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Virtual$Handle$ClipboardCloseFormatInitializeRegister
String ID: <W^$\T^$%[$S^
API String ID: 3094916012-4003361884
Opcode ID: d08322e4586cff166b0c3da61b3e6823af856f69a7b71d47574b6af1d2a35462
Instruction ID: f065399c5e3fd564b4bdf3ff836caa6e2523adab4aac3fbd5a706e8cf2bf84e6
Opcode Fuzzy Hash: d08322e4586cff166b0c3da61b3e6823af856f69a7b71d47574b6af1d2a35462
Instruction Fuzzy Hash: 1C81C0B0901BC58FCB8CDF39A9846197FE5FBA834E750852AD189CF2A1F7704488AF11

Function 0119E938 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 0119EA09
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0119EC2F

Memory Dump Source

Source File: 00000000.00000002.1700242548.000000000119C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0119C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_119c000_LMxd0gpIxe.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
Instruction ID: 478a57ad005941d6012f4176b6cbe5b6a4c66db6cb736099aec9232e6d1f0c58
Opcode Fuzzy Hash: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
Instruction Fuzzy Hash: 8FA11870E01209EBDF18CFA4C898BAEBBB5BF48704F108559E212BB280D7759A41CF65

Function 005239D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00523A03
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00523A24
ShowWindow.USER32(00000000,?,?), ref: 00523A38
ShowWindow.USER32(00000000,?,?), ref: 00523A41

Strings

edit, xrefs: 00523A1E
AutoIt v3, xrefs: 005239FB, 00523A00, 00523A01

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 6725b50c2f59d707b9a30cbbec79dc12eee4ad75d2f110a4a5f7c6f1fd214917
Instruction ID: 2c836dbe3a89cbe2e0cc2ffb8cca74e0955ceba2ca2f816a733e8f85687e76de
Opcode Fuzzy Hash: 6725b50c2f59d707b9a30cbbec79dc12eee4ad75d2f110a4a5f7c6f1fd214917
Instruction Fuzzy Hash: C7F03A75A002D07EEA305763AC88E7B3E7DE7D7F54B00002ABB40AA171E2610844EAB0

Function 0052686A Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 260
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00524DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,005E52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00524E0F

_free.LIBCMT ref: 0055E263
_free.LIBCMT ref: 0055E2AA

Part of subcall function 00526A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00526BAD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 0055E039
/vR, xrefs: 0055E084, 0055E0BD
Bad directive syntax error, xrefs: 0055E292

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: /vR$>>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1458436481
Opcode ID: 61c8a95cd4a81f79fe8bd02042d9d9e3f5a6bbe02d50805ac30d9b65e9f06942
Instruction ID: 2ec3a1cb2447a59c5bb882ebcb85e53778d706332760998538bad39d0c6c0898
Opcode Fuzzy Hash: 61c8a95cd4a81f79fe8bd02042d9d9e3f5a6bbe02d50805ac30d9b65e9f06942
Instruction Fuzzy Hash: BA91617190022A9FCF08EFA4DC569EDBFB8FF49315F10442AF815AB2A1DB709A55CB50

Function 0119E6F8 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 150
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0119E5E8: Sleep.KERNELBASE(000001F4), ref: 0119E5F9

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0119E831

Strings

J8SN1F4QDMCUT2FEK82TJD, xrefs: 0119E894, 0119E897

Memory Dump Source

Source File: 00000000.00000002.1700242548.000000000119C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0119C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_119c000_LMxd0gpIxe.jbxd

Similarity

API ID: CreateFileSleep
String ID: J8SN1F4QDMCUT2FEK82TJD
API String ID: 2694422964-3235976714
Opcode ID: 58f2a68ab7b95a7b218c261ff4c8884ccfa52f38d0abba6e7ddd785d25bd4e27
Instruction ID: ec6ae77e2c8708fecccf25f7ee309bdc6809ac1fce9bd61f33fcea2fa1a37f92
Opcode Fuzzy Hash: 58f2a68ab7b95a7b218c261ff4c8884ccfa52f38d0abba6e7ddd785d25bd4e27
Instruction Fuzzy Hash: 2251A330D05358EAEF15DBE4C854BEEBBB4AF19304F004199E258BB2C1D7B95B44CBA6

Function 0052407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0055D3D7

Part of subcall function 00527BCC: _memmove.LIBCMT ref: 00527C06

_memset.LIBCMT ref: 005240FC
_wcscpy.LIBCMT ref: 00524150
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00524160

Strings

Line: , xrefs: 0055D400

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: 0e1075d4062cbc2b1ff36e6d7b7361cebba10c0a1f33c9528041f11635870d7f
Instruction ID: 6dcbd386474e72b8c14695a9284623c758df859f6e34dd178589bd983db7c179
Opcode Fuzzy Hash: 0e1075d4062cbc2b1ff36e6d7b7361cebba10c0a1f33c9528041f11635870d7f
Instruction Fuzzy Hash: 8831C4710087566FD724EB60EC4AFDB7FD8BF96304F10491AF685960E1EB709648CB92

Function 0054541D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0054547B
_memcpy_s.LIBCMT ref: 005454ED
__read_nolock.LIBCMT ref: 0054554B
__filbuf.LIBCMT ref: 0054556E
_memset.LIBCMT ref: 005455B2

Part of subcall function 00548B28: __getptd_noexit.LIBCMT ref: 00548B28

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction ID: e6000b6c37e23a46ce169529d83a71c3d2e084557d930dc05575584f48bac555
Opcode Fuzzy Hash: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction Fuzzy Hash: 2051B670A00B05DBCF249FA9D8446FE7FB6BF41329F248729F8259A2D2E7709D549B40

Function 005235B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,005235A1,SwapMouseButtons,00000004,?), ref: 005235D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,005235A1,SwapMouseButtons,00000004,?,?,?,?,00522754), ref: 005235F5
RegCloseKey.KERNELBASE(00000000,?,?,005235A1,SwapMouseButtons,00000004,?,?,?,?,00522754), ref: 00523617

Strings

Control Panel\Mouse, xrefs: 005235D2

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 9cbd39052419e18658d87617f7f0be5b84bac753c38cf236e10d7dac92e8d854
Instruction ID: dd9c578246d5b9e72abc785a1326f61ac2efe2ac44691957df9ae8c370a821ab
Opcode Fuzzy Hash: 9cbd39052419e18658d87617f7f0be5b84bac753c38cf236e10d7dac92e8d854
Instruction Fuzzy Hash: 2B114871610228BFDB208FA4EC44AAEBBBCFF06740F014469E805D7250E271AE44AB60

Function 0119D5E8 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 0119DE15
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 0119DE39
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0119DE5B

Memory Dump Source

Source File: 00000000.00000002.1700242548.000000000119C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0119C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_119c000_LMxd0gpIxe.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: e3f14b9100784c2d13b4d96e4da997e342e741b63af52aad6d222721779d43e7
Instruction ID: fc06cc855e8570ef8ec72e99d9c2a3eef7beac430cb5f56239b2c4f6848982d8
Opcode Fuzzy Hash: e3f14b9100784c2d13b4d96e4da997e342e741b63af52aad6d222721779d43e7
Instruction Fuzzy Hash: 8462FD70A14258DBEB28CFA4C850BDEB776EF58300F1091A9D11DEB390E7759E81CB59

Function 0058955B Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00524EE5: _fseek.LIBCMT ref: 00524EFD

Part of subcall function 00589734: _wcscmp.LIBCMT ref: 00589824
Part of subcall function 00589734: _wcscmp.LIBCMT ref: 00589837

_free.LIBCMT ref: 005896A2
_free.LIBCMT ref: 005896A9
_free.LIBCMT ref: 00589714

Part of subcall function 00542D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00549A24), ref: 00542D69
Part of subcall function 00542D55: GetLastError.KERNEL32(00000000,?,00549A24), ref: 00542D7B

_free.LIBCMT ref: 0058971C

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 4a2872fe10592e1d84cc1262fcb1ccf713934ef89923d88bffb920594bd4d040
Instruction ID: e2bdc7549961a7f0a4f8e2a9db3d1c9cfec97ce2209b93f424fd78cc36548baa
Opcode Fuzzy Hash: 4a2872fe10592e1d84cc1262fcb1ccf713934ef89923d88bffb920594bd4d040
Instruction Fuzzy Hash: BB515EB1D04219ABDF249F64DC85AAEBB79FF89300F14449EF609A3341DB715A80CF58

Function 0054470A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 005447A0
__flush.LIBCMT ref: 005447C0
__write.LIBCMT ref: 005447F3
__flsbuf.LIBCMT ref: 00544821

Part of subcall function 00548B28: __getptd_noexit.LIBCMT ref: 00548B28

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction ID: 87481ade180fe825c11ea3adbff061da60a1d936f77d12349e28c62f74066b83
Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction Fuzzy Hash: 5E41D374A407469BDB18CF69C884AEE7FA5FF81368B24853DE815C7640EB70DD428F40

Function 005244A0 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005244CF

Part of subcall function 0052407C: _memset.LIBCMT ref: 005240FC
Part of subcall function 0052407C: _wcscpy.LIBCMT ref: 00524150
Part of subcall function 0052407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00524160

KillTimer.USER32(?,00000001,?,?), ref: 00524524
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00524533
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0055D4B9

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 19025e88b152ad0cae4533195af282b43781dffb8e46b719e298385e7bdcaa0a
Instruction ID: 475f96e1543448fdf3932e87d75e04423ab5ed463116ad2000545d0a1e4bcff3
Opcode Fuzzy Hash: 19025e88b152ad0cae4533195af282b43781dffb8e46b719e298385e7bdcaa0a
Instruction Fuzzy Hash: 4921F5759047949FEB32CB249859BE6BFECBF16309F04049EE7CA5A181C3B42988DB51

Function 00524C70 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00524CBA

Strings

EA06, xrefs: 0055D8CC
AU3!P/[, xrefs: 00524CB4

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: _memmove
String ID: AU3!P/[$EA06
API String ID: 4104443479-1006748828
Opcode ID: 61f726128085ef999bc9ba229805427cc8ae0f588bd65ecbbd26ee2313abf234
Instruction ID: 78562c308641064c7eb9a476f3a1e6d36494aed9ab33db3c04148fb6f1c63193
Opcode Fuzzy Hash: 61f726128085ef999bc9ba229805427cc8ae0f588bd65ecbbd26ee2313abf234
Instruction Fuzzy Hash: C2418E32A0017957DF219B64F8557BE7F65BF87300F684465EC82A72C6D6209D448FA1

Function 00527285 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0055EA39
7523D0D0.COMDLG32(?), ref: 0055EA83

Part of subcall function 00524750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00524743,?,?,005237AE,?), ref: 00524770

Part of subcall function 00540791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 005407B0

Strings

X, xrefs: 0055EA51

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: NamePath$7523FullLong_memset
String ID: X
API String ID: 3285060876-3081909835
Opcode ID: 3c728887cd587245830f67b5fa3fb5aa533a2833b84e5ab6502b1885b7754c3c
Instruction ID: e2629ff157f25789c73e7c52ce2b5515f75642e3b9bb1f871777bec4678fadf8
Opcode Fuzzy Hash: 3c728887cd587245830f67b5fa3fb5aa533a2833b84e5ab6502b1885b7754c3c
Instruction Fuzzy Hash: B521C631A002599BCB11DF98D849BEE7FF8BF49315F00405AE908A7281DBB4598D8F91

Function 0053092D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00523C14,005E52F8,?,?,?), ref: 0053096E

Part of subcall function 00527BCC: _memmove.LIBCMT ref: 00527C06

_wcscat.LIBCMT ref: 00564CB7

Strings

S^, xrefs: 005309AE

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: FullNamePath_memmove_wcscat
String ID: S^
API String ID: 257928180-4185188088
Opcode ID: 27212091fc82cba3ece1cb65efb0b13fb66c84a8b70b78fe7a98bb21252b3370
Instruction ID: b46dd259d554a53b85278a9a2a0e62200993ddd51b286dc4bf0b9797f0d3312f
Opcode Fuzzy Hash: 27212091fc82cba3ece1cb65efb0b13fb66c84a8b70b78fe7a98bb21252b3370
Instruction Fuzzy Hash: 2C11E532A0131A9BCB00EBA0D809FCD7FF8BF4C350F0048A6B984D32C1EAB096885B10

Function 00588D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00588DAC
__fread_nolock.LIBCMT ref: 00588DC1

Strings

EA06, xrefs: 00588DF3

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 576e8529372d389ab2d849daea88eadf9ac1acc35de4bf440b4ab95782d4e6ac
Instruction ID: 9e130e65738853b13ee6ec0275086160b41686e9bd7ce02d6e40f93f10e230e9
Opcode Fuzzy Hash: 576e8529372d389ab2d849daea88eadf9ac1acc35de4bf440b4ab95782d4e6ac
Instruction Fuzzy Hash: 7701F9718042187FDB28DBA8C81AEFE7FF8EB11301F00459BF552D2281E874A6148760

Function 00540DB6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0054571C: __FF_MSGBANNER.LIBCMT ref: 00545733
Part of subcall function 0054571C: __NMSG_WRITE.LIBCMT ref: 0054573A
Part of subcall function 0054571C: RtlAllocateHeap.NTDLL(00FA0000,00000000,00000001), ref: 0054575F

std::exception::exception.LIBCMT ref: 00540DEC
__CxxThrowException@8.LIBCMT ref: 00540E01

Part of subcall function 0054859B: RaiseException.KERNEL32(?,?,00000000,005D9E78,?,00000001,?,?,?,00540E06,00000000,005D9E78,00529E8C,00000001), ref: 005485F0

Strings

bad allocation, xrefs: 00540DE1

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID: bad allocation
API String ID: 3902256705-2104205924
Opcode ID: b677f63961eed275b2d3447339a0a529b189cc38d28766a70711ac238deed934
Instruction ID: 883f57efb808192da9ae65c795edeb3564a9f329afe21d129969c22bd0bc438f
Opcode Fuzzy Hash: b677f63961eed275b2d3447339a0a529b189cc38d28766a70711ac238deed934
Instruction Fuzzy Hash: 7CF0A93590021A66CB14BA98EC095EE7FECFF41359F10082AF91596291DF709A55C5E1

Function 005898E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 005898F8
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0058990F

Strings

aut, xrefs: 00589909

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 932107abb558802a4e4b171acdad2587e86184f3b5fad4ce76628a076ddc9263
Instruction ID: f0787e1201dc45722c61218ae871fcc4440f712e2c624e732ecb72afa4d6e8d9
Opcode Fuzzy Hash: 932107abb558802a4e4b171acdad2587e86184f3b5fad4ce76628a076ddc9263
Instruction Fuzzy Hash: B0D05E7954030DABDB609BE4DC0EFEA7B3CEB14701F0006B2BB94911A1EAB095989B91

Function 0059CADD Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a88af59167f200c59dbe613c04f447cd93ea941063c82400b502c26c4c20dda
Instruction ID: 9f5697681199a82ebc4eb57655c2c6f2a00d1ebebceb66f1c23f674bf57013bd
Opcode Fuzzy Hash: 0a88af59167f200c59dbe613c04f447cd93ea941063c82400b502c26c4c20dda
Instruction Fuzzy Hash: BEF103716083419FCB14DF28C484A6ABBE5FF89314F54896EF8999B292D730E945CF82

Function 0052434A Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00524370
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00524415
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00524432

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 1120577a4da814c4a520e6b7878a112be63b3053695eace586ea54323a0bacf6
Instruction ID: c7b300913956850c2d125a7609377505bd91946ae48a62e3d2e73313cd1e5168
Opcode Fuzzy Hash: 1120577a4da814c4a520e6b7878a112be63b3053695eace586ea54323a0bacf6
Instruction Fuzzy Hash: CB3150705047118FD725DF64E88469BBFF8FF69309F00092EE6DA86291E771A948CB92

Function 0054571C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00545733

Part of subcall function 0054A16B: __NMSG_WRITE.LIBCMT ref: 0054A192
Part of subcall function 0054A16B: __NMSG_WRITE.LIBCMT ref: 0054A19C

__NMSG_WRITE.LIBCMT ref: 0054573A

Part of subcall function 0054A1C8: GetModuleFileNameW.KERNEL32(00000000,005E33BA,00000104,00000000,00000001,00000000), ref: 0054A25A
Part of subcall function 0054A1C8: ___crtMessageBoxW.LIBCMT ref: 0054A308

Part of subcall function 0054309F: ___crtCorExitProcess.LIBCMT ref: 005430A5
Part of subcall function 0054309F: ExitProcess.KERNEL32 ref: 005430AE

Part of subcall function 00548B28: __getptd_noexit.LIBCMT ref: 00548B28

RtlAllocateHeap.NTDLL(00FA0000,00000000,00000001), ref: 0054575F

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: ded488e9bd239d86b253b9914eea71b4306ba9c92c6ca94d02810c6285e165d6
Instruction ID: 89a37cc971656014a263fcabaf39cb5742839223a6fca6e8e7475f631e211f0e
Opcode Fuzzy Hash: ded488e9bd239d86b253b9914eea71b4306ba9c92c6ca94d02810c6285e165d6
Instruction Fuzzy Hash: F701C035240A02DBE6142B34EC8AAEE7F48FB923A9B100935F5459B192EF709C009661

Function 005898A2 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00589548,?,?,?,?,?,00000004), ref: 005898BB
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00589548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 005898D1
CloseHandle.KERNEL32(00000000,?,00589548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 005898D8

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 7059cc5e483a7612e2144cb33aaa232476cd5e1026184d522c8f931a9cd77448
Instruction ID: 4cc4ecd8e0ae30f4e637af7fa9f23facc7ee94680a3ba243bdb125dab168b7c4
Opcode Fuzzy Hash: 7059cc5e483a7612e2144cb33aaa232476cd5e1026184d522c8f931a9cd77448
Instruction Fuzzy Hash: E0E08632240214BBDB312B94EC09FDA7F19AB17761F144121FB54790E087B11515A798

Function 00588D0D Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00588D1B

Part of subcall function 00542D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00549A24), ref: 00542D69
Part of subcall function 00542D55: GetLastError.KERNEL32(00000000,?,00549A24), ref: 00542D7B

_free.LIBCMT ref: 00588D2C
_free.LIBCMT ref: 00588D3E

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: e572bb3280820806cd63a499e0b551fb9ad7511d2bd2374f1c7be07920dd6c79
Instruction ID: 331674ddec1d294179db5e8a9e74b4860a5821e29cfcda55e4dae57ca0473e52
Opcode Fuzzy Hash: e572bb3280820806cd63a499e0b551fb9ad7511d2bd2374f1c7be07920dd6c79
Instruction Fuzzy Hash: 9FE012B1A0261246CB24B578A944AE31BDCAF98396F94091DB80DE7186DE64F8838224

Function 0052A9C3 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 0055FC01

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: e70244bf7ec745a6fcc1dcfd077e52f166095d443eb8e52cc744de9981778340
Instruction ID: 7f3db9b253b94e39989627bce38ae96f2a9f2254fa96c1360af21dcd434165db
Opcode Fuzzy Hash: e70244bf7ec745a6fcc1dcfd077e52f166095d443eb8e52cc744de9981778340
Instruction Fuzzy Hash: C1226870508361DFDB24DF14D494A6ABFE1BF86304F14896DE88A9B3A2D731EC45DB82

Function 005877B3 Relevance: 3.1, APIs: 2, Instructions: 133COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 005878DB

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 76b9c10d9e16fe5d043c0d2c81e9edef2b37ded06f51e92105b2be256def782e
Instruction ID: 85f5f153ead198109ad4beb41cd1fbf2f3dfcdf93d731acd6ae8d02d7f8ddc06
Opcode Fuzzy Hash: 76b9c10d9e16fe5d043c0d2c81e9edef2b37ded06f51e92105b2be256def782e
Instruction Fuzzy Hash: 6141B9719082099BCB10FFA4D8899AABFA8FF8D304F344859E585A7381DB75DC05DB60

Function 00527A51 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00527AAB
_memmove.LIBCMT ref: 00527B16

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: aa52f996f6a1e8cebf2e93e85435818c4b1739226e09e342898e130c21d93d86
Instruction ID: 3916ca08aa276afefacdec531e269d29db22cf7e6141a36a5f4ec66a29cb77ac
Opcode Fuzzy Hash: aa52f996f6a1e8cebf2e93e85435818c4b1739226e09e342898e130c21d93d86
Instruction Fuzzy Hash: C83184B260461AAFC704DF68D8D1D69BBA9FF493207158629E519CB3D1EB30E960CB90

Function 005247D0 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

745EC8D0.UXTHEME ref: 00524834

Part of subcall function 0054336C: __lock.LIBCMT ref: 00543372
Part of subcall function 0054336C: RtlDecodePointer.NTDLL(00000001), ref: 0054337E
Part of subcall function 0054336C: RtlEncodePointer.NTDLL(?), ref: 00543389

Part of subcall function 005248FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00524915
Part of subcall function 005248FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0052492A

Part of subcall function 00523B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00523B68
Part of subcall function 00523B3A: IsDebuggerPresent.KERNEL32 ref: 00523B7A
Part of subcall function 00523B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,005E52F8,005E52E0,?,?), ref: 00523BEB
Part of subcall function 00523B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00523C6F

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00524874

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$DebuggerDecodeEncodeFullNamePathPresent__lock
String ID:
API String ID: 2688871447-0
Opcode ID: 1d66d40b93f2a26054d64e50cb60b41b01020ec74a24b3a97b7a9d9f6d9ffcd4
Instruction ID: e019346be97fffd926fe972edf3ee813fe987f7add3c3fa3b63e20446b8dd7e2
Opcode Fuzzy Hash: 1d66d40b93f2a26054d64e50cb60b41b01020ec74a24b3a97b7a9d9f6d9ffcd4
Instruction Fuzzy Hash: C4118E729043529BC704DF68E88990ABFE8FFAA754F10491AF1848B2B1EB709548DB91

Function 005455FD Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0054562C
__lock_file.LIBCMT ref: 0054564D

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: 09f11003d853e939440af1767ed4f14148c906e4d929446d76cbd43653f2d481
Instruction ID: db9219583bb17a70e508500d25b91330ddb36961b1f3996df203d9189133d9eb
Opcode Fuzzy Hash: 09f11003d853e939440af1767ed4f14148c906e4d929446d76cbd43653f2d481
Instruction Fuzzy Hash: FA01A771C01A0AEBCF12AFA89C0A4EE7F61BFD2369F554115F8141A192EB318A51EF91

Function 005453A6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00548B28: __getptd_noexit.LIBCMT ref: 00548B28

__lock_file.LIBCMT ref: 005453EB

Part of subcall function 00546C11: __lock.LIBCMT ref: 00546C34

__fclose_nolock.LIBCMT ref: 005453F6

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 770a77ee7fbd95202b08b2433ca7d7e34973741f97dceca3c00e85507caf3561
Instruction ID: 8c092e269f7f2cde224d2cf63e0f6b101d73820642275fa688b2f7f8439934bb
Opcode Fuzzy Hash: 770a77ee7fbd95202b08b2433ca7d7e34973741f97dceca3c00e85507caf3561
Instruction Fuzzy Hash: C1F09631801A069BDB106F65980D7ED6EA07F8137CF248505A464AB1C2DBBC4945AB52

Function 0119D5E5 Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 0119DE15
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 0119DE39
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0119DE5B

Memory Dump Source

Source File: 00000000.00000002.1700242548.000000000119C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0119C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_119c000_LMxd0gpIxe.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
Instruction ID: cedc5b0e8087e238d32591a8e29f6decba3e733ef189ad950fdf577eb0ff11ff
Opcode Fuzzy Hash: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
Instruction Fuzzy Hash: BA12DE24E24658C6EB24DF64D8507DEB232EF68300F1090E9910DEB7A5E77A4F81CF5A

Function 00540C08 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00540CB7

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: f4d7ae171862489cddc956dbc40128c953cfd46ca124b96e64f4c0439facaa78
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 0331C370A00105DBC718DF58D4C49A9FBB6FB99308B7496A5E90ACB391D631EDC1DBC0

Function 0055FCAC Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0055FCB7

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: a1690d0e79aef1bed43ad2e5df10fc1a4bc946c3d27e305e8c2ab8800debe9bb
Instruction ID: 4f36c46faf0482d058b10fb77bbc2b6adf42b179e8c8f5fd4a338504c1509e0a
Opcode Fuzzy Hash: a1690d0e79aef1bed43ad2e5df10fc1a4bc946c3d27e305e8c2ab8800debe9bb
Instruction Fuzzy Hash: 9F41F5746043518FDB25DF14D498B1ABFE1BF85318F1988ACE9998B3A2C731EC45CB52

Function 00527B53 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00527BB3

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: d98f48875766fa5f8f916d0bfb51603f6c320fcf346c989be66f975dc5ef0650
Instruction ID: 07ecaf58ae070c1de534fd8c75e47f86fe833d945e4ec82be977f972bca3cf94
Opcode Fuzzy Hash: d98f48875766fa5f8f916d0bfb51603f6c320fcf346c989be66f975dc5ef0650
Instruction Fuzzy Hash: 2C212772A04A19EBDB248F11F8526697FB8FF64351F21886FE886C5090EB30C598E705

Function 00524DDD Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00524BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00524BEF

Part of subcall function 0054525B: __wfsopen.LIBCMT ref: 00545266

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,005E52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00524E0F

Part of subcall function 00524B6A: FreeLibrary.KERNEL32(00000000), ref: 00524BA4

Part of subcall function 00524C70: _memmove.LIBCMT ref: 00524CBA

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 020df9d337a3a9dfdaba05c677acc09fe7e52af5763ca98efee2861accfc28cf
Instruction ID: 05e9e027e360925c301dc050bb3f57b140df191d6225c267df40aa8ec7eca45b
Opcode Fuzzy Hash: 020df9d337a3a9dfdaba05c677acc09fe7e52af5763ca98efee2861accfc28cf
Instruction Fuzzy Hash: B811C432600216ABDF20AF70D81AFAD7FA9BFC6710F108829F941A71C1EA7199049F61

Function 0055FD85 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 0055FD91

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: f433c035dea3117629f23eb6d011c5942b507c358b482ad20318e6c16b42ce1e
Instruction ID: 3f8e419c4773d9ec3298bcb2d43558e661752d37d5c80b93efcc989223c5dae6
Opcode Fuzzy Hash: f433c035dea3117629f23eb6d011c5942b507c358b482ad20318e6c16b42ce1e
Instruction Fuzzy Hash: 04214474508312DFCB14DF64D444A1ABFE0BF89314F04896CF98A577A2D731E819CB92

Function 00544863 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 005448A6

Part of subcall function 00548B28: __getptd_noexit.LIBCMT ref: 00548B28

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: bc0a4ea3404a5ae87b155893caa4576e32ad90ef9c0b61ac7cb51a134f36484e
Instruction ID: d948834533692ddc3a564b7e0c8e84ab5ada502cd1cb48150e6acd8288ac1917
Opcode Fuzzy Hash: bc0a4ea3404a5ae87b155893caa4576e32ad90ef9c0b61ac7cb51a134f36484e
Instruction Fuzzy Hash: 33F0C23194160AEBDF11AFB48C0E7EE3EA0FF4132DF158414F424AA192CB788951DF51

Function 00524E4A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,005E52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00524E7E

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 2fa5459cc16802dd68f721574cab18092ad623459814db5feef107bcc1c19ebd
Instruction ID: 3e93b1b26ee3d31f5064cbc70d7bb61bc108327c7aff8f9557569272c24fd8ad
Opcode Fuzzy Hash: 2fa5459cc16802dd68f721574cab18092ad623459814db5feef107bcc1c19ebd
Instruction Fuzzy Hash: 1BF03971501722CFEB349F64E494813BFE9BF563293218E3EE2D682660C7329884DF41

Function 00540791 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 005407B0

Part of subcall function 00527BCC: _memmove.LIBCMT ref: 00527C06

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 8c08d9029d7bc7ac3015306dd52bb77f298b42b08ce54c26b1dcea560746b191
Instruction ID: 508e96d1348ee47a42ea61287621954505b371e6bba7166e1464edd29c95de26
Opcode Fuzzy Hash: 8c08d9029d7bc7ac3015306dd52bb77f298b42b08ce54c26b1dcea560746b191
Instruction Fuzzy Hash: 4BE0CD379051295BC720D6989C09FEA7BEDEFCD7A1F0441B6FC0CD7254D9609C8486D0

Function 00588E9F Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00588EC1

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction ID: 891c9a229ce65b0b7d0c0ec2d24ac35a1af4d20d5cae097693d601790036c776
Opcode Fuzzy Hash: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction Fuzzy Hash: 6FE092B0104B045BD7389A24D800BF377E5FB05304F04081DF6AA93242EB6278458759

Function 0054525B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00545266

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: bf07238608b3fb92dd844f405f14603f5af31aea0aea64456857a7b497053fc3
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: FBB0927A44420C77CE012A92EC02A893F19AB81768F408021FB0C18162A6B3A6649A89

Function 0119E5E8 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 0119E5F9

Memory Dump Source

Source File: 00000000.00000002.1700242548.000000000119C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0119C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_119c000_LMxd0gpIxe.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: b6146f0dea53386bb0391d4ddcb0e1b998a3897f700982ab85eb5713efe04e80
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: AAE0E67594110DDFDB00DFB4D54969D7BB4FF05301F100161FD01D2281D7309D508A72

Non-executed Functions

Function 005ACABC Relevance: 70.6, APIs: 37, Strings: 3, Instructions: 632windowkeyboardnativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00522612: GetWindowLongW.USER32(?,000000EB), ref: 00522623

NtdllDialogWndProc_W.NTDLL(?,0000004E,?,?,?,?,?,?), ref: 005ACB37
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 005ACB95
GetWindowLongW.USER32(?,000000F0), ref: 005ACBD6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 005ACC00
SendMessageW.USER32 ref: 005ACC29
_wcsncpy.LIBCMT ref: 005ACC95
GetKeyState.USER32(00000011), ref: 005ACCB6
GetKeyState.USER32(00000009), ref: 005ACCC3
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 005ACCD9
GetKeyState.USER32(00000010), ref: 005ACCE3
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 005ACD0C
SendMessageW.USER32 ref: 005ACD33
SendMessageW.USER32(?,00001030,?,005AB348), ref: 005ACE37
SetCapture.USER32(?), ref: 005ACE69
ClientToScreen.USER32(?,?), ref: 005ACECE
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 005ACEF5
ReleaseCapture.USER32 ref: 005ACF00
GetCursorPos.USER32(?), ref: 005ACF3A
ScreenToClient.USER32(?,?), ref: 005ACF47
SendMessageW.USER32(?,00001012,00000000,?), ref: 005ACFA3
SendMessageW.USER32 ref: 005ACFD1
SendMessageW.USER32(?,00001111,00000000,?), ref: 005AD00E
SendMessageW.USER32 ref: 005AD03D
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 005AD05E
SendMessageW.USER32(?,0000110B,00000009,?), ref: 005AD06D
GetCursorPos.USER32(?), ref: 005AD08D
ScreenToClient.USER32(?,?), ref: 005AD09A
GetParent.USER32(?), ref: 005AD0BA
SendMessageW.USER32(?,00001012,00000000,?), ref: 005AD123
SendMessageW.USER32 ref: 005AD154
ClientToScreen.USER32(?,?), ref: 005AD1B2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 005AD1E2
SendMessageW.USER32(?,00001111,00000000,?), ref: 005AD20C
SendMessageW.USER32 ref: 005AD22F
ClientToScreen.USER32(?,?), ref: 005AD281
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 005AD2B5

Part of subcall function 005225DB: GetWindowLongW.USER32(?,000000EB), ref: 005225EC

GetWindowLongW.USER32(?,000000F0), ref: 005AD351

Strings

@GUI_DRAGID, xrefs: 005ACE9C
F, xrefs: 005AD235
pb^, xrefs: 005ACEAF

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: MessageSend$ClientScreen$LongWindow$State$CaptureCursorMenuPopupTrack$DialogInvalidateNtdllParentProc_RectRelease_wcsncpy
String ID: @GUI_DRAGID$F$pb^
API String ID: 302779176-2394457914
Opcode ID: 52894b8b4f14e52673f2018deb299b2999e7ccfe6fecc3a5428d72f4efcc1c3e
Instruction ID: e4df50be49c511fca55a9234a8a27501ef128652cfadf5dc26881f5f7ab91805
Opcode Fuzzy Hash: 52894b8b4f14e52673f2018deb299b2999e7ccfe6fecc3a5428d72f4efcc1c3e
Instruction Fuzzy Hash: 7742CF34204345AFDB24DF64D888AAEBFE5FF4A310F540919F5A6872B0D731D854EBA2

Function 00536F9E Relevance: 55.8, APIs: 19, Strings: 10, Instructions: 5018COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 005371C3
_memset.LIBCMT ref: 00537539
_memmove.LIBCMT ref: 005376AC

Strings

[:<:]], xrefs: 00537479
[:>:]], xrefs: 00537492
\b(?=\w), xrefs: 00573769
3cS, xrefs: 005723A0
_S, xrefs: 005723CB
P\], xrefs: 00571AB8
DEFINE, xrefs: 00572103
Q\E, xrefs: 00537FCB
\b(?<=\w), xrefs: 00573773
]], xrefs: 00571A22

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: _memmove$_memset
String ID: ]]$3cS$DEFINE$P\]$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)$_S
API String ID: 1357608183-308182256
Opcode ID: 87f686ddd100135ba2ed537c899b19ab877d38dd4e382b767db4eb04ba95f4f4
Instruction ID: dde3f3f2fd47376fcba4c85229d47ee4d0d974edfd4ea486a97c9605e267f7d3
Opcode Fuzzy Hash: 87f686ddd100135ba2ed537c899b19ab877d38dd4e382b767db4eb04ba95f4f4
Instruction Fuzzy Hash: 9693A575E00219DFDB24CF58D881BADBBB1FF48710F24856AE949AB381E7709D81EB50

Function 005248D7 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 005248DF
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0055D665
IsIconic.USER32(?), ref: 0055D66E
ShowWindow.USER32(?,00000009), ref: 0055D67B
SetForegroundWindow.USER32(?), ref: 0055D685
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0055D69B
GetCurrentThreadId.KERNEL32 ref: 0055D6A2
GetWindowThreadProcessId.USER32(?,00000000), ref: 0055D6AE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0055D6BF
AttachThreadInput.USER32(?,00000000,00000001), ref: 0055D6C7
AttachThreadInput.USER32(00000000,?,00000001), ref: 0055D6CF
SetForegroundWindow.USER32(?), ref: 0055D6D2
MapVirtualKeyW.USER32(00000012,00000000), ref: 0055D6E7
keybd_event.USER32(00000012,00000000), ref: 0055D6F2
MapVirtualKeyW.USER32(00000012,00000000), ref: 0055D6FC
keybd_event.USER32(00000012,00000000), ref: 0055D701
MapVirtualKeyW.USER32(00000012,00000000), ref: 0055D70A
keybd_event.USER32(00000012,00000000), ref: 0055D70F
MapVirtualKeyW.USER32(00000012,00000000), ref: 0055D719
keybd_event.USER32(00000012,00000000), ref: 0055D71E
SetForegroundWindow.USER32(?), ref: 0055D721
AttachThreadInput.USER32(?,?,00000000), ref: 0055D748

Strings

Shell_TrayWnd, xrefs: 0055D660

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 1f4d615890844f6954dc3de557504e31a4bcfe5799029c6a6d5106197b69c33f
Instruction ID: 8ecc46a5b30e50acce1a2803aa29dc7af8ab4f02ddaf566afa59490536c9b686
Opcode Fuzzy Hash: 1f4d615890844f6954dc3de557504e31a4bcfe5799029c6a6d5106197b69c33f
Instruction Fuzzy Hash: 94319272A40318BBEB306FA19C49F7F3E6CEB59B51F104026FE04EA1D1C6B05905ABB1

Function 00578310 Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 005787E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0057882B
Part of subcall function 005787E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00578858
Part of subcall function 005787E1: GetLastError.KERNEL32 ref: 00578865

_memset.LIBCMT ref: 00578353
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 005783A5
CloseHandle.KERNEL32(?), ref: 005783B6
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 005783CD
GetProcessWindowStation.USER32 ref: 005783E6
SetProcessWindowStation.USER32(00000000), ref: 005783F0
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0057840A

Part of subcall function 005781CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00578309), ref: 005781E0
Part of subcall function 005781CB: CloseHandle.KERNEL32(?,?,00578309), ref: 005781F2

Strings

winsta0, xrefs: 005783C8
default, xrefs: 00578405
, xrefs: 00578362

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 6bc2bb5f99456ffa2691db9e79f6f342ff9b07d90d12b5655d42ebceed6cfb55
Instruction ID: becd5251893948b30c1fcbd0bcf2e97753b3afc4b1299e015e1a785cfd4f7da8
Opcode Fuzzy Hash: 6bc2bb5f99456ffa2691db9e79f6f342ff9b07d90d12b5655d42ebceed6cfb55
Instruction Fuzzy Hash: 3C814971940209BFDF119FA4EC49AFE7FB9FF08304F148169F918A6261DB318A14EB60

Function 0058C75C Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0058C78D
FindClose.KERNEL32(00000000), ref: 0058C7E1
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0058C806
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0058C81D
FileTimeToSystemTime.KERNEL32(?,?), ref: 0058C844
__swprintf.LIBCMT ref: 0058C890
__swprintf.LIBCMT ref: 0058C8D3

Part of subcall function 00527DE1: _memmove.LIBCMT ref: 00527E22

__swprintf.LIBCMT ref: 0058C927

Part of subcall function 00543698: __woutput_l.LIBCMT ref: 005436F1

__swprintf.LIBCMT ref: 0058C975

Part of subcall function 00543698: __flsbuf.LIBCMT ref: 00543713
Part of subcall function 00543698: __flsbuf.LIBCMT ref: 0054372B

__swprintf.LIBCMT ref: 0058C9C4
__swprintf.LIBCMT ref: 0058CA13
__swprintf.LIBCMT ref: 0058CA62

Strings

%4d, xrefs: 0058C8CD
%4d%02d%02d%02d%02d%02d, xrefs: 0058C88A
%02d, xrefs: 0058C91B, 0058C925, 0058C973, 0058C9C2, 0058CA11, 0058CA60

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 4a8e420d10d740563ee36a04cac34492b1ae77f908c61cedc7975957101fd2a1
Instruction ID: 57d145424629417fd9e231eccabdedbe5ded58d370543aa9d7986739ace59f7f
Opcode Fuzzy Hash: 4a8e420d10d740563ee36a04cac34492b1ae77f908c61cedc7975957101fd2a1
Instruction Fuzzy Hash: FAA120B2408316ABC714EF94D889DAFBBECFFD5704F400919F58596291EB30DA48CB62

Function 0058EF95 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 0058EFB6
_wcscmp.LIBCMT ref: 0058EFCB
_wcscmp.LIBCMT ref: 0058EFE2
GetFileAttributesW.KERNEL32(?), ref: 0058EFF4
SetFileAttributesW.KERNEL32(?,?), ref: 0058F00E
FindNextFileW.KERNEL32(00000000,?), ref: 0058F026
FindClose.KERNEL32(00000000), ref: 0058F031
FindFirstFileW.KERNEL32(*.*,?), ref: 0058F04D
_wcscmp.LIBCMT ref: 0058F074
_wcscmp.LIBCMT ref: 0058F08B
SetCurrentDirectoryW.KERNEL32(?), ref: 0058F09D
SetCurrentDirectoryW.KERNEL32(005D8920), ref: 0058F0BB
FindNextFileW.KERNEL32(00000000,00000010), ref: 0058F0C5
FindClose.KERNEL32(00000000), ref: 0058F0D2
FindClose.KERNEL32(00000000), ref: 0058F0E4

Strings

*.*, xrefs: 0058F048

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: daee5f8fcf9d885b8a0946af49f2bd7553eb68c53b2636a503b83898e0b48cdd
Instruction ID: 68180ff4684b6b30c1109fc66586db7ba719480586c2e747154a4cbdd9b19c28
Opcode Fuzzy Hash: daee5f8fcf9d885b8a0946af49f2bd7553eb68c53b2636a503b83898e0b48cdd
Instruction Fuzzy Hash: 9531E336501209AEDB24FBA4EC4DBEE7BACBF49360F100176EC41E21A1DB70DA44DB61

Function 005A0857 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005A0953
RegCreateKeyExW.ADVAPI32(?,?,00000000,005AF910,00000000,?,00000000,?,?), ref: 005A09C1
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 005A0A09
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 005A0A92
RegCloseKey.ADVAPI32(?), ref: 005A0DB2
RegCloseKey.ADVAPI32(00000000), ref: 005A0DBF

Strings

REG_QWORD, xrefs: 005A0D00
REG_EXPAND_SZ, xrefs: 005A0A2F
REG_DWORD, xrefs: 005A0C83
REG_BINARY, xrefs: 005A0D4D
REG_MULTI_SZ, xrefs: 005A0B7A
REG_SZ, xrefs: 005A0AD0

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: c73b965c22e2b48c5b35b6da733f8ec018ae3c471d8fd256cbcee1846d844b6e
Instruction ID: 65486f750ebf34963b7cc702b83c85fa430ae9dcbab35c66981d27f280ebb725
Opcode Fuzzy Hash: c73b965c22e2b48c5b35b6da733f8ec018ae3c471d8fd256cbcee1846d844b6e
Instruction Fuzzy Hash: B7024B756046129FCB14EF14D859E2ABBE5FF8A314F04885DF8899B3A2CB30EC45CB81

Function 005AC5FE Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 181windowfilenativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00522612: GetWindowLongW.USER32(?,000000EB), ref: 00522623

DragQueryPoint.SHELL32(?,?), ref: 005AC627

Part of subcall function 005AAB37: ClientToScreen.USER32(?,?), ref: 005AAB60
Part of subcall function 005AAB37: GetWindowRect.USER32(?,?), ref: 005AABD6
Part of subcall function 005AAB37: PtInRect.USER32(?,?,005AC014), ref: 005AABE6

SendMessageW.USER32(?,000000B0,?,?), ref: 005AC690
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 005AC69B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 005AC6BE
_wcscat.LIBCMT ref: 005AC6EE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 005AC705
SendMessageW.USER32(?,000000B0,?,?), ref: 005AC71E
SendMessageW.USER32(?,000000B1,?,?), ref: 005AC735
SendMessageW.USER32(?,000000B1,?,?), ref: 005AC757
DragFinish.SHELL32(?), ref: 005AC75E
NtdllDialogWndProc_W.NTDLL(?,00000233,?,00000000,?,?,?), ref: 005AC851

Strings

@GUI_DRAGID, xrefs: 005AC7C9
pb^, xrefs: 005AC79B
@GUI_DROPID, xrefs: 005AC77E
@GUI_DRAGFILE, xrefs: 005AC800

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientDialogFinishLongNtdllPointProc_Screen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pb^
API String ID: 2166380349-368586474
Opcode ID: bcc7f3e958a9a655c16e25f49ee960ee823c5a2026dbe1666731cdb7fc3661e9
Instruction ID: 688aab2d6d6b2fb8d631762a516cbb47658d5dc1a80004b6e5d66aaa837485d0
Opcode Fuzzy Hash: bcc7f3e958a9a655c16e25f49ee960ee823c5a2026dbe1666731cdb7fc3661e9
Instruction Fuzzy Hash: D9615C71108301AFC715DFA4D889DAFBFE8FF9A750F04091EF591961A1DB309949CB92

Function 0058F0F2 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 0058F113
_wcscmp.LIBCMT ref: 0058F128
_wcscmp.LIBCMT ref: 0058F13F

Part of subcall function 00584385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 005843A0

FindNextFileW.KERNEL32(00000000,?), ref: 0058F16E
FindClose.KERNEL32(00000000), ref: 0058F179
FindFirstFileW.KERNEL32(*.*,?), ref: 0058F195
_wcscmp.LIBCMT ref: 0058F1BC
_wcscmp.LIBCMT ref: 0058F1D3
SetCurrentDirectoryW.KERNEL32(?), ref: 0058F1E5
SetCurrentDirectoryW.KERNEL32(005D8920), ref: 0058F203
FindNextFileW.KERNEL32(00000000,00000010), ref: 0058F20D
FindClose.KERNEL32(00000000), ref: 0058F21A
FindClose.KERNEL32(00000000), ref: 0058F22C

Strings

*.*, xrefs: 0058F190

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 5b6733dd6cabd9c2ef8653ef333d11f5fd23edd02f9e514f6a3a1cadf5e8c605
Instruction ID: 3e2cef1f21b8af0ded6b796ea71c2c998b8e7540fff1fd36255110583540068f
Opcode Fuzzy Hash: 5b6733dd6cabd9c2ef8653ef333d11f5fd23edd02f9e514f6a3a1cadf5e8c605
Instruction Fuzzy Hash: 2E31B9395001196ADB20BBA4EC59BEE7FACBF99360F100176EC41F21A0DB30DE45DB54

Function 0058A1EF Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0058A20F
__swprintf.LIBCMT ref: 0058A231
CreateDirectoryW.KERNEL32(?,00000000), ref: 0058A26E
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0058A293
_memset.LIBCMT ref: 0058A2B2
_wcsncpy.LIBCMT ref: 0058A2EE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0058A323
CloseHandle.KERNEL32(00000000), ref: 0058A32E
RemoveDirectoryW.KERNEL32(?), ref: 0058A337
CloseHandle.KERNEL32(00000000), ref: 0058A341

Strings

\, xrefs: 0058A247
:, xrefs: 0058A252
\??\%s, xrefs: 0058A22B

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: ee6d7dc39bd9360546ebda7a1e26ec37b99a22538dacf10aec41ff23cb43ad52
Instruction ID: 15f4628a7591e72e70758de3ccf3138c8c8fe6e16bab00625724a6c565cef4f6
Opcode Fuzzy Hash: ee6d7dc39bd9360546ebda7a1e26ec37b99a22538dacf10aec41ff23cb43ad52
Instruction Fuzzy Hash: 2D3180B590410AABDB219FA0DC49FEB3BBCFF89741F1045B6F909E6160EB7096448B25

Function 005AC1AC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windownativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00522612: GetWindowLongW.USER32(?,000000EB), ref: 00522623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 005AC1FC
GetFocus.USER32 ref: 005AC20C
GetDlgCtrlID.USER32(00000000), ref: 005AC217
_memset.LIBCMT ref: 005AC342
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 005AC36D
GetMenuItemCount.USER32(?), ref: 005AC38D
GetMenuItemID.USER32(?,00000000), ref: 005AC3A0
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 005AC3D4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 005AC41C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 005AC454
NtdllDialogWndProc_W.NTDLL(?,00000111,?,?,?,?,?,?,?), ref: 005AC489

Strings

0, xrefs: 005AC33A

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlDialogFocusLongMessageNtdllPostProc_RadioWindow_memset
String ID: 0
API String ID: 3616455698-4108050209
Opcode ID: 4c0d25e47dac1d0d3e6d1f235277ae11080543d6a19f410aa7d79936bc219cbd
Instruction ID: 204df07378eaffc2d3041c492888d8b5cafbd672ee0e3f4ed7a46013ceab38fd
Opcode Fuzzy Hash: 4c0d25e47dac1d0d3e6d1f235277ae11080543d6a19f410aa7d79936bc219cbd
Instruction Fuzzy Hash: E8818A70608301AFDB24CF64C894A6EBFE9FF8A714F00492EF99597291D770D905DBA2

Function 005366E1 Relevance: 20.9, Strings: 16, Instructions: 889COMMON

Download Yara Rule

Strings

LIMIT_RECURSION=, xrefs: 005711FC
CRLF), xrefs: 005712C1
CR), xrefs: 00571287
3cS, xrefs: 005368FF
_S, xrefs: 00571465, 0057150C, 005715B4
ANYCRLF), xrefs: 005712FB
BSR_UNICODE), xrefs: 00571338
LF), xrefs: 005712A4
ANY), xrefs: 005712DE
UTF16), xrefs: 005710CF
UTF), xrefs: 005710FA
NO_START_OPT), xrefs: 0057114F
LIMIT_MATCH=, xrefs: 00571170
BSR_ANYCRLF), xrefs: 0057131E
UCP), xrefs: 0057110D
NO_AUTO_POSSESS), xrefs: 0057112E

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID:
String ID: 3cS$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$_S
API String ID: 0-654464195
Opcode ID: f79dc047e55849f5afc23fd83edac0957b474787de630e0dd9e80e2a133d0351
Instruction ID: ba86c5112455ba5626458f6b4b5539a12adc666c0f3633fe0a3a83674e52d696
Opcode Fuzzy Hash: f79dc047e55849f5afc23fd83edac0957b474787de630e0dd9e80e2a133d0351
Instruction Fuzzy Hash: 2B727E75E00619DBDB24CF59D8907AEBBB5FF44310F14856AE809EB290EB309E81DB94

Function 0058001C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00580097
SetKeyboardState.USER32(?), ref: 00580102
GetAsyncKeyState.USER32(000000A0), ref: 00580122
GetKeyState.USER32(000000A0), ref: 00580139
GetAsyncKeyState.USER32(000000A1), ref: 00580168
GetKeyState.USER32(000000A1), ref: 00580179
GetAsyncKeyState.USER32(00000011), ref: 005801A5
GetKeyState.USER32(00000011), ref: 005801B3
GetAsyncKeyState.USER32(00000012), ref: 005801DC
GetKeyState.USER32(00000012), ref: 005801EA
GetAsyncKeyState.USER32(0000005B), ref: 00580213
GetKeyState.USER32(0000005B), ref: 00580221

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 73db6915d4e7bb53ed670954a54c77c925be8c6d51ad07fa43bb98319c026a3e
Instruction ID: 748c50b63e4cce7618373404b708e744c077fbf06bbf269d7b22bb585fdbfec6
Opcode Fuzzy Hash: 73db6915d4e7bb53ed670954a54c77c925be8c6d51ad07fa43bb98319c026a3e
Instruction Fuzzy Hash: D551EB309047896DFB75FBA088197BABFB4AF01380F485599DDC2761C3DAA49B8CC761

Function 005A03DA Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 005A0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0059FDAD,?,?), ref: 005A0E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005A04AC

Part of subcall function 00529837: __itow.LIBCMT ref: 00529862
Part of subcall function 00529837: __swprintf.LIBCMT ref: 005298AC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 005A054B
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 005A05E3
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 005A0822
RegCloseKey.ADVAPI32(00000000), ref: 005A082F

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: ac7d4931244bbff9fbc85109377a5f7cb491783a6e5330a65f1cb43f1fde55bd
Instruction ID: 3b8ea548d380e19430fc326e9971ae6145555ff3494f1a1eb07b4fe30510f43a
Opcode Fuzzy Hash: ac7d4931244bbff9fbc85109377a5f7cb491783a6e5330a65f1cb43f1fde55bd
Instruction Fuzzy Hash: 28E13D71604215AFCB14DF24C895D6EBBE4FF8A314F04896DF94ADB2A1DA30ED05CB91

Function 00594164 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0059418B
EmptyClipboard.USER32 ref: 00594191
GlobalAlloc.KERNEL32(00000002,?), ref: 005941A6
CloseClipboard.USER32 ref: 00594245

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 9badca12f9799b69f65290bb1550239d2532b34ca03a6a13cc93b7b48f5e7930
Instruction ID: fdf8f269e4c76c346873bfa2d6021f6297d73293205d47ae30ec43bb76f69212
Opcode Fuzzy Hash: 9badca12f9799b69f65290bb1550239d2532b34ca03a6a13cc93b7b48f5e7930
Instruction Fuzzy Hash: 9621BF392006119FDB14AF60EC09F6D7FA8FF56314F04802AF946DB2A1DB30AC02EB94

Function 005837EF Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00524750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00524743,?,?,005237AE,?), ref: 00524770

Part of subcall function 00584A31: GetFileAttributesW.KERNEL32(?,0058370B), ref: 00584A32

FindFirstFileW.KERNEL32(?,?), ref: 005838A3
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 0058394B
MoveFileW.KERNEL32(?,?), ref: 0058395E
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 0058397B
FindNextFileW.KERNEL32(00000000,00000010), ref: 0058399D
FindClose.KERNEL32(00000000,?,?,?,?), ref: 005839B9

Strings

\*.*, xrefs: 0058384E, 00583857, 0058386C

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 40b8dd21dd44f1ca7b8bb96ecfed182b54868393e9c802960018663f7b989e66
Instruction ID: fd036f3fbee7bafc6d4e2e81f2b6fe285d47a574a7eb5fa1c7f7495ca5fb61a6
Opcode Fuzzy Hash: 40b8dd21dd44f1ca7b8bb96ecfed182b54868393e9c802960018663f7b989e66
Instruction Fuzzy Hash: 99516C3180515EAACF15FFA0E99A9EDBF79BF56300F600069E84676191EB316F09CB60

Function 0058F3F3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00527DE1: _memmove.LIBCMT ref: 00527E22

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0058F440
Sleep.KERNEL32(0000000A), ref: 0058F470
_wcscmp.LIBCMT ref: 0058F484
_wcscmp.LIBCMT ref: 0058F49F
FindNextFileW.KERNEL32(?,?), ref: 0058F53D
FindClose.KERNEL32(00000000), ref: 0058F553

Strings

*.*, xrefs: 0058F425

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: f0f66e50bf8a2728fdad1eea64a3eb82ec3d96ef378fbff6ab4c4d48073f8305
Instruction ID: 97f30e9e59a3fdde87f08b6378ae6eeebaddd308295c7a7487861265b44dba7c
Opcode Fuzzy Hash: f0f66e50bf8a2728fdad1eea64a3eb82ec3d96ef378fbff6ab4c4d48073f8305
Instruction Fuzzy Hash: 9B414E7190021A9FCF14EFA4DC49AEEBFB4FF5A310F14456AE815A31A1EB309E85DB50

Function 005AD43E Relevance: 12.3, APIs: 8, Instructions: 257windownativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00522612: GetWindowLongW.USER32(?,000000EB), ref: 00522623

GetSystemMetrics.USER32(0000000F), ref: 005AD47C
GetSystemMetrics.USER32(0000000F), ref: 005AD49C
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 005AD6D7
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 005AD6F5
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 005AD716
ShowWindow.USER32(00000003,00000000), ref: 005AD735
InvalidateRect.USER32(?,00000000,00000001), ref: 005AD75A
NtdllDialogWndProc_W.NTDLL(?,00000005,?,?), ref: 005AD77D

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$DialogInvalidateLongMoveNtdllProc_RectShow
String ID:
API String ID: 830902736-0
Opcode ID: c7ef6d84a7ff41fa6cbfc7df30d54aa05a7300337a4a3fe7cbf55b2bb96b0108
Instruction ID: 3fdb91f006b0d42c6476ba8a4f95513b817d4027c046f7dac3b742affe98901d
Opcode Fuzzy Hash: c7ef6d84a7ff41fa6cbfc7df30d54aa05a7300337a4a3fe7cbf55b2bb96b0108
Instruction Fuzzy Hash: 3EB1AB71600229EBDF18DF68C9C57AD7BB1FF0A701F088069ED4A9F695D734A950CBA0

Function 00533030 Relevance: 11.1, APIs: 4, Strings: 2, Instructions: 587COMMON

Download Yara Rule

Strings

3cS, xrefs: 00533225
_S, xrefs: 00533322

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: __itow__swprintf
String ID: 3cS$_S
API String ID: 674341424-3431193023
Opcode ID: aea090a724faa9b3bed88e67fc58da9b660b70a46e500ca880e56dd85c169da2
Instruction ID: d497acce88106c18491bb5254c45aa277497c5a36bbcbfb13e4a35cd6cd03344
Opcode Fuzzy Hash: aea090a724faa9b3bed88e67fc58da9b660b70a46e500ca880e56dd85c169da2
Instruction Fuzzy Hash: 97228A716083129FCB24DF24D885B6EBBE4BFC5310F14492CF89A97291EB31E944CB92

Function 00535760 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 005358A5
_memmove.LIBCMT ref: 005358F5
_memmove.LIBCMT ref: 0053595B

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: e99411be43a44a1565f39f0b18d93424b7c9d24d0524ec74816ee39063779598
Instruction ID: 7155e9415ef2b605b6784285a94d7d9012ba7cffc1e46c4fd6a8c6120a6c24f8
Opcode Fuzzy Hash: e99411be43a44a1565f39f0b18d93424b7c9d24d0524ec74816ee39063779598
Instruction Fuzzy Hash: 2112AE70A0061ADFDF14DFA4D985AEEBBF5FF88300F209529E406E7291EB35A914DB50

Function 005851BD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 005787E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0057882B
Part of subcall function 005787E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00578858
Part of subcall function 005787E1: GetLastError.KERNEL32 ref: 00578865

ExitWindowsEx.USER32(?,00000000), ref: 005851F9

Strings

, xrefs: 005851E7
SeShutdownPrivilege, xrefs: 005851C9
@, xrefs: 005851EC

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: c9f31e5e18b9600af750464d99f1c60ce01df1515ff7768a50f23ec2268b4dd7
Instruction ID: 5568cf57aa03618906f83c95faa541a38bc94dfde12044d99b6bf0858bbb8451
Opcode Fuzzy Hash: c9f31e5e18b9600af750464d99f1c60ce01df1515ff7768a50f23ec2268b4dd7
Instruction Fuzzy Hash: 0001F7397916126BEB287268AC8EFBA7E58FB05740F600821FD57F20D2FD511C009790

Function 00596283 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000001,00000006), ref: 005962DC
WSAGetLastError.WS2_32(00000000), ref: 005962EB
bind.WS2_32(00000000,?,00000010), ref: 00596307
listen.WS2_32(00000000,00000005), ref: 00596316
WSAGetLastError.WS2_32(00000000), ref: 00596330
closesocket.WS2_32(00000000), ref: 00596344

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: d4f9e8698c2fbf1671ab3f9e1eefd54e8080e9735e8baa7dd8c789ab6f688ae0
Instruction ID: 4494c22394434cf791f71a1065a027305463690ab7c75e1da8f77e6c35f3d273
Opcode Fuzzy Hash: d4f9e8698c2fbf1671ab3f9e1eefd54e8080e9735e8baa7dd8c789ab6f688ae0
Instruction Fuzzy Hash: 11210131200211AFCF10EF64D889B6EBBA8FF8A720F148559F816A73D1CB30AC09DB50

Function 00535520 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00540DB6: std::exception::exception.LIBCMT ref: 00540DEC
Part of subcall function 00540DB6: __CxxThrowException@8.LIBCMT ref: 00540E01

_memmove.LIBCMT ref: 00570258
_memmove.LIBCMT ref: 0057036D
_memmove.LIBCMT ref: 00570414

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: 44d217bf3952cf2b97106ea7928a0b508aaaf1afe529a252eef2e5c33cff2f70
Instruction ID: 5e49d40769330a7a22e1dd776e16bcac3b79179a08532201a147893668a5ec87
Opcode Fuzzy Hash: 44d217bf3952cf2b97106ea7928a0b508aaaf1afe529a252eef2e5c33cff2f70
Instruction Fuzzy Hash: 6502C2B0A0020ADBCF04DF64E985AAE7FF5FF84300F549469E80ADB295EB31D954DB91

Function 00521287 Relevance: 7.9, APIs: 5, Instructions: 379nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00522612: GetWindowLongW.USER32(?,000000EB), ref: 00522623

NtdllDialogWndProc_W.NTDLL(?,?,?,?,?), ref: 005219FA
GetSysColor.USER32(0000000F), ref: 00521A4E
SetBkColor.GDI32(?,00000000), ref: 00521A61

Part of subcall function 00521290: NtdllDialogWndProc_W.NTDLL(?,00000020,?), ref: 005212D8

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: ColorDialogNtdllProc_$LongWindow
String ID:
API String ID: 591255283-0
Opcode ID: 64fa29c39343d6b752fa681ba135c5a553b7353410169f78c6be417226d8542c
Instruction ID: fbe28bca5c99d8c56fbdb5287943b6acf674325cc16f04c7f5b9c0a82a37c82f
Opcode Fuzzy Hash: 64fa29c39343d6b752fa681ba135c5a553b7353410169f78c6be417226d8542c
Instruction Fuzzy Hash: 65A16B71106D65BAE728AA38AC5CE7F3E6DFFA3342B14051AF402D51D2DB229D0092F9

Function 00596747 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00597D8B: inet_addr.WS2_32(00000000), ref: 00597DB6

socket.WS2_32(00000002,00000002,00000011), ref: 0059679E
WSAGetLastError.WS2_32(00000000), ref: 005967C7
bind.WS2_32(00000000,?,00000010), ref: 00596800
WSAGetLastError.WS2_32(00000000), ref: 0059680D
closesocket.WS2_32(00000000), ref: 00596821

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: 5ff4736b3e1826575d32f8ec3ad5651496cfb1fc934847e484320389cb66e3fd
Instruction ID: 04ff01cfe0ea3724ecb03cff43130079038326e3827521e76436fff26bf7a53a
Opcode Fuzzy Hash: 5ff4736b3e1826575d32f8ec3ad5651496cfb1fc934847e484320389cb66e3fd
Instruction Fuzzy Hash: CC41E475A00221AFDB14BF649C8AF7E7BE8FF86714F448458F919AB3C2CA709D058791

Function 005A5376 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 005A53C5
IsWindowEnabled.USER32 ref: 005A53D3
GetForegroundWindow.USER32(?,?,00000001), ref: 005A53E0
IsIconic.USER32 ref: 005A53EE
IsZoomed.USER32 ref: 005A53FC

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 7c039a1c5136151a8af8c8d3c48bb43275146cb6065d69d9410b64c6b7b7f5bb
Instruction ID: 856464a9051e35be2a34011e034ce71cf12372a6b174c40e5381d367478aca30
Opcode Fuzzy Hash: 7c039a1c5136151a8af8c8d3c48bb43275146cb6065d69d9410b64c6b7b7f5bb
Instruction Fuzzy Hash: AA11B2327009216FEB215F66AC48E6E7F98FFD77A1B444839F846D7241EB709C0196A0

Function 005780A9 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 005780C0
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 005780CA
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 005780D9
RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 005780E0
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 005780F6

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: HeapInformationToken$AllocateErrorLastProcess
String ID:
API String ID: 47921759-0
Opcode ID: da6b070c8f90928fc1b4c3c2ab80747e79ed17225e51ad90a7a7e279e0b06aab
Instruction ID: 8c4b9c297535e9f6e4b166b9ac449e5e03aea9cac020052e052f7dfd3e26eb6b
Opcode Fuzzy Hash: da6b070c8f90928fc1b4c3c2ab80747e79ed17225e51ad90a7a7e279e0b06aab
Instruction Fuzzy Hash: A7F06231240204AFEB100FA5EC8DE7B3FACFF4A755B404025F949C6150CB619C45EB60

Function 0058C397 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0058C432
CoCreateInstance.COMBASE(005B2D6C,00000000,00000001,005B2BDC,?), ref: 0058C44A

Part of subcall function 00527DE1: _memmove.LIBCMT ref: 00527E22

CoUninitialize.COMBASE ref: 0058C6B7

Strings

.lnk, xrefs: 0058C3C6, 0058C3EE, 0058C3F8

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 9baab8e9ca00070cb697da46012333230171498d27e0ba3e8dc155328eff9179
Instruction ID: 5c7fb00db1263728e3401238f7ed35444b97a40f8440e4bfe4e3355773f52185
Opcode Fuzzy Hash: 9baab8e9ca00070cb697da46012333230171498d27e0ba3e8dc155328eff9179
Instruction Fuzzy Hash: 89A14B71104206AFD300EF54D885EABBBE8FFCA314F00492CF55597292EB71E949CB62

Function 0059EE0D Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0059EE3D
Process32FirstW.KERNEL32(00000000,?), ref: 0059EE4B

Part of subcall function 00527DE1: _memmove.LIBCMT ref: 00527E22

Process32NextW.KERNEL32(00000000,?), ref: 0059EF0B
CloseHandle.KERNEL32(00000000,?,?,?), ref: 0059EF1A

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 7b804cce7a74658d7365dd5884c2553ab2e8040335041324998ea8ccc97f3e3d
Instruction ID: 703f069c4ed6eb274236f09aaaab42f0882f086cda3048ef3e9b2a1badf2a237
Opcode Fuzzy Hash: 7b804cce7a74658d7365dd5884c2553ab2e8040335041324998ea8ccc97f3e3d
Instruction Fuzzy Hash: E7518071504316AFD710EF24D88AE6BBBE8FF95710F40481DF595962A1EB70A908CB92

Function 005AC498 Relevance: 6.1, APIs: 4, Instructions: 83nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00522612: GetWindowLongW.USER32(?,000000EB), ref: 00522623

GetCursorPos.USER32(?), ref: 005AC4D2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0055B9AB,?,?,?,?,?), ref: 005AC4E7
GetCursorPos.USER32(?), ref: 005AC534
NtdllDialogWndProc_W.NTDLL(?,0000007B,?,?,?,?,?,?,?,?,?,?,0055B9AB,?,?,?), ref: 005AC56E

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Cursor$DialogLongMenuNtdllPopupProc_TrackWindow
String ID:
API String ID: 1423138444-0
Opcode ID: 39e928177082aaee827d0a469b32db535ee84c0a9734e22b3f2b6081c40bad62
Instruction ID: 967af9eda18dea0ba322163b9e372a75132879fea34ac1e9587dc712f733d710
Opcode Fuzzy Hash: 39e928177082aaee827d0a469b32db535ee84c0a9734e22b3f2b6081c40bad62
Instruction Fuzzy Hash: D7316F39A00458EFCB258F98C898EAE7FB5FF4F310F444169F9458B261D731A950EBA4

Function 00521290 Relevance: 6.1, APIs: 4, Instructions: 59nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00522612: GetWindowLongW.USER32(?,000000EB), ref: 00522623

NtdllDialogWndProc_W.NTDLL(?,00000020,?), ref: 005212D8
GetClientRect.USER32(?,?), ref: 0055B5FB
GetCursorPos.USER32(?), ref: 0055B605
ScreenToClient.USER32(?,?), ref: 0055B610

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Client$CursorDialogLongNtdllProc_RectScreenWindow
String ID:
API String ID: 1010295502-0
Opcode ID: 83527f54073d8d49faf24118fd3448b9dc23f7085f8a3dd250489fdd05eddc9c
Instruction ID: 0cfb939b95201b00532fa6cab7e8a0eb7f7869525870d3a504914f5707439821
Opcode Fuzzy Hash: 83527f54073d8d49faf24118fd3448b9dc23f7085f8a3dd250489fdd05eddc9c
Instruction Fuzzy Hash: A6116D3A90042AEFCB10DF95E8899EF7BB8FF56300F100455F941E7181D730BA559BA9

Function 0057E616 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 0057E628

Strings

(, xrefs: 0057E66E
|, xrefs: 0057E658

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: fdd70c3e65f7f0c6ad42bda7ea2770abcf06c30d37516b1ad489ee326d80421e
Instruction ID: e95ed6731c37db071860e126fef387844d203af13a8fd76c0b3727b38ea87887
Opcode Fuzzy Hash: fdd70c3e65f7f0c6ad42bda7ea2770abcf06c30d37516b1ad489ee326d80421e
Instruction Fuzzy Hash: 05322675A007059FD728CF29D48596ABBF1FF48310B15C4AEE99ADB3A1E770E941CB40

Function 005922EE Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0059180A,00000000), ref: 005923E1
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00592418

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 402d7f9aaa461f40de6238c3739fccb6d6c8050af86155653d2121ef865c2478
Instruction ID: a1b20ef43746f33fac29e2c4ba0e89cb9275252ed09fba0811760b7e192c4e7c
Opcode Fuzzy Hash: 402d7f9aaa461f40de6238c3739fccb6d6c8050af86155653d2121ef865c2478
Instruction Fuzzy Hash: E241C371904209BFEF209E95DC85EBBBFBCFB80314F10446AF645A6141EB759E419A60

Function 0058B333 Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0058B343
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0058B39D
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0058B3EA

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 4bf9020338ec232d9780bfef9d944779035fe748373c9b1bbd27d64e03e547d1
Instruction ID: 6e8c9e5bdd62d046a97ed7d12d4cd7e0184eaa4e4bd2cd4bf97de5cec4ebd114
Opcode Fuzzy Hash: 4bf9020338ec232d9780bfef9d944779035fe748373c9b1bbd27d64e03e547d1
Instruction Fuzzy Hash: 49216035A00518EFCB00EFA5E885AEDBFB8FF89310F1480AAE905AB351DB319915DB50

Function 005787E1 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00540DB6: std::exception::exception.LIBCMT ref: 00540DEC
Part of subcall function 00540DB6: __CxxThrowException@8.LIBCMT ref: 00540E01

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0057882B
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00578858
GetLastError.KERNEL32 ref: 00578865

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 6039148a9c505d22b84835f06cf4252823d4272199a7a2ed249fd102d1b742b8
Instruction ID: 8cd6528c41e216c6ebf5a447319f6ea9562edfefe3b60666cfbd18d7216726cd
Opcode Fuzzy Hash: 6039148a9c505d22b84835f06cf4252823d4272199a7a2ed249fd102d1b742b8
Instruction Fuzzy Hash: 4B1160B1814205AFD718DFA4EC89D6BBBB8FB45715B20852EE45A97241DA30BC449B60

Function 0057874B Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00578774
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0057878B
FreeSid.ADVAPI32(?), ref: 0057879B

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 35c6611ac73f48350b43225a8fd21d829d6e56a9d9ade63281e4870ac9990283
Instruction ID: 2cad32e0feb555710beb397881d93e6d9c2a0af484cdf44440218a1097316b6b
Opcode Fuzzy Hash: 35c6611ac73f48350b43225a8fd21d829d6e56a9d9ade63281e4870ac9990283
Instruction Fuzzy Hash: 45F03C75951208BBDB04DFE49C89AAEBBB8FF08201F1044A9A502E2181E6715A089B50

Function 00588889 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 0058889B

Part of subcall function 0054520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00588F6E,00000000,?,?,?,?,0058911F,00000000,?), ref: 00545213
Part of subcall function 0054520A: __aulldiv.LIBCMT ref: 00545233

Strings

0e^, xrefs: 00588892

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID: 0e^
API String ID: 2893107130-1332993939
Opcode ID: 9f9c2af5fbd157846b8e2f3263280b1c6ce3eb9c9f5a635076419f960451e9ff
Instruction ID: f1bfecfb53885ffa3d9d06f27d0710e0e2dde4ce69035774aac61f398ce84d2b
Opcode Fuzzy Hash: 9f9c2af5fbd157846b8e2f3263280b1c6ce3eb9c9f5a635076419f960451e9ff
Instruction Fuzzy Hash: 8121D2326256108BC329CF25D881A62B7E1EBB4310B688E6CD4F5CF2C0CA34A905DF54

Function 005216DE Relevance: 3.1, APIs: 2, Instructions: 83nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00522612: GetWindowLongW.USER32(?,000000EB), ref: 00522623

Part of subcall function 005225DB: GetWindowLongW.USER32(?,000000EB), ref: 005225EC

GetParent.USER32(?), ref: 0055B7BA
NtdllDialogWndProc_W.NTDLL(?,00000133,?,?,?,?,?,?,?,?,005219B3,?,?,?,00000006,?), ref: 0055B834

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: LongWindow$DialogNtdllParentProc_
String ID:
API String ID: 314495775-0
Opcode ID: a5c2fdc720d3712523c22ea2096a9572d5e4fe60a48c609a8df5fe41141291af
Instruction ID: b7365376d1fc957159980965cf6bd6aa98fb1707007f511f5ee90be3fbecfde2
Opcode Fuzzy Hash: a5c2fdc720d3712523c22ea2096a9572d5e4fe60a48c609a8df5fe41141291af
Instruction Fuzzy Hash: 9F21E634200954AFDB248F28E898DAA3FD6FF9B320F584251F9554B2F2D7315D11DB54

Function 0058C6D1 Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0058C6FB
FindClose.KERNEL32(00000000), ref: 0058C72B

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 747930639857e31d8d27bff077a1757540ae41916eeae8ee6afdeb1dddbfc5df
Instruction ID: 8c440c952c81cebcebe558c6d722846da866b00862a1d5f2a75a0d46fcf526e0
Opcode Fuzzy Hash: 747930639857e31d8d27bff077a1757540ae41916eeae8ee6afdeb1dddbfc5df
Instruction Fuzzy Hash: 2E1182726006019FDB10EF29D849A2AFBE4FF85320F04851DF8AAD7390DB30AC05CB91

Function 005AC57D Relevance: 3.0, APIs: 2, Instructions: 46nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00522612: GetWindowLongW.USER32(?,000000EB), ref: 00522623

NtdllDialogWndProc_W.NTDLL(?,0000002B,?,?,?,?,?,?,?,0055B93A,?,?,?), ref: 005AC5F1

Part of subcall function 005225DB: GetWindowLongW.USER32(?,000000EB), ref: 005225EC

SendMessageW.USER32(?,00000401,00000000,00000000), ref: 005AC5D7

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: LongWindow$DialogMessageNtdllProc_Send
String ID:
API String ID: 1273190321-0
Opcode ID: c2d120f4b26f2554ad67742d9e234b417897f73103c8284692d815ba0ee2bb49
Instruction ID: 12145179c431feff1d15596b6c12591335ab48331e20aecc425e29339a8ede01
Opcode Fuzzy Hash: c2d120f4b26f2554ad67742d9e234b417897f73103c8284692d815ba0ee2bb49
Instruction Fuzzy Hash: C801B135200254EBCB259F14DC88E6E3FA6FF9A364F140528F9411B2E1CB72A815EBA0

Function 005AC93E Relevance: 3.0, APIs: 2, Instructions: 33nativeCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 005AC961
NtdllDialogWndProc_W.NTDLL(?,00000200,?,?,?,?,?,?,?,0055BA16,?,?,?,?,?), ref: 005AC98A

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: ClientDialogNtdllProc_Screen
String ID:
API String ID: 3420055661-0
Opcode ID: 478776a31638d8d5eb53e9a2559d6189ad8c016b13188391c73c948a7b5c2d53
Instruction ID: 332902b193656517f646d6f81c62a4db7036a0600866d7e58aa94e292c3710ea
Opcode Fuzzy Hash: 478776a31638d8d5eb53e9a2559d6189ad8c016b13188391c73c948a7b5c2d53
Instruction Fuzzy Hash: 7FF03A7240021CFFEF049F85EC09DAE7FB9FB49311F10416AF941A2161D3716A64EBA4

Function 0058A06A Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00599468,?,005AFB84,?), ref: 0058A097
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00599468,?,005AFB84,?), ref: 0058A0A9

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: c53543a3a1f2c33ad840f151152191403ae110538bcb208c93329201ca68860e
Instruction ID: b15b53348b9ecfb410da224ff381d2f72f3074b5a24b04072037c067738c9a5e
Opcode Fuzzy Hash: c53543a3a1f2c33ad840f151152191403ae110538bcb208c93329201ca68860e
Instruction Fuzzy Hash: 3FF0823520522DABDB21AFA4DC4CFEA7B6CBF09362F004166FD09D6181D670A944CBA1

Function 005ACA7C Relevance: 3.0, APIs: 2, Instructions: 23nativeCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 005ACA84
NtdllDialogWndProc_W.NTDLL(?,00000084,00000000,?,?,0055B995,?,?,?,?), ref: 005ACAB2

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: f56669431df711dcbcdd708ebd8d5217f65e453ad55b40ed7d58235294f8322a
Instruction ID: e80e0fbb30b592f74eb253501f3de8cb5cca98563f1c0b9d8d1083707e6ca01f
Opcode Fuzzy Hash: f56669431df711dcbcdd708ebd8d5217f65e453ad55b40ed7d58235294f8322a
Instruction Fuzzy Hash: 7DE04F70100218BBEB149F19DC0AFBE3F54EB15751F408515F99ADA1E1C6709850A760

Function 005781CB Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00578309), ref: 005781E0
CloseHandle.KERNEL32(?,?,00578309), ref: 005781F2

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: e3172261e2341c494475091f1e0cfefc45cbda37e7d211fa887b560b4deebf2d
Instruction ID: bc386e02eddb5467a5b456da051c7ac4d61297562eedac31e6d0d90e9c410ee6
Opcode Fuzzy Hash: e3172261e2341c494475091f1e0cfefc45cbda37e7d211fa887b560b4deebf2d
Instruction Fuzzy Hash: 54E04632010611AEEB252B61EC08DB37BAEFB00315720882DB9A680470CB32ACA0EB10

Function 0054A155 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,005B4178,00548D57,t of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.,?,?,00000001), ref: 0054A15A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0054A163

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 0feb659e9b18759ae865a81d7c8ab1623b8605372ecfb6b392db81076a50edc9
Instruction ID: 3a307619dc7671e9401d9b8149ab201a6a0271077954b8a0373a322e33299833
Opcode Fuzzy Hash: 0feb659e9b18759ae865a81d7c8ab1623b8605372ecfb6b392db81076a50edc9
Instruction Fuzzy Hash: C3B09231054208ABCF002BD1EC59B883F68EB56AA2F404422F60D84060CBA25454AB91

Function 0054F1D9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3b905179bdc57511ed456642295ac6d2d980706ec008e17b061f6fdc6e9862c
Instruction ID: bc50c6a9a2b6976438711b65d59772aa151d8e97597e74357450a1619773639f
Opcode Fuzzy Hash: d3b905179bdc57511ed456642295ac6d2d980706ec008e17b061f6fdc6e9862c
Instruction Fuzzy Hash: 78320231D29F054DDB639638D872336A688BFB73C8F15D737E819B59A6EB28D4835200

Function 0055242E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9906c11176c6614517ee8d2050b86b1769b0f371f956182c10398a18b0f04296
Instruction ID: 5387973fbb49cc4f3f0cf71b8ca8f4c76c939bbd32fb943986bc2e9d1ea560c4
Opcode Fuzzy Hash: 9906c11176c6614517ee8d2050b86b1769b0f371f956182c10398a18b0f04296
Instruction Fuzzy Hash: 31B11F20E2AF404DD76396388831336BA9CAFBB2C5F52D71BFC2674D22EB2195875241

Function 005AD78C Relevance: 1.6, APIs: 1, Instructions: 66nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00522612: GetWindowLongW.USER32(?,000000EB), ref: 00522623

NtdllDialogWndProc_W.NTDLL(?,00000112,?,00000000), ref: 005AD838

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 5b03bce31799f8cbcb7e1c0dec5e12294c417262455333e0df24c834d762623b
Instruction ID: 29c600037023f1526265136324d316236aba0ca9f3865e1ed31d121d475ddb80
Opcode Fuzzy Hash: 5b03bce31799f8cbcb7e1c0dec5e12294c417262455333e0df24c834d762623b
Instruction Fuzzy Hash: A3110834204256ABEB296A2CCC49F7E3F64F743B20F204714F9535A9D2CA649D0093B0

Function 005AD3B8 Relevance: 1.5, APIs: 1, Instructions: 47nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 005225DB: GetWindowLongW.USER32(?,000000EB), ref: 005225EC

NtdllDialogWndProc_W.NTDLL(?,00000115,?,?,?,?,?,?,0055B952,?,?,?,?,00000000,?), ref: 005AD432

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 04b134d99153b95e7d3243a9dea1ba1497f60c9f7b37ec4c8ab48f429920e581
Instruction ID: b601014c680e61e1c4780243b241893158c176a148af16090d09a03bfccd7180
Opcode Fuzzy Hash: 04b134d99153b95e7d3243a9dea1ba1497f60c9f7b37ec4c8ab48f429920e581
Instruction Fuzzy Hash: 1601F535600114AFDF14AE25D849AAD3FA2FF4B325F444125F9471B592C370BC1197B0

Function 0052189B Relevance: 1.5, APIs: 1, Instructions: 29nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00522612: GetWindowLongW.USER32(?,000000EB), ref: 00522623

NtdllDialogWndProc_W.NTDLL(?,00000006,00000000,?,?,?,00521B04,?,?,?,?,?), ref: 005218E2

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 0bf885cdee72932af9c301fc4df2aeb1c158ee9781e63f92200892c5cd13cbf3
Instruction ID: 84b36cf01361a314ed66d623693f30f931d5d87c9469e98f0847bcb7de159a7d
Opcode Fuzzy Hash: 0bf885cdee72932af9c301fc4df2aeb1c158ee9781e63f92200892c5cd13cbf3
Instruction Fuzzy Hash: D6F0BE34600669EFCB1CDF15E8909263BE2FB66350F504128F9924B2E1DB31D860EB50

Function 005AC8BE Relevance: 1.5, APIs: 1, Instructions: 24nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL(?,00000232,?,?), ref: 005AC8FE

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: 4316a6109bfd8afc4cb88d4546d0a6ac9870bf1e64a7aca8bcf160754c17b640
Instruction ID: 2506165dfc805fa98241dd621da20eadaaf98ba45af180d9f4e103506a8ecad4
Opcode Fuzzy Hash: 4316a6109bfd8afc4cb88d4546d0a6ac9870bf1e64a7aca8bcf160754c17b640
Instruction Fuzzy Hash: EEF06D35200295AFDB21DF58DC45FC63F95FB1A320F144018BA51672E2CB706820E7A0

Function 00584C53 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00584C76

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 1730f8cc40c00dff0f2fadfdb3a139439ed68e2fe6f2ed2bfd204b9ed465fb4b
Instruction ID: 70616d2f65b1b0fa9fe71b6d36260cf304d12b4fd5a75ccac8d1e5021544f359
Opcode Fuzzy Hash: 1730f8cc40c00dff0f2fadfdb3a139439ed68e2fe6f2ed2bfd204b9ed465fb4b
Instruction Fuzzy Hash: 57D05EA012220B39EE282B208D8FF7A190DF3C0781F84854E7E41B50C0E8D85C00AF34

Function 005787B1 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00578389), ref: 005787D1

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: e0932277dcf3688b5b1e02ec0b9cda0e5910fa1a31d6f2dea1018f4219741e07
Instruction ID: c7998952327f4d7745e8a901b13e0b47232c3be4fd3bf696554288d7555275a7
Opcode Fuzzy Hash: e0932277dcf3688b5b1e02ec0b9cda0e5910fa1a31d6f2dea1018f4219741e07
Instruction Fuzzy Hash: C6D05E322A050EABEF018EA4DC05EAE3B69EB04B01F408111FE16C50A1C775D835AB60

Function 005AC909 Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL(?,00000053,?,?,?,0055B9BC,?,?,?,?,?,?), ref: 005AC934

Part of subcall function 005AB635: _memset.LIBCMT ref: 005AB644
Part of subcall function 005AB635: _memset.LIBCMT ref: 005AB653
Part of subcall function 005AB635: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,005E6F20,005E6F64), ref: 005AB682
Part of subcall function 005AB635: CloseHandle.KERNEL32 ref: 005AB694

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: _memset$CloseCreateDialogHandleNtdllProc_Process
String ID:
API String ID: 2364484715-0
Opcode ID: 183bbc138f6c6f0ce35aed045046b951e69c97f1aab6c210f5bb5941f3e98484
Instruction ID: f18e004a8866afed36a0d94ae7e4634bca4acfa197b67bd19f70ed8525e2bef2
Opcode Fuzzy Hash: 183bbc138f6c6f0ce35aed045046b951e69c97f1aab6c210f5bb5941f3e98484
Instruction Fuzzy Hash: A7E0B635110209EFCB11AF54ED55E9A3FB5FB1D715F018055FA065B2B2C731A960EF90

Function 0052167D Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00522612: GetWindowLongW.USER32(?,000000EB), ref: 00522623

NtdllDialogWndProc_W.NTDLL(?,00000007,?,00000000,00000000,?,?,?,00521AEE,?,?,?), ref: 005216AB

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: de5e0a60262c7397befd1bdeca6f33960bd2b982fb2dab85245b9c7747688614
Instruction ID: 857512d3bbaab4b51a965525b45b847fd8e6eee9f61133e1188249b9723e6165
Opcode Fuzzy Hash: de5e0a60262c7397befd1bdeca6f33960bd2b982fb2dab85245b9c7747688614
Instruction Fuzzy Hash: F1E0EC35500218FBCF19AF91EC55E643F26FF99354F508418FA850A2A2CA72A921EB50

Function 005AC860 Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL ref: 005AC885

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: 78e2951c09ac6962e31d318e3176b9806a6e4fb9846b60a3ce426342b2602eaf
Instruction ID: 3d6aedb66a27d7ac26541712832ab6398c4b168a7ca8484f31a030de1157004c
Opcode Fuzzy Hash: 78e2951c09ac6962e31d318e3176b9806a6e4fb9846b60a3ce426342b2602eaf
Instruction Fuzzy Hash: 3FE0E235204248EFCB01DF88E884E863BA5AB2D300F004054FA054B262C771A820EBA1

Function 005AC88F Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL ref: 005AC8B4

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: 287761c0230bceb3032bbbce0ee4471d734a76cfb021e71d2c17357e059cc48e
Instruction ID: c403d6dc6979ecb7a18d2c23fe804d98aed4ee4f9ff46cf3a34288aefaafb89f
Opcode Fuzzy Hash: 287761c0230bceb3032bbbce0ee4471d734a76cfb021e71d2c17357e059cc48e
Instruction Fuzzy Hash: 04E0E235200248EFCB01DF88E984D863BA5AB2D300F004054FA054B262C771A824EBA1

Function 005216B5 Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00522612: GetWindowLongW.USER32(?,000000EB), ref: 00522623

Part of subcall function 0052201B: DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 005220D3
Part of subcall function 0052201B: KillTimer.USER32(-00000001,?,?,?,?,005216CB,00000000,?,?,00521AE2,?,?), ref: 0052216E

NtdllDialogWndProc_W.NTDLL(?,00000002,00000000,00000000,00000000,?,?,00521AE2,?,?), ref: 005216D4

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Window$DestroyDialogKillLongNtdllProc_Timer
String ID:
API String ID: 2797419724-0
Opcode ID: 90479eef3df0e1eb02a2e6eea9e591ca1a4f717c6add4697b95fc7b5e46aa619
Instruction ID: 6c30ffe4bf84af5a2d0a3a58ae3a7978f390e2288b6bcedd66af0f2504637465
Opcode Fuzzy Hash: 90479eef3df0e1eb02a2e6eea9e591ca1a4f717c6add4697b95fc7b5e46aa619
Instruction Fuzzy Hash: 0BD01235140318B7DE202FA2EC1FF493E1AEF59750F408020BA04291D3CAB16820B598

Function 0054A124 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 0054A12A

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 71b0fe2453631d2489a609eb8ba3b08fe3b98062630b84f48b7e2c1c824b2ade
Instruction ID: 9a8aa46c83182d253f6bb61d6a5a35d1e4889da47f0b960f9f52db9211680a3a
Opcode Fuzzy Hash: 71b0fe2453631d2489a609eb8ba3b08fe3b98062630b84f48b7e2c1c824b2ade
Instruction Fuzzy Hash: 00A0113000020CAB8F002B82EC08888BFACEA022A0B008022F80C800228B32A820AA80

Function 00538808 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc47a16ce597f1e286f55862b55d76b1b6bbab2a72c246a5e7e73c127d165436
Instruction ID: 314f91d36d8e7b7345692bfb9027115503a6944b5e4bbc6de0d7b5518328fbbd
Opcode Fuzzy Hash: dc47a16ce597f1e286f55862b55d76b1b6bbab2a72c246a5e7e73c127d165436
Instruction Fuzzy Hash: D1226731504306CBDF3C8A24D494B7CBFA1FB01314F68886BF99A8B592EBB09D81E751

Function 005421C5 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: e4059703fb47d69df059d79aab8a45f8a2f3636fc346850a95f7063735d3f9f6
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: D9C1B7722094A309DF2D463A84341BEFFA17EA27B975A076DE4B3CF0D4EE10C965D620

Function 005425FA Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: fd5c3defddaa772ad3d6b34977603b855aa6da0416b8542a8da4bc4a81a4b1ff
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 6CC1B2722051A30ADF2D463AC4340BEFEA17EA27F575A076DE4B3DB0D4EE20C964D620

Function 00541978 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: e1e2546bbea8450795ef1c1910cbe97db2568aab96fb54a681b587d11ea09f07
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 9EC1C37220589309DF2D463AC4740BEBFA17EA27B931A076DD4B3CB1C4FE20C9A4D624

Function 0119F958 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700242548.000000000119C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0119C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_119c000_LMxd0gpIxe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: e69ff6cea54467d0c00b56276f45642c58dfeb74aece48a966d81bb5470fe841
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: E641D371D1051CEBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB80

Function 0119F848 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700242548.000000000119C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0119C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_119c000_LMxd0gpIxe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: 6d05d0e068537c0737889493224e69f8fdfe480197b3fec4e5b779d5f93836b3
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: 00014474A11109EFCB58DF98C5909AEFBB5FB48310F208599D81997745D730AE52DB80

Function 0119F7E8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700242548.000000000119C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0119C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_119c000_LMxd0gpIxe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: 82dab3d30af94d073f6e2e5b1d925f10e3adef4882242b12d1079a0d13037186
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: 5C018478A01109EFCB48DF98C5909AEFBB5FB48310F208599D81597741D730AE42DB80

Function 0119E1B8 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1700242548.000000000119C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0119C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_119c000_LMxd0gpIxe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 00597806 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 0059785B
DeleteObject.GDI32(00000000), ref: 0059786D
DestroyWindow.USER32 ref: 0059787B
GetDesktopWindow.USER32 ref: 00597895
GetWindowRect.USER32(00000000), ref: 0059789C
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 005979DD
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 005979ED
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00597A35
GetClientRect.USER32(00000000,?), ref: 00597A41
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00597A7B
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00597A9D
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00597AB0
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00597ABB
GlobalLock.KERNEL32(00000000), ref: 00597AC4
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00597AD3
GlobalUnlock.KERNEL32(00000000), ref: 00597ADC
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00597AE3
GlobalFree.KERNEL32(00000000), ref: 00597AEE
CreateStreamOnHGlobal.COMBASE(00000000,00000001,88C00000), ref: 00597B00
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,005B2CAC,00000000), ref: 00597B16
GlobalFree.KERNEL32(00000000), ref: 00597B26
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00597B4C
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00597B6B
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00597B8D
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00597D7A

Strings

, xrefs: 00597D00
DISPLAY, xrefs: 00597BDD
AutoIt v3, xrefs: 00597A2D
static, xrefs: 00597A75, 00597BCC

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: b446930cb7440ff12b52caec804061e70a1c0e7c9d6b46bcaf79e3263e2227de
Instruction ID: 3256243d692e19a16aa55973c86d643d90abd604beb13bdb0325275db67bdd59
Opcode Fuzzy Hash: b446930cb7440ff12b52caec804061e70a1c0e7c9d6b46bcaf79e3263e2227de
Instruction Fuzzy Hash: 45026775910219AFDB14DFA4DC89EAE7FB9FF49310F048169F905AB2A1CB30AD05DB60

Function 005A356B Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,005AF910), ref: 005A3627
IsWindowVisible.USER32(?), ref: 005A364B

Strings

HIDEDROPDOWN, xrefs: 005A3700
GETCURRENTSELECTION, xrefs: 005A37E3
ISENABLED, xrefs: 005A366B
DELSTRING, xrefs: 005A3749
GETLINECOUNT, xrefs: 005A38C6
UNCHECK, xrefs: 005A3883
ISCHECKED, xrefs: 005A3839
GETLINE, xrefs: 005A399B
SENDCOMMANDID, xrefs: 005A39DA
TABRIGHT, xrefs: 005A369D
GETSELECTED, xrefs: 005A38A3
GETCURRENTLINE, xrefs: 005A38ED
ISVISIBLE, xrefs: 005A3637
SELECTSTRING, xrefs: 005A3806
GETCURRENTCOL, xrefs: 005A3928
CHECK, xrefs: 005A386D
SETCURRENTSELECTION, xrefs: 005A37B6
TABLEFT, xrefs: 005A3687
EDITPASTE, xrefs: 005A395F
SHOWDROPDOWN, xrefs: 005A36E0
FINDSTRING, xrefs: 005A3776
CURRENTTAB, xrefs: 005A36BD
ADDSTRING, xrefs: 005A3716

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 7244f2d0e9452d9af330580135b8c8fb82f0c97e3e5d4a0b866b5f2f38aec2cd
Instruction ID: 041a7856e2be75a15c678cc10167159878415a694716770ef3fca28d5502d60e
Opcode Fuzzy Hash: 7244f2d0e9452d9af330580135b8c8fb82f0c97e3e5d4a0b866b5f2f38aec2cd
Instruction Fuzzy Hash: 95D171302043129BCB14EF14D459A6E7FE5BF96358F144859F88A5B3E2DB31DE4ACB81

Function 005AA5DA Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 005AA630
GetSysColorBrush.USER32(0000000F), ref: 005AA661
GetSysColor.USER32(0000000F), ref: 005AA66D
SetBkColor.GDI32(?,000000FF), ref: 005AA687
SelectObject.GDI32(?,00000000), ref: 005AA696
InflateRect.USER32(?,000000FF,000000FF), ref: 005AA6C1
GetSysColor.USER32(00000010), ref: 005AA6C9
CreateSolidBrush.GDI32(00000000), ref: 005AA6D0
FrameRect.USER32(?,?,00000000), ref: 005AA6DF
DeleteObject.GDI32(00000000), ref: 005AA6E6
InflateRect.USER32(?,000000FE,000000FE), ref: 005AA731
FillRect.USER32(?,?,00000000), ref: 005AA763
GetWindowLongW.USER32(?,000000F0), ref: 005AA78E

Part of subcall function 005AA8CA: GetSysColor.USER32(00000012), ref: 005AA903
Part of subcall function 005AA8CA: SetTextColor.GDI32(?,?), ref: 005AA907
Part of subcall function 005AA8CA: GetSysColorBrush.USER32(0000000F), ref: 005AA91D
Part of subcall function 005AA8CA: GetSysColor.USER32(0000000F), ref: 005AA928
Part of subcall function 005AA8CA: GetSysColor.USER32(00000011), ref: 005AA945
Part of subcall function 005AA8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 005AA953
Part of subcall function 005AA8CA: SelectObject.GDI32(?,00000000), ref: 005AA964
Part of subcall function 005AA8CA: SetBkColor.GDI32(?,00000000), ref: 005AA96D
Part of subcall function 005AA8CA: SelectObject.GDI32(?,?), ref: 005AA97A
Part of subcall function 005AA8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 005AA999
Part of subcall function 005AA8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 005AA9B0
Part of subcall function 005AA8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 005AA9C5
Part of subcall function 005AA8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 005AA9ED

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: ab8eb8e6cc2add9eb603c06ecb81d6d3fa30122d94528df0739dd43da0b9a9cd
Instruction ID: f1019debf8864956dccf73e3c815820f9af7cffd1492cb802e519387d4fe484b
Opcode Fuzzy Hash: ab8eb8e6cc2add9eb603c06ecb81d6d3fa30122d94528df0739dd43da0b9a9cd
Instruction Fuzzy Hash: 6B918D72408301FFC7109FA4DC08A5FBBA9FF8A321F100B29F9A2961A0D731D948DB52

Function 005974AB Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 005974DE
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0059759D
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 005975DB
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 005975ED
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00597633
GetClientRect.USER32(00000000,?), ref: 0059763F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00597683
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00597692
GetStockObject.GDI32(00000011), ref: 005976A2
SelectObject.GDI32(00000000,00000000), ref: 005976A6
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 005976B6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 005976BF
DeleteDC.GDI32(00000000), ref: 005976C8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 005976F4
SendMessageW.USER32(00000030,00000000,00000001), ref: 0059770B
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00597746
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0059775A
SendMessageW.USER32(00000404,00000001,00000000), ref: 0059776B
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 0059779B
GetStockObject.GDI32(00000011), ref: 005977A6
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 005977B1
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 005977BB

Strings

DISPLAY, xrefs: 00597688
AutoIt v3, xrefs: 0059762B
static, xrefs: 0059767D, 00597795
msctls_progress32, xrefs: 0059773C

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: b5afad3c39cabb445c7194c70ceb79bba21f3be7ef59042263150d51de419980
Instruction ID: 885bcfbde5309e47a562b136e23c7519cedd155749c53ed53890dfa4357e79f0
Opcode Fuzzy Hash: b5afad3c39cabb445c7194c70ceb79bba21f3be7ef59042263150d51de419980
Instruction Fuzzy Hash: 4FA19C71A00219BFEB14DBA4DC8AFAE7BB9FF09714F004115FA04AB2E0D670AD04DB64

Function 0058AD10 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0058AD1E
GetDriveTypeW.KERNEL32(?,005AFAC0,?,\\.\,005AF910), ref: 0058ADFB
SetErrorMode.KERNEL32(00000000,005AFAC0,?,\\.\,005AF910), ref: 0058AF59

Strings

SSD, xrefs: 0058AE86
RAID, xrefs: 0058AEF7
RAMDisk, xrefs: 0058AE25
FileBackedVirtual, xrefs: 0058AF28
1394, xrefs: 0058AEDB
iSCSI, xrefs: 0058AEFE
Removable, xrefs: 0058AE4D
Network, xrefs: 0058AE39
SATA, xrefs: 0058AF0C
SSA, xrefs: 0058AEE2
Virtual, xrefs: 0058AF21
USB, xrefs: 0058AEF0
Unknown, xrefs: 0058AE1B, 0058AEBF
SCSI, xrefs: 0058AEC6
PhysicalDrive, xrefs: 0058ADA7
MMC, xrefs: 0058AF1A
Fibre, xrefs: 0058AEE9
\\.\, xrefs: 0058AD70
ATA, xrefs: 0058AED4
ATAPI, xrefs: 0058AECD
SAS, xrefs: 0058AF05
Fixed, xrefs: 0058AE43
CDROM, xrefs: 0058AE2F

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: d8f5a081f988357b4c2a6b9c25b57c2753cdd444e5b5d04b5d963d0a6e234736
Instruction ID: 5c45f29b2daf725612b62c5b85dbd4a18377f0f76cdac0d26183bf20556ff7e5
Opcode Fuzzy Hash: d8f5a081f988357b4c2a6b9c25b57c2753cdd444e5b5d04b5d963d0a6e234736
Instruction Fuzzy Hash: F851A3B8644206ABAB20FB54C986CBD7FA0FF49710B244857ED07B73D0EA709D41EB42

Function 005268DC Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00526931
__wcsnicmp.LIBCMT ref: 00526949
__wcsnicmp.LIBCMT ref: 00526961
__wcsnicmp.LIBCMT ref: 00526979
__wcsnicmp.LIBCMT ref: 00526991
__wcsnicmp.LIBCMT ref: 005269A9
__wcsnicmp.LIBCMT ref: 005269C1
__wcsnicmp.LIBCMT ref: 005269D5
__wcsnicmp.LIBCMT ref: 00526A16
__wcsnicmp.LIBCMT ref: 00526A2A
__wcsnicmp.LIBCMT ref: 00526A3E
__wcsnicmp.LIBCMT ref: 00526A52

Strings

#include, xrefs: 005269A3
#pragma compile, xrefs: 0052692B
#OnAutoItStartRegister, xrefs: 00526973
#requireadmin, xrefs: 0052695B
#notrayicon, xrefs: 00526943
Cannot parse #include, xrefs: 0055E3F0
#include-once, xrefs: 0052698B
#comments-start, xrefs: 005269BB, 00526A10
Unterminated group of comments, xrefs: 0055E403
#cs, xrefs: 005269CF, 00526A24
#ce, xrefs: 00526A4C
Bad directive syntax error, xrefs: 0055E31A
#comments-end, xrefs: 00526A38

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 61fced25035d64b2280b703818c95f88a87ccc9dd32e38f52e44826a9a24e831
Instruction ID: 17c1b7b755a1b86a19e1f5084862d32de6d6be70d9dc0e996196fa2aa06f0bf7
Opcode Fuzzy Hash: 61fced25035d64b2280b703818c95f88a87ccc9dd32e38f52e44826a9a24e831
Instruction Fuzzy Hash: 5C8127B0600226AACF25AB60FC57FAE3F68FF46704F044025FD456A1D6EB71EE45C261

Function 00522C18 Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00522CA2
DeleteObject.GDI32(00000000), ref: 00522CE8
DeleteObject.GDI32(00000000), ref: 00522CF3
DestroyCursor.USER32(00000000), ref: 00522CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00522D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 0055C43B
6F550200.COMCTL32(?,000000FF,?), ref: 0055C474
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0055C89D

Part of subcall function 00521B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00522036,?,00000000,?,?,?,?,005216CB,00000000,?), ref: 00521B9A

SendMessageW.USER32(?,00001053), ref: 0055C8DA
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0055C8F1

Strings

0, xrefs: 0055C731

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: DestroyMessageSendWindow$DeleteObject$CursorF550200InvalidateMoveRect
String ID: 0
API String ID: 2586706302-4108050209
Opcode ID: 98f7eccf9e9bdf95b59780eecf6f5ee5965dfca762ed597696c4966fd9466c13
Instruction ID: f00e028a6f410988a299ef94643b0bd78cfebcab90beaca7f9098883219dd743
Opcode Fuzzy Hash: 98f7eccf9e9bdf95b59780eecf6f5ee5965dfca762ed597696c4966fd9466c13
Instruction Fuzzy Hash: 90129E34504211EFDB10CF24D898BA9BFE1FF4A312F54456AE885DB6A2C731EC4ADB91

Function 005AA8CA Relevance: 39.2, APIs: 26, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 005AA903
SetTextColor.GDI32(?,?), ref: 005AA907
GetSysColorBrush.USER32(0000000F), ref: 005AA91D
GetSysColor.USER32(0000000F), ref: 005AA928
CreateSolidBrush.GDI32(?), ref: 005AA92D
GetSysColor.USER32(00000011), ref: 005AA945
CreatePen.GDI32(00000000,00000001,00743C00), ref: 005AA953
SelectObject.GDI32(?,00000000), ref: 005AA964
SetBkColor.GDI32(?,00000000), ref: 005AA96D
SelectObject.GDI32(?,?), ref: 005AA97A
InflateRect.USER32(?,000000FF,000000FF), ref: 005AA999
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 005AA9B0
GetWindowLongW.USER32(00000000,000000F0), ref: 005AA9C5
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 005AA9ED
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 005AAA14
InflateRect.USER32(?,000000FD,000000FD), ref: 005AAA32
DrawFocusRect.USER32(?,?), ref: 005AAA3D
GetSysColor.USER32(00000011), ref: 005AAA4B
SetTextColor.GDI32(?,00000000), ref: 005AAA53
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 005AAA67
SelectObject.GDI32(?,005AA5FA), ref: 005AAA7E
DeleteObject.GDI32(?), ref: 005AAA89
SelectObject.GDI32(?,?), ref: 005AAA8F
DeleteObject.GDI32(?), ref: 005AAA94
SetTextColor.GDI32(?,?), ref: 005AAA9A
SetBkColor.GDI32(?,?), ref: 005AAAA4

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 806c70f292efe176e8329fd7454b7e6e55d6ee1f772a7c92348bedf0996ebfba
Instruction ID: d21644c7261e7d767881a56424440afe342e29b6ba329bd8d6b6ecf1fc460f50
Opcode Fuzzy Hash: 806c70f292efe176e8329fd7454b7e6e55d6ee1f772a7c92348bedf0996ebfba
Instruction Fuzzy Hash: 95511B71900208EFDB119FA4DC48EAEBBB9FB4A320F114625FA11AB2A1D7759944DB90

Function 005A89D5 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 005A8AC1
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 005A8AD2
CharNextW.USER32(0000014E), ref: 005A8B01
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 005A8B42
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 005A8B58
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 005A8B69
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 005A8B86
SetWindowTextW.USER32(?,0000014E), ref: 005A8BD8
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 005A8BEE
SendMessageW.USER32(?,00001002,00000000,?), ref: 005A8C1F
_memset.LIBCMT ref: 005A8C44
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 005A8C8D
_memset.LIBCMT ref: 005A8CEC
SendMessageW.USER32(?,00001053,000000FF,?), ref: 005A8D16
SendMessageW.USER32(?,00001074,?,00000001), ref: 005A8D6E
SendMessageW.USER32(?,0000133D,?,?), ref: 005A8E1B
InvalidateRect.USER32(?,00000000,00000001), ref: 005A8E3D
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 005A8E87
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 005A8EB4
DrawMenuBar.USER32(?), ref: 005A8EC3
SetWindowTextW.USER32(?,0000014E), ref: 005A8EEB

Strings

0, xrefs: 005A8E55

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 1cbd7281c3e18f58957105c6784425f858359bbe22712cc47bf7d7f82d80d07d
Instruction ID: 49c0c40b66ab40ff8c7a380dcb0a7b6e461769ff0b82c0a35d4aff90f267644b
Opcode Fuzzy Hash: 1cbd7281c3e18f58957105c6784425f858359bbe22712cc47bf7d7f82d80d07d
Instruction Fuzzy Hash: 20E15E70900219AFDB209F60CC88EFE7FB9FF4A720F148156F915AA291DB749984DF60

Function 005A488F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 005A49CA
GetDesktopWindow.USER32 ref: 005A49DF
GetWindowRect.USER32(00000000), ref: 005A49E6
GetWindowLongW.USER32(?,000000F0), ref: 005A4A48
DestroyWindow.USER32(?), ref: 005A4A74
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 005A4A9D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 005A4ABB
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 005A4AE1
SendMessageW.USER32(?,00000421,?,?), ref: 005A4AF6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 005A4B09
IsWindowVisible.USER32(?), ref: 005A4B29
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 005A4B44
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 005A4B58
GetWindowRect.USER32(?,?), ref: 005A4B70
MonitorFromPoint.USER32(?,?,00000002), ref: 005A4B96
GetMonitorInfoW.USER32(00000000,?), ref: 005A4BB0
CopyRect.USER32(?,?), ref: 005A4BC7
SendMessageW.USER32(?,00000412,00000000), ref: 005A4C32

Strings

(, xrefs: 005A4BA3
tooltips_class32, xrefs: 005A4A96
0, xrefs: 005A4975

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 76cc17e3cfc4dc33a0d4e3330bcd9deaf284b496942d1fdfd87f3319ab834982
Instruction ID: 209f79d19a697afe975315c08383706fc4a9c5b2e0efd297f206e9031b687206
Opcode Fuzzy Hash: 76cc17e3cfc4dc33a0d4e3330bcd9deaf284b496942d1fdfd87f3319ab834982
Instruction Fuzzy Hash: 15B17A71608351AFDB04DFA4D848B6EBBE5BF8A310F008918F5999B2A1D7B0EC05CF95

Function 005227D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 005228BC
GetSystemMetrics.USER32(00000007), ref: 005228C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 005228EF
GetSystemMetrics.USER32(00000008), ref: 005228F7
GetSystemMetrics.USER32(00000004), ref: 0052291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00522939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00522949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0052297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00522990
GetClientRect.USER32(00000000,000000FF), ref: 005229AE
GetStockObject.GDI32(00000011), ref: 005229CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 005229D5

Part of subcall function 00522344: GetCursorPos.USER32(?), ref: 00522357
Part of subcall function 00522344: ScreenToClient.USER32(005E57B0,?), ref: 00522374
Part of subcall function 00522344: GetAsyncKeyState.USER32(00000001), ref: 00522399
Part of subcall function 00522344: GetAsyncKeyState.USER32(00000002), ref: 005223A7

SetTimer.USER32(00000000,00000000,00000028,00521256), ref: 005229FC

Strings

AutoIt v3 GUI, xrefs: 00522974

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 5ff1c99ab07f45066c907d06e1a51c1f262304e2d04c15a0e150da301df660d1
Instruction ID: 55703e308f3b719a3d91ba0c7df16f9feed0cd97429f1176901b69bafabe7a39
Opcode Fuzzy Hash: 5ff1c99ab07f45066c907d06e1a51c1f262304e2d04c15a0e150da301df660d1
Instruction Fuzzy Hash: 38B1AE75A0021AEFDB14DFA8DC89BAD7FA4FF19315F104229FA15A72E0DB709844DB50

Function 0055A8CB Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 211COMMONLIBRARYCODE

Download Yara Rule

APIs

_copy_environ.LIBCMT ref: 0055A92B
___wtomb_environ.LIBCMT ref: 0055A94D

Part of subcall function 00548B28: __getptd_noexit.LIBCMT ref: 00548B28

__malloc_crt.LIBCMT ref: 0055A975
__malloc_crt.LIBCMT ref: 0055A992
_free.LIBCMT ref: 0055A9C9
__recalloc_crt.LIBCMT ref: 0055AA02
__recalloc_crt.LIBCMT ref: 0055AA47
_strlen.LIBCMT ref: 0055AA73
__calloc_crt.LIBCMT ref: 0055AA7D
_strlen.LIBCMT ref: 0055AA8C
SetEnvironmentVariableA.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000), ref: 0055AABA
_free.LIBCMT ref: 0055AAD4
_free.LIBCMT ref: 0055AAE1
_free.LIBCMT ref: 0055AAF3
__invoke_watson.LIBCMT ref: 0055AB0D

Strings

{nT, xrefs: 0055AAAD
{nT, xrefs: 0055A932

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: _free$__malloc_crt__recalloc_crt_strlen$EnvironmentVariable___wtomb_environ__calloc_crt__getptd_noexit__invoke_watson_copy_environ
String ID: {nT${nT
API String ID: 884005220-1826762898
Opcode ID: 11ff670d14cb6ca50e957224486fa8866230a22e2c6de296eb0b063099a5c813
Instruction ID: 52a9bca3170aa09a30d94a37ae51429bf3d4f08df83db3b4099c4b8537da0ffc
Opcode Fuzzy Hash: 11ff670d14cb6ca50e957224486fa8866230a22e2c6de296eb0b063099a5c813
Instruction Fuzzy Hash: E8610472900222AFDB245F24DC597AD7FB4FF90326F21471BEC41AB191EB349949CB92

Function 0057A439 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0057A47A
__swprintf.LIBCMT ref: 0057A51B
_wcscmp.LIBCMT ref: 0057A52E
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0057A583
_wcscmp.LIBCMT ref: 0057A5BF
GetClassNameW.USER32(?,?,00000400), ref: 0057A5F6
GetDlgCtrlID.USER32(?), ref: 0057A648
GetWindowRect.USER32(?,?), ref: 0057A67E
GetParent.USER32(?), ref: 0057A69C
ScreenToClient.USER32(00000000), ref: 0057A6A3
GetClassNameW.USER32(?,?,00000100), ref: 0057A71D
_wcscmp.LIBCMT ref: 0057A731
GetWindowTextW.USER32(?,?,00000400), ref: 0057A757
_wcscmp.LIBCMT ref: 0057A76B

Part of subcall function 0054362C: _iswctype.LIBCMT ref: 00543634

Strings

%s%u, xrefs: 0057A515

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 5f42c0919d992be74b205f7ae146024b74ff3f6708a84ef7e137fb64f4ec57a7
Instruction ID: 16deebe273df3b46a13b5eb081cca27aef81e92b62641f8df618d1385a054c7e
Opcode Fuzzy Hash: 5f42c0919d992be74b205f7ae146024b74ff3f6708a84ef7e137fb64f4ec57a7
Instruction Fuzzy Hash: CCA1C331204607AFDB19DF64D888BAEBBE8FF84315F008529F99DD2190DB30E945DB92

Function 0057AED4 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 0057AF18
_wcscmp.LIBCMT ref: 0057AF29
GetWindowTextW.USER32(00000001,?,00000400), ref: 0057AF51
CharUpperBuffW.USER32(?,00000000), ref: 0057AF6E
_wcscmp.LIBCMT ref: 0057AF8C
_wcsstr.LIBCMT ref: 0057AF9D
GetClassNameW.USER32(00000018,?,00000400), ref: 0057AFD5
_wcscmp.LIBCMT ref: 0057AFE5
GetWindowTextW.USER32(00000002,?,00000400), ref: 0057B00C
GetClassNameW.USER32(00000018,?,00000400), ref: 0057B055
_wcscmp.LIBCMT ref: 0057B065
GetClassNameW.USER32(00000010,?,00000400), ref: 0057B08D
GetWindowRect.USER32(00000004,?), ref: 0057B0F6

Strings

@, xrefs: 0057AEF9
ThumbnailClass, xrefs: 0057AFE0, 0057B060

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 04da4a775bd1d5250819e546516bcbfb1504fa5aeaa9321c06b08760635c95dc
Instruction ID: e8a28fd46151d89127e2d69c758e6b0db4d2b84d8dcf54549078acbe9333903c
Opcode Fuzzy Hash: 04da4a775bd1d5250819e546516bcbfb1504fa5aeaa9321c06b08760635c95dc
Instruction Fuzzy Hash: 5F819F711082069FEB05DF14D889BAA7FE8FF94314F04C46AFD898A095DB34DD49DB61

Function 0057ABD4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0057AC33

Strings

[HANDLE:, xrefs: 0057AC3F
[LAST, xrefs: 0057ACE0
[CLASS:, xrefs: 0057AC83
HANDLE=, xrefs: 0057AC2C
REGEXP=, xrefs: 0057AC48
ACTIVE, xrefs: 0057AC0E
[ALL, xrefs: 0057ACD9
LAST, xrefs: 0057ABF8
[REGEXPTITLE:, xrefs: 0057AC5B
CLASSNAME=, xrefs: 0057AC70
[ACTIVE, xrefs: 0057AC20
ALL, xrefs: 0057ACC7

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 99ad973899e49c02dedd4b7a6e241f849605ba29ed4d3ed301b2037144c57a07
Instruction ID: 43517d8780ed38235c007264d4d0b737f14b5565c7e2c7dd5cf3758d3596ca1a
Opcode Fuzzy Hash: 99ad973899e49c02dedd4b7a6e241f849605ba29ed4d3ed301b2037144c57a07
Instruction Fuzzy Hash: 8D31D03194821EBADB20EA64ED0BEEE7F68BF99710F60441AF405711E1FB616F04D652

Function 00594FFD Relevance: 25.6, APIs: 17, Instructions: 110COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 00595013
LoadCursorW.USER32(00000000,00007F00), ref: 0059501E
LoadCursorW.USER32(00000000,00007F03), ref: 00595029
LoadCursorW.USER32(00000000,00007F8B), ref: 00595034
LoadCursorW.USER32(00000000,00007F01), ref: 0059503F
LoadCursorW.USER32(00000000,00007F81), ref: 0059504A
LoadCursorW.USER32(00000000,00007F88), ref: 00595055
LoadCursorW.USER32(00000000,00007F80), ref: 00595060
LoadCursorW.USER32(00000000,00007F86), ref: 0059506B
LoadCursorW.USER32(00000000,00007F83), ref: 00595076
LoadCursorW.USER32(00000000,00007F85), ref: 00595081
LoadCursorW.USER32(00000000,00007F82), ref: 0059508C
LoadCursorW.USER32(00000000,00007F84), ref: 00595097
LoadCursorW.USER32(00000000,00007F04), ref: 005950A2
LoadCursorW.USER32(00000000,00007F02), ref: 005950AD
LoadCursorW.USER32(00000000,00007F89), ref: 005950B8
GetCursorInfo.USER32(?), ref: 005950C8

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: 114971032146c6b394b6362e16547d9d5b5e159db0e474708b8b6173fe456e1e
Instruction ID: 3eee51cdcd308bc944f0c6d505540c831e081817b73025fcecc825d264335eb4
Opcode Fuzzy Hash: 114971032146c6b394b6362e16547d9d5b5e159db0e474708b8b6173fe456e1e
Instruction Fuzzy Hash: 6531F4B1D4831A6ADF109FB68C8995EBFE8FF04750F50453AE54DE7280EA786504CF91

Function 005AA1B9 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005AA259
DestroyWindow.USER32(?,?), ref: 005AA2D3

Part of subcall function 00527BCC: _memmove.LIBCMT ref: 00527C06

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 005AA34D
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 005AA36F
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 005AA382
DestroyWindow.USER32(00000000), ref: 005AA3A4
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00520000,00000000), ref: 005AA3DB
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 005AA3F4
GetDesktopWindow.USER32 ref: 005AA40D
GetWindowRect.USER32(00000000), ref: 005AA414
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 005AA42C
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 005AA444

Part of subcall function 005225DB: GetWindowLongW.USER32(?,000000EB), ref: 005225EC

Strings

tooltips_class32, xrefs: 005AA346, 005AA3D4
0, xrefs: 005AA26F

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: dcf753e95404e01d0d08261883746803462a4989a4be7217f8d39abbb213a932
Instruction ID: 7243ffaa9d6e52ef286e4604c97ca5121ce4d2aa1cff88eb94dbe9a9f0c7611c
Opcode Fuzzy Hash: dcf753e95404e01d0d08261883746803462a4989a4be7217f8d39abbb213a932
Instruction Fuzzy Hash: 6371CF71140245AFDB25CF28CC49F6A7BE6FB9E304F04492DF9858B2A0E770E906DB52

Function 005A4392 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 005A4424
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 005A446F

Strings

EXPAND, xrefs: 005A4521
COLLAPSE, xrefs: 005A44B5
GETSELECTED, xrefs: 005A457F
SELECT, xrefs: 005A4620
CHECK, xrefs: 005A448F
GETTEXT, xrefs: 005A45C2
GETTOTALCOUNT, xrefs: 005A4456
UNCHECK, xrefs: 005A464B
ISCHECKED, xrefs: 005A45F2
EXISTS, xrefs: 005A44D8
GETITEMCOUNT, xrefs: 005A4551

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: bbc0c51aa94040c3edcdeed38f7805f8a8f5848c2e987d2ca01bf55ed8745151
Instruction ID: ed0bf2c0d549ad2734f09e8226d2ff0bcd30298dc0b0c8beb20960bbfd437784
Opcode Fuzzy Hash: bbc0c51aa94040c3edcdeed38f7805f8a8f5848c2e987d2ca01bf55ed8745151
Instruction Fuzzy Hash: F29179712043129BCB08EF60D455A6EBFE1BFD6354F148869F8965B3A2CB70ED09CB91

Function 005AB7FE Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 005AB8B4
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,005A6B11,?), ref: 005AB910
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 005AB949
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 005AB98C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 005AB9C3
FreeLibrary.KERNEL32(?), ref: 005AB9CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 005AB9DF
DestroyCursor.USER32(?), ref: 005AB9EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 005ABA0B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 005ABA17

Part of subcall function 00542EFD: __wcsicmp_l.LIBCMT ref: 00542F86

Strings

.dll, xrefs: 005AB86D
.exe, xrefs: 005AB84A
.icl, xrefs: 005AB82A

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Load$Image$LibraryMessageSend$CursorDestroyExtractFreeIcon__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 3907162815-1154884017
Opcode ID: 88c26aa1ba96fbf7be92acb31b09922afbefff8cb8019ed2129560a122a9b930
Instruction ID: b9922f2316604494b025e814685c35332cee6e4928de846ac0e707b2ac0d16f0
Opcode Fuzzy Hash: 88c26aa1ba96fbf7be92acb31b09922afbefff8cb8019ed2129560a122a9b930
Instruction Fuzzy Hash: A361EB7190022ABEFB14DF64CC45BBE7BA8FF0A710F104516FA15D61C2DB749990DBA0

Function 0058A352 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00529837: __itow.LIBCMT ref: 00529862
Part of subcall function 00529837: __swprintf.LIBCMT ref: 005298AC

CharLowerBuffW.USER32(?,?), ref: 0058A3CB
GetDriveTypeW.KERNEL32 ref: 0058A418
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0058A460
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0058A497
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0058A4C5

Part of subcall function 00527BCC: _memmove.LIBCMT ref: 00527C06

Strings

wait, xrefs: 0058A482
set cd door , xrefs: 0058A466
open, xrefs: 0058A3F2
close cd wait, xrefs: 0058A4B0
open , xrefs: 0058A427
type cdaudio alias cd wait, xrefs: 0058A443
close, xrefs: 0058A3D1
closed, xrefs: 0058A3DF, 0058A3E8

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 4bf812f87fa71787e117d38c7b50885fe15bcc51fc7ccc30ab431477a77f1f22
Instruction ID: c07a4b8d146265556b37f47743011f3811db6e4f0dc2b7f261018402722d0984
Opcode Fuzzy Hash: 4bf812f87fa71787e117d38c7b50885fe15bcc51fc7ccc30ab431477a77f1f22
Instruction Fuzzy Hash: 68516D711043169FC700EF24D89596ABBE4FF99718F14486EF889673A1DB31ED09CB92

Function 0057F8AA Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,0055E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 0057F8DF
LoadStringW.USER32(00000000,?,0055E029,00000001), ref: 0057F8E8

Part of subcall function 00527DE1: _memmove.LIBCMT ref: 00527E22

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,0055E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 0057F90A
LoadStringW.USER32(00000000,?,0055E029,00000001), ref: 0057F90D
__swprintf.LIBCMT ref: 0057F95D
__swprintf.LIBCMT ref: 0057F96E
_wprintf.LIBCMT ref: 0057FA17
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0057FA2E

Strings

Error: , xrefs: 0057F9E5
Line %d:, xrefs: 0057F968
^ ERROR, xrefs: 0057F9C3
Line %d (File "%s"):, xrefs: 0057F957
%s (%d) : ==> %s: %s %s, xrefs: 0057FA12

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: 2399872ea7f02555611a53a6bf8463cff1896cf897856169d7a937beafdd9e7c
Instruction ID: 92202e55374f73ea10677c6cf3d6439690e42688b871794dab97be28e2239ba8
Opcode Fuzzy Hash: 2399872ea7f02555611a53a6bf8463cff1896cf897856169d7a937beafdd9e7c
Instruction Fuzzy Hash: ED413D7280451EAACF14FFE4ED8ADEE7B78BF99300F100065B509761A1EA316F49DB60

Function 00526A8C Relevance: 21.5, APIs: 4, Strings: 8, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00540957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00526B0C,?,00008000), ref: 00540973

Part of subcall function 00524750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00524743,?,?,005237AE,?), ref: 00524770

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00526BAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00526CFA

Part of subcall function 0052586D: _wcscpy.LIBCMT ref: 005258A5

Part of subcall function 0054363D: _iswctype.LIBCMT ref: 00543645

Strings

EA06, xrefs: 0055E452
>>>AUTOIT SCRIPT<<<, xrefs: 0055E496
AU3!, xrefs: 00526B61
/vR, xrefs: 0055E4ED, 0055E511
Error opening the file, xrefs: 0055E43D, 0055E4B8
Bad directive syntax error, xrefs: 0055E79D
Unterminated string, xrefs: 0055E7E4
#include depth exceeded. Make sure there are no recursive includes, xrefs: 0055E421

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$/vR$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-3104249712
Opcode ID: 31dc66eae2775b3e78f975a590d8978c3db0c06211e17248bfacf23aa4528483
Instruction ID: a12bc844026122a87a5856ac8edb6a31930c0e4ae3eaafd9bfadadbea3925316
Opcode Fuzzy Hash: 31dc66eae2775b3e78f975a590d8978c3db0c06211e17248bfacf23aa4528483
Instruction Fuzzy Hash: D70279301083529FC714EF24D8959AEBFE5BFDA354F10481EF889972A1EB30DA49CB52

Function 0058D899 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 0058DA10
_wcscat.LIBCMT ref: 0058DA28
_wcscat.LIBCMT ref: 0058DA3A
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0058DA4F
SetCurrentDirectoryW.KERNEL32(?), ref: 0058DA63
GetFileAttributesW.KERNEL32(?), ref: 0058DA7B
SetFileAttributesW.KERNEL32(?,00000000), ref: 0058DA95
SetCurrentDirectoryW.KERNEL32(?), ref: 0058DAA7

Strings

*.*, xrefs: 0058DAE6

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 29f2edb41552b7fa136145782703a854bdb6e4d949ffc45298b4cd69d85ce05b
Instruction ID: 2beffe319466679b906b6302fd85d24425e9712c0beee90b9e79a4b361292792
Opcode Fuzzy Hash: 29f2edb41552b7fa136145782703a854bdb6e4d949ffc45298b4cd69d85ce05b
Instruction Fuzzy Hash: 268161725042459FCB64EF64C845AAABBF4BF89314F184C2EFC89E7291E630D945CB62

Function 0059731A Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0059738F
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 0059739B
CreateCompatibleDC.GDI32(?), ref: 005973A7
SelectObject.GDI32(00000000,?), ref: 005973B4
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00597408
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00597444
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00597468
SelectObject.GDI32(00000006,?), ref: 00597470
DeleteObject.GDI32(?), ref: 00597479
DeleteDC.GDI32(00000006), ref: 00597480
ReleaseDC.USER32(00000000,?), ref: 0059748B

Strings

(, xrefs: 00597410

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 61b7f5fe50141cec2eb6b5120985cecfdb3a1fc407ae8a81aee59a1ebc347bcf
Instruction ID: f165bf2ab0bce77d9b6f664bee46c23d26ba4c9660621dc4d82017142a1d8549
Opcode Fuzzy Hash: 61b7f5fe50141cec2eb6b5120985cecfdb3a1fc407ae8a81aee59a1ebc347bcf
Instruction Fuzzy Hash: 8D513975904209EFCB14CFA8CC89EAEBBB9FF49310F14852EF95A97211C731A944DB50

Function 00582D36 Relevance: 19.7, APIs: 13, Instructions: 214windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00582D50
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00582DDD
GetMenuItemCount.USER32(005E5890), ref: 00582E66
DeleteMenu.USER32(005E5890,00000005,00000000,000000F5,?,?), ref: 00582EF6
DeleteMenu.USER32(005E5890,00000004,00000000), ref: 00582EFE
DeleteMenu.USER32(005E5890,00000006,00000000), ref: 00582F06
DeleteMenu.USER32(005E5890,00000003,00000000), ref: 00582F0E
GetMenuItemCount.USER32(005E5890), ref: 00582F16
SetMenuItemInfoW.USER32(005E5890,00000004,00000000,00000030), ref: 00582F4C
GetCursorPos.USER32(?), ref: 00582F56
SetForegroundWindow.USER32(00000000), ref: 00582F5F
TrackPopupMenuEx.USER32(005E5890,00000000,?,00000000,00000000,00000000), ref: 00582F72
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00582F7E

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: 20bb3f7bdd550840d5be90a7dfdcfc82ba19621405f116f91ac41e817899d418
Instruction ID: b8d22ed5ae36641d4c8bfafda6df93e3258d1273b122b3f8d61160152f47b2a8
Opcode Fuzzy Hash: 20bb3f7bdd550840d5be90a7dfdcfc82ba19621405f116f91ac41e817899d418
Instruction Fuzzy Hash: 23710770601206BFEB21AF54DC8AFAABF68FF45324F140216FA25BA1E1C7B15C50DB95

Function 005777DC Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00527BCC: _memmove.LIBCMT ref: 00527C06

_memset.LIBCMT ref: 0057786B
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 005778A0
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 005778BC
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 005778D8
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00577902
CLSIDFromString.COMBASE(?,?), ref: 0057792A
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00577935
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0057793A

Strings

\CLSID, xrefs: 00577822
SOFTWARE\Classes\, xrefs: 0057780C
\IPC$, xrefs: 00577882

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: 419a6e5339715c0a05bac3db0594a736a1cbc2d4a782f95e4ade3802a685d6a7
Instruction ID: 17913b7457300c286b095e2a944ec807f3f0ae4a6cbb83192515cc68fe10e2d3
Opcode Fuzzy Hash: 419a6e5339715c0a05bac3db0594a736a1cbc2d4a782f95e4ade3802a685d6a7
Instruction Fuzzy Hash: 2B41F97281462EAACB21EFA4EC59DEDBB78FF59710F40442AE905A21A1EA305D05DB90

Function 005A0E1A Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0059FDAD,?,?), ref: 005A0E31

Strings

HKU, xrefs: 005A0F43
HKLM, xrefs: 005A0EAF
HKEY_USERS, xrefs: 005A0F32
HKCU, xrefs: 005A0F21
HKCC, xrefs: 005A0EFF
HKCR, xrefs: 005A0ED9
HKEY_CURRENT_CONFIG, xrefs: 005A0EEE
HKEY_CURRENT_USER, xrefs: 005A0F10
HKEY_CLASSES_ROOT, xrefs: 005A0EC4
HKEY_LOCAL_MACHINE, xrefs: 005A0E9A

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 51d4b1c1d304ebeacb846a16bdc271812cd594cad0d9b5bc1b41cf315077099f
Instruction ID: 66c5959bbd3c6f688128eab30a5d0785e47a8bdc6da10e04950bfa31d6612a28
Opcode Fuzzy Hash: 51d4b1c1d304ebeacb846a16bdc271812cd594cad0d9b5bc1b41cf315077099f
Instruction Fuzzy Hash: CD416D3115024A8FCF20EF14D869AEE3FA4BF56344F141456FC552B2D2DB309D5ACBA0

Function 0057F7A1 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,0055E2A0,00000010,?,Bad directive syntax error,005AF910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 0057F7C2
LoadStringW.USER32(00000000,?,0055E2A0,00000010), ref: 0057F7C9

Part of subcall function 00527DE1: _memmove.LIBCMT ref: 00527E22

_wprintf.LIBCMT ref: 0057F7FC
__swprintf.LIBCMT ref: 0057F81E
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 0057F88D

Strings

Line %d:, xrefs: 0057F818
Line %d (File "%s"):, xrefs: 0057F833
Error: , xrefs: 0057F85B
%s (%d) : ==> %s.: %s %s, xrefs: 0057F7F7
., xrefs: 0057F873

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: 137924dce9b3113aa011b434696bed03f575f269a73f828a10adeaec2356b627
Instruction ID: 8f4321abef9280bb0a91e2ab5f3ac3ccb70eee8356ba43a5455bc34f4453947e
Opcode Fuzzy Hash: 137924dce9b3113aa011b434696bed03f575f269a73f828a10adeaec2356b627
Instruction Fuzzy Hash: 59216D3294021EABCF11EFA0DC4AEFE7F39BF19300F044466B509661A1EA719A18DB51

Function 005852C7 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00527BCC: _memmove.LIBCMT ref: 00527C06

Part of subcall function 00527924: _memmove.LIBCMT ref: 005279AD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00585330
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00585346
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00585357
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00585369
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0058537A

Strings

play PlayMe, xrefs: 00585375
play PlayMe wait, xrefs: 00585364
status PlayMe mode, xrefs: 0058532B
open , xrefs: 005852DF
alias PlayMe, xrefs: 00585309
close PlayMe, xrefs: 00585341, 0058536E

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: a3850df5b622c6a40f7763683af2c833d614efb2752a2e7474294949344ceb1c
Instruction ID: 6fcee9585e32d8cacbc0ceaeafc2562cc49efcddc7a80dffb479e52d8af7f8c1
Opcode Fuzzy Hash: a3850df5b622c6a40f7763683af2c833d614efb2752a2e7474294949344ceb1c
Instruction Fuzzy Hash: 78115E21A5022E79D720FA75DC4ADFF6E7CFFE6B50F00082AB801A21D1EEA05D45C6A0

Function 005846B7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000101,?), ref: 005846D2
gethostname.WS2_32(?,00000100), ref: 005846EC
gethostbyname.WS2_32(?), ref: 005846F9
_wcscpy.LIBCMT ref: 00584721
_memmove.LIBCMT ref: 00584734
inet_ntoa.WS2_32(?), ref: 0058473F
_strcat.LIBCMT ref: 0058474D
_wcscpy.LIBCMT ref: 00584764
WSACleanup.WS2_32 ref: 00584772
_wcscpy.LIBCMT ref: 00584780

Strings

0.0.0.0, xrefs: 0058471B

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 7584c9cd731c1ef66228508ad625d5f8fb83c94797f5c05d4c8ca4fe7f078145
Instruction ID: bcc72cd9e7bf3cf76b840f7d29ffeb0fe5a3cadd75eacfa65d7a448ec7f3d904
Opcode Fuzzy Hash: 7584c9cd731c1ef66228508ad625d5f8fb83c94797f5c05d4c8ca4fe7f078145
Instruction Fuzzy Hash: DD11D5319001166FCB24BB709C4AEEA7FBCFF52715F0401B6F945E60A1EF7499869B50

Function 00584F75 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00584F7A

Part of subcall function 0054049F: timeGetTime.WINMM(?,75C0B400,00530E7B), ref: 005404A3

Sleep.KERNEL32(0000000A), ref: 00584FA6
EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00584FCA
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00584FEC
SetActiveWindow.USER32 ref: 0058500B
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00585019
SendMessageW.USER32(00000010,00000000,00000000), ref: 00585038
Sleep.KERNEL32(000000FA), ref: 00585043
IsWindow.USER32 ref: 0058504F
EndDialog.USER32(00000000), ref: 00585060

Strings

BUTTON, xrefs: 00584FDE

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 9092abfcafcba58806325b15d93f0eef502748b782799d7a7a6708df94e4d253
Instruction ID: ffa22721884a5db56ec3e1cee17fae763711dcfec7e2635cb0a797c88795cf1e
Opcode Fuzzy Hash: 9092abfcafcba58806325b15d93f0eef502748b782799d7a7a6708df94e4d253
Instruction Fuzzy Hash: 16219274600B45AFE7146F60ECCCA363FA9FB75785B441029FA42962B1EB714D08EB61

Function 0058D58D Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00529837: __itow.LIBCMT ref: 00529862
Part of subcall function 00529837: __swprintf.LIBCMT ref: 005298AC

CoInitialize.OLE32(00000000), ref: 0058D5EA
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0058D67D
SHGetDesktopFolder.SHELL32(?), ref: 0058D691
CoCreateInstance.COMBASE(005B2D7C,00000000,00000001,005D8C1C,?), ref: 0058D6DD
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0058D74C
CoTaskMemFree.COMBASE(?), ref: 0058D7A4
_memset.LIBCMT ref: 0058D7E1
SHBrowseForFolderW.SHELL32(?), ref: 0058D81D
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0058D840
CoTaskMemFree.COMBASE(00000000), ref: 0058D847
CoTaskMemFree.COMBASE(00000000), ref: 0058D87E
CoUninitialize.COMBASE ref: 0058D880

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: ebd54ae403f3a2e620be3bfa49662ef1f7cbe22eee5f6d34637bfbe2b9da49f0
Instruction ID: 13ff002b9915697c59ff190a687883909e72e4c4372bdc4c9b1bdea50ca096ae
Opcode Fuzzy Hash: ebd54ae403f3a2e620be3bfa49662ef1f7cbe22eee5f6d34637bfbe2b9da49f0
Instruction Fuzzy Hash: 0BB1EC75A00119AFDB04DFA4D888DAEBBF9FF49314F148469E909EB261DB30ED45CB50

Function 0057C267 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 0057C283
GetWindowRect.USER32(00000000,?), ref: 0057C295
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0057C2F3
GetDlgItem.USER32(?,00000002), ref: 0057C2FE
GetWindowRect.USER32(00000000,?), ref: 0057C310
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0057C364
GetDlgItem.USER32(?,000003E9), ref: 0057C372
GetWindowRect.USER32(00000000,?), ref: 0057C383
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0057C3C6
GetDlgItem.USER32(?,000003EA), ref: 0057C3D4
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0057C3F1
InvalidateRect.USER32(?,00000000,00000001), ref: 0057C3FE

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 403eb39349cae5b7faabe8e83214ae170df0ccf13c907fd4ab790a136f3f50c1
Instruction ID: 5493bfe1f64930801864f5411834532026c5c5d64212f611def3d3a88134ea3f
Opcode Fuzzy Hash: 403eb39349cae5b7faabe8e83214ae170df0ccf13c907fd4ab790a136f3f50c1
Instruction Fuzzy Hash: B9514D71B00205ABDB18CFA9DD89AAEBBBAFB98311F14852DF51AD7290D7709D049B10

Function 005221A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 005225DB: GetWindowLongW.USER32(?,000000EB), ref: 005225EC

GetSysColor.USER32(0000000F), ref: 005221D3

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: b2904e7cb198a4eb21fb46bfa6f403f84ed2e7a1c9078acf1f3f9e0a20feca56
Instruction ID: ba16501cb0f89fbda8ab5c600d45ef11ec4478e6683f5d511513a6842a9ff0a7
Opcode Fuzzy Hash: b2904e7cb198a4eb21fb46bfa6f403f84ed2e7a1c9078acf1f3f9e0a20feca56
Instruction Fuzzy Hash: 22419039100150EADB255F68EC98BB93F66FF17321F184365FE659A1E1C7328C46EB21

Function 0058A8A7 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,005AF910), ref: 0058A90B
GetDriveTypeW.KERNEL32(00000061,005D89A0,00000061), ref: 0058A9D5
_wcscpy.LIBCMT ref: 0058A9FF

Strings

cdrom, xrefs: 0058A927
ramdisk, xrefs: 0058A97F
unknown, xrefs: 0058A996
removable, xrefs: 0058A93D
network, xrefs: 0058A969
fixed, xrefs: 0058A953
all, xrefs: 0058A911

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 15685862eca9d80360778a561a4fe9590587fd824ffd8de121ae33e9e65d955d
Instruction ID: 0ffc0a2a16a59dae38cd65251550c4d07f8af56812ef1e401c29e3b597fba130
Opcode Fuzzy Hash: 15685862eca9d80360778a561a4fe9590587fd824ffd8de121ae33e9e65d955d
Instruction Fuzzy Hash: 72518A311083029BD314EF14D896AAEBFA5FFC5704F14482EF999672E2DB319909CB93

Function 00529837 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00529862
__swprintf.LIBCMT ref: 005298AC
__i64tow.LIBCMT ref: 0055F5E6

Strings

True, xrefs: 0055F5A7
False, xrefs: 0055F5AE
0x%p, xrefs: 0055F5C8
%.15g, xrefs: 005298A6

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 984566b98ce338b908cc5e417fee27922e67b0816271537a2028dedb422a0cf1
Instruction ID: 111cb684d52535c49ca798f1a0a4f275674378d22df452871c124798afe42905
Opcode Fuzzy Hash: 984566b98ce338b908cc5e417fee27922e67b0816271537a2028dedb422a0cf1
Instruction Fuzzy Hash: 1541B571900216AFDB24DF34E85AAB67FE8FF46304F24486FE949D72D1FA3199458B10

Function 005A7152 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005A716A
CreateMenu.USER32 ref: 005A7185
SetMenu.USER32(?,00000000), ref: 005A7194
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 005A7221
IsMenu.USER32(?), ref: 005A7237
CreatePopupMenu.USER32 ref: 005A7241
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 005A726E
DrawMenuBar.USER32 ref: 005A7276

Strings

F, xrefs: 005A7262
0, xrefs: 005A7160

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: a91d2e5536abf36528611632a109c28d71734e40361a74d2d898d2c8ede4e1d5
Instruction ID: fbc6ccb39c13c58c2edf9451b96a07aac53c34b9bdc02cc36327c8ffc47d81b5
Opcode Fuzzy Hash: a91d2e5536abf36528611632a109c28d71734e40361a74d2d898d2c8ede4e1d5
Instruction Fuzzy Hash: 05412378A01209EFDB20DFA4D988B9ABBB5FF5E310F144028F945A7361D731A914DBA0

Function 005A74BB Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 005A755E
CreateCompatibleDC.GDI32(00000000), ref: 005A7565
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 005A7578
SelectObject.GDI32(00000000,00000000), ref: 005A7580
GetPixel.GDI32(00000000,00000000,00000000), ref: 005A758B
DeleteDC.GDI32(00000000), ref: 005A7594
GetWindowLongW.USER32(?,000000EC), ref: 005A759E
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 005A75B2
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 005A75BE

Strings

static, xrefs: 005A74F6

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: d1d787fcef507af08fd33b174dad49f79e12751693997cabe429280027009268
Instruction ID: c569fc2054bd13ce6aaeba849fa7a87fa9133f2583cfdcf7624c1cd43dafca21
Opcode Fuzzy Hash: d1d787fcef507af08fd33b174dad49f79e12751693997cabe429280027009268
Instruction Fuzzy Hash: 8C314732505219ABDF119FA4DC08FEB3FA9FF1E360F110224FA55A60A0D731D825EBA4

Function 00546E03 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00546E3E

Part of subcall function 00548B28: __getptd_noexit.LIBCMT ref: 00548B28

__gmtime64_s.LIBCMT ref: 00546ED7
__gmtime64_s.LIBCMT ref: 00546F0D
__gmtime64_s.LIBCMT ref: 00546F2A
__allrem.LIBCMT ref: 00546F80
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00546F9C
__allrem.LIBCMT ref: 00546FB3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00546FD1
__allrem.LIBCMT ref: 00546FE8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00547006
__invoke_watson.LIBCMT ref: 00547077

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction ID: 66263885d2c01860fc948617693a8b64b59aa89a3cf7ff0fac1041ea27f20f23
Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction Fuzzy Hash: 2E711672A00717ABD7149E68CC45BEBBBE8BF45368F10452AF818D7281F770ED548B91

Function 00582527 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00582542
GetMenuItemInfoW.USER32(005E5890,000000FF,00000000,00000030), ref: 005825A3
SetMenuItemInfoW.USER32(005E5890,00000004,00000000,00000030), ref: 005825D9
Sleep.KERNEL32(000001F4), ref: 005825EB
GetMenuItemCount.USER32(?), ref: 0058262F
GetMenuItemID.USER32(?,00000000), ref: 0058264B
GetMenuItemID.USER32(?,-00000001), ref: 00582675
GetMenuItemID.USER32(?,?), ref: 005826BA
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00582700
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00582714
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00582735

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: ec363c3548db267292099f8161e765bea1b527dd5e6eead54c8bc69c333170e8
Instruction ID: a94dbee1e41bdc3a0c431820fde6ce32074ae783075fd099802b7270da581653
Opcode Fuzzy Hash: ec363c3548db267292099f8161e765bea1b527dd5e6eead54c8bc69c333170e8
Instruction Fuzzy Hash: 77618D7490024AAFDF11EFA5D8889AE7FB8FB45308F140459EC42A7251EB31AD09DB21

Function 005A6F23 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 005A6FA5
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 005A6FA8
GetWindowLongW.USER32(?,000000F0), ref: 005A6FCC
_memset.LIBCMT ref: 005A6FDD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 005A6FEF
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 005A7067

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: c4a95edf85eeaee134164a7a5acf709b8ec442a3c589902346e53c611bb44b44
Instruction ID: ade153dbce94e7278757e1e9801bb5be1438a169492dfa0bf13ca6c527317b27
Opcode Fuzzy Hash: c4a95edf85eeaee134164a7a5acf709b8ec442a3c589902346e53c611bb44b44
Instruction Fuzzy Hash: DC619A74900248AFDB10DFA4CC85EEE7BF8FB0A314F140169FA04AB2A1D771AD45DB90

Function 00576B98 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00576BBF
SafeArrayAllocData.OLEAUT32(?), ref: 00576C18
VariantInit.OLEAUT32(?), ref: 00576C2A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00576C4A
VariantCopy.OLEAUT32(?,?), ref: 00576C9D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00576CB1
VariantClear.OLEAUT32(?), ref: 00576CC6
SafeArrayDestroyData.OLEAUT32(?), ref: 00576CD3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00576CDC
VariantClear.OLEAUT32(?), ref: 00576CEE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00576CF9

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 412cb731673d8f5edd95463883c9cb480a46556ec5f66a87e61db0b8af508df4
Instruction ID: e47cf511a4ef8f51886a81615c2d79d07a684a52efc4d8a28ffbe71d2396aabe
Opcode Fuzzy Hash: 412cb731673d8f5edd95463883c9cb480a46556ec5f66a87e61db0b8af508df4
Instruction Fuzzy Hash: 1C414075A0011A9FCF04DFA4D8489AEBFB9FF59350F00C069E959A7261DB30AD45DB90

Function 005983BB Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00529837: __itow.LIBCMT ref: 00529862
Part of subcall function 00529837: __swprintf.LIBCMT ref: 005298AC

CoInitialize.OLE32 ref: 00598403
CoUninitialize.COMBASE ref: 0059840E
CoCreateInstance.COMBASE(?,00000000,00000017,005B2BEC,?), ref: 0059846E
IIDFromString.COMBASE(?,?), ref: 005984E1
VariantInit.OLEAUT32(?), ref: 0059857B
VariantClear.OLEAUT32(?), ref: 005985DC

Strings

Invalid parameter, xrefs: 005984FA
NULL Pointer assignment, xrefs: 005984B3
Failed to create object, xrefs: 00598479, 0059852F

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 2150ba7087a1c5bc35261340a32cf519062fc213555fb0a640fbdadd64c8df7f
Instruction ID: e037d83c74828afa5268aade594be8662c1fe64f9cbe13b6d5c40f4fc7ebdba5
Opcode Fuzzy Hash: 2150ba7087a1c5bc35261340a32cf519062fc213555fb0a640fbdadd64c8df7f
Instruction Fuzzy Hash: 21619270608312AFCB10DF54D848F6ABFE4BF8A754F144819F9859B291DB70ED48CB92

Function 00595732 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000101,?), ref: 00595793
inet_addr.WS2_32(?), ref: 005957D8
gethostbyname.WS2_32(?), ref: 005957E4
IcmpCreateFile.IPHLPAPI ref: 005957F2
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00595862
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00595878
IcmpCloseHandle.IPHLPAPI(00000000), ref: 005958ED
WSACleanup.WS2_32 ref: 005958F3

Strings

Ping, xrefs: 00595816

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: bbe78d998b7df0b700a46c43cd32500f30e2db07091afe1be4944061b6a744d6
Instruction ID: 4885941ead4419fbde8963d49ac22913d1ad014036a7f7917fa0ad227c612c55
Opcode Fuzzy Hash: bbe78d998b7df0b700a46c43cd32500f30e2db07091afe1be4944061b6a744d6
Instruction Fuzzy Hash: 82517E316046019FDB11EF64DC49B2ABBE4FF89720F148929F956DB2E1EB30E914DB41

Function 0058B4C3 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0058B4D0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0058B546
GetLastError.KERNEL32 ref: 0058B550
SetErrorMode.KERNEL32(00000000,READY), ref: 0058B5BD

Strings

NOTREADY, xrefs: 0058B57C
READONLY, xrefs: 0058B588
INVALID, xrefs: 0058B58F
READY, xrefs: 0058B596
UNKNOWN, xrefs: 0058B575

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 00ceb8e3b142c6ea528c0187f3b7581bb7a341bfc2920ea33d69e93d26bd2517
Instruction ID: d51de5f996eacc495f51f3fa7d73919a72c481020a677dc18e492e2616ee5dff
Opcode Fuzzy Hash: 00ceb8e3b142c6ea528c0187f3b7581bb7a341bfc2920ea33d69e93d26bd2517
Instruction Fuzzy Hash: 75318335A0020ADFEB10FB68D889EBE7FB8FF49311F144166E905A7291EB709A45CB51

Function 00578F8F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00527DE1: _memmove.LIBCMT ref: 00527E22

Part of subcall function 0057AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0057AABC

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00579014
GetDlgCtrlID.USER32 ref: 0057901F
GetParent.USER32 ref: 0057903B
SendMessageW.USER32(00000000,?,00000111,?), ref: 0057903E
GetDlgCtrlID.USER32(?), ref: 00579047
GetParent.USER32(?), ref: 00579063
SendMessageW.USER32(00000000,?,?,00000111), ref: 00579066

Strings

ComboBox, xrefs: 00578F9C
ListBox, xrefs: 00578FD1

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 62ae2384745b587d31cd1223f088d8cf8175e2acfd73b07d61ef5ef3c8b4ac75
Instruction ID: 3a027925cb637a753de5598bb152ede518aaf12a060dc2f31883d1d8e5dca321
Opcode Fuzzy Hash: 62ae2384745b587d31cd1223f088d8cf8175e2acfd73b07d61ef5ef3c8b4ac75
Instruction Fuzzy Hash: 4E21B574A00109BBDF14ABA4DC89EBEBF74FF9A310F104116B525572E1DB755819EB20

Function 0057907A Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00527DE1: _memmove.LIBCMT ref: 00527E22

Part of subcall function 0057AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0057AABC

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 005790FD
GetDlgCtrlID.USER32 ref: 00579108
GetParent.USER32 ref: 00579124
SendMessageW.USER32(00000000,?,00000111,?), ref: 00579127
GetDlgCtrlID.USER32(?), ref: 00579130
GetParent.USER32(?), ref: 0057914C
SendMessageW.USER32(00000000,?,?,00000111), ref: 0057914F

Strings

ComboBox, xrefs: 00579087
ListBox, xrefs: 005790BC

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 9011622473615b007e7c7931b7b2a9f9fc73c19b8ad5cd73d41ea5c9ae68e3dc
Instruction ID: 3acb1e3232d296a60038985260ff037c5ad3ec661f8ff1dec4ec830ea6e810f9
Opcode Fuzzy Hash: 9011622473615b007e7c7931b7b2a9f9fc73c19b8ad5cd73d41ea5c9ae68e3dc
Instruction Fuzzy Hash: 79210774A00109BBDF10ABA4EC89EFEBF78FF9A300F004016F915972A1DB754819EB20

Function 00579163 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 0057916F
GetClassNameW.USER32(00000000,?,00000100), ref: 00579184
_wcscmp.LIBCMT ref: 00579196
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00579211

Strings

details, xrefs: 005791BF
SHELLDLL_DefView, xrefs: 00579190
list, xrefs: 005791F3
smallicons, xrefs: 005791D9
largeicons, xrefs: 005791A5

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: c7d2fbe69ff7fabef1991ecb7934a8855070187f40bdfd4be32c8c05756523f2
Instruction ID: cd743b63733ef7f41a0c149bc65998456f5ddc445db21569681bd3b2cf647389
Opcode Fuzzy Hash: c7d2fbe69ff7fabef1991ecb7934a8855070187f40bdfd4be32c8c05756523f2
Instruction Fuzzy Hash: 1511EB3B18C31775EA213628FC1ADE73F9CBB15724B204417F904E51D6FE51586176A4

Function 005988AB Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 005988D7
CoInitialize.OLE32(00000000), ref: 00598904
CoUninitialize.COMBASE ref: 0059890E
GetRunningObjectTable.OLE32(00000000,?), ref: 00598A0E
SetErrorMode.KERNEL32(00000001,00000029), ref: 00598B3B
CoGetInstanceFromFile.COMBASE(00000000,?,00000000,00000015,00000002,?,00000001,005B2C0C), ref: 00598B6F
CoGetObject.OLE32(?,00000000,005B2C0C,?), ref: 00598B92
SetErrorMode.KERNEL32(00000000), ref: 00598BA5
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00598C25
VariantClear.OLEAUT32(?), ref: 00598C35

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: eeb65dad19e6c0c3c43601cad0eb84dd71d7720dbbc79a2b9af4260b344c2ca9
Instruction ID: 0e7c16ff2418d8e597e9fa68a2df5fb287caa1ace1287c3cd5c0bb6542e7e5e7
Opcode Fuzzy Hash: eeb65dad19e6c0c3c43601cad0eb84dd71d7720dbbc79a2b9af4260b344c2ca9
Instruction Fuzzy Hash: A4C118B1608305AFDB00DF64C88492BBBE9FF8A748F04495DF98A9B251DB71ED05CB52

Function 00587990 Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00587A6C

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: b9e039ad6f1d6414c64aa805c63f4d1116424c79665330bc4bfdb36452fb3c1b
Instruction ID: 7ced8ac5eb1557489176f1bdcbddd1d09fe1925c2d3b62b360f1bd771b8a51f1
Opcode Fuzzy Hash: b9e039ad6f1d6414c64aa805c63f4d1116424c79665330bc4bfdb36452fb3c1b
Instruction Fuzzy Hash: F3B16A7190421A9FDB00EFA4C889BBEBBB5FF4D321F244429EA41A7291D734E945DB90

Function 005811CE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 005811F0
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00580268,?,00000001), ref: 00581204
GetWindowThreadProcessId.USER32(00000000), ref: 0058120B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00580268,?,00000001), ref: 0058121A
GetWindowThreadProcessId.USER32(?,00000000), ref: 0058122C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00580268,?,00000001), ref: 00581245
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00580268,?,00000001), ref: 00581257
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00580268,?,00000001), ref: 0058129C
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00580268,?,00000001), ref: 005812B1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00580268,?,00000001), ref: 005812BC

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 31a3e86303e24c8e659eeca0048aeaf25fb0c506914844bf9310cec9fb27b6b5
Instruction ID: dbca7798113b804e9e5fa52b4597d28517b928f0701ee4a3bc4f53d0f0e80ff9
Opcode Fuzzy Hash: 31a3e86303e24c8e659eeca0048aeaf25fb0c506914844bf9310cec9fb27b6b5
Instruction Fuzzy Hash: 4431FF79600604FBEB64AF91ED88F693BADFB75391F104114FC11EB1A0D3B09D499B54

Function 0052FA5D Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0052FAA6
OleUninitialize.OLE32(?,00000000), ref: 0052FB45
UnregisterHotKey.USER32(?), ref: 0052FC9C
DestroyWindow.USER32(?), ref: 005645D6
FreeLibrary.KERNEL32(?), ref: 0056463B
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00564668

Strings

close all, xrefs: 0052FAA1

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 45289fbf65dba68ce72eac68f710548f059fbb942bee862ab04884a185915796
Instruction ID: 9e019040bc527337f3a7016fa45a9b6441f1974e4610ebfe310aa4da9bba5a09
Opcode Fuzzy Hash: 45289fbf65dba68ce72eac68f710548f059fbb942bee862ab04884a185915796
Instruction Fuzzy Hash: 12A17031701222CFCB19EF14E599A69FB64BF56704F5446BDE80AAB2A1DB30AC16CF50

Function 0057A068 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,0057A439), ref: 0057A377

Strings

NAME, xrefs: 0057A1A9
CLASSNN, xrefs: 0057A119
REGEXPCLASS, xrefs: 0057A13C
CLASS, xrefs: 0057A0F6
TEXT, xrefs: 0057A2AE
INSTANCE, xrefs: 0057A285

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 3be33df259ccccffd7db1c5063c1d8ca6d44623b333a11b30ab9b1898ef50f5c
Instruction ID: 0f7a6d49abbba6d8b1184912e9af88c5ac6d0e847b0198b5b4ed1cbbe0858ecf
Opcode Fuzzy Hash: 3be33df259ccccffd7db1c5063c1d8ca6d44623b333a11b30ab9b1898ef50f5c
Instruction Fuzzy Hash: BC910631600606AADB08DFA0D459BEDFFB4BF84304F54C51AE84DA3292DF306999EBD1

Function 00522E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00522EAE

Part of subcall function 00521DB3: GetClientRect.USER32(?,?), ref: 00521DDC
Part of subcall function 00521DB3: GetWindowRect.USER32(?,?), ref: 00521E1D
Part of subcall function 00521DB3: ScreenToClient.USER32(?,?), ref: 00521E45

GetDC.USER32 ref: 0055CD32
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0055CD45
SelectObject.GDI32(00000000,00000000), ref: 0055CD53
SelectObject.GDI32(00000000,00000000), ref: 0055CD68
ReleaseDC.USER32(?,00000000), ref: 0055CD70
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0055CDFB

Strings

U, xrefs: 0055CCD0

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 98c38df127071c36addf99adee27e5b950a686dc3ca6a6b27e9dc028b8d9ab51
Instruction ID: 3551b44a6ad9486b2da0504ac4c9b3aacdf2c2dc1a258fe35d4ec27adaad65f8
Opcode Fuzzy Hash: 98c38df127071c36addf99adee27e5b950a686dc3ca6a6b27e9dc028b8d9ab51
Instruction Fuzzy Hash: 2471F231400345EFCF258F64CC94ABA3FB5FF5A325F14466AED569A2A6D7308C48EB60

Function 00591A15 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00591A50
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00591A7C
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00591ABE
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00591AD3
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00591AE0
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00591B10
InternetCloseHandle.WININET(00000000), ref: 00591B57

Part of subcall function 00592483: GetLastError.KERNEL32(?,?,00591817,00000000,00000000,00000001), ref: 00592498
Part of subcall function 00592483: SetEvent.KERNEL32(?,?,00591817,00000000,00000000,00000001), ref: 005924AD

Strings

, xrefs: 00591B01

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: 8ccd7cd12e7350d965ffd4180516c3cdce3777bceb810a20ae2a8fc2649a8528
Instruction ID: 062412857df2f382f116ff224df5bcd97d8fb68595795156d84e08d3110181e2
Opcode Fuzzy Hash: 8ccd7cd12e7350d965ffd4180516c3cdce3777bceb810a20ae2a8fc2649a8528
Instruction Fuzzy Hash: E8417FB150162ABFEF118F50CC89FFA7BADFF09354F004126F9059A191E7749E449BA4

Function 00598C46 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,005AF910), ref: 00598D28
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,005AF910), ref: 00598D5C
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00598ED6
SysFreeString.OLEAUT32(?), ref: 00598F00

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 23df554d13764ca2ef0aec2dd34bd9a2372499e768e4c07c8cc8014aa6d856f3
Instruction ID: ce02c00d89320ee8489f6e43284d8229299dea20d3e2c985a5def4fd72eebea2
Opcode Fuzzy Hash: 23df554d13764ca2ef0aec2dd34bd9a2372499e768e4c07c8cc8014aa6d856f3
Instruction Fuzzy Hash: 71F11A71A00219EFDF14DF94C888EAEBBB9FF86314F108498F915AB251DB31AE45DB50

Function 0059F694 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0059F6B5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0059F848
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0059F86C
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0059F8AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0059F8CE
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0059FA4A
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0059FA7C
CloseHandle.KERNEL32(?), ref: 0059FAAB
CloseHandle.KERNEL32(?), ref: 0059FB22

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 6e7846af0c4e91949112cca2458012625bb37c9765a7a7a76e98f0d64bf7decf
Instruction ID: 9542e5fbdaf84612e8dcbc1e5688413c9282cd0b276090f5ee5940e27b9abc6f
Opcode Fuzzy Hash: 6e7846af0c4e91949112cca2458012625bb37c9765a7a7a76e98f0d64bf7decf
Instruction Fuzzy Hash: 44E19E316042129FCB14EF24D885B6ABFE1FF85314F18896DF8999B2A2CB31DC45CB52

Function 0052201B Relevance: 13.7, APIs: 9, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00521B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00522036,?,00000000,?,?,?,?,005216CB,00000000,?), ref: 00521B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 005220D3
KillTimer.USER32(-00000001,?,?,?,?,005216CB,00000000,?,?,00521AE2,?,?), ref: 0052216E
DestroyAcceleratorTable.USER32(00000000), ref: 0055BCA6
DeleteObject.GDI32(00000000), ref: 0055BD1C

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Destroy$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 2402799130-0
Opcode ID: 9d6f8bded0c3200c91c879279dd5a4515917fcdaa4de993d81336e3851eeb53d
Instruction ID: 318d893875da3f0df2723b401d79b3f95d6d1dc73123d02ae645989f89910a35
Opcode Fuzzy Hash: 9d6f8bded0c3200c91c879279dd5a4515917fcdaa4de993d81336e3851eeb53d
Instruction Fuzzy Hash: 8E61A035504B61EFDB399F14E99CB257FF1FF62316F204529E9824A5B0C770A898EB80

Function 00584CC1 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0058466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00583697,?), ref: 0058468B

Part of subcall function 0058466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00583697,?), ref: 005846A4

Part of subcall function 00584A31: GetFileAttributesW.KERNEL32(?,0058370B), ref: 00584A32

lstrcmpiW.KERNEL32(?,?), ref: 00584D40
_wcscmp.LIBCMT ref: 00584D5A
MoveFileW.KERNEL32(?,?), ref: 00584D75

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: bf3c2ceabb40806b38ad77cd2ccefad8ab545338506432959f5a02ba6b0e84e9
Instruction ID: b97c1fc48d187496671910b72e93e5546cfeee0369282a47dd9782810cecc8c7
Opcode Fuzzy Hash: bf3c2ceabb40806b38ad77cd2ccefad8ab545338506432959f5a02ba6b0e84e9
Instruction Fuzzy Hash: E65165B24083469BC724EB90D8859DFBBECBFC5310F40092EBA85D3151EF34A588CB56

Function 005A8645 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 005A86FF

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: b516beb4a2dc5ea7f20de2b27912935b3aad7a6822389036ee0e826c15d42064
Instruction ID: 2cc7da64c034cecdc738d3c3069cdf8c0d307ebca21abf5edc61b2a32026c376
Opcode Fuzzy Hash: b516beb4a2dc5ea7f20de2b27912935b3aad7a6822389036ee0e826c15d42064
Instruction Fuzzy Hash: 0251AC34600255BEEB249B289C89FBD7FA5FB17320F600521FA51E72A1DF76A980DB50

Function 00522B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0055C2F7
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0055C319
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0055C331
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0055C34F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0055C370
DestroyCursor.USER32(00000000), ref: 0055C37F
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0055C39C
DestroyCursor.USER32(?), ref: 0055C3AB

Part of subcall function 005AA4AF: DeleteObject.GDI32(00000000), ref: 005AA4E8

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: CursorDestroyExtractIconImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2975913752-0
Opcode ID: fbd16b0435c3476f30ff666de84be3f6a27751c212aa8b3356c8ee886008b3c1
Instruction ID: 939d20c117ea4c8cbd6c7c274a19d4384883b5eaa7d8d0726930227b35277f25
Opcode Fuzzy Hash: fbd16b0435c3476f30ff666de84be3f6a27751c212aa8b3356c8ee886008b3c1
Instruction Fuzzy Hash: 43514874600309AFDB24DF64DC45BAA3FA5FF5A311F104929F942A72E0DB70AD54EB50

Function 0057966E Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0057A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0057A84C
Part of subcall function 0057A82C: GetCurrentThreadId.KERNEL32 ref: 0057A853
Part of subcall function 0057A82C: AttachThreadInput.USER32(00000000,?,00579683,?,00000001), ref: 0057A85A

MapVirtualKeyW.USER32(00000025,00000000), ref: 0057968E
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 005796AB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 005796AE
MapVirtualKeyW.USER32(00000025,00000000), ref: 005796B7
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 005796D5
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 005796D8
MapVirtualKeyW.USER32(00000025,00000000), ref: 005796E1
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 005796F8
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 005796FB

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: be8b16fd40e441e308bfce826122a5e21752d18c21ddc3f9d94fa2427109d432
Instruction ID: 8b02e64fff0254b80705908c65e5cb190a699c78650cf95e59abd896cabffe61
Opcode Fuzzy Hash: be8b16fd40e441e308bfce826122a5e21752d18c21ddc3f9d94fa2427109d432
Instruction Fuzzy Hash: 2511E1B1910618BFF6106FA0EC89F6A3F2DEB8D750F100425F248AB0E0C9F25C11EBA4

Function 00578921 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0057853C,00000B00,?,?), ref: 0057892A
RtlAllocateHeap.NTDLL(00000000,?,0057853C), ref: 00578931
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0057853C,00000B00,?,?), ref: 00578946
GetCurrentProcess.KERNEL32(?,00000000,?,0057853C,00000B00,?,?), ref: 0057894E
DuplicateHandle.KERNEL32(00000000,?,0057853C,00000B00,?,?), ref: 00578951
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0057853C,00000B00,?,?), ref: 00578961
GetCurrentProcess.KERNEL32(0057853C,00000000,?,0057853C,00000B00,?,?), ref: 00578969
DuplicateHandle.KERNEL32(00000000,?,0057853C,00000B00,?,?), ref: 0057896C
CreateThread.KERNEL32(00000000,00000000,00578992,00000000,00000000,00000000), ref: 00578986

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocateCreateThread
String ID:
API String ID: 1422014791-0
Opcode ID: 9d437c03dd23d398a80c720d3bdc6ebd3897e3762f6355060fa5fb9a9ea7f330
Instruction ID: 4ba5d475104c3217664638eeef91f38330a15340c2a8a14c8c471226eba8147f
Opcode Fuzzy Hash: 9d437c03dd23d398a80c720d3bdc6ebd3897e3762f6355060fa5fb9a9ea7f330
Instruction Fuzzy Hash: 1101BBB5240308FFE760ABA5DC4DF6B3BACEB99711F418421FA05DB1A1DA709804DB20

Function 00599113 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00599167
VariantInit.OLEAUT32(?), ref: 00599238
VariantInit.OLEAUT32(?), ref: 00599339
VariantClear.OLEAUT32(?), ref: 00599343
VariantClear.OLEAUT32(?), ref: 005993A0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0059931C
Null Object assignment in FOR..IN loop, xrefs: 005991C8, 005992F6, 005993AE

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: e1753d4f7d73b686109a3dd6dbadd1b1d833b458d6ce181c4faeded6a6a5af01
Instruction ID: cb5a37af55537c33d5f06c338b761260f843981d18789d6f3c20cfef68383495
Opcode Fuzzy Hash: e1753d4f7d73b686109a3dd6dbadd1b1d833b458d6ce181c4faeded6a6a5af01
Instruction Fuzzy Hash: 09915E71A00219ABDF24DFA9C848FAEBBB8FF85714F10855EF515AB280D7709945CFA0

Function 0059975D Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 0057710A: CLSIDFromProgID.COMBASE ref: 00577127
Part of subcall function 0057710A: ProgIDFromCLSID.COMBASE(?,00000000), ref: 00577142
Part of subcall function 0057710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00577044,80070057,?,?), ref: 00577150
Part of subcall function 0057710A: CoTaskMemFree.COMBASE(00000000), ref: 00577160

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 00599806
_memset.LIBCMT ref: 00599813
_memset.LIBCMT ref: 00599956
CoCreateInstanceEx.COMBASE(?,00000000,00000015,?,00000001,00000000), ref: 00599982
CoTaskMemFree.COMBASE(?), ref: 0059998D

Strings

NULL Pointer assignment, xrefs: 005999DB

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 4508ab0f9013fd23ce3a006cf6a0fcf4d89ca669e065034e615a176d62793a3f
Instruction ID: 32e6b94a225e4ba7e6df6b28d6b6b82535685aa1294307cf17133c5f91e6769d
Opcode Fuzzy Hash: 4508ab0f9013fd23ce3a006cf6a0fcf4d89ca669e065034e615a176d62793a3f
Instruction Fuzzy Hash: 02910771D00229ABDF10DFA5DC45ADEBBB9FF49310F10415AF419A7291EB71AA44CFA0

Function 005A6D80 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 005A6E24
SendMessageW.USER32(?,00001036,00000000,?), ref: 005A6E38
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 005A6E52
_wcscat.LIBCMT ref: 005A6EAD
SendMessageW.USER32(?,00001057,00000000,?), ref: 005A6EC4
SendMessageW.USER32(?,00001061,?,0000000F), ref: 005A6EF2

Strings

SysListView32, xrefs: 005A6DF6

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: eba0fc8d864d75ad1416d2a1aa29990b700b72ca4e9e4b9669d6f1956b8ce090
Instruction ID: 281b55ad8e1446f7e08effa93113865dc272fa819878c3d6c42103dbfb059c33
Opcode Fuzzy Hash: eba0fc8d864d75ad1416d2a1aa29990b700b72ca4e9e4b9669d6f1956b8ce090
Instruction Fuzzy Hash: 86419070A00349AFEB219FA4CC89BEE7BE9FF09354F14042AF584E7291D6719D848B60

Function 0059E933 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00583C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00583C7A
Part of subcall function 00583C55: Process32FirstW.KERNEL32(00000000,?), ref: 00583C88
Part of subcall function 00583C55: CloseHandle.KERNEL32(00000000), ref: 00583D52

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0059E9A4
GetLastError.KERNEL32 ref: 0059E9B7
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0059E9E6
TerminateProcess.KERNEL32(00000000,00000000), ref: 0059EA63
GetLastError.KERNEL32(00000000), ref: 0059EA6E
CloseHandle.KERNEL32(00000000), ref: 0059EAA3

Strings

SeDebugPrivilege, xrefs: 0059E9C2

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 4cb57555c4195c689df281d56eed79914c764efe230443cd9e55db101242f38a
Instruction ID: 9935b64e324d872a5b8ab29c82a6a7a25e761e5bc09c8994362f03b4fbf32059
Opcode Fuzzy Hash: 4cb57555c4195c689df281d56eed79914c764efe230443cd9e55db101242f38a
Instruction Fuzzy Hash: 8441AC712002029FDB14EF54DC9AF6EBFA5BF81314F088859F9469B3D2CB75A808DB91

Function 00582F94 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00583033

Strings

blank, xrefs: 00582FB5
warning, xrefs: 0058301C
info, xrefs: 00582FD4
stop, xrefs: 00583004
question, xrefs: 00582FEC

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 324dd154ed8862620c00250595a3a52bac8c0b1f810c57ebda0c10079d16f54e
Instruction ID: 4a3faa5b7fa3f00004d7ec8996e3f6d8d672c7e772257078154d75818f308303
Opcode Fuzzy Hash: 324dd154ed8862620c00250595a3a52bac8c0b1f810c57ebda0c10079d16f54e
Instruction Fuzzy Hash: 2411D83124C346FAD724AA58DC4ADBB7F9CBF15764F10006BFD00B6281DA619F4057A5

Function 005842F8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00584312
LoadStringW.USER32(00000000), ref: 00584319
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0058432F
LoadStringW.USER32(00000000), ref: 00584336
_wprintf.LIBCMT ref: 0058435C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0058437A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00584357

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 8db2c43362ef6148bb3c9af1013dfc5e5553231167e844e844de316dde983dba
Instruction ID: 44a456f75485c641968ea369123befea376f577c80a2163249b0bb941013f3ba
Opcode Fuzzy Hash: 8db2c43362ef6148bb3c9af1013dfc5e5553231167e844e844de316dde983dba
Instruction Fuzzy Hash: DD0162F6940208BFE761A7E4DD89EFB776CEB09300F0005A2BB45E2051EA745E899B74

Function 00522A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0055C1C7,00000004,00000000,00000000,00000000), ref: 00522ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0055C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00522B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0055C1C7,00000004,00000000,00000000,00000000), ref: 0055C21A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0055C1C7,00000004,00000000,00000000,00000000), ref: 0055C286

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 0b8cf3307229fa6582fb27f92d190481539389159023d6b79a06a09733dee29c
Instruction ID: dc3b6ef78c0b4a462afb32bd1a166b4c0d0a4a915ce2b8cb3d2f9007843dede1
Opcode Fuzzy Hash: 0b8cf3307229fa6582fb27f92d190481539389159023d6b79a06a09733dee29c
Instruction Fuzzy Hash: CA412C39208790BEC7358B68AC9C76B7FD2BF97300F14882EE487469E0C7B19889D710

Function 005870C6 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 005870DD

Part of subcall function 00540DB6: std::exception::exception.LIBCMT ref: 00540DEC
Part of subcall function 00540DB6: __CxxThrowException@8.LIBCMT ref: 00540E01

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00587114
RtlEnterCriticalSection.NTDLL(?), ref: 00587130
_memmove.LIBCMT ref: 0058717E
_memmove.LIBCMT ref: 0058719B
RtlLeaveCriticalSection.NTDLL(?), ref: 005871AA
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 005871BF
InterlockedExchange.KERNEL32(?,000001F6), ref: 005871DE

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 855969acafe6e8c29f886396c6697dc58771638578874c7296446954d06eed63
Instruction ID: bf282c61e98cc1e3ff9192026561cb6192ef8db39bb77dd42e06995972bb276c
Opcode Fuzzy Hash: 855969acafe6e8c29f886396c6697dc58771638578874c7296446954d06eed63
Instruction Fuzzy Hash: DC315E75900205EBDB10EFA5DC89AAABB78FF85710F2441A5ED04AB256DB30DA14DB60

Function 005A61D3 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 005A61EB
GetDC.USER32(00000000), ref: 005A61F3
GetDeviceCaps.GDI32(00000000,0000005A), ref: 005A61FE
ReleaseDC.USER32(00000000,00000000), ref: 005A620A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 005A6246
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 005A6257
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,005A902A,?,?,000000FF,00000000,?,000000FF,?), ref: 005A6291
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 005A62B1

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 42f83d97d2ec2940451b3ae391fc0fd5c5d661c434e35313744e92aa9380a59c
Instruction ID: 2844129b324b0a6a8e4a25a21b50ace26249548349df7570d4550855e2ac662f
Opcode Fuzzy Hash: 42f83d97d2ec2940451b3ae391fc0fd5c5d661c434e35313744e92aa9380a59c
Instruction Fuzzy Hash: 1B316D76101210BFEB118F50DC8AFEA3FA9FF5A765F084065FE089A191C6759841DBA4

Function 00521424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca6c9d625b563790ecfc81ab30f2cec3c6d08959c8ee5f94542ab13b1caef81c
Instruction ID: a45ae0961e668249b8231d3aa83580b20664990e2db55d5ae5f5980ee9c369ae
Opcode Fuzzy Hash: ca6c9d625b563790ecfc81ab30f2cec3c6d08959c8ee5f94542ab13b1caef81c
Instruction Fuzzy Hash: F8716830900519EFDB04DF98DC48ABFBF79FF9A310F108159F915AA291C734AA51CBA4

Function 005AB351 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00FB3838), ref: 005AB3EB
IsWindowEnabled.USER32(00FB3838), ref: 005AB3F7
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 005AB4DB
SendMessageW.USER32(00FB3838,000000B0,?,?), ref: 005AB512
IsDlgButtonChecked.USER32(?,?), ref: 005AB54F
GetWindowLongW.USER32(00FB3838,000000EC), ref: 005AB571
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 005AB589

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: cf020ed7c747eddbce355f8f6ce418e4435f2046bda2c3d266f441e229e57218
Instruction ID: d9763e0640efec28b1c537b68ff870e37b118862df5b4ce8fd80d19d9db20439
Opcode Fuzzy Hash: cf020ed7c747eddbce355f8f6ce418e4435f2046bda2c3d266f441e229e57218
Instruction Fuzzy Hash: A0717934604204AFEF249F65C894FAE7FBAFF4B300F144459E986972A3D732A954DB90

Function 0059F41E Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0059F448
_memset.LIBCMT ref: 0059F511
ShellExecuteExW.SHELL32(?), ref: 0059F556

Part of subcall function 00529837: __itow.LIBCMT ref: 00529862
Part of subcall function 00529837: __swprintf.LIBCMT ref: 005298AC

Part of subcall function 0053FC86: _wcscpy.LIBCMT ref: 0053FCA9

GetProcessId.KERNEL32(00000000), ref: 0059F5CD
CloseHandle.KERNEL32(00000000), ref: 0059F5FC

Strings

@, xrefs: 0059F525

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 1c7ad6a7c65746e56356fe816f15ba419e35f12d69736b79d80d0248a6a16ceb
Instruction ID: ad1608d2cfaa30416c5f6758efd8fbe878a6ec5ab80d758fc9e6d4a1c9d0a99e
Opcode Fuzzy Hash: 1c7ad6a7c65746e56356fe816f15ba419e35f12d69736b79d80d0248a6a16ceb
Instruction Fuzzy Hash: D261BF75A0062A9FCF14DFA4D4859AEBFF5FF89310F148069E859AB391CB30AD41CB94

Function 00580F4D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00580F8C
GetKeyboardState.USER32(?), ref: 00580FA1
SetKeyboardState.USER32(?), ref: 00581002
PostMessageW.USER32(?,00000101,00000010,?), ref: 00581030
PostMessageW.USER32(?,00000101,00000011,?), ref: 0058104F
PostMessageW.USER32(?,00000101,00000012,?), ref: 00581095
PostMessageW.USER32(?,00000101,0000005B,?), ref: 005810B8

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: ffd6f4ae69eb0cae7df2fbaf05b7be86345b983e1887ba2c944ef21551da67f0
Instruction ID: 891ca136ef6e55824c18c64cd36200511801ef775047e885dc1bb7bbe00ecd06
Opcode Fuzzy Hash: ffd6f4ae69eb0cae7df2fbaf05b7be86345b983e1887ba2c944ef21551da67f0
Instruction Fuzzy Hash: A8510660504BD57EFB3663348C09BB6BEAD7B06300F088589EAD5A58C3C2D9DCCAD755

Function 00580D66 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00580DA5
GetKeyboardState.USER32(?), ref: 00580DBA
SetKeyboardState.USER32(?), ref: 00580E1B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00580E47
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00580E64
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00580EA8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00580EC9

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: d6601ebde74a5d15c8516d841fda87264ea47d10738967bfe1fd701135da7f55
Instruction ID: 191116b2a4ea1b017598fc3d8195e5c90d110b7cd57d4cc1358c6b4fa849c42c
Opcode Fuzzy Hash: d6601ebde74a5d15c8516d841fda87264ea47d10738967bfe1fd701135da7f55
Instruction Fuzzy Hash: 255106A06047D53DFB72A3748C45B7B7FAD7B06300F089889E9D5AA4C2C395AC8DE750

Function 005855FD Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0058560A
_wcsncpy.LIBCMT ref: 0058563F
_wcsncpy.LIBCMT ref: 00585671
_wcsncpy.LIBCMT ref: 005856A4
_wcsncpy.LIBCMT ref: 005856E6
_wcsncpy.LIBCMT ref: 00585720
_wcsncpy.LIBCMT ref: 0058574F

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 7c61ea511a2d09377ca4b4fd321db68e77b9410710b83316b7c3181223dadd05
Instruction ID: 811933c126029b82a8c8462174ee44bc11ce9f90bf0763daa77cd043d47cc48c
Opcode Fuzzy Hash: 7c61ea511a2d09377ca4b4fd321db68e77b9410710b83316b7c3181223dadd05
Instruction Fuzzy Hash: B8418075C1061576CB11EBB4884EACFBBA8FF44310F508956F908E3221FA34A755C7A6

Function 00583671 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0058466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00583697,?), ref: 0058468B

Part of subcall function 0058466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00583697,?), ref: 005846A4

lstrcmpiW.KERNEL32(?,?), ref: 005836B7
_wcscmp.LIBCMT ref: 005836D3
MoveFileW.KERNEL32(?,?), ref: 005836EB
_wcscat.LIBCMT ref: 00583733
SHFileOperationW.SHELL32(?), ref: 0058379F

Strings

\*.*, xrefs: 0058372D

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: c6386539937636620a56a9773b504e93d1a27d4fb3e93b75ec66e8b9fba5bd3b
Instruction ID: e679540389009f1af35b44342729b81768f6601386b441638be14a95ea7fd3ad
Opcode Fuzzy Hash: c6386539937636620a56a9773b504e93d1a27d4fb3e93b75ec66e8b9fba5bd3b
Instruction Fuzzy Hash: FF41AF71508345AAC751EF64C4459DF7BE8FF89780F00082EB88AD3251EA34D689CB52

Function 005A7291 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005A72AA
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 005A7351
IsMenu.USER32(?), ref: 005A7369
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 005A73B1
DrawMenuBar.USER32 ref: 005A73C4

Strings

0, xrefs: 005A729E

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 6fc47f53c724cfea69d00c2d85dc3c06d7b4cfc7be1ee0bbe858a4a5dc856ab7
Instruction ID: 5f9a886df0b741fd1728236269af258ea5c45d98fa18760271332a3e2c18f29e
Opcode Fuzzy Hash: 6fc47f53c724cfea69d00c2d85dc3c06d7b4cfc7be1ee0bbe858a4a5dc856ab7
Instruction Fuzzy Hash: C4411675A04209AFDF20DF50D884A9EBBB9FF0A314F25982AFD459B250D730AD54EB60

Function 005A0FA5 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 005A0FD4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 005A0FFE
FreeLibrary.KERNEL32(00000000), ref: 005A10B5

Part of subcall function 005A0FA5: RegCloseKey.ADVAPI32(?), ref: 005A101B
Part of subcall function 005A0FA5: FreeLibrary.KERNEL32(?), ref: 005A106D
Part of subcall function 005A0FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 005A1090

RegDeleteKeyW.ADVAPI32(?,?), ref: 005A1058

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 6cea04f0399247806578258078bbc53f913f854be817e4509a7fac9ad02894d5
Instruction ID: d78140b6682e1f1e5d95c36c189101884752e652ad2477928a02604c46a4a726
Opcode Fuzzy Hash: 6cea04f0399247806578258078bbc53f913f854be817e4509a7fac9ad02894d5
Instruction Fuzzy Hash: DA310D71901109BFDB159F90DC89EFFBBBCFF19310F000169E512E2151EA749E899BA4

Function 005A62CD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 005A62EC
GetWindowLongW.USER32(00FB3838,000000F0), ref: 005A631F
GetWindowLongW.USER32(00FB3838,000000F0), ref: 005A6354
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 005A6386
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 005A63B0
GetWindowLongW.USER32(00000000,000000F0), ref: 005A63C1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 005A63DB

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 34cf7d0315cbe63b16e906b9b1208dc2bb529920309fe6334f82ecb7c615495c
Instruction ID: 7d40b703c191fb462067d9db6e963e231efaa2b24e8abcbd937a5c6adddb13b9
Opcode Fuzzy Hash: 34cf7d0315cbe63b16e906b9b1208dc2bb529920309fe6334f82ecb7c615495c
Instruction Fuzzy Hash: 34313134644280EFDF20CF58DC84F593BE1FB5A714F2915A9F6518F2B2CB71A845AB50

Function 00596173 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00597D8B: inet_addr.WS2_32(00000000), ref: 00597DB6

socket.WS2_32(00000002,00000001,00000006), ref: 005961C6
WSAGetLastError.WS2_32(00000000), ref: 005961D5
ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 0059620E
connect.WSOCK32(00000000,?,00000010), ref: 00596217
WSAGetLastError.WS2_32 ref: 00596221
closesocket.WS2_32(00000000), ref: 0059624A
ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 00596263

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 61a8c7853e56d01fead0f0ded5d498a3843c424ab8cb890e43b5b28b744a31e7
Instruction ID: 752db698560d5f1b5fa8eebca097526003167b13bd23ebfbf03619554aa1d356
Opcode Fuzzy Hash: 61a8c7853e56d01fead0f0ded5d498a3843c424ab8cb890e43b5b28b744a31e7
Instruction Fuzzy Hash: CC31A135600219AFDF10AF64DC89BBE7BADFF45750F044029F905A7291DB74AC08DBA1

Function 0057F65E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0057F671
__wcsnicmp.LIBCMT ref: 0057F692
__wcsnicmp.LIBCMT ref: 0057F6AC

Strings

#OnAutoItStartRegister, xrefs: 0057F6A6
#requireadmin, xrefs: 0057F68C
#notrayicon, xrefs: 0057F669

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 72d93e92dc5bb017e750b5202cd225cab6dca82289b8ad00ed45e9fc2382a237
Instruction ID: e7b94e9a097245b55c2f0e1ad9105551f688b029cc8bba26ccb446273946afc9
Opcode Fuzzy Hash: 72d93e92dc5bb017e750b5202cd225cab6dca82289b8ad00ed45e9fc2382a237
Instruction Fuzzy Hash: 2321497220451266D324EA34BC06EEB7FE8FF95344F10C439F98A870A1EB50AD41E3A5

Function 005A75CD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00521D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00521D73
Part of subcall function 00521D35: GetStockObject.GDI32(00000011), ref: 00521D87
Part of subcall function 00521D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00521D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 005A7632
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 005A763F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 005A764A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 005A7659
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 005A7665

Strings

Msctls_Progress32, xrefs: 005A7603

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: af91dbbd709ebb0abeedb03967637451b336b68557a32a152b40c43fe00a9b3d
Instruction ID: db57e28a0765a289a5f84f99f7e2d339c55748385e9cbb36a4c5e8879db74405
Opcode Fuzzy Hash: af91dbbd709ebb0abeedb03967637451b336b68557a32a152b40c43fe00a9b3d
Instruction Fuzzy Hash: C2118EB2110219BFEF158F64CC85EEB7F6DFF09798F014115BA04A60A0CA729C21DBA4

Function 005AB635 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005AB644
_memset.LIBCMT ref: 005AB653
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,005E6F20,005E6F64), ref: 005AB682
CloseHandle.KERNEL32 ref: 005AB694

Strings

do^, xrefs: 005AB64D
o^, xrefs: 005AB63E

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID: o^$do^
API String ID: 3277943733-577272521
Opcode ID: 2017ca09c5beadde507651b1c41c226c28876a41c4d8fe17d6e1e2d06cfe72e7
Instruction ID: 116c0d75b0123e7a26604206865d4c3dfebb436552ee0dc45676790aa0dd1788
Opcode Fuzzy Hash: 2017ca09c5beadde507651b1c41c226c28876a41c4d8fe17d6e1e2d06cfe72e7
Instruction Fuzzy Hash: 35F05EB25403507AE7102761BC4AFBB3E9CFB293D5F004421FA98EA196D7714C04D7A8

Function 0054406B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00543F85), ref: 00544085
GetProcAddress.KERNEL32(00000000), ref: 0054408C
RtlEncodePointer.NTDLL(00000000), ref: 00544097
RtlDecodePointer.NTDLL(00543F85), ref: 005440B2

Strings

combase.dll, xrefs: 00544080
RoUninitialize, xrefs: 00544074

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 406e3777f933dcca45a96899b0fee436ea34f8260dc72ef075d4a0325e3f338a
Instruction ID: 0882b12b6986f2eae08d32f77ad7cd02368d24a691c0bc94e2af6edf3c508d83
Opcode Fuzzy Hash: 406e3777f933dcca45a96899b0fee436ea34f8260dc72ef075d4a0325e3f338a
Instruction Fuzzy Hash: 23E09A70585340AFDB18AFA2EC4DB453AA4B725746F104429F141EA0A0CB76560CEB14

Function 00596B76 Relevance: 9.2, APIs: 6, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88696ddafec688a1e1641fd57370b7b29d6183a8c00e8e61bfb0e78b5d57ea2d
Instruction ID: 8b15a171944f9a1af07d2c9b2f44cdc01f7143993fde0862da7914d4a981674a
Opcode Fuzzy Hash: 88696ddafec688a1e1641fd57370b7b29d6183a8c00e8e61bfb0e78b5d57ea2d
Instruction Fuzzy Hash: 7961DE72208312ABCB14EB24DC89E6FBBA8FFD5714F504919F5559B2D2DB309D08CB92

Function 005864B8 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0058660B
_memmove.LIBCMT ref: 00586546

Part of subcall function 00529837: __itow.LIBCMT ref: 00529862
Part of subcall function 00529837: __swprintf.LIBCMT ref: 005298AC

_memmove.LIBCMT ref: 005865B9
_memmove.LIBCMT ref: 005866A0
_memmove.LIBCMT ref: 005866B9
_memmove.LIBCMT ref: 005866D5

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 78a494ea9efca2352b27e18679cc3fe3873682991bb1b200d7a5fc0ed4c63071
Instruction ID: 1871ae485d99d8fde7c55d291be1f47c482088b7955ca80e8ce5e6422f5da36a
Opcode Fuzzy Hash: 78a494ea9efca2352b27e18679cc3fe3873682991bb1b200d7a5fc0ed4c63071
Instruction Fuzzy Hash: 6B616A3090025B9BCB05FF60D889AFE3FA9BF85308F444919FD556A2D2EB34A915DB50

Function 005A01E4 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00527DE1: _memmove.LIBCMT ref: 00527E22

Part of subcall function 005A0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0059FDAD,?,?), ref: 005A0E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005A02BD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 005A02FD
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 005A0320
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 005A0349
RegCloseKey.ADVAPI32(?,?,00000000), ref: 005A038C
RegCloseKey.ADVAPI32(00000000), ref: 005A0399

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 87af6206cc200a34808b01789d3b4f94e2d83320a603654fcaf384791ce9fdd3
Instruction ID: 8ea832d1df7d8ac83efe905eaaaafd441feb57a4e888609824af87c0be01afa9
Opcode Fuzzy Hash: 87af6206cc200a34808b01789d3b4f94e2d83320a603654fcaf384791ce9fdd3
Instruction Fuzzy Hash: CE514831118205AFCB14EF64D889E6EBFE8FF8A314F04491DF585872A2DB31E905DB52

Function 005A5799 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 005A57FB
GetMenuItemCount.USER32(00000000), ref: 005A5832
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 005A585A
GetMenuItemID.USER32(?,?), ref: 005A58C9
GetSubMenu.USER32(?,?), ref: 005A58D7
PostMessageW.USER32(?,00000111,?,00000000), ref: 005A5928

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 70c0239d138745e15687c28a2b03680e0d739312e81dddbadd66d8225176dea5
Instruction ID: e5aff522789921c683ce6901212513d884b3449501be831d9eb67b18b2b6b521
Opcode Fuzzy Hash: 70c0239d138745e15687c28a2b03680e0d739312e81dddbadd66d8225176dea5
Instruction Fuzzy Hash: BA516D35E00616AFCF05EFA4C8459AEBBB4FF4A310F144469E901BB351DB34AE41DB90

Function 0057EEEC Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0057EF06
VariantClear.OLEAUT32(00000013), ref: 0057EF78
VariantClear.OLEAUT32(00000000), ref: 0057EFD3
_memmove.LIBCMT ref: 0057EFFD
VariantClear.OLEAUT32(?), ref: 0057F04A
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0057F078

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 316fccc70e72e85210a8f400bc6f92f7e42a8d4455091391f50480266ffb4823
Instruction ID: d616a97b79908e61d10ecfbc5675feae52a2a075f51b652923e63c641a1c41e9
Opcode Fuzzy Hash: 316fccc70e72e85210a8f400bc6f92f7e42a8d4455091391f50480266ffb4823
Instruction Fuzzy Hash: 1F515AB5A00209EFDB14CF58D884AAABBB8FF4D314B158569ED59DB301E335E911CFA0

Function 0058220A Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00582258
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 005822A3
IsMenu.USER32(00000000), ref: 005822C3
CreatePopupMenu.USER32 ref: 005822F7
GetMenuItemCount.USER32(000000FF), ref: 00582355
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00582386

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 7e6230005208fe40a4a911e2c159477604c83be20a5a5d27dafefd0f8d8ab94c
Instruction ID: b4143b24bb80387bfeb8ab5afae1788f3c6bfca9738c9a1aa5a0714ea4483740
Opcode Fuzzy Hash: 7e6230005208fe40a4a911e2c159477604c83be20a5a5d27dafefd0f8d8ab94c
Instruction Fuzzy Hash: BF519C70A0020AEFDF21EF68D898BADBFF5BF56314F104929EC51A7290DB749A44CB51

Function 00521765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00522612: GetWindowLongW.USER32(?,000000EB), ref: 00522623

BeginPaint.USER32(?,?,?,?,?,?), ref: 0052179A
GetWindowRect.USER32(?,?), ref: 005217FE
ScreenToClient.USER32(?,?), ref: 0052181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0052182C
EndPaint.USER32(?,?), ref: 00521876

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 7a5515411c38a0c98fdaa7ff6a2cb351c7b948a43f050fa9023e2a3b70b40601
Instruction ID: 3d9c9ef4f0ae5729d51abf8c69127a0460ef7f6ab09d5b41cdb83653d983f253
Opcode Fuzzy Hash: 7a5515411c38a0c98fdaa7ff6a2cb351c7b948a43f050fa9023e2a3b70b40601
Instruction Fuzzy Hash: 53419B31504A51AFD710DF24D8C8BAB7FE8FF66324F140629F9A48B2E1D7309849EB61

Function 005AB69E Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(005E57B0,00000000,00FB3838,?,?,005E57B0,?,005AB5A8,?,?), ref: 005AB712
EnableWindow.USER32(00000000,00000000), ref: 005AB736
ShowWindow.USER32(005E57B0,00000000,00FB3838,?,?,005E57B0,?,005AB5A8,?,?), ref: 005AB796
ShowWindow.USER32(00000000,00000004,?,005AB5A8,?,?), ref: 005AB7A8
EnableWindow.USER32(00000000,00000001), ref: 005AB7CC
SendMessageW.USER32(?,0000130C,?,00000000), ref: 005AB7EF

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: cacbbcd00456e994b67f99526c8a1bd6c63b5de069f89f00c9e5f2fc941c3680
Instruction ID: 83588cd6a742e04de7839d9806acfd0b94a6e5e4e2e377e93b652dc29dec3457
Opcode Fuzzy Hash: cacbbcd00456e994b67f99526c8a1bd6c63b5de069f89f00c9e5f2fc941c3680
Instruction Fuzzy Hash: B9416134600240AFEB26CF24C499B987FE1FF46310F1841B9E9498F6A3C771AC56DBA1

Function 0059709E Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00594E41,?,?,00000000,00000001), ref: 005970AC

Part of subcall function 005939A0: GetWindowRect.USER32(?,?), ref: 005939B3

GetDesktopWindow.USER32 ref: 005970D6
GetWindowRect.USER32(00000000), ref: 005970DD
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 0059710F

Part of subcall function 00585244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 005852BC

GetCursorPos.USER32(?), ref: 0059713B
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00597199

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 13bf41c2ec2e04cc7f05db581e098cabf8b001708e16d0641b0701eb112829cf
Instruction ID: 0a094bc3f5ca6efc8499bc1a837760346ea5350d3e974485f56f91a2e2dd9f63
Opcode Fuzzy Hash: 13bf41c2ec2e04cc7f05db581e098cabf8b001708e16d0641b0701eb112829cf
Instruction Fuzzy Hash: 7831C67250530AABD724DF54C849F5BBBE9FFC9314F00091AF58597191DB70EA09CB92

Function 0058EB23 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00529837: __itow.LIBCMT ref: 00529862
Part of subcall function 00529837: __swprintf.LIBCMT ref: 005298AC

Part of subcall function 0053FC86: _wcscpy.LIBCMT ref: 0053FCA9

_wcstok.LIBCMT ref: 0058EC94
_wcscpy.LIBCMT ref: 0058ED23
_memset.LIBCMT ref: 0058ED56

Strings

X, xrefs: 0058ED93

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 45ce2edb718d9db6820914fbe7b289e38dd94edc6e78ad69eb1444fa1a3a4bdb
Instruction ID: 4d30f63b9fff0945597522d68fb454fe37d5b8622059d6e2d6809f8586eb331c
Opcode Fuzzy Hash: 45ce2edb718d9db6820914fbe7b289e38dd94edc6e78ad69eb1444fa1a3a4bdb
Instruction Fuzzy Hash: 39C170315087129FC714EF24D88AA5ABBF4FF86314F00492DF9999B2A2DB30EC45CB42

Function 00578879 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 005780A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 005780C0
Part of subcall function 005780A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 005780CA
Part of subcall function 005780A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 005780D9
Part of subcall function 005780A9: RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 005780E0
Part of subcall function 005780A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 005780F6

GetLengthSid.ADVAPI32(?,00000000,0057842F), ref: 005788CA
GetProcessHeap.KERNEL32(00000008,00000000), ref: 005788D6
RtlAllocateHeap.NTDLL(00000000), ref: 005788DD
CopySid.ADVAPI32(00000000,00000000,?), ref: 005788F6
GetProcessHeap.KERNEL32(00000000,00000000,0057842F), ref: 0057890A
HeapFree.KERNEL32(00000000), ref: 00578911

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Heap$Process$AllocateInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 169236558-0
Opcode ID: 3b963c09b80456a1a8a5121cc5d1713ab1f0414545e86a47e5211ae92ff19f6e
Instruction ID: ae486315d66dae37bc031e448227e534e58340676e7f0226ed292731a58b1385
Opcode Fuzzy Hash: 3b963c09b80456a1a8a5121cc5d1713ab1f0414545e86a47e5211ae92ff19f6e
Instruction Fuzzy Hash: 6D11B131641209FFDB109FA4EC0DBBE7B68FB45311F148468F98997110CB329D04EB61

Function 0057B790 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0057B7B5
GetDeviceCaps.GDI32(00000000,00000058), ref: 0057B7C6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0057B7CD
ReleaseDC.USER32(00000000,00000000), ref: 0057B7D5
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0057B7EC
MulDiv.KERNEL32(000009EC,?,?), ref: 0057B7FE

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 108049dba70925fb46a39002e447e2f39f1008a2b8e1153f89446081daefff9a
Instruction ID: f758b8ba659ca94c460becb7554027bc5f14f84531ced7d5ff586d7e15d127a0
Opcode Fuzzy Hash: 108049dba70925fb46a39002e447e2f39f1008a2b8e1153f89446081daefff9a
Instruction Fuzzy Hash: E4018875E00209BBEB105BE69C49B5EBFB8EB59311F004075FA08A7291D6709C00DF90

Function 00540162 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00540193
MapVirtualKeyW.USER32(00000010,00000000), ref: 0054019B
MapVirtualKeyW.USER32(000000A0,00000000), ref: 005401A6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 005401B1
MapVirtualKeyW.USER32(00000011,00000000), ref: 005401B9
MapVirtualKeyW.USER32(00000012,00000000), ref: 005401C1

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 7158b081ab0677ab9cf60ba5b47d9abad0de71798899242d561a586914cb12de
Instruction ID: b730a25c0715643f9812a23932818ffa81e5bd1225f41c00f818249340e8b913
Opcode Fuzzy Hash: 7158b081ab0677ab9cf60ba5b47d9abad0de71798899242d561a586914cb12de
Instruction Fuzzy Hash: A3016CB09017597DE3008F5A8C85B52FFA8FF19354F00411BA15C47941C7F5A868CBE5

Function 005853E9 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 005853F9
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0058540F
GetWindowThreadProcessId.USER32(?,?), ref: 0058541E
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0058542D
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00585437
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0058543E

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 3bf68feaacbb7fb7723772c79492046fd3fc04f46a39d4396267a673ef1a4f9d
Instruction ID: 3f218cda61229ca966428bc3464e41d4b2074deaf056937720d251b592acaed8
Opcode Fuzzy Hash: 3bf68feaacbb7fb7723772c79492046fd3fc04f46a39d4396267a673ef1a4f9d
Instruction Fuzzy Hash: 54F01D32241558BBE7215BE2DC0DEAB7A7CEBD7B11F000169FA04D2061A7A11A05D7B5

Function 00587230 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00587243
RtlEnterCriticalSection.NTDLL(?), ref: 00587254
TerminateThread.KERNEL32(00000000,000001F6,?,00530EE4,?,?), ref: 00587261
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00530EE4,?,?), ref: 0058726E

Part of subcall function 00586C35: CloseHandle.KERNEL32(00000000,?,0058727B,?,00530EE4,?,?), ref: 00586C3F

InterlockedExchange.KERNEL32(?,000001F6), ref: 00587281
RtlLeaveCriticalSection.NTDLL(?), ref: 00587288

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 62b27501026a1c725da2588411c920450be6efc4881691075292130504e7d1d0
Instruction ID: b9759b8cf95a12722781d66e73ea5b0c128f1e295e6c8850ac6fca9d76730547
Opcode Fuzzy Hash: 62b27501026a1c725da2588411c920450be6efc4881691075292130504e7d1d0
Instruction Fuzzy Hash: 74F0823E540612EBD7622BA4ED4DAEB7B39FF5A702B100531F503A10B0DB765805DB50

Function 005985ED Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00598613
CharUpperBuffW.USER32(?,?), ref: 00598722
VariantClear.OLEAUT32(?), ref: 0059889A

Part of subcall function 00587562: VariantInit.OLEAUT32(00000000), ref: 005875A2
Part of subcall function 00587562: VariantCopy.OLEAUT32(00000000,?), ref: 005875AB
Part of subcall function 00587562: VariantClear.OLEAUT32(00000000), ref: 005875B7

Strings

Incorrect Parameter format, xrefs: 0059864B, 0059880D
AUTOIT.ERROR, xrefs: 00598728

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: e355d74bdcfff7f9fe635d947dda7ad326e3cf49b210806a7621bd62997f974b
Instruction ID: a150628557f7c8ddb2896687eec7b22755f0f38aa174b82c302c1efebfa9d43c
Opcode Fuzzy Hash: e355d74bdcfff7f9fe635d947dda7ad326e3cf49b210806a7621bd62997f974b
Instruction Fuzzy Hash: 6F914C716043029FCB10DF64C48496ABBE4FFDA714F14896EF89A8B3A1DB31E945CB51

Function 00582A96 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0053FC86: _wcscpy.LIBCMT ref: 0053FCA9

_memset.LIBCMT ref: 00582B87
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00582BB6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00582C69
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00582C97

Strings

0, xrefs: 00582B73

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 0a3f8c3b89f879270ca0965372e3c0903bd713668e42cb1a08392e573062b28f
Instruction ID: 3f71497e908773df9da97b3ca01440208be59c08fe3efcd7aa51deac7090d51e
Opcode Fuzzy Hash: 0a3f8c3b89f879270ca0965372e3c0903bd713668e42cb1a08392e573062b28f
Instruction Fuzzy Hash: B551CD71619301AAD729AE28D849A7FBFE8FF99314F140A2DFC95E61D0DB70CC049B52

Function 00533137 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 161COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00533277
_memmove.LIBCMT ref: 00533310
_free.LIBCMT ref: 00533336
_memmove.LIBCMT ref: 005333E9

Strings

3cS, xrefs: 00533225
_S, xrefs: 00533322

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: _memmove$_free
String ID: 3cS$_S
API String ID: 2620147621-3431193023
Opcode ID: 571d185ea6e58106ec958c8c9f46dcf117eedd510330abd0fdc14bcc11dab2ef
Instruction ID: 19ca25e07225573d479a8642d853883dbc22961bef0310e1b8333cc2f69f3896
Opcode Fuzzy Hash: 571d185ea6e58106ec958c8c9f46dcf117eedd510330abd0fdc14bcc11dab2ef
Instruction Fuzzy Hash: E2513971A043418FDB25CF28C885B6BBBE5BFC5314F44492DE98987351EB35E945CB42

Function 00536192 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00536248
_memmove.LIBCMT ref: 005362E4
_memset.LIBCMT ref: 00536308

Strings

3cS, xrefs: 005362AF
ERCP, xrefs: 005361B3

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: _memset$_memmove
String ID: 3cS$ERCP
API String ID: 2532777613-430453233
Opcode ID: 7a3b65a624f393bb0e45cf95b8c09db5964d14baf0f79b9cbb6bb5b392b8ce85
Instruction ID: 7232f70c6e483a2ae9cd152235d581105e47d3d25ae3d90872f2652a5b22b460
Opcode Fuzzy Hash: 7a3b65a624f393bb0e45cf95b8c09db5964d14baf0f79b9cbb6bb5b392b8ce85
Instruction Fuzzy Hash: 6F517F71900706EBDB24DF55C9457ABBFE4BF44314F20896EE54ACB291E770AA44CB50

Function 0057D56C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 0057D5D4
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0057D60A
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0057D61B
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0057D69D

Strings

DllGetClassObject, xrefs: 0057D610

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 87ecad87f3292ff766b2db1ee6a39e41ba8d639682e4b6a5470260aac1a58248
Instruction ID: b6ca10c4e53d63dc23d24813f71cb6ed7d7170326a4b4552c5e7b750aa6deea7
Opcode Fuzzy Hash: 87ecad87f3292ff766b2db1ee6a39e41ba8d639682e4b6a5470260aac1a58248
Instruction Fuzzy Hash: B1417CB1600205EFDB15DF64E888A9ABFB9FF84310F1581A9AD0D9F205D7B1D944EBB0

Function 00582753 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005827C0
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 005827DC
DeleteMenu.USER32(?,00000007,00000000), ref: 00582822
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,005E5890,00000000), ref: 0058286B

Strings

0, xrefs: 005827B5

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 93346bf4ad8f82c2e43dc1394674d7088aa30513d11f7187dd1d51d2c0afeb1f
Instruction ID: 0c3819e91ba7e4e7fada3bac03b5b044a1b8525ded5a63348f929590c402183b
Opcode Fuzzy Hash: 93346bf4ad8f82c2e43dc1394674d7088aa30513d11f7187dd1d51d2c0afeb1f
Instruction Fuzzy Hash: 61418070604342AFDB24EF24C848B5ABFE4FF85314F14492EF965A7291D730A905CB52

Function 0059D7A5 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0059D7C5

Part of subcall function 0052784B: _memmove.LIBCMT ref: 00527899

Strings

winapi, xrefs: 0059D836
stdcall, xrefs: 0059D847
none, xrefs: 0059D8A0
cdecl, xrefs: 0059D81C

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 4af12668c7e27346164a33c04993b581fc74cc2ec2e76af0039f3917dfe865a1
Instruction ID: 82659a62d7fa80dd25c924582142cdc550e8e5d005a9476cde8981232fd66e31
Opcode Fuzzy Hash: 4af12668c7e27346164a33c04993b581fc74cc2ec2e76af0039f3917dfe865a1
Instruction Fuzzy Hash: 9131C47190421AABCF10EF58CC559FEBBB4FF45320B108A2AE825977D2DB31AD05CB90

Function 00578E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00527DE1: _memmove.LIBCMT ref: 00527E22

Part of subcall function 0057AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0057AABC

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00578F14
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00578F27
SendMessageW.USER32(?,00000189,?,00000000), ref: 00578F57

Part of subcall function 00527BCC: _memmove.LIBCMT ref: 00527C06

Strings

ComboBox, xrefs: 00578E9E
ListBox, xrefs: 00578ED3

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: b552c9bc318b2fe21b772be6e4a2580f08455e953401d1a6313584d94c8821f5
Instruction ID: cad5eaf85346e71b668ba08b2f628c30e77c2704517dd82a9d952bf497b469eb
Opcode Fuzzy Hash: b552c9bc318b2fe21b772be6e4a2580f08455e953401d1a6313584d94c8821f5
Instruction Fuzzy Hash: 9421F271A40109BEDB14ABB0AC4DCFFBF69FF86320B14851AF429972E1DB354849E650

Function 0059182D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0059184C
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00591872
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 005918A2
InternetCloseHandle.WININET(00000000), ref: 005918E9

Part of subcall function 00592483: GetLastError.KERNEL32(?,?,00591817,00000000,00000000,00000001), ref: 00592498
Part of subcall function 00592483: SetEvent.KERNEL32(?,?,00591817,00000000,00000000,00000001), ref: 005924AD

Strings

, xrefs: 00591893

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 9d75e277ca264c2cddf68a64beadfbb427c7267e4b3f43099c5afa5bdde198ad
Instruction ID: 8ef461809b80449c78e2f7ebbc0c59580e336b13a5936cab45e63fd44d72ca64
Opcode Fuzzy Hash: 9d75e277ca264c2cddf68a64beadfbb427c7267e4b3f43099c5afa5bdde198ad
Instruction Fuzzy Hash: 5321C2B5500719BFEF119F60DC85EBF7BEDFB89784F10412AF40596140EB209D0467A4

Function 005A63E7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00521D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00521D73
Part of subcall function 00521D35: GetStockObject.GDI32(00000011), ref: 00521D87
Part of subcall function 00521D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00521D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 005A6461
LoadLibraryW.KERNEL32(?), ref: 005A6468
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 005A647D
DestroyWindow.USER32(?), ref: 005A6485

Strings

SysAnimate32, xrefs: 005A643C

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: f8339160e04ba8b4cc2f614d639ffec48854f54aa1c18fd65824a5258f20a72a
Instruction ID: f33c944d215d1d56dbfb2a7b62aea41bb782ac4921e540a1fa75969f4d59cf65
Opcode Fuzzy Hash: f8339160e04ba8b4cc2f614d639ffec48854f54aa1c18fd65824a5258f20a72a
Instruction Fuzzy Hash: 1F215E71100205ABEF104FA4DC84EBF7FA9FB5A764F18462AFA5097190D7719C51A760

Function 00586D9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00586DBC
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00586DEF
GetStdHandle.KERNEL32(0000000C), ref: 00586E01
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00586E3B

Strings

nul, xrefs: 00586E36

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: b5b981b58bc970218d982f5df9f5d023c3e4dc19d004e42ee216676b4d8db7c1
Instruction ID: 50d996e6fdb51c0b5033851542fbe0e647362e0d17d7bf15c6ec42a28e6cb836
Opcode Fuzzy Hash: b5b981b58bc970218d982f5df9f5d023c3e4dc19d004e42ee216676b4d8db7c1
Instruction Fuzzy Hash: 9821A47460020AABDB20AF69DC04B9A7FF8FF95720F204A19FCA1E72D0D7709955DB50

Function 00586E6A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00586E89
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00586EBB
GetStdHandle.KERNEL32(000000F6), ref: 00586ECC
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00586F06

Strings

nul, xrefs: 00586F01

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 8d331d08191904f844381bc9832d4af5b4578d23edbd9cb158e5d3296d051695
Instruction ID: 7c2cf2f7976276110327d9535b4e6648f469e855460dada2beee5cff854de95e
Opcode Fuzzy Hash: 8d331d08191904f844381bc9832d4af5b4578d23edbd9cb158e5d3296d051695
Instruction Fuzzy Hash: 8D2174796003059BDB20AF69DC04A9B7BA8FF55720F200A19FDE1E72D0DB70D855CB60

Function 0058AC40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0058AC54
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0058ACA8
__swprintf.LIBCMT ref: 0058ACC1
SetErrorMode.KERNEL32(00000000,00000001,00000000,005AF910), ref: 0058ACFF

Strings

%lu, xrefs: 0058ACBB

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 3b1ea8e23c99370370e465c2a2dafc960fa4064d784b091c70387441003acabb
Instruction ID: 941cfb152edf463b3e63cf3205508792d7c6295adbfc851a5174a7baa7805b21
Opcode Fuzzy Hash: 3b1ea8e23c99370370e465c2a2dafc960fa4064d784b091c70387441003acabb
Instruction Fuzzy Hash: 6C21743060020AAFDB10EF55D945DAE7FB8FF8A714B004069F909AB351DB71EA45DB61

Function 00581142 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0057FCED,?,00580D40,?,00008000), ref: 0058115F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,0057FCED,?,00580D40,?,00008000), ref: 00581184
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0057FCED,?,00580D40,?,00008000), ref: 0058118E
Sleep.KERNEL32(?,?,?,?,?,?,?,0057FCED,?,00580D40,?,00008000), ref: 005811C1

Strings

@X, xrefs: 0058119D

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID: @X
API String ID: 2875609808-1606808409
Opcode ID: 665939e824bdc969377f9f68799583945eb238bc0a9bc751e7a6d5e21c0f39e7
Instruction ID: c05ef009231dd063cabd81a8fb48854fa63da46d580cee97ab853b42fe51f471
Opcode Fuzzy Hash: 665939e824bdc969377f9f68799583945eb238bc0a9bc751e7a6d5e21c0f39e7
Instruction Fuzzy Hash: AF111831D00919D7CF00AFA5D849AEEBF78FB1A711F004456EE85B2240CB709556DB99

Function 0059EB55 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0059EC07
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0059EC37
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0059ED6A
CloseHandle.KERNEL32(?), ref: 0059EDEB

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 94dbd1ac09aa588f1129bff158b45f7dd6a9253cd738b85ccacbc5b53762b651
Instruction ID: c4d9e612e059674973daba83bc22381596b798599a0f017e7056122b65d88999
Opcode Fuzzy Hash: 94dbd1ac09aa588f1129bff158b45f7dd6a9253cd738b85ccacbc5b53762b651
Instruction Fuzzy Hash: 548161716043119FDB24EF28D84AF2ABBE5BF89710F44881DF9999B3D2D670AC44CB91

Function 005A0037 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00527DE1: _memmove.LIBCMT ref: 00527E22

Part of subcall function 005A0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0059FDAD,?,?), ref: 005A0E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005A00FD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 005A013C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 005A0183
RegCloseKey.ADVAPI32(?,?), ref: 005A01AF
RegCloseKey.ADVAPI32(00000000), ref: 005A01BC

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 4026d195f001decb3fd0cdea78f85499fd6bbfd271df68ef017b2e455797db13
Instruction ID: 71b373b72d52884cf5788c7a08f05b57f598cdca83923f3e08f5d3e120cc4ca6
Opcode Fuzzy Hash: 4026d195f001decb3fd0cdea78f85499fd6bbfd271df68ef017b2e455797db13
Instruction Fuzzy Hash: C3518D71218205AFD704EF54DC85EAEBBE8FF86304F40492DF595872A2DB31E944DB52

Function 0059D8C8 Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00529837: __itow.LIBCMT ref: 00529862
Part of subcall function 00529837: __swprintf.LIBCMT ref: 005298AC

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0059D927
GetProcAddress.KERNEL32(00000000,?), ref: 0059D9AA
GetProcAddress.KERNEL32(00000000,00000000), ref: 0059D9C6
GetProcAddress.KERNEL32(00000000,?), ref: 0059DA07
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0059DA21

Part of subcall function 00525A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00587896,?,?,00000000), ref: 00525A2C
Part of subcall function 00525A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00587896,?,?,00000000,?,?), ref: 00525A50

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 8c00a972268625ed0b318a92cf1d9900b9d26e828a8c49c7b5afe2cb322cbaeb
Instruction ID: 3cebcc8cdf12bd9c82817ebf0470436c1d1cfa658189a8683ec8b84be946b6f2
Opcode Fuzzy Hash: 8c00a972268625ed0b318a92cf1d9900b9d26e828a8c49c7b5afe2cb322cbaeb
Instruction Fuzzy Hash: F9512935A0421ADFCB00EFA8D4889ADBBF4FF5A320B448065E855AB352DB31ED45CF50

Function 0058E571 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0058E61F
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0058E648
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0058E687

Part of subcall function 00529837: __itow.LIBCMT ref: 00529862
Part of subcall function 00529837: __swprintf.LIBCMT ref: 005298AC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0058E6AC
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0058E6B4

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: c694ed87504ad99934304641320c6e7d7cad79cc1b14d3ca78ac3a136101b8be
Instruction ID: 56c8c9b5bc33c6fd0c3dda881f5a6c875713b3aadd0beec06fef5fac017c8271
Opcode Fuzzy Hash: c694ed87504ad99934304641320c6e7d7cad79cc1b14d3ca78ac3a136101b8be
Instruction Fuzzy Hash: 63513939A00116DFCB04EF65D985AADBBF5FF4A314F1480A9E809AB3A1DB31ED11DB50

Function 005AA056 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8f9ccc16de418c7681682fe259491ee8c20dfdd6f0c6eb3392cfa6987e550ac
Instruction ID: 95004bcc842c98ee66fa18dd38915cd5f7c626ada66d28a178759410276c7b59
Opcode Fuzzy Hash: a8f9ccc16de418c7681682fe259491ee8c20dfdd6f0c6eb3392cfa6987e550ac
Instruction Fuzzy Hash: BF419E35904244BFD724DB68CC88FADBFA8FB0B310F140565E856A72E1D730AD45EAA1

Function 00522344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00522357
ScreenToClient.USER32(005E57B0,?), ref: 00522374
GetAsyncKeyState.USER32(00000001), ref: 00522399
GetAsyncKeyState.USER32(00000002), ref: 005223A7

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: c29817e1043e652fb7cadde1aa05a9345458be3b4a8a7d9eb4a36c1c90f199d9
Instruction ID: 19f2c9dbd2f37614eab14c02b3924d8c6f84773f0a1b7e0c4a8da839861278e0
Opcode Fuzzy Hash: c29817e1043e652fb7cadde1aa05a9345458be3b4a8a7d9eb4a36c1c90f199d9
Instruction Fuzzy Hash: 53416F39604215FFDB15DF68C848AEDBFB4BF16361F20471AE829922E0C734A954DB91

Function 005763AA Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 005763E7
TranslateAcceleratorW.USER32(?,?,?), ref: 00576433
TranslateMessage.USER32(?), ref: 0057645C
DispatchMessageW.USER32(?), ref: 00576466
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00576475

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: ba559cd30b2516273cf7372004977991dbaf67da1491076ef52f3b9337c5cecd
Instruction ID: b155e4b2cbe3f42b351fd8e075e8439330b4762015c5e3514c126f40b626dc11
Opcode Fuzzy Hash: ba559cd30b2516273cf7372004977991dbaf67da1491076ef52f3b9337c5cecd
Instruction Fuzzy Hash: 8931E471900A82AFDF288FB0ECC4BB67FA9BB11304F148565E569C70A0E7359849FB60

Function 00578A1F Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00578A30
PostMessageW.USER32(?,00000201,00000001), ref: 00578ADA
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00578AE2
PostMessageW.USER32(?,00000202,00000000), ref: 00578AF0
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00578AF8

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 7dba5317b405e14a45f8cbd00745599299c1a5aa92eb964327c14f19fb9d9f12
Instruction ID: 9f96dc3bbc2dcdfdac8cf6b89b37dd9022773b14dd0d24e48e5afc3703c1ea1b
Opcode Fuzzy Hash: 7dba5317b405e14a45f8cbd00745599299c1a5aa92eb964327c14f19fb9d9f12
Instruction Fuzzy Hash: 4131C471500219EBDF14CFA8E94CAAE3FB5FB15325F108229F929DB1D0C7709914EB90

Function 0057B1EC Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0057B204
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0057B221
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0057B259
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0057B27F
_wcsstr.LIBCMT ref: 0057B289

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 5c5fa8cbb89b21b1d374db64a670243fec520620d800c0b06627783d957e1aeb
Instruction ID: 333a1e037dd89ae6cb702d1825de615251d5f7f884dc3fd06d3ca57480ce72eb
Opcode Fuzzy Hash: 5c5fa8cbb89b21b1d374db64a670243fec520620d800c0b06627783d957e1aeb
Instruction Fuzzy Hash: 9921F5756052017AFB155B75AC0DF7F7FACEF89710F108129F808DA1A2EF619C40A3A0

Function 005AB14B Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00522612: GetWindowLongW.USER32(?,000000EB), ref: 00522623

GetWindowLongW.USER32(?,000000F0), ref: 005AB192
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 005AB1B7
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 005AB1CF
GetSystemMetrics.USER32(00000004), ref: 005AB1F8
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00590E90,00000000), ref: 005AB216

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 92c65c746aef318b385a5163ce3c1590bfa65d55fb93f95b3aa66e81d525bec2
Instruction ID: 78418c62775d1cfca7bc37f7cda6395996c83e5a1a3d70f759a7b4112eeb7599
Opcode Fuzzy Hash: 92c65c746aef318b385a5163ce3c1590bfa65d55fb93f95b3aa66e81d525bec2
Instruction Fuzzy Hash: 0721AD31A10661AFDB249F789C04B6E3BA4FF17321F204B29B922C71E1E7309820DB90

Function 00579307 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00579320

Part of subcall function 00527BCC: _memmove.LIBCMT ref: 00527C06

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00579352
__itow.LIBCMT ref: 0057936A
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00579392
__itow.LIBCMT ref: 005793A3

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 601c436acb21d150a87b433e3732b429ccbfe361ab88b7e5f1c692f2fb75687d
Instruction ID: 31d0c81304eec076a24323f7a03ecfeb84752069149cc635d635979eee4514da
Opcode Fuzzy Hash: 601c436acb21d150a87b433e3732b429ccbfe361ab88b7e5f1c692f2fb75687d
Instruction Fuzzy Hash: 0D21D731700219ABDB109FA4AC89EEE7FA9FFDA710F048425FD09E71D1D6B08D45A7A1

Function 00595A4D Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00595A6E
GetForegroundWindow.USER32 ref: 00595A85
GetDC.USER32(00000000), ref: 00595AC1
GetPixel.GDI32(00000000,?,00000003), ref: 00595ACD
ReleaseDC.USER32(00000000,00000003), ref: 00595B08

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: e8a94763a501b8ffcdbce4c3e5e4a3c0d5c72ecad4e884858c076fb62e0ce1b8
Instruction ID: dd99a7404801bf5bca2c7bc849cb0d6f497243909c7275e0cdaf733eaa2f0472
Opcode Fuzzy Hash: e8a94763a501b8ffcdbce4c3e5e4a3c0d5c72ecad4e884858c076fb62e0ce1b8
Instruction Fuzzy Hash: DD21C335A00104AFDB14EFA4DC88AAABBF5FF99311F148479F909D7362DA30AC04DB90

Function 005212F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0052134D
SelectObject.GDI32(?,00000000), ref: 0052135C
BeginPath.GDI32(?), ref: 00521373
SelectObject.GDI32(?,00000000), ref: 0052139C

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 9da93526d6102adffe8b426fcd9587735d48959ad074923272712c9b4bfa30d6
Instruction ID: abc1487d40eb1ad0b8717a55b9cc91264dbcef6d93487d91d16b029269000c16
Opcode Fuzzy Hash: 9da93526d6102adffe8b426fcd9587735d48959ad074923272712c9b4bfa30d6
Instruction Fuzzy Hash: 0721B231804A54EFDB10CF24EC8876A3FA9FB31315F244626F8419A0F0E7B08899EF94

Function 00584A93 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00584ABA
__beginthreadex.LIBCMT ref: 00584AD8
MessageBoxW.USER32(?,?,?,?), ref: 00584AED
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00584B03
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00584B0A

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 38ee996f15252f221d0ed211bfacbea16315132c1def391069cbe9a31622d4c1
Instruction ID: f13fd34156a18b1845ab52d78f858c1fbea7462831fe632afc8705fe8cd6691c
Opcode Fuzzy Hash: 38ee996f15252f221d0ed211bfacbea16315132c1def391069cbe9a31622d4c1
Instruction Fuzzy Hash: 9B114876904245BBCB04AFA8EC48A9B7FADFB55325F144269FD14E3250E771C9088BA0

Function 00578202 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0057821E
GetLastError.KERNEL32(?,00577CE2,?,?,?), ref: 00578228
GetProcessHeap.KERNEL32(00000008,?,?,00577CE2,?,?,?), ref: 00578237
RtlAllocateHeap.NTDLL(00000000,?,00577CE2), ref: 0057823E
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00578255

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocateErrorLastProcess
String ID:
API String ID: 883493501-0
Opcode ID: bca70939ed6de73157836e8b306f621e647ae4f95a1a054c85ad2fd9e02cbebd
Instruction ID: 58b45d89193b5f682bb1ed890387db9485f5c3a040d462bef5e0d0d7fc605b56
Opcode Fuzzy Hash: bca70939ed6de73157836e8b306f621e647ae4f95a1a054c85ad2fd9e02cbebd
Instruction Fuzzy Hash: 3B014675280204AFDB204FA6EC4CD6B7FADFF9A756B504469F809C3220DA318C04EB60

Function 0057710A Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.COMBASE ref: 00577127
ProgIDFromCLSID.COMBASE(?,00000000), ref: 00577142
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00577044,80070057,?,?), ref: 00577150
CoTaskMemFree.COMBASE(00000000), ref: 00577160
CLSIDFromString.COMBASE(?,?), ref: 0057716C

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: b7bb9c0994f341047fc783afb504312102950c4bb94a08ed0d291780d3735693
Instruction ID: 75260d873441d450fdc213f002b4045ed1cb4742598b9a3a170faf4af0725a79
Opcode Fuzzy Hash: b7bb9c0994f341047fc783afb504312102950c4bb94a08ed0d291780d3735693
Instruction Fuzzy Hash: F3017C76601209AFDB114FA4FC44AAA7FADFB49791F1481B4FD08D2220DB75DD40EBA0

Function 00585244 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00585260
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0058526E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00585276
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00585280
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 005852BC

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: dd20c0d0c1ef8a4ada47d3d958d728eb8d8a2099f0c5b23b3fcfa74cb5fbba5e
Instruction ID: 19ab0d206db618419f611bcf4ffb2019abf77b177e98c482085c3a8888b193f5
Opcode Fuzzy Hash: dd20c0d0c1ef8a4ada47d3d958d728eb8d8a2099f0c5b23b3fcfa74cb5fbba5e
Instruction Fuzzy Hash: 66015739D01A29DBDF00EFE4E848AEDBF78BB19311F400566E982B2140DF305958DBA1

Function 0057810A Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00578121
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0057812B
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0057813A
RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 00578141
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00578157

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: HeapInformationToken$AllocateErrorLastProcess
String ID:
API String ID: 47921759-0
Opcode ID: d382cd243c7ba590851e6a1cb3a7fcf7ee9c38a7830ebc62a8f13dc89dad2e6e
Instruction ID: 46e6391d87265c51adb62fd6ac7d86768971b608979a0a4de7f8de8c7107dc90
Opcode Fuzzy Hash: d382cd243c7ba590851e6a1cb3a7fcf7ee9c38a7830ebc62a8f13dc89dad2e6e
Instruction Fuzzy Hash: F9F03C71340304AFEB110FA5EC8CE7B3BACFF4A655B404025F94986150CF619945EB60

Function 0057C1E3 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0057C1F7
GetWindowTextW.USER32(00000000,?,00000100), ref: 0057C20E
MessageBeep.USER32(00000000), ref: 0057C226
KillTimer.USER32(?,0000040A), ref: 0057C242
EndDialog.USER32(?,00000001), ref: 0057C25C

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: b1523e3c7d4f66011a615f589ffd417915f56e331152a5c7477434344067839d
Instruction ID: b070d2c997570ee60cd8b1f5bc75c1cd4f8a4f79ddd2167a4b92ce5d657763ff
Opcode Fuzzy Hash: b1523e3c7d4f66011a615f589ffd417915f56e331152a5c7477434344067839d
Instruction Fuzzy Hash: 5A01A234404304ABEB205FA0ED4EF967FB8FF11B06F00466DA5C6A24E1DBE06948AB90

Function 005213B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 005213BF
StrokeAndFillPath.GDI32(?,?,0055B888,00000000,?), ref: 005213DB
SelectObject.GDI32(?,00000000), ref: 005213EE
DeleteObject.GDI32 ref: 00521401
StrokePath.GDI32(?), ref: 0052141C

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 9585e99315ec63ee771ccb98c8d6aeec7437e863b41c35bd3646722c1bcb174c
Instruction ID: 05b01307439d5a7c57a814f9ec6c3611bad2a228a05d3ab31ffe271512be2c4f
Opcode Fuzzy Hash: 9585e99315ec63ee771ccb98c8d6aeec7437e863b41c35bd3646722c1bcb174c
Instruction Fuzzy Hash: 37F0CD30008A48DBDB195F66EC8C7593FA5BB3232AF188224E5AA490F1D771459DEF54

Function 00578992 Relevance: 7.5, APIs: 5, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0057899D
CloseHandle.KERNEL32(?), ref: 005789B2
CloseHandle.KERNEL32(?), ref: 005789BA
GetProcessHeap.KERNEL32(00000000,?), ref: 005789C3
HeapFree.KERNEL32(00000000), ref: 005789CA

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessSingleWait
String ID:
API String ID: 3751786701-0
Opcode ID: 40fa2ed2e96c30830c0c3096a780a0dc95788ccd3ba01a0079ea3fb199ca1abe
Instruction ID: f259290f2e9e2bcbee263662e06a61722d1bf11502bd9a5a607436ad774fbef2
Opcode Fuzzy Hash: 40fa2ed2e96c30830c0c3096a780a0dc95788ccd3ba01a0079ea3fb199ca1abe
Instruction Fuzzy Hash: 13E05276104505FFDB011FE5EC0C95ABB69FBAA762B508631F21981470CB329469EB90

Function 00532CFB Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00540DB6: std::exception::exception.LIBCMT ref: 00540DEC
Part of subcall function 00540DB6: __CxxThrowException@8.LIBCMT ref: 00540E01

Part of subcall function 00527DE1: _memmove.LIBCMT ref: 00527E22

Part of subcall function 00527A51: _memmove.LIBCMT ref: 00527AAB

__swprintf.LIBCMT ref: 00532ECD

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00532D66

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: f1e2c25e22795c39b00b18ff7f25f6042256edc5d027ded462ea664adeb93d71
Instruction ID: 7498173c5e5cdbf38396f58ef9531f8ad5963ca7f1aba6793a668e0b2613f527
Opcode Fuzzy Hash: f1e2c25e22795c39b00b18ff7f25f6042256edc5d027ded462ea664adeb93d71
Instruction Fuzzy Hash: 80913A715087169FC714EF24D89AC6EBFA8FF8A710F00491DF5969B2A1EA30ED44CB52

Function 0058B93B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00524750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00524743,?,?,005237AE,?), ref: 00524770

CoInitialize.OLE32(00000000), ref: 0058B9BB
CoCreateInstance.COMBASE(005B2D6C,00000000,00000001,005B2BDC,?), ref: 0058B9D4
CoUninitialize.COMBASE ref: 0058B9F1

Part of subcall function 00529837: __itow.LIBCMT ref: 00529862
Part of subcall function 00529837: __swprintf.LIBCMT ref: 005298AC

Strings

.lnk, xrefs: 0058B99D, 0058B9AB

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: f2bcc261a63f30da2a9dad0c870dac9373908f1c3cefb2b955c3de467602763b
Instruction ID: 5885c8bc36ea52a907fa565310e12601072a6ea1bd0ca86a1cc1fc2452fa72cb
Opcode Fuzzy Hash: f2bcc261a63f30da2a9dad0c870dac9373908f1c3cefb2b955c3de467602763b
Instruction Fuzzy Hash: 82A17A756043129FDB14EF14C484D6ABBE9FF8A314F048998F899AB3A1CB31ED45CB91

Function 0057B2F3 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 0057B4BE

Strings

%[, xrefs: 0057B561
Container, xrefs: 0057B43B
AutoIt3GUI, xrefs: 0057B436

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container$%[
API String ID: 3565006973-249053226
Opcode ID: 61db4d18f4eabc6d785adb1f21c1cfb483526cdf2bc72a7349468f9d46c7080e
Instruction ID: 5a91b60d080577a8e49887901d5baba28b47ae3d5db08d265a8af59ca89ac223
Opcode Fuzzy Hash: 61db4d18f4eabc6d785adb1f21c1cfb483526cdf2bc72a7349468f9d46c7080e
Instruction Fuzzy Hash: 12913A70600601AFEB14DF68D884B6ABBF5FF49714F20856EF94ACB291EB71E841DB50

Function 0054501D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 005450AD

Part of subcall function 005500F0: __87except.LIBCMT ref: 0055012B

Strings

pow, xrefs: 00545085, 005450A2

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 737df89aa651fc99c45d2394c5c3f68857e96858f18a72b7cb386bb74636783c
Instruction ID: d4df99d5c6d9ac025a4de9f7de5d72121b388a22d8626a7a3d37e56006198133
Opcode Fuzzy Hash: 737df89aa651fc99c45d2394c5c3f68857e96858f18a72b7cb386bb74636783c
Instruction Fuzzy Hash: 2F517035908A0687DB117B14CC2D3BE2F90BB80705F205D5AE8D9861DBFE348DCCDA86

Function 00568584 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 148COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0056862B
_memmove.LIBCMT ref: 00568685

Strings

3cS, xrefs: 0056860C
_S, xrefs: 005686FF, 0056DFDC, 0056DFF8

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: _memmove
String ID: 3cS$_S
API String ID: 4104443479-3431193023
Opcode ID: ecb9d526df9f95372d5c92470285efda91a4c363a5943603f5cb6c205db4202f
Instruction ID: 3c1329e02ee3dd4686de4771496d35f4b4c663ddd1a8aa64e6158221327d49d8
Opcode Fuzzy Hash: ecb9d526df9f95372d5c92470285efda91a4c363a5943603f5cb6c205db4202f
Instruction Fuzzy Hash: 27514D70E006099FCF24CFA8C884ABEBBB1FF55304F248529E85AD7250EB31A955CF51

Function 005797F5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005814BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00579296,?,?,00000034,00000800,?,00000034), ref: 005814E6

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0057983F

Part of subcall function 00581487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,005792C5,?,?,00000800,?,00001073,00000000,?,?), ref: 005814B1

Part of subcall function 005813DE: GetWindowThreadProcessId.USER32(?,?), ref: 00581409
Part of subcall function 005813DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0057925A,00000034,?,?,00001004,00000000,00000000), ref: 00581419
Part of subcall function 005813DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0057925A,00000034,?,?,00001004,00000000,00000000), ref: 0058142F

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 005798AC
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 005798F9

Strings

@, xrefs: 00579911

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: d9b7fcb7afa6661de54cbdd7e3e6548a97b81af4ec382b39b37def1b80a3b492
Instruction ID: 16d03349ff2262ee1efa64999147734270e478514a4131ddb355256fb9fcdc52
Opcode Fuzzy Hash: d9b7fcb7afa6661de54cbdd7e3e6548a97b81af4ec382b39b37def1b80a3b492
Instruction Fuzzy Hash: E0416E76900219BFDF10EFA4CC85ADEBBB8FB49300F004099FA45B7191DA716E45DBA1

Function 005A7946 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,005AF910,00000000,?,?,?,?), ref: 005A79DF
GetWindowLongW.USER32 ref: 005A79FC
SetWindowLongW.USER32(?,000000F0,00000000), ref: 005A7A0C

Strings

SysTreeView32, xrefs: 005A79B1

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: adae23e23716d0c69f108f45340cc05cc3fc0e109566be9727495e31ec0ea10f
Instruction ID: a27d15292693c94fea29f39d83473764fc1f2642437dfa0631e229f87ab841a5
Opcode Fuzzy Hash: adae23e23716d0c69f108f45340cc05cc3fc0e109566be9727495e31ec0ea10f
Instruction Fuzzy Hash: 6331CE3120460AAFDB118E78DC45BEB7BA9FF4A324F208725F875922E0D730ED509B50

Function 005A73D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 005A7461
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 005A7475
SendMessageW.USER32(?,00001002,00000000,?), ref: 005A7499

Strings

SysMonthCal32, xrefs: 005A742C

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: e2156e59fd2062934464b110b0e31d09bebcef0c3990969a586e011cc1523bb6
Instruction ID: a696e6a766ce2ee62a54b94457efa6e9d5a5ecf6308164391d8da86dd22644ca
Opcode Fuzzy Hash: e2156e59fd2062934464b110b0e31d09bebcef0c3990969a586e011cc1523bb6
Instruction Fuzzy Hash: 5A21B132500219ABDF118EA4CC46FEE3F69FF8D724F110114FE156B1D0DA75AC559BA0

Function 005A6CB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 005A6D3B
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 005A6D4B
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 005A6D70

Strings

Listbox, xrefs: 005A6D08

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: ee1555a664a54ac513a5095d8ef050dbe1b7fe7c5012e58d609fcf03cac62570
Instruction ID: 6bc327b5edea89fd29535e423a7bcd89907d8567a78fa5622a1b727de2bcf67b
Opcode Fuzzy Hash: ee1555a664a54ac513a5095d8ef050dbe1b7fe7c5012e58d609fcf03cac62570
Instruction Fuzzy Hash: A4218032610118BFDF158F54DC45EAF3BAAFF8A760F058124FA459B1A0C6719C519BA0

Function 005939E9 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00593A66

Part of subcall function 00527DE1: _memmove.LIBCMT ref: 00527E22

Strings

AUTOITCALLVARIABLE%d, xrefs: 00593A58
%[, xrefs: 005939F4
, $, xrefs: 00593AA6

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d$%[
API String ID: 3506404897-741242068
Opcode ID: d15c86547e6253e816a3a4406e533909fe8c2fc41f45e654a78a926645694210
Instruction ID: 5f8a99ee20955743ebbef35e5959287f576c05c160f33bdd49798efdc8fbba53
Opcode Fuzzy Hash: d15c86547e6253e816a3a4406e533909fe8c2fc41f45e654a78a926645694210
Instruction Fuzzy Hash: 6D21503160022AEFCF10EFA4DC86AAE7FB5BF89700F504455E555AB291DA30EA45CB61

Function 005A770E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 005A7772
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 005A7787
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 005A7794

Strings

msctls_trackbar32, xrefs: 005A7749

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 98cd3454500bcd8a34a8f8bb0681d35b687cbb993c9ec845ff6da3f0d6670e83
Instruction ID: 8398c71fa40ca85829179f5afe38e7fafda543de35bab083b9140bf7fc371fe9
Opcode Fuzzy Hash: 98cd3454500bcd8a34a8f8bb0681d35b687cbb993c9ec845ff6da3f0d6670e83
Instruction Fuzzy Hash: BF112332204209BAEF245F64DC05FEB3BA9FF8EB54F010129FA41A60A0D272E811DB20

Function 00546B71 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00546B93
__calloc_crt.LIBCMT ref: 00546BAC

Strings

], xrefs: 00546BD1
@B^, xrefs: 00546BC3

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: __calloc_crt
String ID: ]$@B^
API String ID: 3494438863-2679402885
Opcode ID: 3e06157a789f801e38aa6892fe5947dd3d56ea016fa92ff17cd979adc402cf03
Instruction ID: f88fff1bcceee935765de2b0499f6acb6e7a197f31d662f7f55e696f0e296fad
Opcode Fuzzy Hash: 3e06157a789f801e38aa6892fe5947dd3d56ea016fa92ff17cd979adc402cf03
Instruction Fuzzy Hash: 1AF0A475604A128BF7299F18BCA2BE62FD5F75133CB10041BE340CE280FB3088449681

Function 00524B37 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00524AD0), ref: 00524B45
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00524B57

Strings

GetNativeSystemInfo, xrefs: 00524B51
kernel32.dll, xrefs: 00524B40

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 4ba00842b0c3d53b9f051061a05d32951c68c56e0c0029d307e0e7f84323d071
Instruction ID: 2c6592296a82ab1f323b922d67357e6634960a5cab581d1de091638674b17682
Opcode Fuzzy Hash: 4ba00842b0c3d53b9f051061a05d32951c68c56e0c0029d307e0e7f84323d071
Instruction Fuzzy Hash: C3D01234A10727CFDB209FB1E858B467AE4BF17351B118839D4C6D6190D670D480CF64

Function 00524C03 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00524BD0,?,00524DEF,?,005E52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00524C11
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00524C23

Strings

Wow64DisableWow64FsRedirection, xrefs: 00524C1D
kernel32.dll, xrefs: 00524C0C

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 2569916c0aaece91b96dde0b0c1a8d3026a98bebcbfea5c4eb7ef789b836c817
Instruction ID: eab64be0f4452f7a18d99cdc8b49ee34bc846a6e6b8ed2a47242fb120bf027be
Opcode Fuzzy Hash: 2569916c0aaece91b96dde0b0c1a8d3026a98bebcbfea5c4eb7ef789b836c817
Instruction Fuzzy Hash: DED01230511723CFD720AFB5ED48646BEE5FF1A352B118C3AD485D6190E6B0D880CB60

Function 00524C36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00524B83,?), ref: 00524C44
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00524C56

Strings

kernel32.dll, xrefs: 00524C3F
Wow64RevertWow64FsRedirection, xrefs: 00524C50

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 7f80ff30e4a27e42582447068284f49c457bb35d7948f53bd6a80da2f9ee12ef
Instruction ID: 93018dce92ab62808ff2ea63ace831825d4563af70ad2a1384fc97640830d046
Opcode Fuzzy Hash: 7f80ff30e4a27e42582447068284f49c457bb35d7948f53bd6a80da2f9ee12ef
Instruction Fuzzy Hash: ABD01730510723CFD7209FB9E94864A7BE4BF16351F11883AD496E62A0E670D880CB60

Function 005A0DE7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,005A1039), ref: 005A0DF5
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 005A0E07

Strings

RegDeleteKeyExW, xrefs: 005A0E01
advapi32.dll, xrefs: 005A0DF0

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 961a59df25f42cf7235323652a9f7c11908bc2f7df678183c805cba717bce331
Instruction ID: b311ae7bded1a48482f52065d2828e5937221694113a76d9d76207e5a6c65e74
Opcode Fuzzy Hash: 961a59df25f42cf7235323652a9f7c11908bc2f7df678183c805cba717bce331
Instruction Fuzzy Hash: 0DD01270550712CFD7209FB5D8486467AD9BF26352F119C7FD485D6290D6B0D490D750

Function 005990E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00598CF4,?,005AF910), ref: 005990EE
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00599100

Strings

GetModuleHandleExW, xrefs: 005990FA
kernel32.dll, xrefs: 005990E9

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: dc6e4d07e6dbe4f2db9e64d9918e30c442bab11faf29cbca10b9c1e8c0f2f3dc
Instruction ID: ae54bea39334c9168a603c77ff93b087f51378e22e955ee9e7711f9933412e94
Opcode Fuzzy Hash: dc6e4d07e6dbe4f2db9e64d9918e30c442bab11faf29cbca10b9c1e8c0f2f3dc
Instruction Fuzzy Hash: B6D01734510713CFDB209FB9D8586467AE4BF16352B168C3ED486D6690EB70C880DBA0

Function 00561714 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00561718
__swprintf.LIBCMT ref: 00561749

Strings

WIN_XPe, xrefs: 00561788
%.3d, xrefs: 00561723

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 2aa3c964e34093e425c20184ecaf78ac636ef73010fe497ff436ff62dae09303
Instruction ID: 4900fc7b456aca4c008963ae67e551a7fb182adae95b83a9bf278f7dd50bf865
Opcode Fuzzy Hash: 2aa3c964e34093e425c20184ecaf78ac636ef73010fe497ff436ff62dae09303
Instruction Fuzzy Hash: A5D01771804519EACB549A909C888F97F7CFB19301F180962B406E3080E226AB94EA29

Function 0057717D Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f196a2d0453514c6ca42280da3db1f9d2ac518f05dbc8397510defaf5fbdb93a
Instruction ID: ba1c9a13ed8fba2a2bc84b0d49e6225571760152380c7dbfa3a83bf66aa7b064
Opcode Fuzzy Hash: f196a2d0453514c6ca42280da3db1f9d2ac518f05dbc8397510defaf5fbdb93a
Instruction Fuzzy Hash: 96C16274A0421AEFCB14CFA4E884DAEBBB5FF4C714B158998E809DB251D730DD41EB90

Function 0059E02A Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 0059E0BE
CharLowerBuffW.USER32(?,?), ref: 0059E101

Part of subcall function 0059D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0059D7C5

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0059E301
_memmove.LIBCMT ref: 0059E314

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: f6db6e6c85810c24fc07e1fea34f9457ac1f46e565071bf42c29114c83a12b9c
Instruction ID: 28963d5e1c7c18e13d981de2385d828a77fe49fb64339fa04da278f1e5e5e14e
Opcode Fuzzy Hash: f6db6e6c85810c24fc07e1fea34f9457ac1f46e565071bf42c29114c83a12b9c
Instruction Fuzzy Hash: 86C15971608311DFCB04DF28C485A6ABBE4FF89714F14896DF8999B391D731E946CB82

Function 00598093 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 005980C3
CoUninitialize.COMBASE ref: 005980CE

Part of subcall function 0057D56C: CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 0057D5D4

VariantInit.OLEAUT32(?), ref: 005980D9
VariantClear.OLEAUT32(?), ref: 005983AA

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 4736af7d0688418116ba19e158092bbe62a6eefead255f3460c80fdad12b6aa9
Instruction ID: 3078221dd348db69288af638844f693473f8918d146524dbed2ce9ff3e109b85
Opcode Fuzzy Hash: 4736af7d0688418116ba19e158092bbe62a6eefead255f3460c80fdad12b6aa9
Instruction Fuzzy Hash: F3A17D756047129FCB04DF64C885B2ABBE4BF8A714F18485CF9969B3A1CB34EC45CB86

Function 00577530 Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.COMBASE(?,00000000), ref: 005776EA
CoTaskMemFree.COMBASE(00000000), ref: 00577702
CLSIDFromProgID.COMBASE(?,?), ref: 00577727
_memcmp.LIBCMT ref: 00577748

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 9b34263780c725e0bea2f52d4656295fea7833360f46bd5c045edbc11b415953
Instruction ID: b64ee4345f1a45927da7bc90a20ce5ef8261bc7424d16410ebfa98f67876b38f
Opcode Fuzzy Hash: 9b34263780c725e0bea2f52d4656295fea7833360f46bd5c045edbc11b415953
Instruction Fuzzy Hash: 3B81FD75A00109EFCB04DFA4D988DEEBBB9FF89315F208558E505AB250DB71AE06DB60

Function 0057687D Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0057688E
SysAllocString.OLEAUT32(00000000), ref: 00576937
VariantCopy.OLEAUT32 ref: 00576966
VariantClear.OLEAUT32(?), ref: 0057698D

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 59809ab3761342341bfddd519ddb152811573d52a546278cf80894860ff219e7
Instruction ID: a4b346efd1d5941aae218ac29b58ba748037fc682511f22a9f8ac72e589b4db1
Opcode Fuzzy Hash: 59809ab3761342341bfddd519ddb152811573d52a546278cf80894860ff219e7
Instruction Fuzzy Hash: EC51D774704B02DECF24AF65E89962ABBE5BF45310F20D81FE58EE7291DA30D840A701

Function 005A97F4 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00FBEE60,?), ref: 005A9863
ScreenToClient.USER32(00000002,00000002), ref: 005A9896
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 005A9903

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 80cc2af09bbdc1a8c62cbecc0e6380f193e22686cb11bcfdf21a89c754156812
Instruction ID: 5238936009b411f7d672dd53e8df892223450b2d390372126d164ecdb1a0700b
Opcode Fuzzy Hash: 80cc2af09bbdc1a8c62cbecc0e6380f193e22686cb11bcfdf21a89c754156812
Instruction Fuzzy Hash: 79514E34A00219EFCF14CF64D884AAE7FB6FF56360F248169F9559B2A0D730AD41DB90

Function 0058B7F4 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0058B89E
GetLastError.KERNEL32(?,00000000), ref: 0058B8C4
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0058B8E9
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0058B915

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 9acb17c7097c3b9b28237211543edffdd10a408ace00e994a76b408561dd7b9e
Instruction ID: 6896e8b6abd1a5550df4a00ea7c2cfed4227ebedd45a0f552684f7534a44452b
Opcode Fuzzy Hash: 9acb17c7097c3b9b28237211543edffdd10a408ace00e994a76b408561dd7b9e
Instruction Fuzzy Hash: 5E411A39600511DFCB14EF55D488A59BBE5BF8A310F098098ED4AAB3A2CB30FD01DB95

Function 005A8851 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 005A88DE

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 967c5b37c7a65b61139aa187329254089c9e522542368c6cb4995b8a1faa85a3
Instruction ID: 122a2a5c5bf05c7a373c87c7e74026c80377f16930b1925ac17df0f1b1b5e3ec
Opcode Fuzzy Hash: 967c5b37c7a65b61139aa187329254089c9e522542368c6cb4995b8a1faa85a3
Instruction Fuzzy Hash: 8C31D234600109AFEB249A58CC85BBE7FB5FB07310F944912FA51E61A1DE74E940A792

Function 005AAB37 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 005AAB60
GetWindowRect.USER32(?,?), ref: 005AABD6
PtInRect.USER32(?,?,005AC014), ref: 005AABE6
MessageBeep.USER32(00000000), ref: 005AAC57

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 1d92ff0aed70d677b7a4e85a33954e57824bc096b184f77750fea9077c60b88c
Instruction ID: 08ef2ec524772043f7b59f3f9e6e4d3e9393d752ba233ba9da0f5265615d792e
Opcode Fuzzy Hash: 1d92ff0aed70d677b7a4e85a33954e57824bc096b184f77750fea9077c60b88c
Instruction Fuzzy Hash: 4B418C30600209DFDB11DF58C894A6D7BF5FB4A320F2480A9F9559F260E730AC45DB92

Function 00580AD6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00580B27
SetKeyboardState.USER32(00000080,?,00000001), ref: 00580B43
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00580BA9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00580BFB

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 1e6c4b83a5606910bcaecc514292ef2d3b0cb0e543d4f28600212cbda4710727
Instruction ID: 2fab622546fc16ade56b9f07e20afa90b6d26419b36c6405a4b64e6b37d72d66
Opcode Fuzzy Hash: 1e6c4b83a5606910bcaecc514292ef2d3b0cb0e543d4f28600212cbda4710727
Instruction Fuzzy Hash: A4315A30E40218AFFF70AB658C09BFEBFA9BB45326F04925AEC91721D1C3748D499751

Function 00580C11 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00580C66
SetKeyboardState.USER32(00000080,?,00008000), ref: 00580C82
PostMessageW.USER32(00000000,00000101,00000000), ref: 00580CE1
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00580D33

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 252ed86d816a57ce704e97a109dde1a4f782515eacfbcda60709edd0da8cd271
Instruction ID: 4904d4a0980510c31c08888c406d74d6d5f32da081a1829ea668971f27ab8c9f
Opcode Fuzzy Hash: 252ed86d816a57ce704e97a109dde1a4f782515eacfbcda60709edd0da8cd271
Instruction Fuzzy Hash: 50313530941218AEFF70AEA5C8097BEFF6ABB89310F04972AEC85721D1C3359D4D9751

Function 005561C5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 005561FB
__isleadbyte_l.LIBCMT ref: 00556229
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00556257
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0055628D

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: ec7f589a153fe1a0d109a2915397b2a14ce50423c9317bee548b3098f84ed498
Instruction ID: 3207df8f2adf0131693902d656ad8539373ef63f3e78be41f186c06a17a17fae
Opcode Fuzzy Hash: ec7f589a153fe1a0d109a2915397b2a14ce50423c9317bee548b3098f84ed498
Instruction Fuzzy Hash: 3331EF34600286AFDF218F64CC58BBA7FA9FF82312F55412AEC20871A1DB30D958DB90

Function 005A4EEE Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 005A4F02

Part of subcall function 00583641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0058365B
Part of subcall function 00583641: GetCurrentThreadId.KERNEL32 ref: 00583662
Part of subcall function 00583641: AttachThreadInput.USER32(00000000,?,00585005), ref: 00583669

GetCaretPos.USER32(?), ref: 005A4F13
ClientToScreen.USER32(00000000,?), ref: 005A4F4E
GetForegroundWindow.USER32 ref: 005A4F54

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: f6fd334aa3f31275ab586f1394c51a1e2e8a2e689a450916485239aa6485c0f2
Instruction ID: 34daa249e11de83e460a8497ddceaee2eb3d83946a31e002b05091fa8bec97b5
Opcode Fuzzy Hash: f6fd334aa3f31275ab586f1394c51a1e2e8a2e689a450916485239aa6485c0f2
Instruction Fuzzy Hash: 47310C72D00119AFDB04EFA5D8859EFBBF9FF99300F10446AE815E7241EA759E058BA0

Function 00578656 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0057810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00578121
Part of subcall function 0057810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0057812B
Part of subcall function 0057810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0057813A
Part of subcall function 0057810A: RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 00578141
Part of subcall function 0057810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00578157

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 005786A3
_memcmp.LIBCMT ref: 005786C6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 005786FC
HeapFree.KERNEL32(00000000), ref: 00578703

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocateErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 2182266621-0
Opcode ID: a739730205f5cfc65be58fd1e08279223143873e861020dd81f380cbabbc267a
Instruction ID: fedad3c7e0b748c298e54dd8e89e9a533996b6b78ba4d819e066aa16fcbab7dc
Opcode Fuzzy Hash: a739730205f5cfc65be58fd1e08279223143873e861020dd81f380cbabbc267a
Instruction Fuzzy Hash: E5216B71E80109EBDB10DFA4D949BFEBBB8FF55344F158059E448AB241DB31AE05EB60

Function 0054098C Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 005409AE

Part of subcall function 00525A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00587896,?,?,00000000), ref: 00525A2C
Part of subcall function 00525A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00587896,?,?,00000000,?,?), ref: 00525A50

_fprintf.LIBCMT ref: 005409E5
OutputDebugStringW.KERNEL32(?), ref: 00575DBB

Part of subcall function 00544AAA: _flsall.LIBCMT ref: 00544AC3

__setmode.LIBCMT ref: 00540A1A

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 736211371988f091124cefe36f7f25720f0703d1721db944a378114cfcee7b1e
Instruction ID: 4fce606ba1594dda0b62c759cc8faf509d6674d3b69906018e1cd66337d2ea9f
Opcode Fuzzy Hash: 736211371988f091124cefe36f7f25720f0703d1721db944a378114cfcee7b1e
Instruction Fuzzy Hash: 7E11F3319442066BDB04B6A4AC4BAFE7F68BF92324F644055F205A71C2EE7059469BA4

Function 00591767 Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 005917A3

Part of subcall function 0059182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0059184C
Part of subcall function 0059182D: InternetCloseHandle.WININET(00000000), ref: 005918E9

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: a671210bf3de62da52640db95e71f4ad3ca184dad66a122c5e7f335a6d9905fd
Instruction ID: 5e624ff83e2b9c688d72aac6b77ecce8f23e4350b0eb5ac801a81fedfa067744
Opcode Fuzzy Hash: a671210bf3de62da52640db95e71f4ad3ca184dad66a122c5e7f335a6d9905fd
Instruction Fuzzy Hash: B921F631200A13BFEF129FA0DC00FBABFA9FF89710F10442AF91596650DB71D811ABA4

Function 005550E2 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00555101

Part of subcall function 0054571C: __FF_MSGBANNER.LIBCMT ref: 00545733
Part of subcall function 0054571C: __NMSG_WRITE.LIBCMT ref: 0054573A
Part of subcall function 0054571C: RtlAllocateHeap.NTDLL(00FA0000,00000000,00000001), ref: 0054575F

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 215db15b4af215499ff0958ed13d3dd58ff4eb74184910869f503809dd2fbea2
Instruction ID: 5f925da134d2b641a6a739fa019c414728b2b433a43dfba355c1f3f46f6c9189
Opcode Fuzzy Hash: 215db15b4af215499ff0958ed13d3dd58ff4eb74184910869f503809dd2fbea2
Instruction Fuzzy Hash: 5C119471900E12AFCF252F74A86D7AD3F98BB553A6B10092BFD859A161EE308948D790

Function 005785B1 Relevance: 6.1, APIs: 4, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 005785E2
OpenProcessToken.ADVAPI32(00000000), ref: 005785E9
CloseHandle.KERNEL32(00000004), ref: 00578603
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00578632

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Process$CloseCreateCurrentHandleLogonOpenTokenWith
String ID:
API String ID: 2621361867-0
Opcode ID: a7955a653f35d9f82bb147bfebe0c5753922ae96cbc723c7cdc85cd15e04dffd
Instruction ID: a0271f0dfebba61fb689677d942fa23ccac059e69cab0e56b3a6c6d64083804e
Opcode Fuzzy Hash: a7955a653f35d9f82bb147bfebe0c5753922ae96cbc723c7cdc85cd15e04dffd
Instruction Fuzzy Hash: 07115C72541209BBDF018FA4ED49BEE7BA9FF09304F048065FE05A2160C7719D64EB60

Function 00596369 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00525A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00587896,?,?,00000000), ref: 00525A2C
Part of subcall function 00525A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00587896,?,?,00000000,?,?), ref: 00525A50

gethostbyname.WS2_32(?), ref: 00596399
WSAGetLastError.WS2_32(00000000), ref: 005963A4
_memmove.LIBCMT ref: 005963D1
inet_ntoa.WS2_32(?), ref: 005963DC

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: b643bd68511b84630603cd328fe66bb362a048e1a0b45b2d6d20511305e0ce15
Instruction ID: 12f91b10292be85ca2e038b5019a31f3c2d5475677e48b0917181e08a676cf80
Opcode Fuzzy Hash: b643bd68511b84630603cd328fe66bb362a048e1a0b45b2d6d20511305e0ce15
Instruction Fuzzy Hash: AB11337150011AAFCF04FBA4ED8ACEEBFB8BF5A310B544465F505A72A1EB309E14DB61

Function 00578B41 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00578B61
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00578B73
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00578B89
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00578BA4

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 68f1bfae69414f4b70e60f3078e081c6bd0b6bbdb569623878f0c182ff57f159
Instruction ID: 00fddc4d96079b09dd88b91d2b1f6f4cf86ab35094900682db82de0143753873
Opcode Fuzzy Hash: 68f1bfae69414f4b70e60f3078e081c6bd0b6bbdb569623878f0c182ff57f159
Instruction Fuzzy Hash: 15115E79940218FFDB10DF95CC88FADBB74FB48310F204095E904B7250DA716E10EB94

Function 0057D831 Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 0057D84D
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 0057D864
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 0057D879
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 0057D897

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: fba104b5c68dab906c1a82acabaaef22fc872993eac4ae202147fbb6e1ea7d43
Instruction ID: b9978f937deff33e5ae93ef54ba63e21e9512dc4b593b00a3a8588dca53436dc
Opcode Fuzzy Hash: fba104b5c68dab906c1a82acabaaef22fc872993eac4ae202147fbb6e1ea7d43
Instruction Fuzzy Hash: 14115E75605304DBE7208F90EC08F92BBBCFF04B00F108969A55AD6450D7B0E549BBB2

Function 00556FB7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00556FDB

Part of subcall function 005576C2: __fltout2.LIBCMT ref: 005576EB

__cftog_l.LIBCMT ref: 00557001
__cftoe_l.LIBCMT ref: 00557033

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 646c0ab97ab650b8c54a19cd4bc38bcc1e901b2cfe48907ba7d34a8d39bbe3d4
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 99017E3244414EBBCF125E84EC29CED3FA2BB1C352B488416FE1859070D236D9B9AF81

Function 005AB2C5 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 005AB2E4
ScreenToClient.USER32(?,?), ref: 005AB2FC
ScreenToClient.USER32(?,?), ref: 005AB320
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 005AB33B

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 678dc2a973adeff4e947340e1c1ee2b36b70f7936246c194fbea6f47c1c2dc5d
Instruction ID: 68a638e85b72687275d81869e58455dc9e02f26dfd504342cfb6ba22dbdc14be
Opcode Fuzzy Hash: 678dc2a973adeff4e947340e1c1ee2b36b70f7936246c194fbea6f47c1c2dc5d
Instruction Fuzzy Hash: C21144B9D00209EFDB41CFA9C8849EEBBF9FF19311F108166E914E3220D735AA559F91

Function 00586BDA Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 00586BE6

Part of subcall function 005876C4: _memset.LIBCMT ref: 005876F9

_memmove.LIBCMT ref: 00586C09
_memset.LIBCMT ref: 00586C16
RtlLeaveCriticalSection.NTDLL(?), ref: 00586C26

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 0e794be8c7f7a6f647afda17c4c282a366cb9694a27173165a731de4fe0eb6c0
Instruction ID: 9179be65f1d9fe2bd9a167db7c46097f17c793fd08211199c441d33371997d55
Opcode Fuzzy Hash: 0e794be8c7f7a6f647afda17c4c282a366cb9694a27173165a731de4fe0eb6c0
Instruction Fuzzy Hash: 47F0543A100100ABCF416F95DC89A8ABF29FF85324F148061FE086E267D731E811DBB4

Function 00522218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00522231
SetTextColor.GDI32(?,000000FF), ref: 0052223B
SetBkMode.GDI32(?,00000001), ref: 00522250
GetStockObject.GDI32(00000005), ref: 00522258
GetWindowDC.USER32(?,00000000), ref: 0055BE83
GetPixel.GDI32(00000000,00000000,00000000), ref: 0055BE90
GetPixel.GDI32(00000000,?,00000000), ref: 0055BEA9
GetPixel.GDI32(00000000,00000000,?), ref: 0055BEC2
GetPixel.GDI32(00000000,?,?), ref: 0055BEE2
ReleaseDC.USER32(?,00000000), ref: 0055BEED

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: eabb9e8133848065298f680ee1626fd11e38738e86cf3825e49222c00501b715
Instruction ID: a56b9bb992fa385e778f023fe227779433ca0998e28c39be2e1e406101b887d9
Opcode Fuzzy Hash: eabb9e8133848065298f680ee1626fd11e38738e86cf3825e49222c00501b715
Instruction Fuzzy Hash: FCE0ED32504244EAEF215FA4FC4D7D83F15EB26336F148376FA69580E197724998EB22

Function 00578712 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 0057871B
OpenThreadToken.ADVAPI32(00000000,?,?,?,005782E6), ref: 00578722
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,005782E6), ref: 0057872F
OpenProcessToken.ADVAPI32(00000000,?,?,?,005782E6), ref: 00578736

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 5df0a51ff3d96b198cef6295d90966f78714cc806f58e54775dcdcaf598127a3
Instruction ID: 51382764622edce1d92af03845542d9242761b4b7cfd2b1efd3f824d8417bfb7
Opcode Fuzzy Hash: 5df0a51ff3d96b198cef6295d90966f78714cc806f58e54775dcdcaf598127a3
Instruction Fuzzy Hash: 60E086366512119BDB605FF06D0CB973BACFF62792F148828B24AC9040DA348449E750

Function 00526240 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 317COMMON

Download Yara Rule

Strings

%[, xrefs: 0052624E

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID:
String ID: %[
API String ID: 0-4034644999
Opcode ID: 545b74240575d34b1f71914c35aabd227ee2330d1641905aff501717bd40472e
Instruction ID: a2fe82e00314424c4fa2556d1fc7ffab50dd8899297d52d77d83db107d0f704e
Opcode Fuzzy Hash: 545b74240575d34b1f71914c35aabd227ee2330d1641905aff501717bd40472e
Instruction Fuzzy Hash: DDB1B07190012A9BCF14EF94E8959FEBFB8FF5A310F144426E942A71D1EB309E85C791

Function 0059AEA2 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 313COMMON

Download Yara Rule

APIs

__itow_s.LIBCMT ref: 0059AFAE

Strings

xb^, xrefs: 0059B010
xb^, xrefs: 0059AFE4

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: __itow_s
String ID: xb^$xb^
API String ID: 3653519197-777972382
Opcode ID: a771ced108de321c96f778cc90cfd22c569adae54130b6245fe45e6b60bdd530
Instruction ID: 11d5d50d7702b06fad397d746a2adf5da5fb2e95b5f9515ac9e36371a032ff2d
Opcode Fuzzy Hash: a771ced108de321c96f778cc90cfd22c569adae54130b6245fe45e6b60bdd530
Instruction Fuzzy Hash: F8B18E74A0020AAFEF14DF54D994DBABFB9FF99300F148459F9459B291EB30E940DBA0

Function 0058AFAC Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 0053FC86: _wcscpy.LIBCMT ref: 0053FCA9

Part of subcall function 00529837: __itow.LIBCMT ref: 00529862
Part of subcall function 00529837: __swprintf.LIBCMT ref: 005298AC

__wcsnicmp.LIBCMT ref: 0058B02D
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0058B0F6

Strings

LPT, xrefs: 0058B027

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 417408cffdab936c598498ada76e908f07a49134650e51f772a4ee2a4336008b
Instruction ID: 6c54081a440143db6a424f30a5165a5fa15e8c9df811ec08ed2b21ce100c9a09
Opcode Fuzzy Hash: 417408cffdab936c598498ada76e908f07a49134650e51f772a4ee2a4336008b
Instruction Fuzzy Hash: 1C617F75A00219EFDB18EF94D899EAEBBB8FF49310F144059F916AB391D730AE40CB54

Function 00532957 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00532968
GlobalMemoryStatusEx.KERNEL32(?), ref: 00532981

Strings

@, xrefs: 00532975

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 0f91fedfb630b32e6cb87094797e6e04bcccbe81b769b1ac9a8a9e451dc530f4
Instruction ID: 1b2fb735f85bc3f71574b60755f0c9bca5a9a687c124b8d9f213bee822c4e1ca
Opcode Fuzzy Hash: 0f91fedfb630b32e6cb87094797e6e04bcccbe81b769b1ac9a8a9e451dc530f4
Instruction Fuzzy Hash: E15138724087559BD320EF50E88ABABBBE8FFD6354F42485DF2D8411A1DB308529CB56

Function 00589734 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00524F0B: __fread_nolock.LIBCMT ref: 00524F29

_wcscmp.LIBCMT ref: 00589824
_wcscmp.LIBCMT ref: 00589837

Strings

FILE, xrefs: 00589770

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 37a76150a873182f8cd81a1fe3ee830bc83f4f8008e4219400f64010c0f2bb4d
Instruction ID: d6582229a965fc29a448b6fcd9c9814600152e7562edb5d06586521f0679afd4
Opcode Fuzzy Hash: 37a76150a873182f8cd81a1fe3ee830bc83f4f8008e4219400f64010c0f2bb4d
Instruction Fuzzy Hash: C8418571A0021ABADF21AAA4DC49FFFBFB9EFC6714F014469B904B7181D67199048B61

Function 00560574 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0056057F

Strings

Dd^, xrefs: 0052A317
Dd^, xrefs: 0052A151

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: ClearVariant
String ID: Dd^$Dd^
API String ID: 1473721057-3975118295
Opcode ID: c1b88d1cc4340cd3f2f13a28b7b4cf6a4f1605593f82332dc384f7ab0011287b
Instruction ID: 04bf32fdf14ba15a6229a98e1f8b49a6109d764200c0be5d23759b903363f84d
Opcode Fuzzy Hash: c1b88d1cc4340cd3f2f13a28b7b4cf6a4f1605593f82332dc384f7ab0011287b
Instruction Fuzzy Hash: A451E3786043518FDB54CF19D584A1ABBF1BFAA394F54485CE9858B3A1D331EC85CF42

Function 0059258E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0059259E
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 005925D4

Strings

|, xrefs: 005925A5

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: d57ceba50224e100463ba4c6f74343667c2aa77e1687e477e9ac6b21bffadee2
Instruction ID: 23d8ecbed53f4f98d981461c1c3f40393c6f4d939b81d18ea8525a9aa28b3533
Opcode Fuzzy Hash: d57ceba50224e100463ba4c6f74343667c2aa77e1687e477e9ac6b21bffadee2
Instruction Fuzzy Hash: 71311A7180011AEBCF11EFA1DC89EEEBFB8FF49310F140059F915AA162EB315956DB60

Function 005A7A71 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 005A7B61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 005A7B76

Strings

', xrefs: 005A7ACA

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 04eca3e9820ceb19c5282f2b1c025c5e3e3819be946f46dd4afcb87196786060
Instruction ID: b2d858f3b0abc7a040a158ca4c9927de83e8e8b1cbeb197b21389be37d89f11f
Opcode Fuzzy Hash: 04eca3e9820ceb19c5282f2b1c025c5e3e3819be946f46dd4afcb87196786060
Instruction Fuzzy Hash: 5B410A74A0520EAFDB14CF64C981BDEBBB5FF09300F14016AE904AB351E770AA51DFA0

Function 005A6A63 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 005A6B17
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 005A6B53

Strings

static, xrefs: 005A6AB3

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 0cc2deb9c07a5533b74e05cbdbc6481725e7e749f442925bfb64179f3d5f9c64
Instruction ID: 73f60e6d5efb29f0fc716755467c6ea5220e6df6b4b65588243418c8fae0feae
Opcode Fuzzy Hash: 0cc2deb9c07a5533b74e05cbdbc6481725e7e749f442925bfb64179f3d5f9c64
Instruction Fuzzy Hash: 7A318171100608AEDB109F74DC81BFF7BA9FF89760F148619F9A5D7190DA31AC91D760

Function 005828A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00582911
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0058294C

Strings

0, xrefs: 0058290A

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: e6d288c8b067e9bb5622123aa479ff64a9a8eff9c4706187f61e0a236e60fbb1
Instruction ID: 8377994acb9a81d2cd6e8f311a28040bb2665de5765848050aa93abe85a4843a
Opcode Fuzzy Hash: e6d288c8b067e9bb5622123aa479ff64a9a8eff9c4706187f61e0a236e60fbb1
Instruction Fuzzy Hash: BA31C331A00305AFEB28EF58C985BAEBFB8FF45354F140029ED85B61A0E7709984CB51

Function 005A66D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 005A6761
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 005A676C

Strings

Combobox, xrefs: 005A672E

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 3ff3fb81d2a4f108a4ae1a5b722e63d7bb153f37dc05972e06b7c2cf7e5cdddb
Instruction ID: cf8b002cc221a7634996ac4bc045fd27388bd1bc2abe279b1426c612dd2c7fbd
Opcode Fuzzy Hash: 3ff3fb81d2a4f108a4ae1a5b722e63d7bb153f37dc05972e06b7c2cf7e5cdddb
Instruction Fuzzy Hash: 6011B675210209AFEF159F54DC84EBF3F6AFB9A368F150125F91497290D631DC5187A0

Function 005A6C07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00521D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00521D73
Part of subcall function 00521D35: GetStockObject.GDI32(00000011), ref: 00521D87
Part of subcall function 00521D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00521D91

GetWindowRect.USER32(00000000,?), ref: 005A6C71
GetSysColor.USER32(00000012), ref: 005A6C8B

Strings

static, xrefs: 005A6C4E

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: d30b584e3a65afa63314af376d6a3de70d977bf63bd432047743577835651b93
Instruction ID: 0bb000d1fe70283bb1d68aca0950078c72ed7290c34f1055fceea41bbfe45f64
Opcode Fuzzy Hash: d30b584e3a65afa63314af376d6a3de70d977bf63bd432047743577835651b93
Instruction Fuzzy Hash: E721597651021AAFDF04DFB8CC45AEE7BA9FB19314F044628F995D3250E635E850DB60

Function 005A6920 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 005A69A2
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 005A69B1

Strings

edit, xrefs: 005A6986

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 549ad49ff765463829330f947b706caa2ff205c3e103a749e83cdf223eb8ef64
Instruction ID: b2e8d611109a72ea0cabc63d2fbb2fa1a04b4feefeafe158224bdc1cc5a866ec
Opcode Fuzzy Hash: 549ad49ff765463829330f947b706caa2ff205c3e103a749e83cdf223eb8ef64
Instruction Fuzzy Hash: B5116D71500108AFEB108E64DC44AEF3B69FB16374F544724F9A5971E0C731DC55A760

Function 005829AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00582A22
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00582A41

Strings

0, xrefs: 00582A18

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 530f539edfd35715952e410842a0f55d7bfa3600f47ab66623b2323aa90290d8
Instruction ID: c9205b1e3fba5680264cbfd775eb404ece5d05316831b05b7be2081dd6a2e247
Opcode Fuzzy Hash: 530f539edfd35715952e410842a0f55d7bfa3600f47ab66623b2323aa90290d8
Instruction Fuzzy Hash: A511D036901114ABCB39EA98D984BAA7FA8BF45304F144029EC55FB290E7B0AD0AC791

Function 005921D6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0059222C
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00592255

Strings

<local>, xrefs: 0059221D

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: c44a35076fa49a58c5c8a38ebba888665ecb5d2bbb31fec79c74fa7114ed6031
Instruction ID: 22a3e36d780a0cfb35edea1f0b00c72434468ab0d1b52498bfccd8c21c63b75d
Opcode Fuzzy Hash: c44a35076fa49a58c5c8a38ebba888665ecb5d2bbb31fec79c74fa7114ed6031
Instruction Fuzzy Hash: 3A11CE74541225BADF299F518C88EFBFFA8FF16751F10862AF91586100D3706994EAF0

Function 00578E05 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00527DE1: _memmove.LIBCMT ref: 00527E22

Part of subcall function 0057AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0057AABC

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00578E73

Strings

ComboBox, xrefs: 00578E12
ListBox, xrefs: 00578E3D

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: ed5db7c92904d40af8cfe2bedcce1d0f76a602e43dd173f7f8f8b6bf84e71027
Instruction ID: 4ab4b24202cd0bde69c7eb85933c48ee2ed24e63dad6c75c725a374a7c60e91e
Opcode Fuzzy Hash: ed5db7c92904d40af8cfe2bedcce1d0f76a602e43dd173f7f8f8b6bf84e71027
Instruction Fuzzy Hash: F501F57164122AAB8B14EBA4DC4DCFE7B6CBF86320B044A1AF835572D1EF315808E750

Function 00578CFD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00527DE1: _memmove.LIBCMT ref: 00527E22

Part of subcall function 0057AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0057AABC

SendMessageW.USER32(?,00000180,00000000,?), ref: 00578D6B

Strings

ComboBox, xrefs: 00578D0A
ListBox, xrefs: 00578D35

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 72a2f476194e4103fba720915a4638da7261891266d86b58383f88e7ba28493c
Instruction ID: ca2d2a59272460bfda72b294da71c62e3fad91614ff28266ab36206a46f4d21f
Opcode Fuzzy Hash: 72a2f476194e4103fba720915a4638da7261891266d86b58383f88e7ba28493c
Instruction Fuzzy Hash: 9901D871641119ABCB24EBA0D95AEFE7FA8BF56340F1040167405632D1EE215E08E3B1

Function 00578D82 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00527DE1: _memmove.LIBCMT ref: 00527E22

Part of subcall function 0057AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0057AABC

SendMessageW.USER32(?,00000182,?,00000000), ref: 00578DEE

Strings

ComboBox, xrefs: 00578D8F
ListBox, xrefs: 00578DBA

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 54acd7c41167cbaeaadc957ae80e25385c855240eeea1fb18927f9cc3329b35d
Instruction ID: c43416d7d72881b6088ac91238ba2867ca2c4d20a6b4b2513f62d314797335d8
Opcode Fuzzy Hash: 54acd7c41167cbaeaadc957ae80e25385c855240eeea1fb18927f9cc3329b35d
Instruction Fuzzy Hash: 2D01FC7164111967CB25E6A4E94DEFE7F5CBF56300F144016B805632D1DD214E08F271

Function 0057C4EB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0057C534

Part of subcall function 0057C816: _memmove.LIBCMT ref: 0057C860
Part of subcall function 0057C816: VariantInit.OLEAUT32(00000000), ref: 0057C882
Part of subcall function 0057C816: VariantCopy.OLEAUT32(00000000,?), ref: 0057C88C

VariantClear.OLEAUT32(?), ref: 0057C556

Strings

d}], xrefs: 0057C517

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Variant$Init$ClearCopy_memmove
String ID: d}]
API String ID: 2932060187-1070895132
Opcode ID: ec47de1e3c882874fa958eeb720e3a974b341c1f70dd8af95b0756d2c2ca8e91
Instruction ID: 181a23f8e1ba70d884bef23a5c3f97004936487e5064d0a2997fe72b5103978a
Opcode Fuzzy Hash: ec47de1e3c882874fa958eeb720e3a974b341c1f70dd8af95b0756d2c2ca8e91
Instruction Fuzzy Hash: 1A1112719007099FC720DF99D88489AFBF8FF18310B50856FE58AD7651E771AA48CF90

Function 00584F28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00584F46
_wcscmp.LIBCMT ref: 00584F58

Strings

#32770, xrefs: 00584F52

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 28275b88761ddf3f82d609d5efaeb5f11ad9d968c256a58cd0b7f4c893e548ae
Instruction ID: b94bb1ee462a761ac2b64ec18c7f5839f696ebbec3f9ee15946bd9ea71f7e6d1
Opcode Fuzzy Hash: 28275b88761ddf3f82d609d5efaeb5f11ad9d968c256a58cd0b7f4c893e548ae
Instruction Fuzzy Hash: 83E0D13260032927D7209799AC49FF7FBACFB65B71F000157FD04D7151D5609A4587D0

Function 0055B2C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0055B314: _memset.LIBCMT ref: 0055B321

Part of subcall function 00540940: InitializeCriticalSectionAndSpinCount.KERNEL32(005E4158,00000000,005E4144,0055B2F0,?,?,?,0052100A), ref: 00540945

IsDebuggerPresent.KERNEL32(?,?,?,0052100A), ref: 0055B2F4
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0052100A), ref: 0055B303

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0055B2FE

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 455788b0b0e9ee66ae7a2344661c6b27c7dfcae51187c40a5820e126ff1b27ee
Instruction ID: acfab3f0be059ecae2dc0a78b0ecddfd696f023999e3ef33e6d2250ae822f579
Opcode Fuzzy Hash: 455788b0b0e9ee66ae7a2344661c6b27c7dfcae51187c40a5820e126ff1b27ee
Instruction Fuzzy Hash: CBE06D742007118FE7209F68E8087427EE8BF10305F018E6EE896DB281E7B4E40CDBA1

Function 00561935 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 00561775

Part of subcall function 0059BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,0056195E,?), ref: 0059BFFE
Part of subcall function 0059BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0059C010

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0056196D

Strings

WIN_XPe, xrefs: 00561788

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: 1b3fd526c6af37c3fa9e866e03084f9bf765525e558c06fb9342e7a1d3c8723c
Instruction ID: 671e775bf7f256673fd4b7cf1b62bd9abf2b94cdb073620e8dfe77b92d883629
Opcode Fuzzy Hash: 1b3fd526c6af37c3fa9e866e03084f9bf765525e558c06fb9342e7a1d3c8723c
Instruction Fuzzy Hash: 72F0A571800109DBDB15DB95D988AECBEB8FB18301F580495E102A7091D7715E88EF64

Function 005A5964 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 005A596E
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 005A5981

Part of subcall function 00585244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 005852BC

Strings

Shell_TrayWnd, xrefs: 005A5967

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: dc117d586c517c3ec82da875c9428212dd2fe6389980e21e0b9ab4cca8820653
Instruction ID: c57b61279ee1657502073fea42796b95bc736d6cb3efe31e42f4f14f8c882b26
Opcode Fuzzy Hash: dc117d586c517c3ec82da875c9428212dd2fe6389980e21e0b9ab4cca8820653
Instruction Fuzzy Hash: 90D0C935784311B7E674BBB0AC4FFA67A54BB55B50F000826B64AAA1D0D9E0A804C754

Function 005A5998 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 005A59AE
PostMessageW.USER32(00000000), ref: 005A59B5

Part of subcall function 00585244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 005852BC

Strings

Shell_TrayWnd, xrefs: 005A59A7

Memory Dump Source

Source File: 00000000.00000002.1699069497.0000000000521000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true

Associated: 00000000.00000002.1699035980.0000000000520000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005DE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.00000000005FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699069497.0000000000641000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699524593.0000000000647000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1699572052.0000000000648000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_520000_LMxd0gpIxe.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: ea2a5bd12355bdd31932298cc4825547a73c05cb95e9624123be0d27fe09c649
Instruction ID: c033d8215dd9a9cc3e0afd4ebe8b8e8c3acc31deaf90deb9295b43e0ebe41a3a
Opcode Fuzzy Hash: ea2a5bd12355bdd31932298cc4825547a73c05cb95e9624123be0d27fe09c649
Instruction Fuzzy Hash: 94D0C9357813117BE674BBB0AC4FF967A54BB55B50F000826B646AA1D0D9E0A804C754

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report LMxd0gpIxe.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\autA0AC.tmp

C:\Users\user\AppData\Local\Temp\carryover

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

Windows Analysis Report
LMxd0gpIxe.exe

Function 00523B3A Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Function 00523633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
timewindowregistryCOMMON

Function 005249A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00524E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 00589155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 0052708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00523A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00523766 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Function 00523015 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 73
registrywindowclipboardCOMMON

Function 00523041 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 54
registrywindowclipboardCOMMON

Function 0052F76F Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Function 0119E938 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 005239D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 0052686A Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 260
COMMON

Function 0119E6F8 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 150
fileCOMMON

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre