Edit tour

Windows Analysis Report
uEuTtkxAqq.exe

Overview

General Information

Sample name:	uEuTtkxAqq.exe renamed because original name is a hash value
Original sample name:	66d03b788fb30b48ae88976c7f558f4da002665d2c493914addf9449126b9daa.exe
Analysis ID:	1588593
MD5:	c1724dddbf52cc09ecdae09749d97cfc
SHA1:	8365d90f6a0acdaa5346d74d8d52b2f82a488625
SHA256:	66d03b788fb30b48ae88976c7f558f4da002665d2c493914addf9449126b9daa
Tags:	AgentTeslaexeuser-adrian__luca
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected AntiVM3

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected Generic Downloader

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

uEuTtkxAqq.exe (PID: 1364 cmdline: "C:\Users\user\Desktop\uEuTtkxAqq.exe" MD5: C1724DDDBF52CC09ECDAE09749D97CFC)

RegSvcs.exe (PID: 5396 cmdline: "C:\Users\user\Desktop\uEuTtkxAqq.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://ftp.stingatoareincendii.ro", "Username": "mojooooofileeeee@stingatoareincendii.ro", "Password": "3.*RYhlG)lkA"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.3522399601.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3522399601.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.3523908642.0000000002845000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2289667767.00000000005A0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2289667767.00000000005A0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000000.00000002.2289667767.00000000005A0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2289667767.00000000005A0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34441:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x344b3:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3453d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x345cf:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34639:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x346ab:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34741:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x347d1:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000000.00000002.2289667767.00000000005A0000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x315d3:$s2: GetPrivateProfileString 0x30ca1:$s3: get_OSFullName 0x322d3:$s5: remove_Key 0x324aa:$s5: remove_Key 0x333db:$s6: FtpWebRequest 0x34423:$s7: logins 0x34995:$s7: logins 0x376a6:$s7: logins 0x37758:$s7: logins 0x390ad:$s7: logins 0x382f2:$s9: 1.85 (Hash, version 2, native byte-order)
Process Memory Space: uEuTtkxAqq.exe PID: 1364	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: uEuTtkxAqq.exe PID: 1364	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: uEuTtkxAqq.exe PID: 1364	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 5396	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 5396	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34441:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x344b3:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3453d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x345cf:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34639:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x346ab:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34741:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x347d1:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x315d3:$s2: GetPrivateProfileString 0x30ca1:$s3: get_OSFullName 0x322d3:$s5: remove_Key 0x324aa:$s5: remove_Key 0x333db:$s6: FtpWebRequest 0x34423:$s7: logins 0x34995:$s7: logins 0x376a6:$s7: logins 0x37758:$s7: logins 0x390ad:$s7: logins 0x382f2:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.uEuTtkxAqq.exe.5a0000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.uEuTtkxAqq.exe.5a0000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.uEuTtkxAqq.exe.5a0000.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.uEuTtkxAqq.exe.5a0000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34441:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x344b3:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3453d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x345cf:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34639:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x346ab:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34741:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x347d1:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.uEuTtkxAqq.exe.5a0000.1.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x315d3:$s2: GetPrivateProfileString 0x30ca1:$s3: get_OSFullName 0x322d3:$s5: remove_Key 0x324aa:$s5: remove_Key 0x333db:$s6: FtpWebRequest 0x34423:$s7: logins 0x34995:$s7: logins 0x376a6:$s7: logins 0x37758:$s7: logins 0x390ad:$s7: logins 0x382f2:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.uEuTtkxAqq.exe.5a0000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.uEuTtkxAqq.exe.5a0000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.uEuTtkxAqq.exe.5a0000.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x32641:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x326b3:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3273d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x327cf:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x32839:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x328ab:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x32941:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x329d1:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.uEuTtkxAqq.exe.5a0000.1.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2f7d3:$s2: GetPrivateProfileString 0x2eea1:$s3: get_OSFullName 0x304d3:$s5: remove_Key 0x306aa:$s5: remove_Key 0x315db:$s6: FtpWebRequest 0x32623:$s7: logins 0x32b95:$s7: logins 0x358a6:$s7: logins 0x35958:$s7: logins 0x372ad:$s7: logins 0x364f2:$s9: 1.85 (Hash, version 2, native byte-order)
Click to see the 9 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 2.2.RegSvcs.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.stingatoareincendii.ro", "Username": "mojooooofileeeee@stingatoareincendii.ro", "Password": "3.*RYhlG)lkA"}

Multi AV Scanner detection for submitted file

Source: uEuTtkxAqq.exe	Virustotal: Detection: 64%			Perma Link
Source: uEuTtkxAqq.exe	ReversingLabs: Detection: 68%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: uEuTtkxAqq.exe

Joe Sandbox ML: detected

Source: uEuTtkxAqq.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: uEuTtkxAqq.exe, 00000000.00000003.2286987560.0000000003630000.00000004.00001000.00020000.00000000.sdmp, uEuTtkxAqq.exe, 00000000.00000003.2286295908.0000000003490000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: uEuTtkxAqq.exe, 00000000.00000003.2286987560.0000000003630000.00000004.00001000.00020000.00000000.sdmp, uEuTtkxAqq.exe, 00000000.00000003.2286295908.0000000003490000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_003E445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_003E445A
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_003EC6D1 FindFirstFileW,FindClose,	0_2_003EC6D1
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_003EC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_003EC75C
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_003EEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_003EEF95
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_003EF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_003EF0F2
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_003EF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_003EF3F3
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_003E37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_003E37EF
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_003E3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_003E3B12
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_003EBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_003EBCBC

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.uEuTtkxAqq.exe.5a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2289667767.00000000005A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: global traffic

TCP traffic: 192.168.2.6:49331 -> 1.1.1.1:53

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 208.95.112.1 208.95.112.1

Source: unknown

DNS query: name: ip-api.com

Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\uEuTtkxAqq.exe

Code function: 0_2_003F22EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_003F22EE

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: ip-api.com

Source: RegSvcs.exe, 00000002.00000002.3523908642.00000000028D8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3523908642.0000000002811000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3523908642.00000000028F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: uEuTtkxAqq.exe, 00000000.00000002.2289667767.00000000005A0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3523908642.00000000028D8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3523908642.0000000002811000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3522399601.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3523193056.0000000000C0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: RegSvcs.exe, 00000002.00000002.3523193056.0000000000C0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hostingW
Source: RegSvcs.exe, 00000002.00000002.3523908642.00000000028D8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3523908642.0000000002811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: uEuTtkxAqq.exe, 00000000.00000002.2289667767.00000000005A0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3522399601.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/

Source: C:\Users\user\Desktop\uEuTtkxAqq.exe

Code function: 0_2_003F4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_003F4164

Source: C:\Users\user\Desktop\uEuTtkxAqq.exe

Code function: 0_2_003F4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_003F4164

Source: C:\Users\user\Desktop\uEuTtkxAqq.exe

Code function: 0_2_003F3F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_003F3F66

Source: C:\Users\user\Desktop\uEuTtkxAqq.exe

Code function: 0_2_003E001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_003E001C

Source: C:\Users\user\Desktop\uEuTtkxAqq.exe

Code function: 0_2_0040CABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_0040CABC

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.uEuTtkxAqq.exe.5a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.uEuTtkxAqq.exe.5a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.uEuTtkxAqq.exe.5a0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.uEuTtkxAqq.exe.5a0000.1.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 00000000.00000002.2289667767.00000000005A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000000.00000002.2289667767.00000000005A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00383B3A
Source: uEuTtkxAqq.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: uEuTtkxAqq.exe, 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_dbdd3132-2
Source: uEuTtkxAqq.exe, 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_3a59b8a6-7

Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_00383633 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,	0_2_00383633
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_0040C1AC PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,	0_2_0040C1AC
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_0040C498 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,	0_2_0040C498
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_0040C57D SendMessageW,NtdllDialogWndProc_W,	0_2_0040C57D
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_0040C5FE DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,	0_2_0040C5FE
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_0040C860 NtdllDialogWndProc_W,	0_2_0040C860
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_0040C88F NtdllDialogWndProc_W,	0_2_0040C88F
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_0040C8BE NtdllDialogWndProc_W,	0_2_0040C8BE
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_0040C909 NtdllDialogWndProc_W,	0_2_0040C909
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_0040C93E ClientToScreen,NtdllDialogWndProc_W,	0_2_0040C93E
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_0040CA7C GetWindowLongW,NtdllDialogWndProc_W,	0_2_0040CA7C
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_0040CABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	0_2_0040CABC
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_00381290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient,	0_2_00381290
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_00381287 NtdllDialogWndProc_W,GetSysColor,SetBkColor,74A3C8D0,NtdllDialogWndProc_W,	0_2_00381287
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_0040D3B8 NtdllDialogWndProc_W,	0_2_0040D3B8
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_0040D43E GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W,	0_2_0040D43E
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_0038167D NtdllDialogWndProc_W,	0_2_0038167D
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_003816B5 NtdllDialogWndProc_W,	0_2_003816B5
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_003816DE GetParent,NtdllDialogWndProc_W,	0_2_003816DE
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_0040D78C NtdllDialogWndProc_W,	0_2_0040D78C
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_0038189B NtdllDialogWndProc_W,	0_2_0038189B
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_0040BC5D NtdllDialogWndProc_W,CallWindowProcW,	0_2_0040BC5D
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_0040BF30 NtdllDialogWndProc_W,	0_2_0040BF30
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_0040BF8C ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,	0_2_0040BF8C

Source: C:\Users\user\Desktop\uEuTtkxAqq.exe

Code function: 0_2_003EA1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_003EA1EF

Source: C:\Users\user\Desktop\uEuTtkxAqq.exe

Code function: 0_2_003D8310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,74BD5590,CreateProcessAsUserW,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,

0_2_003D8310

Source: C:\Users\user\Desktop\uEuTtkxAqq.exe

Code function: 0_2_003E51BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_003E51BD

Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_0038E6A0	0_2_0038E6A0
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_003AD975	0_2_003AD975
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_0038FCE0	0_2_0038FCE0
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_003A21C5	0_2_003A21C5
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_003B62D2	0_2_003B62D2
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_004003DA	0_2_004003DA
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_003B242E	0_2_003B242E
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_003A25FA	0_2_003A25FA
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_003DE616	0_2_003DE616
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_003966E1	0_2_003966E1
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_003B878F	0_2_003B878F
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_00400857	0_2_00400857
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_00398808	0_2_00398808
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_003B6844	0_2_003B6844
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_003E8889	0_2_003E8889
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_003ACB21	0_2_003ACB21
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_003B6DB6	0_2_003B6DB6
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_00396F9E	0_2_00396F9E
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_00393030	0_2_00393030
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_003A3187	0_2_003A3187
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_003AF1D9	0_2_003AF1D9
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_00381287	0_2_00381287
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_003A1484	0_2_003A1484
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_00395520	0_2_00395520
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_003A7696	0_2_003A7696
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_00395760	0_2_00395760
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_003A1978	0_2_003A1978
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_003B9AB5	0_2_003B9AB5
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_00407DDB	0_2_00407DDB
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_003ABDA6	0_2_003ABDA6
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_003A1D90	0_2_003A1D90
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_0038DF00	0_2_0038DF00
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_00393FE0	0_2_00393FE0
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_00FFFB40	0_2_00FFFB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00D3C70A	2_2_00D3C70A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00D34A80	2_2_00D34A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00D3DA40	2_2_00D3DA40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00D33E68	2_2_00D33E68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00D341B0	2_2_00D341B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_060A2438	2_2_060A2438
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_060A1288	2_2_060A1288
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_060A3BD8	2_2_060A3BD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_060A34F0	2_2_060A34F0

Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: String function: 003A8900 appears 42 times
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: String function: 00387DE1 appears 36 times
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: String function: 003A0AE3 appears 70 times

Source: uEuTtkxAqq.exe, 00000000.00000003.2286295908.00000000035B3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs uEuTtkxAqq.exe
Source: uEuTtkxAqq.exe, 00000000.00000003.2286436330.000000000375D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs uEuTtkxAqq.exe
Source: uEuTtkxAqq.exe, 00000000.00000002.2289667767.00000000005A0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamee8300309-2878-4eb6-9fa4-d88c99cb9494.exe4 vs uEuTtkxAqq.exe

Source: uEuTtkxAqq.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.uEuTtkxAqq.exe.5a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.uEuTtkxAqq.exe.5a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.uEuTtkxAqq.exe.5a0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.uEuTtkxAqq.exe.5a0000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 00000000.00000002.2289667767.00000000005A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000000.00000002.2289667767.00000000005A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/2@1/1

Source: C:\Users\user\Desktop\uEuTtkxAqq.exe

Code function: 0_2_003EA06A GetLastError,FormatMessageW,

0_2_003EA06A

Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_003D81CB AdjustTokenPrivileges,CloseHandle,		0_2_003D81CB
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_003D87E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_003D87E1

Source: C:\Users\user\Desktop\uEuTtkxAqq.exe

Code function: 0_2_003EB333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_003EB333

Source: C:\Users\user\Desktop\uEuTtkxAqq.exe

Code function: 0_2_003FEE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_003FEE0D

Source: C:\Users\user\Desktop\uEuTtkxAqq.exe

Code function: 0_2_003F83BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_003F83BB

Source: C:\Users\user\Desktop\uEuTtkxAqq.exe

Code function: 0_2_00384E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00384E89

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\uEuTtkxAqq.exe

File created: C:\Users\user\AppData\Local\Temp\autFB2C.tmp

Jump to behavior

Source: C:\Users\user\Desktop\uEuTtkxAqq.exe

Command line argument: @Z

0_2_003847D0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\uEuTtkxAqq.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 00000002.00000002.3523908642.0000000002922000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3523908642.0000000002910000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: uEuTtkxAqq.exe	Virustotal: Detection: 64%
Source: uEuTtkxAqq.exe	ReversingLabs: Detection: 68%

Source: unknown	Process created: C:\Users\user\Desktop\uEuTtkxAqq.exe "C:\Users\user\Desktop\uEuTtkxAqq.exe"
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\uEuTtkxAqq.exe"
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\uEuTtkxAqq.exe"	Jump to behavior

Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source:	Binary string: wntdll.pdbUGP source: uEuTtkxAqq.exe, 00000000.00000003.2286987560.0000000003630000.00000004.00001000.00020000.00000000.sdmp, uEuTtkxAqq.exe, 00000000.00000003.2286295908.0000000003490000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: uEuTtkxAqq.exe, 00000000.00000003.2286987560.0000000003630000.00000004.00001000.00020000.00000000.sdmp, uEuTtkxAqq.exe, 00000000.00000003.2286295908.0000000003490000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\uEuTtkxAqq.exe

Code function: 0_2_004989F0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,

0_2_004989F0

Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_0038C4C7 push A30038BAh; retn 0038h	0_2_0038C50D
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_003A8945 push ecx; ret	0_2_003A8958
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_060AC6E0 push esp; iretd	2_2_060AC702
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_060ACB60 push es; ret	2_2_060ACB70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_060AD408 push esp; iretd	2_2_060AD414
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_060AD415 push esp; iretd	2_2_060AD434
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_060AD44E push esp; iretd	2_2_060AD454
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_060AD3E0 push esp; iretd	2_2_060AD3F4

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_003848D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_003848D7
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_00405376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00405376

Source: C:\Users\user\Desktop\uEuTtkxAqq.exe

Code function: 0_2_003A3187 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_003A3187

Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: uEuTtkxAqq.exe PID: 1364, type: MEMORYSTR

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\uEuTtkxAqq.exe

API/Special instruction interceptor: Address: FFF764

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: uEuTtkxAqq.exe, 00000000.00000002.2289667767.00000000005A0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3522399601.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3523908642.00000000028F2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3523908642.0000000002845000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\uEuTtkxAqq.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-102585

Source: C:\Users\user\Desktop\uEuTtkxAqq.exe

API coverage: 4.8 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_003E445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_003E445A
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_003EC6D1 FindFirstFileW,FindClose,	0_2_003EC6D1
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_003EC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_003EC75C
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_003EEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_003EEF95
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_003EF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_003EF0F2
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_003EF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_003EF3F3
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_003E37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_003E37EF
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_003E3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_003E3B12
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_003EBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_003EBCBC

Source: C:\Users\user\Desktop\uEuTtkxAqq.exe

Code function: 0_2_003849A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_003849A0

Source: RegSvcs.exe, 00000002.00000002.3523908642.0000000002845000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: RegSvcs.exe, 00000002.00000002.3523908642.0000000002845000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: RegSvcs.exe, 00000002.00000002.3522399601.0000000000402000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: VMwareVBoxESelect * from Win32_ComputerSystem
Source: RegSvcs.exe, 00000002.00000002.3525286409.0000000005ACB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	API call chain: ExitProcess graph end node			graph_0-101200
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	API call chain: ExitProcess graph end node			graph_0-103180

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 2_2_00D37068 CheckRemoteDebuggerPresent,

2_2_00D37068

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\uEuTtkxAqq.exe

Code function: 0_2_003F3F09 BlockInput,

0_2_003F3F09

Source: C:\Users\user\Desktop\uEuTtkxAqq.exe

Code function: 0_2_00383B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00383B3A

Source: C:\Users\user\Desktop\uEuTtkxAqq.exe

Code function: 0_2_003B5A7C RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,

0_2_003B5A7C

Source: C:\Users\user\Desktop\uEuTtkxAqq.exe

Code function: 0_2_004989F0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,

0_2_004989F0

Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_00FFE390 mov eax, dword ptr fs:[00000030h]	0_2_00FFE390
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_00FFF9D0 mov eax, dword ptr fs:[00000030h]	0_2_00FFF9D0
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_00FFFA30 mov eax, dword ptr fs:[00000030h]	0_2_00FFFA30

Source: C:\Users\user\Desktop\uEuTtkxAqq.exe

Code function: 0_2_003D80A9 GetTokenInformation,GetLastError,GetProcessHeap,RtlAllocateHeap,GetTokenInformation,

0_2_003D80A9

Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_003AA124 SetUnhandledExceptionFilter,		0_2_003AA124
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_003AA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_003AA155

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\uEuTtkxAqq.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\uEuTtkxAqq.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 64C008

Jump to behavior

Source: C:\Users\user\Desktop\uEuTtkxAqq.exe

Code function: 0_2_003D87B1 LogonUserW,

0_2_003D87B1

Source: C:\Users\user\Desktop\uEuTtkxAqq.exe

Code function: 0_2_00383B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00383B3A

Source: C:\Users\user\Desktop\uEuTtkxAqq.exe

Code function: 0_2_003848D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_003848D7

Source: C:\Users\user\Desktop\uEuTtkxAqq.exe

Code function: 0_2_003E4C27 mouse_event,

0_2_003E4C27

Source: C:\Users\user\Desktop\uEuTtkxAqq.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\uEuTtkxAqq.exe"

Jump to behavior

Source: C:\Users\user\Desktop\uEuTtkxAqq.exe

Code function: 0_2_003D7CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_003D7CAF

Source: C:\Users\user\Desktop\uEuTtkxAqq.exe

Code function: 0_2_003D874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_003D874B

Source: uEuTtkxAqq.exe, 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: uEuTtkxAqq.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\uEuTtkxAqq.exe

Code function: 0_2_003A862B cpuid

0_2_003A862B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\uEuTtkxAqq.exe

Code function: 0_2_003B4E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_003B4E87

Source: C:\Users\user\Desktop\uEuTtkxAqq.exe

Code function: 0_2_003C1E06 GetUserNameW,

0_2_003C1E06

Source: C:\Users\user\Desktop\uEuTtkxAqq.exe

Code function: 0_2_003B3F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_003B3F3A

Source: C:\Users\user\Desktop\uEuTtkxAqq.exe

Code function: 0_2_003849A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_003849A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.uEuTtkxAqq.exe.5a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.uEuTtkxAqq.exe.5a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3522399601.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2289667767.00000000005A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: uEuTtkxAqq.exe PID: 1364, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5396, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: uEuTtkxAqq.exe	Binary or memory string: WIN_81
Source: uEuTtkxAqq.exe	Binary or memory string: WIN_XP
Source: uEuTtkxAqq.exe	Binary or memory string: WIN_XPe
Source: uEuTtkxAqq.exe	Binary or memory string: WIN_VISTA
Source: uEuTtkxAqq.exe	Binary or memory string: WIN_7
Source: uEuTtkxAqq.exe	Binary or memory string: WIN_8
Source: uEuTtkxAqq.exe, 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.uEuTtkxAqq.exe.5a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.uEuTtkxAqq.exe.5a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3522399601.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3523908642.0000000002845000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2289667767.00000000005A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: uEuTtkxAqq.exe PID: 1364, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5396, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.uEuTtkxAqq.exe.5a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.uEuTtkxAqq.exe.5a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3522399601.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2289667767.00000000005A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: uEuTtkxAqq.exe PID: 1364, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5396, type: MEMORYSTR

Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_003F6283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_003F6283
Source: C:\Users\user\Desktop\uEuTtkxAqq.exe	Code function: 0_2_003F6747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_003F6747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	221 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	Logon Script (Windows)	2 Valid Accounts	21 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 Software Packing	NTDS	138 System Information Discovery	Distributed Component Object Model	21 Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 DLL Side-Loading	LSA Secrets	651 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Valid Accounts	Cached Domain Credentials	22 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	22 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	212 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
uEuTtkxAqq.exe	65%	Virustotal		Browse
uEuTtkxAqq.exe	68%	ReversingLabs	Win32.Trojan.AutoitInject
uEuTtkxAqq.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Reputation
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false	high
ip-api.com	208.95.112.1	true	false	high
ax-0001.ax-msedge.net	150.171.27.10	true	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ip-api.com/line/?fields=hosting	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://ip-api.com/line/?fields=hostingW	RegSvcs.exe, 00000002.00000002.3523193056.0000000000C0A000.00000004.00000020.00020000.00000000.sdmp	false	high
https://account.dyn.com/	uEuTtkxAqq.exe, 00000000.00000002.2289667767.00000000005A0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3522399601.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000002.00000002.3523908642.00000000028D8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3523908642.0000000002811000.00000004.00000800.00020000.00000000.sdmp	false	high
http://ip-api.com	RegSvcs.exe, 00000002.00000002.3523908642.00000000028D8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3523908642.0000000002811000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3523908642.00000000028F2000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588593
Start date and time:	2025-01-11 02:51:35 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	uEuTtkxAqq.exe renamed because original name is a hash value
Original Sample Name:	66d03b788fb30b48ae88976c7f558f4da002665d2c493914addf9449126b9daa.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/2@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 56 Number of non-executed functions: 271
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 2.23.242.162, 13.107.246.45, 52.149.20.212, 40.126.31.71, 20.199.58.43, 2.23.227.208, 150.171.27.10, 20.223.35.26
Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, tse1.mm.bing.net, ctldl.windowsupdate.com, g.bing.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, azureedge-t-prod.trafficmanager.net, prod.fs.microsoft.com.akadns.net
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	0I9GLRSiy0.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	NUGMrDcg4v.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	LMxd0gpIxe.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	rComprobante_swift_8676534657698632.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	28uMwHvbTD.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	e4Iw3lwFJ5.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	uOCavrYu1y.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	XoRPyi5s1i.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	NX8j2O83Wu.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	7569qiv4L2.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ax-0001.ax-msedge.net	phish_alert_sp2_2.0.0.0(4).eml	Get hash	malicious	Unknown	Browse	150.171.28.10
	https://app.online.mt.com/e/es?s=961579678&e=14507707&elqTrackId=4f40dcb3a3854013ad3a46d461cc3aff&elq=5140e028df1a42afab491350388fd129&elqaid=221811&elqat=1&elqcst=272&elqcsid=2325629&elqak=8AF5D97DFF9E423CC7C7524F5CA3C1A86F5F67341B9DF612D5A2FB20DE928F2AA351	Get hash	malicious	Unknown	Browse	150.171.27.10
	https://app.online.mt.com/e/es?s=961579678&e=14507707&elqTrackId=4f40dcb3a3854013ad3a46d461cc3aff&elq=5140e028df1a42afab491350388fd129&elqaid=221811&elqat=1&elqcst=272&elqcsid=2325629&elqak=8AF5D97DFF9E423CC7C7524F5CA3C1A86F5F67341B9DF612D5A2FB20DE928F2AA351	Get hash	malicious	Unknown	Browse	150.171.27.10
	295963673155714664.js	Get hash	malicious	Strela Downloader	Browse	150.171.28.10
	24928193762733825739.js	Get hash	malicious	Strela Downloader	Browse	150.171.28.10
	299273933818721331.js	Get hash	malicious	Strela Downloader	Browse	150.171.28.10
	lock.exe	Get hash	malicious	Unknown	Browse	150.171.27.10
	nested-Please Review%3A].eml	Get hash	malicious	Unknown	Browse	150.171.27.10
	http://atozpdfbooks.com	Get hash	malicious	Unknown	Browse	150.171.27.10
	http://infarmbureau.com	Get hash	malicious	Unknown	Browse	150.171.27.10
s-part-0017.t-0009.t-msedge.net	23754232101540928500.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45
	rwlPT9YJt0.exe	Get hash	malicious	Snake Keylogger	Browse	13.107.246.45
	CGk5FtIq0N.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	wOBmA8bj8d.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	KtPCqWWnqM.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	kQibsaGS2E.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	1907125702104121563.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45
	2937924646314313784.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45
	RdichqztBg.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	AraK29dzhH.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
ip-api.com	0I9GLRSiy0.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	NUGMrDcg4v.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	LMxd0gpIxe.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	rComprobante_swift_8676534657698632.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	28uMwHvbTD.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	e4Iw3lwFJ5.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	uOCavrYu1y.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	XoRPyi5s1i.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	NX8j2O83Wu.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	7569qiv4L2.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TUT-ASUS	0I9GLRSiy0.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	NUGMrDcg4v.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	LMxd0gpIxe.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	rComprobante_swift_8676534657698632.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	28uMwHvbTD.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	e4Iw3lwFJ5.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	uOCavrYu1y.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	XoRPyi5s1i.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	NX8j2O83Wu.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	7569qiv4L2.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1

Process:	C:\Users\user\Desktop\uEuTtkxAqq.exe
File Type:	data
Category:	dropped
Size (bytes):	158408
Entropy (8bit):	7.91841861781415
Encrypted:	false
SSDEEP:	3072:KWfuw7eaFzxGZP3IJxGyAelHQ++B9wFAfBtWiSKT+dEqfxftCsiPuYaHk:KWFdxjJQ+/niS3JEuRHk
MD5:	7F1CEEC9D7C465B3614F11981F8C0567
SHA1:	B62E03DE1F9C2E686A7F4E8B1D05B33263A89652
SHA-256:	7B165E491B1B15387FFCD41E7374D801848BD96FA2205BCEB54A846859D42BE7
SHA-512:	7C5BE9637D674BA7F5472A18E4E9941B85FB6D2004D765C7262B25974F6273E8EE91B12C410C373FB17FF339F3ECB9412956A42E9997771CE916AEA3D3BCB560
Malicious:	false
Reputation:	low
Preview:	EA06......83zmB.Y..hS..:.U...Zef.P..+....4T...L.U...fj.5....G.zks....m....2U8.[.....w#.ZjS).~.A...)...x.......>.I..y.z...N..X.Gf...7...4k.5.V)5....M...,I.....,.hnh .Db.Q..A...&..i....UY.:..i.\.'...Ze$.i.P.2p..T.4;Z......aQ..i.._=.^........N.J....5.D..;g...P..q...#........'z.P.......Z.h.N]..B`.4z. ._..sI..d.J.j.L.....L.h ..........x...8..z...@..`......hU`....k..}Z.6.!\|.....{.o.W..-..E...4QjlFA...(,Z......u...M.3....ou8....X..Z......gTy.v?...../3.k.[nr...?..>..~.....OdG....m...?F.Y.<......V.7y...T.. UiD.A0.R.......y.>./..@../.J.:.K...:.7..G..3.].Rx..O.4....2..!...x.@..u....^..E.[11..u...B^.h_.......Sf.\|..yB..G..c.r...>$.C~..0.y...m..s:,..'s...N.~u..B...b....o=...SV.]..Z..U.W...t..z..<.y..\.U.3....\|.jp......m..z.W.......llj....1...u....k....G.]7.T5...'.9.W.Sz.N+A..f.Z5^i4.E..H4&.9.U. 7X.S.Tj..`...W.UN.H....Z..e.W+4....Rc...v.H.NlT. .......e%..........[l.m3.A...Ed...R.p.A......4.k1.D.R...b.....m?[H.q......6....Rkg.o...F....h

C:\Users\user\AppData\Local\Temp\biopsies

Download File

Process:	C:\Users\user\Desktop\uEuTtkxAqq.exe
File Type:	data
Category:	dropped
Size (bytes):	244224
Entropy (8bit):	6.693187763452063
Encrypted:	false
SSDEEP:	6144:63wcRWKtKu8x58mgwuI9uR3Q6HppNMOlR9B1bqHg:SLos8PfgwiRdTBtqHg
MD5:	C4F2964940463971B6EE7FA3E8B32A9C
SHA1:	C327EC42CFB5D0A168698FC61F52E2FE4146C956
SHA-256:	C7DD9ABD3ECAED30C19CF62C582395CDF5147D41379ED32771593104C298D2F5
SHA-512:	9A2DFA5548530826AAC0A13DF2227798D30E1DE020ED8A69BA804EDC3409D79B73CE72343E035E9C092BEF4E51DFEA232A21E39185D42C01CB1F8012E1CDDC64
Malicious:	false
Reputation:	low
Preview:	...7MPRYWIB9..SU.655LYBPu8XBQ7NPRYSIB9I1SU1655LYBP58XBQ7NPRY.IB9G..[1.<.m.C....*8Dn 64;#TiR2;_YA..<b"@Vx+?....y>&&\g<^_.655LYBPe}XB.6MP...,B9I1SU16.5NXIQ>8X.R7NXRYSIB9'.PU1.55L.AP58.BQ.NPR[SIF9I1SU1615LYBP58XbU7NRRYSIB9K1..16%5LIBP58HBQ'NPRYSIR9I1SU1655LYZ.68.BQ7N.QY.LB9I1SU1655LYBP58XBQ7JP^YSIB9I1SU1655LYBP58XBQ7NPRYSIB9I1SU1655LYBP58XBQ7NPRySIJ9I1SU1655LYJp58.BQ7NPRYSIB9gE6-E6558.AP5.XBQ.MPR[SIB9I1SU1655LYbP5Xv0"E-PRY.LB9I.PU1055L.AP58XBQ7NPRYSI.9Iq}'TZZVLYNP58XBU7NRRYS.A9I1SU1655LYBPu8X.Q7NPRYSIB9I1SU16e.OYBP58.BQ7LPWY..@9..RU2655MYBV58XBQ7NPRYSIB9I1SU1655LYBP58XBQ7NPRYSIB9I1SU1655Q....\|.JpZ0^.o.^.2.."..L..M. .#V...._....nDU.x6.:\|..<....B.XW R....k5:G;]..m_T.E..k.ms-...?'.).K..7Dt......m....F6g...!.VZ!w# ET=l.V(1 0.K.8I1SU........\@..\|4ANfK+...gGI`....<P58<BQ7<PRY2IB9.1SU^655"YBPK8XB/7NP.YSI.9I1dU16.5LY/P58\|BQ70PRY.4M6..<B..5LYBP...r.Z.....~...".OmW....4.s..Td._:.$..~..]..]y.[.)V.v.EP1JUP^WJN.Gz....71H\@W1;T._\|...x.o..p...@....#.,58XBQ7.PR.SIB..1.U16.5.Y..58X.7.P.Y...9

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit):	7.934474358369442
TrID:	Win32 Executable (generic) a (10002005/4) 99.39% UPX compressed Win32 Executable (30571/9) 0.30% Win32 EXE Yoda's Crypter (26571/9) 0.26% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	uEuTtkxAqq.exe
File size:	619'520 bytes
MD5:	c1724dddbf52cc09ecdae09749d97cfc
SHA1:	8365d90f6a0acdaa5346d74d8d52b2f82a488625
SHA256:	66d03b788fb30b48ae88976c7f558f4da002665d2c493914addf9449126b9daa
SHA512:	4e6102405e7a857f8071a5678e3855bb4b09c75711df1becc8e7633cb5266b299940e9bbe6b780de180553f81339e22b73d34d443b5b4dc67ccb3f46812e42ff
SSDEEP:	12288:squErHF6xC9D6DmR1J98w4oknqOOCyQf5gjnVfHWfiOn80lH8Myrw8il+f:9rl6kD68JmlotQfGVLOn8QKE8pf
TLSH:	FAD4229596C2C967CA5867B080799E941A787872CFD9A34CC729E21FFC30307C85BB5E
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x5189f0
Entrypoint Section:	UPX1
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67518A50 [Thu Dec 5 11:11:12 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	fc6683d30d9f25244a50fd5357825e79

Entrypoint Preview

Instruction
pushad
mov esi, 004C3000h
lea edi, dword ptr [esi-000C2000h]
push edi
jmp 00007F19155A5A9Dh
nop
mov al, byte ptr [esi]
inc esi
mov byte ptr [edi], al
inc edi
add ebx, ebx
jne 00007F19155A5A99h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F19155A5A7Fh
mov eax, 00000001h
add ebx, ebx
jne 00007F19155A5A99h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
add ebx, ebx
jnc 00007F19155A5A9Dh
jne 00007F19155A5ABAh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F19155A5AB1h
dec eax
add ebx, ebx
jne 00007F19155A5A99h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
jmp 00007F19155A5A66h
add ebx, ebx
jne 00007F19155A5A99h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
jmp 00007F19155A5AE4h
xor ecx, ecx
sub eax, 03h
jc 00007F19155A5AA3h
shl eax, 08h
mov al, byte ptr [esi]
inc esi
xor eax, FFFFFFFFh
je 00007F19155A5B07h
sar eax, 1
mov ebp, eax
jmp 00007F19155A5A9Dh
add ebx, ebx
jne 00007F19155A5A99h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F19155A5A5Eh
inc ecx
add ebx, ebx
jne 00007F19155A5A99h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F19155A5A50h
add ebx, ebx
jne 00007F19155A5A99h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jnc 00007F19155A5A81h
jne 00007F19155A5A9Bh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007F19155A5A76h
add ecx, 02h
cmp ebp, FFFFFB00h
adc ecx, 02h
lea edx, dword ptr [edi+ebp]
cmp ebp, FFFFFFFCh
jbe 00007F19155A5AA0h
mov al, byte ptr [edx]

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x159ca0	0x424	.rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x119000	0x40ca0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x15a0c4	0xc	.rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x118bd4	0x48	UPX1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0xc2000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1	0xc3000	0x56000	0x55e00	3d663a173c32413fbe3f1182eb1e8fe1	False	0.9870360262008734	data	7.935091153360481	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x119000	0x42000	0x41200	56c0d2e093afbb41a3e648e98f97fc12	False	0.9216500719769674	data	7.88220341938833	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x1195ac	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0x1196d8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0x119804	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0x119930	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0x119c1c	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0x119d48	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0x11abf4	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0x11b4a0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0x11ba0c	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0x11dfb8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0x11f064	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xcd4a0	0x50	data	English	Great Britain	1.1375
RT_STRING	0xcd4f0	0x594	data	English	Great Britain	1.007703081232493
RT_STRING	0xcda84	0x68a	data	English	Great Britain	1.0065710872162486
RT_STRING	0xce110	0x490	SysEx File -	English	Great Britain	1.009417808219178
RT_STRING	0xce5a0	0x5fc	data	English	Great Britain	1.0071801566579635
RT_STRING	0xceb9c	0x65c	data	English	Great Britain	1.0067567567567568
RT_STRING	0xcf1f8	0x466	data	English	Great Britain	1.0097690941385435
RT_STRING	0xcf660	0x158	data	English	Great Britain	1.0319767441860466
RT_RCDATA	0x11f4d0	0x3a235	data			1.000340146052836
RT_GROUP_ICON	0x15970c	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x159788	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x1597a0	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x1597b8	0x14	data	English	Great Britain	1.25
RT_VERSION	0x1597d0	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x1598b0	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
KERNEL32.DLL	LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
ADVAPI32.dll	GetAce
COMCTL32.dll	ImageList_Remove
COMDLG32.dll	GetOpenFileNameW
GDI32.dll	LineTo
IPHLPAPI.DLL	IcmpSendEcho
MPR.dll	WNetUseConnectionW
ole32.dll	CoGetObject
OLEAUT32.dll	VariantInit
PSAPI.DLL	GetProcessMemoryInfo
SHELL32.dll	DragFinish
USER32.dll	GetDC
USERENV.dll	LoadUserProfileW
UxTheme.dll	IsThemeActive
VERSION.dll	VerQueryValueW
WININET.dll	FtpOpenFileW
WINMM.dll	timeGetTime
WSOCK32.dll	connect

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 02:52:43.692909002 CET	49771	80	192.168.2.6	208.95.112.1
Jan 11, 2025 02:52:43.697690964 CET	80	49771	208.95.112.1	192.168.2.6
Jan 11, 2025 02:52:43.697750092 CET	49771	80	192.168.2.6	208.95.112.1
Jan 11, 2025 02:52:43.698581934 CET	49771	80	192.168.2.6	208.95.112.1
Jan 11, 2025 02:52:43.703424931 CET	80	49771	208.95.112.1	192.168.2.6
Jan 11, 2025 02:52:44.165122986 CET	80	49771	208.95.112.1	192.168.2.6
Jan 11, 2025 02:52:44.213028908 CET	49771	80	192.168.2.6	208.95.112.1
Jan 11, 2025 02:52:55.032042980 CET	49331	53	192.168.2.6	1.1.1.1
Jan 11, 2025 02:52:55.036866903 CET	53	49331	1.1.1.1	192.168.2.6
Jan 11, 2025 02:52:55.036962032 CET	49331	53	192.168.2.6	1.1.1.1
Jan 11, 2025 02:52:55.041877031 CET	53	49331	1.1.1.1	192.168.2.6
Jan 11, 2025 02:52:55.490643024 CET	49331	53	192.168.2.6	1.1.1.1
Jan 11, 2025 02:52:55.495563030 CET	53	49331	1.1.1.1	192.168.2.6
Jan 11, 2025 02:52:55.495754004 CET	49331	53	192.168.2.6	1.1.1.1
Jan 11, 2025 02:53:43.293299913 CET	80	49771	208.95.112.1	192.168.2.6
Jan 11, 2025 02:53:43.293370962 CET	49771	80	192.168.2.6	208.95.112.1
Jan 11, 2025 02:54:24.183769941 CET	49771	80	192.168.2.6	208.95.112.1
Jan 11, 2025 02:54:24.189459085 CET	80	49771	208.95.112.1	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 02:52:43.678987026 CET	64170	53	192.168.2.6	1.1.1.1
Jan 11, 2025 02:52:43.685713053 CET	53	64170	1.1.1.1	192.168.2.6
Jan 11, 2025 02:52:55.029840946 CET	53	50895	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 11, 2025 02:52:43.678987026 CET	192.168.2.6	1.1.1.1	0xaaec	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 11, 2025 02:52:34.473728895 CET	1.1.1.1	192.168.2.6	0x301b	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 02:52:34.473728895 CET	1.1.1.1	192.168.2.6	0x301b	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:52:43.685713053 CET	1.1.1.1	192.168.2.6	0xaaec	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:53:37.479340076 CET	1.1.1.1	192.168.2.6	0x35c2	No error (0)	g-bing-com.ax-0001.ax-msedge.net	ax-0001.ax-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 02:53:37.479340076 CET	1.1.1.1	192.168.2.6	0x35c2	No error (0)	ax-0001.ax-msedge.net		150.171.27.10	A (IP address)	IN (0x0001)	false
Jan 11, 2025 02:53:37.479340076 CET	1.1.1.1	192.168.2.6	0x35c2	No error (0)	ax-0001.ax-msedge.net		150.171.28.10	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49771	208.95.112.1	80	5396	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 02:52:43.698581934 CET	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Jan 11, 2025 02:52:44.165122986 CET	175	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 01:52:43 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

Target ID:	0
Start time:	20:52:38
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\uEuTtkxAqq.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\uEuTtkxAqq.exe"
Imagebase:	0x380000
File size:	619'520 bytes
MD5 hash:	C1724DDDBF52CC09ECDAE09749D97CFC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2289667767.00000000005A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.2289667767.00000000005A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2289667767.00000000005A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000000.00000002.2289667767.00000000005A0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AgentTeslaV2, Description: AgenetTesla Type 2 Keylogger payload, Source: 00000000.00000002.2289667767.00000000005A0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	20:52:42
Start date:	10/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\uEuTtkxAqq.exe"
Imagebase:	0x500000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3522399601.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3522399601.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3523908642.0000000002845000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	4.1%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	9%
Total number of Nodes:	2000
Total number of Limit Nodes:	54

Executed Functions

Function 00383B3A Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00383B68
IsDebuggerPresent.KERNEL32 ref: 00383B7A
GetFullPathNameW.KERNEL32(00007FFF,?,?,004452F8,004452E0,?,?), ref: 00383BEB

Part of subcall function 00387BCC: _memmove.LIBCMT ref: 00387C06

Part of subcall function 0039092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00383C14,004452F8,?,?,?), ref: 0039096E

SetCurrentDirectoryW.KERNEL32(?), ref: 00383C6F
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00437770,00000010), ref: 003BD281
SetCurrentDirectoryW.KERNEL32(?,004452F8,?,?,?), ref: 003BD2B9
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00434260,004452F8,?,?,?), ref: 003BD33F
ShellExecuteW.SHELL32(00000000,?,?), ref: 003BD346

Part of subcall function 00383A46: GetSysColorBrush.USER32(0000000F), ref: 00383A50
Part of subcall function 00383A46: LoadCursorW.USER32(00000000,00007F00), ref: 00383A5F
Part of subcall function 00383A46: LoadIconW.USER32(00000063), ref: 00383A76
Part of subcall function 00383A46: LoadIconW.USER32(000000A4), ref: 00383A88
Part of subcall function 00383A46: LoadIconW.USER32(000000A2), ref: 00383A9A
Part of subcall function 00383A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00383AC0
Part of subcall function 00383A46: RegisterClassExW.USER32(?), ref: 00383B16

Part of subcall function 003839D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00383A03
Part of subcall function 003839D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00383A24
Part of subcall function 003839D5: ShowWindow.USER32(00000000,?,?), ref: 00383A38
Part of subcall function 003839D5: ShowWindow.USER32(00000000,?,?), ref: 00383A41

Part of subcall function 0038434A: _memset.LIBCMT ref: 00384370
Part of subcall function 0038434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00384415

Strings

runas, xrefs: 003BD33A
%A, xrefs: 00383C44
This is a third-party compiled AutoIt script., xrefs: 003BD279

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas$%A
API String ID: 529118366-2845487603
Opcode ID: 8a1e815392b566f40be939194ed8689307a8a0a11505f9f609e242e53bd70d15
Instruction ID: 1e061db88ce6595678c365f388ce0cd2400fbedc2d549da6c12838fa3c9cd166
Opcode Fuzzy Hash: 8a1e815392b566f40be939194ed8689307a8a0a11505f9f609e242e53bd70d15
Instruction Fuzzy Hash: 7751F375908348ABDF12FBB4DC05AED7B79BB05700F1040F6F451BA2A2DBB49605CB29

Function 00383633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
timewindowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 003836D2
KillTimer.USER32(?,00000001), ref: 003836FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0038371F
RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 0038372A
CreatePopupMenu.USER32 ref: 0038373E
PostQuitMessage.USER32(00000000), ref: 0038374D

Strings

TaskbarCreated, xrefs: 00383725
%A, xrefs: 003BD081, 003BD0CF

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Timer$ClipboardCreateFormatKillMenuMessageNtdllPopupPostProc_QuitRegisterWindow
String ID: TaskbarCreated$%A
API String ID: 157504867-1239895088
Opcode ID: 45b1ec15ed67eea5a269978fcfa3cc2a631e343322e7896748459dec4484b3ab
Instruction ID: ef777364722a100b5c7a6f1c879e19846ef175cf3d79129c5f7f86ae5b53f2a7
Opcode Fuzzy Hash: 45b1ec15ed67eea5a269978fcfa3cc2a631e343322e7896748459dec4484b3ab
Instruction Fuzzy Hash: 894149B2100705BBDF237F68DC49B7D3758EB01700F1005B6F602A77A2EAB59E15976A

Function 003849A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 003849CD

Part of subcall function 00387BCC: _memmove.LIBCMT ref: 00387C06

GetCurrentProcess.KERNEL32(?,0040FAEC,00000000,00000000,?), ref: 00384A9A
IsWow64Process.KERNEL32(00000000), ref: 00384AA1
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00384AE7
FreeLibrary.KERNEL32(00000000), ref: 00384AF2
GetSystemInfo.KERNEL32(00000000), ref: 00384B23
GetSystemInfo.KERNEL32(00000000), ref: 00384B2F

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: aa0a40a2ed1bfbb73b4cd8a16cb25fbddae481b14496d19faca9463ede339236
Instruction ID: b393445b03bb1b2d474ad42aa9d75368c5a927f07ec31b7e3e788a4530459577
Opcode Fuzzy Hash: aa0a40a2ed1bfbb73b4cd8a16cb25fbddae481b14496d19faca9463ede339236
Instruction Fuzzy Hash: A791D3319897C1DAC737EB7885501AABFF5AF2A304B4449AED0C797E01E234E908C75D

Function 00384E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00384E99
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00384D8E,?,?,00000000,00000000), ref: 00384EB0
LoadResource.KERNEL32(?,00000000,?,?,00384D8E,?,?,00000000,00000000,?,?,?,?,?,?,00384E2F), ref: 003BD937
SizeofResource.KERNEL32(?,00000000,?,?,00384D8E,?,?,00000000,00000000,?,?,?,?,?,?,00384E2F), ref: 003BD94C
LockResource.KERNEL32(00384D8E,?,?,00384D8E,?,?,00000000,00000000,?,?,?,?,?,?,00384E2F,00000000), ref: 003BD95F

Strings

SCRIPT, xrefs: 00384EA6

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 1a086991c6517f1d581376de411962981439e4ded6f666b6d29a33b54b30b705
Instruction ID: 19386167899331d434d68212a48ab1149d5b4732b885f25b27c816ec8be5fbfa
Opcode Fuzzy Hash: 1a086991c6517f1d581376de411962981439e4ded6f666b6d29a33b54b30b705
Instruction Fuzzy Hash: 6C119E71200701BFD7219B65EC48F677BBAFBC5B11F2082BCF40596A50EB71E8048A60

Function 0038FCE0 Relevance: 8.0, APIs: 3, Strings: 1, Instructions: 1040COMMON

Download Yara Rule

Strings

%A, xrefs: 0038FCF3

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: BuffCharUpper
String ID: %A
API String ID: 3964851224-219755901
Opcode ID: a472230ddd55df204035b24251461cdbeeec119ac92b067f741a8ffe06996188
Instruction ID: 4a0dff52b815f053d29e31ab0e26c4f67e986fefab43b7be6f90b3cf98153a49
Opcode Fuzzy Hash: a472230ddd55df204035b24251461cdbeeec119ac92b067f741a8ffe06996188
Instruction Fuzzy Hash: 22929A746083418FDB26DF24C480B2AB7E5FF89304F15896DE89A9B362D771EC45CB92

Function 004989F0 Relevance: 7.7, APIs: 5, Instructions: 206librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 00498B2A
GetProcAddress.KERNEL32(?,00491FF9), ref: 00498B48
ExitProcess.KERNEL32(?,00491FF9), ref: 00498B59
VirtualProtect.KERNELBASE(00380000,00001000,00000004,?,00000000), ref: 00498BA7
VirtualProtect.KERNELBASE(00380000,00001000), ref: 00498BBC

Memory Dump Source

Source File: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
String ID:
API String ID: 1996367037-0
Opcode ID: 8d2a63175934a3ee110bf495a5867ec3ae634b9785888d03280cfd327958e73e
Instruction ID: 29840956c37d466ce0606e497bbd3b7d2bb5fd914f7633e219711f8bc1d181c5
Opcode Fuzzy Hash: 8d2a63175934a3ee110bf495a5867ec3ae634b9785888d03280cfd327958e73e
Instruction Fuzzy Hash: C851F8B2A452524EDF218E7C8C806617F94EB5336472C073FD5E2D73C5EFA858068369

Function 003847D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

74A3C8D0.UXTHEME ref: 00384834

Part of subcall function 003A336C: __lock.LIBCMT ref: 003A3372
Part of subcall function 003A336C: RtlDecodePointer.NTDLL(00000001), ref: 003A337E
Part of subcall function 003A336C: RtlEncodePointer.NTDLL(?), ref: 003A3389

Part of subcall function 003848FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00384915
Part of subcall function 003848FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0038492A

Part of subcall function 00383B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00383B68
Part of subcall function 00383B3A: IsDebuggerPresent.KERNEL32 ref: 00383B7A
Part of subcall function 00383B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,004452F8,004452E0,?,?), ref: 00383BEB
Part of subcall function 00383B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00383C6F

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00384874

Strings

@Z, xrefs: 003847D6

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$DebuggerDecodeEncodeFullNamePathPresent__lock
String ID: @Z
API String ID: 2688871447-1314040393
Opcode ID: 848d8891b07d78f8fd6f0af4f6748a33f5e486fa5601ef635b32a885f535748f
Instruction ID: d96f829f510106c763cda76f1f029fe88be81e11ff54ab343f39ffbb69ece73b
Opcode Fuzzy Hash: 848d8891b07d78f8fd6f0af4f6748a33f5e486fa5601ef635b32a885f535748f
Instruction Fuzzy Hash: 60118C759083029BCB01EF28E80591ABFE8FB86750F10496BF041972B2DBB09548CB9A

Function 003E445A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,003BE398), ref: 003E446A
FindFirstFileW.KERNELBASE(?,?), ref: 003E447B
FindClose.KERNEL32(00000000), ref: 003E448B

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: bf597a56167d1e0abfd0c6922e4d3e5f68be5a6c28ea05813f2fd5490c3bdae3
Instruction ID: 22518554708c23cc3784685c38f2d816b63b10ec84b5d5cb7ed526ca991909a8
Opcode Fuzzy Hash: bf597a56167d1e0abfd0c6922e4d3e5f68be5a6c28ea05813f2fd5490c3bdae3
Instruction Fuzzy Hash: 6DE0203351455167C220AB39EC0D4E9779C9F09335F100775FD35D15D0E7749D0499D9

Function 0038E6A0 Relevance: 3.6, Strings: 2, Instructions: 1102COMMON

Download Yara Rule

Strings

0-, xrefs: 0038E7AD, 0038E7B4, 0038EABA, 0038EAC1, 003C3AF5, 003C3B2E, 003C3DAA
Variable must be of type 'Object'., xrefs: 003C3E62

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID:
String ID: 0-$Variable must be of type 'Object'.
API String ID: 0-48138956
Opcode ID: 3e8d55622ac9ead86c5c5c8716c1b5bb786fc82884cdba2fa9ddf405a5818073
Instruction ID: 4c8e5a1ba059b0f4414b6a641ce006533a8f85dd7239f276cc5f351fef2f56dd
Opcode Fuzzy Hash: 3e8d55622ac9ead86c5c5c8716c1b5bb786fc82884cdba2fa9ddf405a5818073
Instruction Fuzzy Hash: 9DA2CF75A00315CFCB26EF94C480AAEB7B6FF59314F2580A9E906AB351D774ED42CB81

Function 003909D0 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00390A5B
timeGetTime.WINMM ref: 00390D16
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00390E53
Sleep.KERNEL32(0000000A), ref: 00390E61
LockWindowUpdate.USER32(00000000,?,?), ref: 00390EFA
DestroyWindow.USER32 ref: 00390F06
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00390F20
Sleep.KERNEL32(0000000A,?,?), ref: 003C4E83
TranslateMessage.USER32(?), ref: 003C5C60
DispatchMessageW.USER32(?), ref: 003C5C6E
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 003C5C82

Strings

@COM_EVENTOBJ, xrefs: 003C54F0
@GUI_CTRLHANDLE, xrefs: 003C4FE4
@GUI_CTRLID, xrefs: 003C4F3A
@GUI_WINHANDLE, xrefs: 003C4F8F
@TRAY_ID, xrefs: 003C578F

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 4212290369-3242690629
Opcode ID: 3e050fb260903889925c888af75a076e7a11d42ec0b6f62a54dadfcaf7575275
Instruction ID: 917d389f3f5a1f7a078aedb124938c74927db4b910643a86475ab99a0b9dd1de
Opcode Fuzzy Hash: 3e050fb260903889925c888af75a076e7a11d42ec0b6f62a54dadfcaf7575275
Instruction Fuzzy Hash: ECB29070608741DFDB2ADF24C884F6AB7E5BF85304F15496DE49A9B2A1CB71EC84CB42

Function 003E9155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 003E8F5F: __time64.LIBCMT ref: 003E8F69

Part of subcall function 00384EE5: _fseek.LIBCMT ref: 00384EFD

__wsplitpath.LIBCMT ref: 003E9234

Part of subcall function 003A40FB: __wsplitpath_helper.LIBCMT ref: 003A413B

_wcscpy.LIBCMT ref: 003E9247
_wcscat.LIBCMT ref: 003E925A
__wsplitpath.LIBCMT ref: 003E927F
_wcscat.LIBCMT ref: 003E9295
_wcscat.LIBCMT ref: 003E92A8

Part of subcall function 003E8FA5: _memmove.LIBCMT ref: 003E8FDE
Part of subcall function 003E8FA5: _memmove.LIBCMT ref: 003E8FED

_wcscmp.LIBCMT ref: 003E91EF

Part of subcall function 003E9734: _wcscmp.LIBCMT ref: 003E9824
Part of subcall function 003E9734: _wcscmp.LIBCMT ref: 003E9837

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 003E9452
_wcsncpy.LIBCMT ref: 003E94C5
DeleteFileW.KERNEL32(?,?), ref: 003E94FB
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 003E9511
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 003E9522
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 003E9534

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 692a1790da4788d65aed31cda3e3cda1b47ea7f659170666b022d9fed3f40085
Instruction ID: 804454d6a445230644aa16af9b834253d320eb5eff6128949795e5367005aa4e
Opcode Fuzzy Hash: 692a1790da4788d65aed31cda3e3cda1b47ea7f659170666b022d9fed3f40085
Instruction Fuzzy Hash: B7C13EB1D00229ABDF22DF95CC85ADEB7BDEF55310F0041AAF609EB191DB309A448F65

Function 0038708B Relevance: 19.5, APIs: 6, Strings: 5, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00384706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,004452F8,?,003837AE,?), ref: 00384724

Part of subcall function 003A050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00387165), ref: 003A052D

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 003871A8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 003BE8C8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 003BE909
RegCloseKey.ADVAPI32(?), ref: 003BE947
_wcscat.LIBCMT ref: 003BE9A0

Strings

\Include\, xrefs: 00387165
\, xrefs: 003BE9C3
Include, xrefs: 003BE8BF, 003BE900
Software\AutoIt v3\AutoIt, xrefs: 0038719E
X&, xrefs: 0038710E

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$X&$\$\Include\
API String ID: 2673923337-1918254323
Opcode ID: 0517fb3d5e20544ed30f679f1be5990366a667d8fd6e65b117b02789e2c4737f
Instruction ID: 88e8b8de145a47bd4119410fc364f30e07e7fe5dc7593a4921640f7eff857f0f
Opcode Fuzzy Hash: 0517fb3d5e20544ed30f679f1be5990366a667d8fd6e65b117b02789e2c4737f
Instruction Fuzzy Hash: 4771CE75108301AEC315FF29EC419ABBBE8FF86310B51497EF5448B1A0EBB0D948CB96

Function 00383A46 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00383A50
LoadCursorW.USER32(00000000,00007F00), ref: 00383A5F
LoadIconW.USER32(00000063), ref: 00383A76
LoadIconW.USER32(000000A4), ref: 00383A88
LoadIconW.USER32(000000A2), ref: 00383A9A
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00383AC0
RegisterClassExW.USER32(?), ref: 00383B16

Part of subcall function 00383041: GetSysColorBrush.USER32(0000000F), ref: 00383074
Part of subcall function 00383041: RegisterClassExW.USER32(00000030), ref: 0038309E
Part of subcall function 00383041: RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 003830AF
Part of subcall function 00383041: LoadIconW.USER32(000000A9), ref: 003830F2

Strings

#, xrefs: 00383AFB
AutoIt v3, xrefs: 00383B05
0, xrefs: 00383AF4
@Z, xrefs: 00383AA1

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Load$Icon$Register$BrushClassColor$ClipboardCursorFormatImage
String ID: #$0$@Z$AutoIt v3
API String ID: 2880975755-313518423
Opcode ID: fc6736137c515f5c858f486e9844fd45e2b86ca7bbeed941399f115b7bd21aa4
Instruction ID: b09943e5724ec0e8a0bf08f4612b19421da8d30d797ab5fdc74211b3b2157355
Opcode Fuzzy Hash: fc6736137c515f5c858f486e9844fd45e2b86ca7bbeed941399f115b7bd21aa4
Instruction Fuzzy Hash: 98213778900708AFEF12DFA4ED49B9D7BB4FB09711F1001BAE500AB2A2D3B556448F89

Function 00383766 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 003837AE
/AutoIt3OutputDebug, xrefs: 00383892
CMDLINERAW, xrefs: 003837FB
/AutoIt3ExecuteLine, xrefs: 003838A7
/AutoIt3ExecuteScript, xrefs: 003838BC
/ErrorStdOut, xrefs: 0038387D
CMDLINE, xrefs: 00383822

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
API String ID: 1825951767-3513169116
Opcode ID: 78181823079f6c2daca44ca0ee511d30cf1524baf41a66cb38bdfd7fb91a1717
Instruction ID: d2a396cdffd787169a33a3bf51b24503a09d4e806a0c3f0e7426b2c1796614c4
Opcode Fuzzy Hash: 78181823079f6c2daca44ca0ee511d30cf1524baf41a66cb38bdfd7fb91a1717
Instruction Fuzzy Hash: 2FA15E7290031D9ADF16FBA4DC51AEEB779BF15700F4404AAE415BB192EB74AA08CB60

Function 0038301C Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 73
registrywindowclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00383074
RegisterClassExW.USER32(00000030), ref: 0038309E
RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 003830AF
LoadIconW.USER32(000000A9), ref: 003830F2

Strings

+, xrefs: 0038305D
0, xrefs: 00383056
TaskbarCreated, xrefs: 003830A4
AutoIt v3 GUI, xrefs: 00383090

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Register$BrushClassClipboardColorFormatIconLoad
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 975902462-1005189915
Opcode ID: 18d28fd9947859a78bb75ba5b4efd4a284059faa6d274a04e6d5ee6789326330
Instruction ID: 5b973674d3b0f40e8ba5f4bdd0f466da3ea0cc8b7f543579292cf89a963a3184
Opcode Fuzzy Hash: 18d28fd9947859a78bb75ba5b4efd4a284059faa6d274a04e6d5ee6789326330
Instruction Fuzzy Hash: 6E3149B5840309EFDB50DFA4D885ACDBBF0FB0A310F10457AE580E62A1D7B90595CF99

Function 00383041 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 54
registrywindowclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00383074
RegisterClassExW.USER32(00000030), ref: 0038309E
RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 003830AF
LoadIconW.USER32(000000A9), ref: 003830F2

Strings

+, xrefs: 0038305D
0, xrefs: 00383056
TaskbarCreated, xrefs: 003830A4
AutoIt v3 GUI, xrefs: 00383090

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Register$BrushClassClipboardColorFormatIconLoad
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 975902462-1005189915
Opcode ID: fd15156ca58d7cab0be897ef174b51048b28feb97e5f88831d84418bf21ecd43
Instruction ID: 2262c4d4c51983bded9fcc8d971dc468453b9d169fb7ffbd8658fc837ec73986
Opcode Fuzzy Hash: fd15156ca58d7cab0be897ef174b51048b28feb97e5f88831d84418bf21ecd43
Instruction Fuzzy Hash: EE21F7B5910208AFDF10EFA4ED48B9DBBF4FB09700F00413AF910B62A1D7B545588F99

Function 00FFEB20 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00FFEBF1
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00FFEE17

Memory Dump Source

Source File: 00000000.00000002.2290297116.0000000000FFC000.00000040.00000020.00020000.00000000.sdmp, Offset: 00FFC000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ffc000_uEuTtkxAqq.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
Instruction ID: 60bf4f7366937ac4f180b4b2d4d17ebedcfe01f64bc9fc34fa15b6c665873368
Opcode Fuzzy Hash: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
Instruction Fuzzy Hash: C0A10671E0020DEBDB14CFA4C894BFEBBB5BF48314F208559E601BB2A0D7759A84DB94

Function 00387285 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 003BEA39
75D3D0D0.COMDLG32(?), ref: 003BEA83

Part of subcall function 00384750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00384743,?,?,003837AE,?), ref: 00384770

Part of subcall function 003A0791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 003A07B0

Strings

X, xrefs: 003BEA51
Run Script:, xrefs: 003BEA58
AutoIt script files (*.au3, *.a3x), xrefs: 003BEA67
au3, xrefs: 003BEA7C

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: NamePath$FullLong_memset
String ID: AutoIt script files (*.au3, *.a3x)$Run Script:$X$au3
API String ID: 3051022977-1954568251
Opcode ID: 0e119bca4e6c3ae57df7c96a363c6706709135a399ba936b6a717cc53fb2230c
Instruction ID: 4a5d2454613fb1ead9c0d70575f940718fbc0a598ba897769892133d53c59d3e
Opcode Fuzzy Hash: 0e119bca4e6c3ae57df7c96a363c6706709135a399ba936b6a717cc53fb2230c
Instruction Fuzzy Hash: A521D870A003489BDF52EF94C845BDEBBFDAF49314F10805AF508BB241DBB499498F91

Function 003839D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00383A03
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00383A24
ShowWindow.USER32(00000000,?,?), ref: 00383A38
ShowWindow.USER32(00000000,?,?), ref: 00383A41

Strings

AutoIt v3, xrefs: 003839FB, 00383A00, 00383A01
edit, xrefs: 00383A1E

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 33445a47caf383b99f60b25b09ac92250a76492854a65c5134b65a74a92a5af7
Instruction ID: 65b47d4c0923c3e3bd981c5e57c5788cfc9d60d7325eec7c722e0dc0ef9f8e04
Opcode Fuzzy Hash: 33445a47caf383b99f60b25b09ac92250a76492854a65c5134b65a74a92a5af7
Instruction Fuzzy Hash: 43F01278640290BBEE315B27AC08E2B3E7DE7C7F50B00407BB900F21A1C2B50800CEB8

Function 0038686A Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 260
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00384DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,004452F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00384E0F

_free.LIBCMT ref: 003BE263
_free.LIBCMT ref: 003BE2AA

Part of subcall function 00386A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00386BAD

Strings

/v8, xrefs: 003BE084, 003BE0BD
>>>AUTOIT SCRIPT<<<, xrefs: 003BE039
Bad directive syntax error, xrefs: 003BE292

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: /v8$>>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-2886451541
Opcode ID: a948cb1ca35228b83498d8409159475bcf9a725ebb27e8dc6ab698a1c61df28d
Instruction ID: b69722c1e2cb087fba1518f80ca7156c03a1a2e1245a366898db9f0bb5fe4c32
Opcode Fuzzy Hash: a948cb1ca35228b83498d8409159475bcf9a725ebb27e8dc6ab698a1c61df28d
Instruction Fuzzy Hash: 43918D71900219EFCF16EFA8CC819EDB7B8FF09314B10456AF916AF6A1DB74A905CB50

Function 00FFE8D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 152
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00FFE7C0: Sleep.KERNELBASE(000001F4), ref: 00FFE7D1

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00FFEA10

Strings

XBQ7NPRYSIB9I1SU1655LYBP58, xrefs: 00FFEA73, 00FFEA76

Memory Dump Source

Source File: 00000000.00000002.2290297116.0000000000FFC000.00000040.00000020.00020000.00000000.sdmp, Offset: 00FFC000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ffc000_uEuTtkxAqq.jbxd

Similarity

API ID: CreateFileSleep
String ID: XBQ7NPRYSIB9I1SU1655LYBP58
API String ID: 2694422964-1652704026
Opcode ID: 2a8c823fe42a70faf5d356cc509abc2c88ed6b1c65f7d8e9eebaa3883cd29b62
Instruction ID: 13e264955d3157d5532387208d19d9ef5de4e533aaf10e5e53f77102a0edbafc
Opcode Fuzzy Hash: 2a8c823fe42a70faf5d356cc509abc2c88ed6b1c65f7d8e9eebaa3883cd29b62
Instruction Fuzzy Hash: FC618031D0428CDAEF11DBF4C858BEEBBB9AF15304F044199E2487B2D1D6B91B48DBA5

Function 0038407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 003BD3D7

Part of subcall function 00387BCC: _memmove.LIBCMT ref: 00387C06

_memset.LIBCMT ref: 003840FC
_wcscpy.LIBCMT ref: 00384150
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00384160

Strings

Line: , xrefs: 003BD400

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: f9fbe9d4af15a457396cef59aa98fcec352f98631348ce62af7fdf335188bb41
Instruction ID: 4a1e463088d756deb579c2c5b1ee223690d3e8b2bf3f139f5971017436812af0
Opcode Fuzzy Hash: f9fbe9d4af15a457396cef59aa98fcec352f98631348ce62af7fdf335188bb41
Instruction Fuzzy Hash: 4031E171008705ABDB22FB60DC46FDB77DCAF45304F2045AAF6859A0A2EB749648CB96

Function 003A541D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 003A547B
_memcpy_s.LIBCMT ref: 003A54ED
__read_nolock.LIBCMT ref: 003A554B
__filbuf.LIBCMT ref: 003A556E
_memset.LIBCMT ref: 003A55B2

Part of subcall function 003A8B28: __getptd_noexit.LIBCMT ref: 003A8B28

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction ID: c8f4b1983acb9478922cdaa499c9f23089aa0616444fdf782ed0b73aeca4495b
Opcode Fuzzy Hash: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction Fuzzy Hash: 0251E670E00B05DBCB268F69D84456E77B6EF47321F258729F836966D1D770DD508B40

Function 0038F76F Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 003A0162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 003A0193
Part of subcall function 003A0162: MapVirtualKeyW.USER32(00000010,00000000), ref: 003A019B
Part of subcall function 003A0162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 003A01A6
Part of subcall function 003A0162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 003A01B1
Part of subcall function 003A0162: MapVirtualKeyW.USER32(00000011,00000000), ref: 003A01B9
Part of subcall function 003A0162: MapVirtualKeyW.USER32(00000012,00000000), ref: 003A01C1

Part of subcall function 003960F9: RegisterClipboardFormatW.USER32(WM_GETCONTROLNAME), ref: 00396154

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0038F9CD
OleInitialize.OLE32(00000000), ref: 0038FA4A
CloseHandle.KERNEL32(00000000), ref: 003C45C8

Strings

%A, xrefs: 0038F796, 0038F7A8, 0038F96E, 0038FA51

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Virtual$Handle$ClipboardCloseFormatInitializeRegister
String ID: %A
API String ID: 3094916012-219755901
Opcode ID: 54afd3fcb0a216252bdd5b5d6506cad99eebebf71fc884e916652c748dc3a882
Instruction ID: 23d27347041ee38bc41fab83be0bc08e3d708a65537d52b59eb5519b58f2b288
Opcode Fuzzy Hash: 54afd3fcb0a216252bdd5b5d6506cad99eebebf71fc884e916652c748dc3a882
Instruction Fuzzy Hash: 9B81BAB8901A408FDF95EF39A9457187BE5EB8A316B90813AD419CF273EB744484CF1C

Function 003835B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,003835A1,SwapMouseButtons,00000004,?), ref: 003835D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,003835A1,SwapMouseButtons,00000004,?,?,?,?,00382754), ref: 003835F5
RegCloseKey.KERNELBASE(00000000,?,?,003835A1,SwapMouseButtons,00000004,?,?,?,?,00382754), ref: 00383617

Strings

Control Panel\Mouse, xrefs: 003835D2

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 779ae0112357383ac9d521deb7152f8c1ba3809de7084dcc41b3358bd272c669
Instruction ID: 7ef71aeb68e36b582b21a28ef9a38f02bc7e4b4c784fcd2aeb0164a4d69a6818
Opcode Fuzzy Hash: 779ae0112357383ac9d521deb7152f8c1ba3809de7084dcc41b3358bd272c669
Instruction Fuzzy Hash: 99115A71514208BFDB219F68DC80DAEB7BCEF44B40F0184A9F805E7310E2719F449764

Function 00FFD7C0 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00FFDFED
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00FFE011
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00FFE033

Memory Dump Source

Source File: 00000000.00000002.2290297116.0000000000FFC000.00000040.00000020.00020000.00000000.sdmp, Offset: 00FFC000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ffc000_uEuTtkxAqq.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: e8e7a77c1c38f92167ec50984bffac71589908538948dc0fdf133907e09ee162
Instruction ID: 3cac2a7ca3e33aad3ff91e3a59742268425319fe7e0fd930ea890e580a0a199b
Opcode Fuzzy Hash: e8e7a77c1c38f92167ec50984bffac71589908538948dc0fdf133907e09ee162
Instruction Fuzzy Hash: B362F030A14258DBEB24CFA4C854BEEB775EF58300F1091A9D20DEB3A0E7759E81DB59

Function 003E955B Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00384EE5: _fseek.LIBCMT ref: 00384EFD

Part of subcall function 003E9734: _wcscmp.LIBCMT ref: 003E9824
Part of subcall function 003E9734: _wcscmp.LIBCMT ref: 003E9837

_free.LIBCMT ref: 003E96A2
_free.LIBCMT ref: 003E96A9
_free.LIBCMT ref: 003E9714

Part of subcall function 003A2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,003A9A24), ref: 003A2D69
Part of subcall function 003A2D55: GetLastError.KERNEL32(00000000,?,003A9A24), ref: 003A2D7B

_free.LIBCMT ref: 003E971C

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 57d0d2f04a8deae04fb8388104c663c78e861137db03f429770e89b5c3a69279
Instruction ID: f4fb4436a214dc429b22766253e7644fe94e7e67e4a8c4750670b7648151f979
Opcode Fuzzy Hash: 57d0d2f04a8deae04fb8388104c663c78e861137db03f429770e89b5c3a69279
Instruction Fuzzy Hash: F3515EB1D04259AFDF269F65CC81B9EBBB9EF48300F10059EF609A7291DB715A80CF58

Function 003A470A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 003A47A0
__flush.LIBCMT ref: 003A47C0
__write.LIBCMT ref: 003A47F3
__flsbuf.LIBCMT ref: 003A4821

Part of subcall function 003A8B28: __getptd_noexit.LIBCMT ref: 003A8B28

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction ID: 3905357a3224638c43459a49d41ef87bafd99103b769be80d34e3aa07091e5c5
Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction Fuzzy Hash: E641D775B007859FDB1ACF69D8809AE77A9EFC3360B24813DE825CB640E7B6DD418B40

Function 003844A0 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003844CF

Part of subcall function 0038407C: _memset.LIBCMT ref: 003840FC
Part of subcall function 0038407C: _wcscpy.LIBCMT ref: 00384150
Part of subcall function 0038407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00384160

KillTimer.USER32(?,00000001,?,?), ref: 00384524
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00384533
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 003BD4B9

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 2f8d4a97936c10ce3c3a3b60242a8749f2efe315575852135279648349eac591
Instruction ID: feb647c6e27e31745847380167ec053e6d57fcce56709e2a1954bbe72c43b4a6
Opcode Fuzzy Hash: 2f8d4a97936c10ce3c3a3b60242a8749f2efe315575852135279648349eac591
Instruction Fuzzy Hash: E82107B45047949FE7339B259845BEBBBECAF02308F0400EEE79E57542D7742A88CB45

Function 00384C70 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00384CBA

Strings

AU3!P/A, xrefs: 00384CB4
EA06, xrefs: 003BD8CC

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: _memmove
String ID: AU3!P/A$EA06
API String ID: 4104443479-2655839585
Opcode ID: a690d7f6cc525a09d68a9fc6eaaf7384ee7ea40a6e0f7eb8f62bab894b5b3f0b
Instruction ID: a36d240983011f38d05abc629d022c7f8947bf0bb6a0690234d10d2ce2ad393c
Opcode Fuzzy Hash: a690d7f6cc525a09d68a9fc6eaaf7384ee7ea40a6e0f7eb8f62bab894b5b3f0b
Instruction Fuzzy Hash: 49415C21A0435A67DF23BB6488517BE7FB59B45300F6844F5EC829FA83D6309D4883A1

Function 003E8D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 003E8DAC
__fread_nolock.LIBCMT ref: 003E8DC1

Strings

EA06, xrefs: 003E8DF3

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: f8d92c1cf00f017697f560a621265a5c8e943656aa1d967c1d2b94b99db145f8
Instruction ID: 457fe92716e6e632ad8047a608ae8238c5afa02d72c09229bd69bc525b8b1384
Opcode Fuzzy Hash: f8d92c1cf00f017697f560a621265a5c8e943656aa1d967c1d2b94b99db145f8
Instruction Fuzzy Hash: 0E01F971C042587EDB19CBA8CC16EEEBBF8DB15301F00459FF556D61C1E975A6048760

Function 003A0DB6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 003A571C: __FF_MSGBANNER.LIBCMT ref: 003A5733
Part of subcall function 003A571C: __NMSG_WRITE.LIBCMT ref: 003A573A
Part of subcall function 003A571C: RtlAllocateHeap.NTDLL(00DF0000,00000000,00000001), ref: 003A575F

std::exception::exception.LIBCMT ref: 003A0DEC
__CxxThrowException@8.LIBCMT ref: 003A0E01

Part of subcall function 003A859B: RaiseException.KERNEL32(?,?,00000000,00439E78,?,00000001,?,?,?,003A0E06,00000000,00439E78,00389E8C,00000001), ref: 003A85F0

Strings

bad allocation, xrefs: 003A0DE1

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID: bad allocation
API String ID: 3902256705-2104205924
Opcode ID: 2639967aa29fdd9c33c5892bf1ec79b5652da7dc227c1c772d4431af139e0df1
Instruction ID: 8aa242fb1922655fcf988a490772d30a26dac3d6ea9acf1e681fe676c8a57106
Opcode Fuzzy Hash: 2639967aa29fdd9c33c5892bf1ec79b5652da7dc227c1c772d4431af139e0df1
Instruction Fuzzy Hash: 37F0F432800219A6CF1AABA4EC02ADE77ACDF07310F104426FD04AA281DFB19A9092D5

Function 003E98E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 003E98F8
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 003E990F

Strings

aut, xrefs: 003E9909

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 6ba4f9a3e53582e2d15fa56e8cf4d921c693d07d4cb7ec92986631ecd0608ee0
Instruction ID: efed29c9d9618d657454c5e5284b04b8472d457cf32cf3e41f91b4d1668eb308
Opcode Fuzzy Hash: 6ba4f9a3e53582e2d15fa56e8cf4d921c693d07d4cb7ec92986631ecd0608ee0
Instruction Fuzzy Hash: BDD05B7554030D6BDB60AB90DC0DF96773CD704700F0002F5BA5491091D97165588B95

Function 003FCADD Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e3c586e7590212ae34cbd60942fbe9bf6074b403bb53fcb3c62b7b0b907e48a
Instruction ID: e6a3e3c369bee59d489e3e6e4c478392e0edeeebc2f64b468febc40377f6ac65
Opcode Fuzzy Hash: 1e3c586e7590212ae34cbd60942fbe9bf6074b403bb53fcb3c62b7b0b907e48a
Instruction Fuzzy Hash: DBF146716083099FCB15DF28C580A6ABBE5FF88314F14896EF9999B351D730E945CF82

Function 0038434A Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00384370
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00384415
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00384432

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: a05820bdf2c34194a9d753f209778201b5040bdfc336403e2711ff55ef12e5d1
Instruction ID: b28188a9b9ca4e93d2fa2914d3d05f73e1fe97a83a2d636d4cd851e235e69b6e
Opcode Fuzzy Hash: a05820bdf2c34194a9d753f209778201b5040bdfc336403e2711ff55ef12e5d1
Instruction Fuzzy Hash: 1F3191B45047028FD722EF34D88469BBBF8FB59308F00097EE69A87651E7B1A944CB56

Function 003A571C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 003A5733

Part of subcall function 003AA16B: __NMSG_WRITE.LIBCMT ref: 003AA192
Part of subcall function 003AA16B: __NMSG_WRITE.LIBCMT ref: 003AA19C

__NMSG_WRITE.LIBCMT ref: 003A573A

Part of subcall function 003AA1C8: GetModuleFileNameW.KERNEL32(00000000,004433BA,00000104,00000000,00000001,00000000), ref: 003AA25A
Part of subcall function 003AA1C8: ___crtMessageBoxW.LIBCMT ref: 003AA308

Part of subcall function 003A309F: ___crtCorExitProcess.LIBCMT ref: 003A30A5
Part of subcall function 003A309F: ExitProcess.KERNEL32 ref: 003A30AE

Part of subcall function 003A8B28: __getptd_noexit.LIBCMT ref: 003A8B28

RtlAllocateHeap.NTDLL(00DF0000,00000000,00000001), ref: 003A575F

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: fe35dfc969196392d9d88dd47ac102839d7c504fbab56869fbc21a3922ff7043
Instruction ID: 84448dd5228a7d539052769b5284954e0dbd7140ccf3bba142c74d525ed3ba18
Opcode Fuzzy Hash: fe35dfc969196392d9d88dd47ac102839d7c504fbab56869fbc21a3922ff7043
Instruction Fuzzy Hash: 4601B535240B01EAD6172B34EC82A2E7358DB43762F210535F505BE1C1DFB29C404665

Function 003E98A2 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,003E9548,?,?,?,?,?,00000004), ref: 003E98BB
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,003E9548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 003E98D1
CloseHandle.KERNEL32(00000000,?,003E9548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 003E98D8

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 2ffd575e0fd9cd17320c5cebec00b5acda71919d63c3ea60478866f8442ce9f6
Instruction ID: 48cd619035ffb5d6a34bacaf2754dcffaedcf76cb5f3829cca3fb609912c9874
Opcode Fuzzy Hash: 2ffd575e0fd9cd17320c5cebec00b5acda71919d63c3ea60478866f8442ce9f6
Instruction Fuzzy Hash: 0DE08632140228F7D7312B54ED09FCA7B19AB06B70F104230FB14794E087B1291597DC

Function 003E8D0D Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 003E8D1B

Part of subcall function 003A2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,003A9A24), ref: 003A2D69
Part of subcall function 003A2D55: GetLastError.KERNEL32(00000000,?,003A9A24), ref: 003A2D7B

_free.LIBCMT ref: 003E8D2C
_free.LIBCMT ref: 003E8D3E

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction ID: f2a79e2e7325e9792027d13493cbb3960edc2098345e525e092907040a4daab6
Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction Fuzzy Hash: 55E012A1A016514ACB27A67DAD40A9363DC8F593527150E1DB41DDB1C7CE64F8428124

Function 0038A9C3 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 003BFC01

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 2b22cea2598a1a1949c272d6fa90a957edb79fe45e7141f966196d676070796d
Instruction ID: 55ec5510507a702c557f13e09e9c184327efb291060f52c0fab931770b201d45
Opcode Fuzzy Hash: 2b22cea2598a1a1949c272d6fa90a957edb79fe45e7141f966196d676070796d
Instruction Fuzzy Hash: 04226870508701DFDB2AEF14C490B6AB7E1BF85304F1589AEE98A8B761D735EC45CB82

Function 00387A51 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00387AAB
_memmove.LIBCMT ref: 00387B16

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 75b3ef76dc9c1d7680ff1126038a0b5bca49f3ec50bdc15de679bd26e1e87542
Instruction ID: eca8df9e7660454c1b8a6757b23c56e24f7de0d8e1454be81d35e806a334b5e6
Opcode Fuzzy Hash: 75b3ef76dc9c1d7680ff1126038a0b5bca49f3ec50bdc15de679bd26e1e87542
Instruction Fuzzy Hash: 6A310AB2600606AFC709EF68C8D1D69F3AAFF493107258269E419CB791EB34ED50CB90

Function 003A55FD Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 003A562C
__lock_file.LIBCMT ref: 003A564D

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: 8f8ffed55a4c8ee13ef8782d5276cbcd23d5ee9c1d21c000e8c046563de5c8c4
Instruction ID: 24a608c949f67bf55446999d696146073060bedca7dcfc0fdec8770e6d7d5eec
Opcode Fuzzy Hash: 8f8ffed55a4c8ee13ef8782d5276cbcd23d5ee9c1d21c000e8c046563de5c8c4
Instruction Fuzzy Hash: 5301A271800A08EBCF13AF699D0689F7B71EFA3362F554115F8245F1A1DB318A61DF91

Function 003A53A6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 003A8B28: __getptd_noexit.LIBCMT ref: 003A8B28

__lock_file.LIBCMT ref: 003A53EB

Part of subcall function 003A6C11: __lock.LIBCMT ref: 003A6C34

__fclose_nolock.LIBCMT ref: 003A53F6

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 5c8c19209cea9bfb94ee5bbeefa40f62c61e0af3adcf92cfdd1eb84ff89ad3a7
Instruction ID: 5df489fd5e8088bd1eaa2cba093c6968762258002152a83a169f0e96b7355d7c
Opcode Fuzzy Hash: 5c8c19209cea9bfb94ee5bbeefa40f62c61e0af3adcf92cfdd1eb84ff89ad3a7
Instruction Fuzzy Hash: 32F09032800A049ADF13AF6698067AE76E0EF83374F258609E464AF1C1CBBC89419B52

Function 00FFD7BD Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00FFDFED
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00FFE011
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00FFE033

Memory Dump Source

Source File: 00000000.00000002.2290297116.0000000000FFC000.00000040.00000020.00020000.00000000.sdmp, Offset: 00FFC000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ffc000_uEuTtkxAqq.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 45c0bcdfd50c24934144be52d4489c8f4aeee23b26077383fd0484b0fd6f3e51
Instruction ID: 6c94d8e1ddedc2d3ed1367b6d66907047698bd3fb361e013864b4712bdee77a3
Opcode Fuzzy Hash: 45c0bcdfd50c24934144be52d4489c8f4aeee23b26077383fd0484b0fd6f3e51
Instruction Fuzzy Hash: 8712CF24E24658C6EB24DF64D8507DEB232EF68300F1090E9910DEB7A5E77A4F85CF5A

Function 0038750F Relevance: 1.6, APIs: 1, Instructions: 103COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 003875EA

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: d93461ddb9033374b9fc62f0e2b075a85cfa7a40800dcf4ccaba7e949e56f972
Instruction ID: c98a26f8b4a8e51da58c46cf1fc6cbcdfd1964b8e123ee0a0d683e3cb142ea11
Opcode Fuzzy Hash: d93461ddb9033374b9fc62f0e2b075a85cfa7a40800dcf4ccaba7e949e56f972
Instruction Fuzzy Hash: 4C31C675608B02DFC72AEF18C040962F7A5FF0A310725C5ADE98A8B791E730EC81DB84

Function 003A0C08 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 003A0CB7

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: bdd63f98e7135bd7664fde5169790f08dd15d75ad955b65ed5d1937a4c2db011
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 5A31D270A001059BC71EDF58C484A69F7A6FB5A320B6587A5E80ACF752DB31EDD1DBC0

Function 003BFCAC Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 003BFCB7

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: afb95f03d70122b9e513c2d32d7ecb6939631bb889261268d1504697fafd7e95
Instruction ID: 6db997b93f5c3af9c3047298c69c42f9d4a2a55e5a5f05d18ab280a3d0eac09c
Opcode Fuzzy Hash: afb95f03d70122b9e513c2d32d7ecb6939631bb889261268d1504697fafd7e95
Instruction Fuzzy Hash: 8841F5745047418FDB26DF14C454B1ABBE0BF49318F0988ADE9998B762C732EC45CB52

Function 00387B53 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00387BB3

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: d036ba9a9ee5abd8e57b507f092b0bb7b1c60536c6b8904960af91239af74041
Instruction ID: 78ed42eb7e367816a39f1931c06a78dd6aefa0967bdf80d92d175b7c95a65f8c
Opcode Fuzzy Hash: d036ba9a9ee5abd8e57b507f092b0bb7b1c60536c6b8904960af91239af74041
Instruction Fuzzy Hash: 4A214472A04A08EBCB169F29E8417E97FB9FF14354F318469E586C9590EB30C4D0C745

Function 00384DDD Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00384BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00384BEF

Part of subcall function 003A525B: __wfsopen.LIBCMT ref: 003A5266

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,004452F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00384E0F

Part of subcall function 00384B6A: FreeLibrary.KERNEL32(00000000), ref: 00384BA4

Part of subcall function 00384C70: _memmove.LIBCMT ref: 00384CBA

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: ee83c73196eacbd68197fb177b24df4d55d2a9cf4a18da7f33c47c208265de39
Instruction ID: 11ac66b48ed400554055cc11129a299edf9cf7146ea130df52f8d9508bf51f72
Opcode Fuzzy Hash: ee83c73196eacbd68197fb177b24df4d55d2a9cf4a18da7f33c47c208265de39
Instruction Fuzzy Hash: D311E331600706ABCF23FF70C812FAE77A9AF44710F10886DF541AF981EA71AA049B51

Function 003BFD85 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 003BFD91

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 2443a019496387dab560441b2a5ebe08db7ce59bd82bb90c11c46ee5165fe8ce
Instruction ID: 1b0e92b3a88a7aa482b1c4ec4ad6f16b34dfec16debb3858ea6f147d244cb3cd
Opcode Fuzzy Hash: 2443a019496387dab560441b2a5ebe08db7ce59bd82bb90c11c46ee5165fe8ce
Instruction Fuzzy Hash: 52213770508741DFDB1AEF54C444B1ABBE0BF89304F0588ADE8899B722C731E809CB92

Function 00387DE1 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00387E22

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 764d19061aae93da2a2e37bd39a30dfaa5a115982b79c77d832f6c7cc35e9409
Instruction ID: eca9cd8cbbe3ecf80acc2665fc3c3dada70ed77e2f6a4219cab760ea94effff0
Opcode Fuzzy Hash: 764d19061aae93da2a2e37bd39a30dfaa5a115982b79c77d832f6c7cc35e9409
Instruction Fuzzy Hash: 5D01FE732047016ED326AF78CC06F677799DB45750F10856DF51ACE1D1DA31F5409790

Function 003A4863 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 003A48A6

Part of subcall function 003A8B28: __getptd_noexit.LIBCMT ref: 003A8B28

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: e9889fdffb07b68dd541d679897d3e3288ae69d59b6513ce95ba376008f34ff0
Instruction ID: 24ddf82f9f4a3653ea6d2f6890f993b57fe0ce359ec64a9fb8bc31c679b16ce3
Opcode Fuzzy Hash: e9889fdffb07b68dd541d679897d3e3288ae69d59b6513ce95ba376008f34ff0
Instruction Fuzzy Hash: 33F0FF31800208ABDF13AFA49C063AE36A4EF42320F168418F4209F182CBFDC950DB51

Function 00384E4A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,004452F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00384E7E

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 47ce0ab81767c9bbb4a27359c6a472888b2dce3f31d8d4a6bd9047d6235e1c48
Instruction ID: 1cc7a0f3408501c48c4b4c000c674b01bc702d3c26d24ffa9a86e1e5e8582389
Opcode Fuzzy Hash: 47ce0ab81767c9bbb4a27359c6a472888b2dce3f31d8d4a6bd9047d6235e1c48
Instruction Fuzzy Hash: 3CF03971505712CFCB36AF64E494822BBE5BF553293218ABEE2D686E20C732A844DF40

Function 003A0791 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 003A07B0

Part of subcall function 00387BCC: _memmove.LIBCMT ref: 00387C06

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 7ac110f4ac3d398a392df11993cb500eabd76f9327aff890d9bc045281156815
Instruction ID: 991fdf23dc26057fcc1057fd12dc4fdb41a969ce6add31839ae17d76a28aacb9
Opcode Fuzzy Hash: 7ac110f4ac3d398a392df11993cb500eabd76f9327aff890d9bc045281156815
Instruction Fuzzy Hash: 24E0863690422857C721A6589C05FEA779DDBC86A0F0441F5FD08D7205D9619C8086D0

Function 003E8E9F Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 003E8EC1

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction ID: b2a8084c27a207e8e4e8e62c5907133751d2c170176d747924712539fdb0b3b7
Opcode Fuzzy Hash: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction Fuzzy Hash: 3CE092B0504B509BD7398B24D800BA373E1EB06304F00091DF6AA83281EB6278418759

Function 003A525B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 003A5266

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 685bd78f83bac5adc378ae1f18106e39e42c5333e42c56a18fd88b5d93e04094
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 44B0927644020C77CE022A82EC02B893B299B42764F408020FB0C1C162A673A6649A89

Function 00FFE7C0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 00FFE7D1

Memory Dump Source

Source File: 00000000.00000002.2290297116.0000000000FFC000.00000040.00000020.00020000.00000000.sdmp, Offset: 00FFC000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ffc000_uEuTtkxAqq.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: e135798507474f0d8efd788f5a04d067a0d9780705829ddf76132abc569a7b89
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 0EE0E67594010DDFDB00EFB4D5496AE7FB4EF04301F100161FD01D2290D6309D509A62

Non-executed Functions

Function 0040CABC Relevance: 68.9, APIs: 37, Strings: 2, Instructions: 632windowkeyboardnativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00382612: GetWindowLongW.USER32(?,000000EB), ref: 00382623

NtdllDialogWndProc_W.NTDLL(?,0000004E,?,?,?,?,?,?), ref: 0040CB37
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0040CB95
GetWindowLongW.USER32(?,000000F0), ref: 0040CBD6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0040CC00
SendMessageW.USER32 ref: 0040CC29
_wcsncpy.LIBCMT ref: 0040CC95
GetKeyState.USER32(00000011), ref: 0040CCB6
GetKeyState.USER32(00000009), ref: 0040CCC3
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0040CCD9
GetKeyState.USER32(00000010), ref: 0040CCE3
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0040CD0C
SendMessageW.USER32 ref: 0040CD33
SendMessageW.USER32(?,00001030,?,0040B348), ref: 0040CE37
SetCapture.USER32(?), ref: 0040CE69
ClientToScreen.USER32(?,?), ref: 0040CECE
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0040CEF5
ReleaseCapture.USER32 ref: 0040CF00
GetCursorPos.USER32(?), ref: 0040CF3A
ScreenToClient.USER32(?,?), ref: 0040CF47
SendMessageW.USER32(?,00001012,00000000,?), ref: 0040CFA3
SendMessageW.USER32 ref: 0040CFD1
SendMessageW.USER32(?,00001111,00000000,?), ref: 0040D00E
SendMessageW.USER32 ref: 0040D03D
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0040D05E
SendMessageW.USER32(?,0000110B,00000009,?), ref: 0040D06D
GetCursorPos.USER32(?), ref: 0040D08D
ScreenToClient.USER32(?,?), ref: 0040D09A
GetParent.USER32(?), ref: 0040D0BA
SendMessageW.USER32(?,00001012,00000000,?), ref: 0040D123
SendMessageW.USER32 ref: 0040D154
ClientToScreen.USER32(?,?), ref: 0040D1B2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0040D1E2
SendMessageW.USER32(?,00001111,00000000,?), ref: 0040D20C
SendMessageW.USER32 ref: 0040D22F
ClientToScreen.USER32(?,?), ref: 0040D281
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0040D2B5

Part of subcall function 003825DB: GetWindowLongW.USER32(?,000000EB), ref: 003825EC

GetWindowLongW.USER32(?,000000F0), ref: 0040D351

Strings

@GUI_DRAGID, xrefs: 0040CE9C
F, xrefs: 0040D235

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: MessageSend$ClientScreen$LongWindow$State$CaptureCursorMenuPopupTrack$DialogInvalidateNtdllParentProc_RectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 302779176-4164748364
Opcode ID: 4dcefb023ab4c93212a7245c10982e2245d2193e79b99b01f59e9c81044c23e5
Instruction ID: d787d3e2103ba82d0d41318590384d2c1a69affff72873780dbb7411c0719d69
Opcode Fuzzy Hash: 4dcefb023ab4c93212a7245c10982e2245d2193e79b99b01f59e9c81044c23e5
Instruction Fuzzy Hash: 4042BC34604240EFDB20DF24D884AAABBF5FF49310F140A3AF555A72E1C735E855DB5A

Function 00396F9E Relevance: 52.3, APIs: 19, Strings: 8, Instructions: 5018COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 003971C3
_memset.LIBCMT ref: 00397539
_memmove.LIBCMT ref: 003976AC

Strings

\b(?=\w), xrefs: 003D3769
[:<:]], xrefs: 00397479
3c9, xrefs: 003D23A0
_9, xrefs: 003D23CB
\b(?<=\w), xrefs: 003D3773
[:>:]], xrefs: 00397492
DEFINE, xrefs: 003D2103
Q\E, xrefs: 00397FCB

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: _memmove$_memset
String ID: 3c9$DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)$_9
API String ID: 1357608183-1944825980
Opcode ID: 1c2c714bc43d66c6921dcfea855c93f9623b6d978a08b79e4c79f1d52f2d17a4
Instruction ID: 754bc7e195edfeee3d87a34104b384039299fda7e71f803094d60bd108896575
Opcode Fuzzy Hash: 1c2c714bc43d66c6921dcfea855c93f9623b6d978a08b79e4c79f1d52f2d17a4
Instruction Fuzzy Hash: 1E939176E04215DBDF26CF98D881BADB7B1FF58310F25816AE945AB381E7709E81CB40

Function 003848D7 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 003848DF
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 003BD665
IsIconic.USER32(?), ref: 003BD66E
ShowWindow.USER32(?,00000009), ref: 003BD67B
SetForegroundWindow.USER32(?), ref: 003BD685
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 003BD69B
GetCurrentThreadId.KERNEL32 ref: 003BD6A2
GetWindowThreadProcessId.USER32(?,00000000), ref: 003BD6AE
AttachThreadInput.USER32(?,00000000,00000001), ref: 003BD6BF
AttachThreadInput.USER32(?,00000000,00000001), ref: 003BD6C7
AttachThreadInput.USER32(00000000,?,00000001), ref: 003BD6CF
SetForegroundWindow.USER32(?), ref: 003BD6D2
MapVirtualKeyW.USER32(00000012,00000000), ref: 003BD6E7
keybd_event.USER32(00000012,00000000), ref: 003BD6F2
MapVirtualKeyW.USER32(00000012,00000000), ref: 003BD6FC
keybd_event.USER32(00000012,00000000), ref: 003BD701
MapVirtualKeyW.USER32(00000012,00000000), ref: 003BD70A
keybd_event.USER32(00000012,00000000), ref: 003BD70F
MapVirtualKeyW.USER32(00000012,00000000), ref: 003BD719
keybd_event.USER32(00000012,00000000), ref: 003BD71E
SetForegroundWindow.USER32(?), ref: 003BD721
AttachThreadInput.USER32(?,?,00000000), ref: 003BD748

Strings

Shell_TrayWnd, xrefs: 003BD660

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: e64e48d290dd95696d9ae43002c4a717584ac86af158bd9bf0196caa789c730b
Instruction ID: 5f6a85e7ecca1b5c338b07ada4ead1cb7cc0f71b87f7d783e9e066ea7c3fd486
Opcode Fuzzy Hash: e64e48d290dd95696d9ae43002c4a717584ac86af158bd9bf0196caa789c730b
Instruction Fuzzy Hash: 54319D71A40318BAEB316F618C8AFBE7F6CEB44B50F114035FA04BA591DAB15901AAA4

Function 003D8310 Relevance: 31.7, APIs: 14, Strings: 4, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 003D87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 003D882B
Part of subcall function 003D87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 003D8858
Part of subcall function 003D87E1: GetLastError.KERNEL32 ref: 003D8865

_memset.LIBCMT ref: 003D8353
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 003D83A5
CloseHandle.KERNEL32(?), ref: 003D83B6
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 003D83CD
GetProcessWindowStation.USER32 ref: 003D83E6
SetProcessWindowStation.USER32(00000000), ref: 003D83F0
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 003D840A

Part of subcall function 003D81CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,003D8309), ref: 003D81E0
Part of subcall function 003D81CB: CloseHandle.KERNEL32(?,?,003D8309), ref: 003D81F2

Strings

winsta0\default, xrefs: 003D848B
default, xrefs: 003D8405
winsta0, xrefs: 003D83C8
, xrefs: 003D8362

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0$winsta0\default
API String ID: 2063423040-1685893292
Opcode ID: 65b6ba848cbe3c78c0092fb07c53ad541811aaac65ffa4a709a3df9edfdd6e19
Instruction ID: 3cf1d457ded37e3bb339542651a1b816fef9682f131901929ffc5bffeba03a2d
Opcode Fuzzy Hash: 65b6ba848cbe3c78c0092fb07c53ad541811aaac65ffa4a709a3df9edfdd6e19
Instruction Fuzzy Hash: 99818DB2800209AFDF12DFA4ED45AEE7B79FF05304F14416AF810B6261DB35AE19DB24

Function 003EC75C Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 003EC78D
FindClose.KERNEL32(00000000), ref: 003EC7E1
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 003EC806
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 003EC81D
FileTimeToSystemTime.KERNEL32(?,?), ref: 003EC844
__swprintf.LIBCMT ref: 003EC890
__swprintf.LIBCMT ref: 003EC8D3

Part of subcall function 00387DE1: _memmove.LIBCMT ref: 00387E22

__swprintf.LIBCMT ref: 003EC927

Part of subcall function 003A3698: __woutput_l.LIBCMT ref: 003A36F1

__swprintf.LIBCMT ref: 003EC975

Part of subcall function 003A3698: __flsbuf.LIBCMT ref: 003A3713
Part of subcall function 003A3698: __flsbuf.LIBCMT ref: 003A372B

__swprintf.LIBCMT ref: 003EC9C4
__swprintf.LIBCMT ref: 003ECA13
__swprintf.LIBCMT ref: 003ECA62

Strings

%4d, xrefs: 003EC8CD
%02d, xrefs: 003EC91B, 003EC925, 003EC973, 003EC9C2, 003ECA11, 003ECA60
%4d%02d%02d%02d%02d%02d, xrefs: 003EC88A

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: c4500fc190f0031cf5745a508da789dbcaf5e0911007bec1e73497dadf4a6e8e
Instruction ID: f733377476a673aba0b1029c0d0f19d64767c12d3068888d0053ae3c1a0150d7
Opcode Fuzzy Hash: c4500fc190f0031cf5745a508da789dbcaf5e0911007bec1e73497dadf4a6e8e
Instruction Fuzzy Hash: 6BA14DB2404344ABC751FBA4C885EBFB7ECEF84704F44096AF5959A191EB34DA08CB62

Function 003EEF95 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 003EEFB6
_wcscmp.LIBCMT ref: 003EEFCB
_wcscmp.LIBCMT ref: 003EEFE2
GetFileAttributesW.KERNEL32(?), ref: 003EEFF4
SetFileAttributesW.KERNEL32(?,?), ref: 003EF00E
FindNextFileW.KERNEL32(00000000,?), ref: 003EF026
FindClose.KERNEL32(00000000), ref: 003EF031
FindFirstFileW.KERNEL32(*.*,?), ref: 003EF04D
_wcscmp.LIBCMT ref: 003EF074
_wcscmp.LIBCMT ref: 003EF08B
SetCurrentDirectoryW.KERNEL32(?), ref: 003EF09D
SetCurrentDirectoryW.KERNEL32(00438920), ref: 003EF0BB
FindNextFileW.KERNEL32(00000000,00000010), ref: 003EF0C5
FindClose.KERNEL32(00000000), ref: 003EF0D2
FindClose.KERNEL32(00000000), ref: 003EF0E4

Strings

*.*, xrefs: 003EF048

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 5e62df95c13311663e5e26997bb88fc33d4ea720efc15df3c305049f3e7ded50
Instruction ID: 4311e1a166785f2864966906b69e38f5f9848bcfc1648e0546d30da2460b69c1
Opcode Fuzzy Hash: 5e62df95c13311663e5e26997bb88fc33d4ea720efc15df3c305049f3e7ded50
Instruction Fuzzy Hash: 0D31C5325012686FDB25EFA5DC48BEE77AC9F49360F1102B6F804E20D1DBB5DE44CA55

Function 00400857 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00400953
RegCreateKeyExW.ADVAPI32(?,?,00000000,0040F910,00000000,?,00000000,?,?), ref: 004009C1
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00400A09
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00400A92
RegCloseKey.ADVAPI32(?), ref: 00400DB2
RegCloseKey.ADVAPI32(00000000), ref: 00400DBF

Strings

REG_SZ, xrefs: 00400AD0
REG_EXPAND_SZ, xrefs: 00400A2F
REG_DWORD, xrefs: 00400C83
REG_MULTI_SZ, xrefs: 00400B7A
REG_QWORD, xrefs: 00400D00
REG_BINARY, xrefs: 00400D4D

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 9dbe210d07af23f1e58d5fb5613fd584ce8f0e849805931f1d90ad433a9425de
Instruction ID: 9256db920e67e217d82f22a1a9ce3384d4a792c2f1d2c5d971af9d104334914d
Opcode Fuzzy Hash: 9dbe210d07af23f1e58d5fb5613fd584ce8f0e849805931f1d90ad433a9425de
Instruction Fuzzy Hash: 81024A756006019FCB15EF18C841E2AB7E5FF89314F04846EF89AAB3A2CB34ED45CB85

Function 0040C5FE Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfilenativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00382612: GetWindowLongW.USER32(?,000000EB), ref: 00382623

DragQueryPoint.SHELL32(?,?), ref: 0040C627

Part of subcall function 0040AB37: ClientToScreen.USER32(?,?), ref: 0040AB60
Part of subcall function 0040AB37: GetWindowRect.USER32(?,?), ref: 0040ABD6
Part of subcall function 0040AB37: PtInRect.USER32(?,?,0040C014), ref: 0040ABE6

SendMessageW.USER32(?,000000B0,?,?), ref: 0040C690
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0040C69B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0040C6BE
_wcscat.LIBCMT ref: 0040C6EE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 0040C705
SendMessageW.USER32(?,000000B0,?,?), ref: 0040C71E
SendMessageW.USER32(?,000000B1,?,?), ref: 0040C735
SendMessageW.USER32(?,000000B1,?,?), ref: 0040C757
DragFinish.SHELL32(?), ref: 0040C75E
NtdllDialogWndProc_W.NTDLL(?,00000233,?,00000000,?,?,?), ref: 0040C851

Strings

@GUI_DROPID, xrefs: 0040C77E
@GUI_DRAGID, xrefs: 0040C7C9
@GUI_DRAGFILE, xrefs: 0040C800

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientDialogFinishLongNtdllPointProc_Screen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 2166380349-3440237614
Opcode ID: 5665d778e2f0f9baaf38da9701705c46bda5ee7541ff7606e72ad47f740af7c9
Instruction ID: 513d32963f66f93b891f3d0e18495e30dc0b42b0a910edc222dcfb0b80a72ac5
Opcode Fuzzy Hash: 5665d778e2f0f9baaf38da9701705c46bda5ee7541ff7606e72ad47f740af7c9
Instruction Fuzzy Hash: 5E618E72108301AFC711EF64CC85EAFBBE8EF89310F500A2EF595A71A1DB719949CB56

Function 003EF0F2 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 003EF113
_wcscmp.LIBCMT ref: 003EF128
_wcscmp.LIBCMT ref: 003EF13F

Part of subcall function 003E4385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 003E43A0

FindNextFileW.KERNEL32(00000000,?), ref: 003EF16E
FindClose.KERNEL32(00000000), ref: 003EF179
FindFirstFileW.KERNEL32(*.*,?), ref: 003EF195
_wcscmp.LIBCMT ref: 003EF1BC
_wcscmp.LIBCMT ref: 003EF1D3
SetCurrentDirectoryW.KERNEL32(?), ref: 003EF1E5
SetCurrentDirectoryW.KERNEL32(00438920), ref: 003EF203
FindNextFileW.KERNEL32(00000000,00000010), ref: 003EF20D
FindClose.KERNEL32(00000000), ref: 003EF21A
FindClose.KERNEL32(00000000), ref: 003EF22C

Strings

*.*, xrefs: 003EF190

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 8eaf6376f91ddeedeafb21fc226bd5329edcabd4364092bb671aee6b0d34212c
Instruction ID: f97837ded94442df344da3884e4aade99f011c7e43b409a4882f3065e1a4a0e1
Opcode Fuzzy Hash: 8eaf6376f91ddeedeafb21fc226bd5329edcabd4364092bb671aee6b0d34212c
Instruction Fuzzy Hash: B631E93A50026D6EDB21ABB5EC45BEE776C9F4A360F110275F904E20D0DB71DE45CA58

Function 003EA1EF Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 003EA20F
__swprintf.LIBCMT ref: 003EA231
CreateDirectoryW.KERNEL32(?,00000000), ref: 003EA26E
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 003EA293
_memset.LIBCMT ref: 003EA2B2
_wcsncpy.LIBCMT ref: 003EA2EE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 003EA323
CloseHandle.KERNEL32(00000000), ref: 003EA32E
RemoveDirectoryW.KERNEL32(?), ref: 003EA337
CloseHandle.KERNEL32(00000000), ref: 003EA341

Strings

\??\%s, xrefs: 003EA22B
\, xrefs: 003EA247
:, xrefs: 003EA252

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 2d187f11e6dff45616fd07332ee6de81d0b986c4fefc6682f909d1e6dc7e7d43
Instruction ID: 8ca30a129212415a02b6aaa2dbd4f0dd3eea56138ebbc9bdcd39c1fa71ca131e
Opcode Fuzzy Hash: 2d187f11e6dff45616fd07332ee6de81d0b986c4fefc6682f909d1e6dc7e7d43
Instruction Fuzzy Hash: 7D31E775500259ABDB22DFA1DC49FEB77BCEF89700F1041B6FA09E61A0E770A6448B25

Function 003966E1 Relevance: 22.1, Strings: 17, Instructions: 889COMMON

Download Yara Rule

Strings

CR), xrefs: 003D1287
UCP), xrefs: 003D110D
3c9, xrefs: 003968FF
NO_START_OPT), xrefs: 003D114F
BSR_UNICODE), xrefs: 003D1338
UTF16), xrefs: 003D10CF
UTF), xrefs: 003D10FA
LIMIT_MATCH=, xrefs: 003D1170
_9, xrefs: 003D1465, 003D150C, 003D15B4
NO_AUTO_POSSESS), xrefs: 003D112E
ANYCRLF), xrefs: 003D12FB
SER_APP_PROFILE_STRING=Internet Explorer, xrefs: 003D1349
BSR_ANYCRLF), xrefs: 003D131E
ANY), xrefs: 003D12DE
LIMIT_RECURSION=, xrefs: 003D11FC
LF), xrefs: 003D12A4
CRLF), xrefs: 003D12C1

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID:
String ID: 3c9$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$SER_APP_PROFILE_STRING=Internet Explorer$UCP)$UTF)$UTF16)$_9
API String ID: 0-2112147887
Opcode ID: 76456e8a3dde8121db6e98eef467a1e4a6db9b1faaa4e8cde764878b40f344fc
Instruction ID: 1ebc6c11da62ef515c6efc541a4331f53424f8162c19ae760b3a2cd43f61302a
Opcode Fuzzy Hash: 76456e8a3dde8121db6e98eef467a1e4a6db9b1faaa4e8cde764878b40f344fc
Instruction Fuzzy Hash: AC727F76E002199BDF26CF59D8817AEB7B5FF48310F15816AE809EB780E7749D81CB90

Function 0040C1AC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windownativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00382612: GetWindowLongW.USER32(?,000000EB), ref: 00382623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0040C1FC
GetFocus.USER32 ref: 0040C20C
GetDlgCtrlID.USER32(00000000), ref: 0040C217
_memset.LIBCMT ref: 0040C342
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0040C36D
GetMenuItemCount.USER32(?), ref: 0040C38D
GetMenuItemID.USER32(?,00000000), ref: 0040C3A0
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0040C3D4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0040C41C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0040C454
NtdllDialogWndProc_W.NTDLL(?,00000111,?,?,?,?,?,?,?), ref: 0040C489

Strings

0, xrefs: 0040C33A

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlDialogFocusLongMessageNtdllPostProc_RadioWindow_memset
String ID: 0
API String ID: 3616455698-4108050209
Opcode ID: 27ecfd53299ae30b47cf5acd65f0dd7ea5510d1c1bf9491407e4facd9a89cf72
Instruction ID: bf26328d172fb5dfd2ba6c7eca06a2eed6808faa38b6380d5073470804f26266
Opcode Fuzzy Hash: 27ecfd53299ae30b47cf5acd65f0dd7ea5510d1c1bf9491407e4facd9a89cf72
Instruction Fuzzy Hash: 55818070608301EFDB20DF64D894A6BBBE4FB88714F004A3EF995A7291D734D905CB9A

Function 003E001C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 003E0097
SetKeyboardState.USER32(?), ref: 003E0102
GetAsyncKeyState.USER32(000000A0), ref: 003E0122
GetKeyState.USER32(000000A0), ref: 003E0139
GetAsyncKeyState.USER32(000000A1), ref: 003E0168
GetKeyState.USER32(000000A1), ref: 003E0179
GetAsyncKeyState.USER32(00000011), ref: 003E01A5
GetKeyState.USER32(00000011), ref: 003E01B3
GetAsyncKeyState.USER32(00000012), ref: 003E01DC
GetKeyState.USER32(00000012), ref: 003E01EA
GetAsyncKeyState.USER32(0000005B), ref: 003E0213
GetKeyState.USER32(0000005B), ref: 003E0221

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 254e209deb016cedcab7ebb29b61369af3f83348e3cc62092ca4fc89f6453f52
Instruction ID: 70630c8f6a9b2020d7efe03dd3708970eed00838fe3b1164488c1bddd77cd6dc
Opcode Fuzzy Hash: 254e209deb016cedcab7ebb29b61369af3f83348e3cc62092ca4fc89f6453f52
Instruction Fuzzy Hash: 2451FA249047E829FB3ADBB188547EABFB49F01380F09479985C65A5C3DAE49FCCC761

Function 004003DA Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00400E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,003FFDAD,?,?), ref: 00400E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004004AC

Part of subcall function 00389837: __itow.LIBCMT ref: 00389862
Part of subcall function 00389837: __swprintf.LIBCMT ref: 003898AC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0040054B
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 004005E3
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00400822
RegCloseKey.ADVAPI32(00000000), ref: 0040082F

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 6fd7a7f4d4f65ac9100739fd1747237a5341f6ecde4cc09870bf31a9af545ab5
Instruction ID: d571dc28c52acff1f4f898b0244ec8a0547d120caef52a4c3eeca6375f3cb702
Opcode Fuzzy Hash: 6fd7a7f4d4f65ac9100739fd1747237a5341f6ecde4cc09870bf31a9af545ab5
Instruction Fuzzy Hash: 8CE14E71204200AFCB15DF24C895E6BBBE5FF89314F04896EF44ADB2A1DA34E905CB96

Function 003F83BB Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00389837: __itow.LIBCMT ref: 00389862
Part of subcall function 00389837: __swprintf.LIBCMT ref: 003898AC

CoInitialize.OLE32 ref: 003F8403
CoUninitialize.COMBASE ref: 003F840E
CoCreateInstance.COMBASE(?,00000000,00000017,00412BEC,?), ref: 003F846E
IIDFromString.COMBASE(?,?), ref: 003F84E1
VariantInit.OLEAUT32(?), ref: 003F857B
VariantClear.OLEAUT32(?), ref: 003F85DC

Strings

Failed to create object, xrefs: 003F8479, 003F852F
NULL Pointer assignment, xrefs: 003F84B3
Invalid parameter, xrefs: 003F84FA

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: fad961e22f2b7a46152f7557ab4f369809d9ed4385f2956f7caba8feac9cfd2b
Instruction ID: 21f74d692d86558178fab81c2a82ff8ba728338d438f6b138a384165d75dbd7a
Opcode Fuzzy Hash: fad961e22f2b7a46152f7557ab4f369809d9ed4385f2956f7caba8feac9cfd2b
Instruction Fuzzy Hash: F061DF716083169FC716EF25C848F6EB7E8AF49714F04485EFA859B291CB70ED48CB92

Function 003F4164 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 003F418B
EmptyClipboard.USER32 ref: 003F4191
GlobalAlloc.KERNEL32(00000002,?), ref: 003F41A6
CloseClipboard.USER32 ref: 003F4245

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 677bede696b3dada97a5ed0f2527593935c93aa410f246e5b5f5ed9aa5e0b578
Instruction ID: 6f02bd26f1043d627443a40caa532383b05f7fbbf322ce896f761a6912a2382e
Opcode Fuzzy Hash: 677bede696b3dada97a5ed0f2527593935c93aa410f246e5b5f5ed9aa5e0b578
Instruction Fuzzy Hash: 4621A2352002149FDB12AF14ED09B7A7BA8EF45310F04847AF946EB261DB31AC01CB88

Function 003E37EF Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00384750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00384743,?,?,003837AE,?), ref: 00384770

Part of subcall function 003E4A31: GetFileAttributesW.KERNEL32(?,003E370B), ref: 003E4A32

FindFirstFileW.KERNEL32(?,?), ref: 003E38A3
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 003E394B
MoveFileW.KERNEL32(?,?), ref: 003E395E
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 003E397B
FindNextFileW.KERNEL32(00000000,00000010), ref: 003E399D
FindClose.KERNEL32(00000000,?,?,?,?), ref: 003E39B9

Strings

\*.*, xrefs: 003E384E, 003E3857, 003E386C

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 679dcff7d57fe9887da0b1d05e46ce1c351a4577806cc22e885781b186b03eb2
Instruction ID: e6e28f47f2073875409cf855a6b521dc704dc2eb776917f4eac4a90804d847e9
Opcode Fuzzy Hash: 679dcff7d57fe9887da0b1d05e46ce1c351a4577806cc22e885781b186b03eb2
Instruction Fuzzy Hash: 9E51713180529DAACF12FBA1DA969EDB779AF14310F6001A9F405BB1D2EB316F0DCB50

Function 003EF3F3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00387DE1: _memmove.LIBCMT ref: 00387E22

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 003EF440
Sleep.KERNEL32(0000000A), ref: 003EF470
_wcscmp.LIBCMT ref: 003EF484
_wcscmp.LIBCMT ref: 003EF49F
FindNextFileW.KERNEL32(?,?), ref: 003EF53D
FindClose.KERNEL32(00000000), ref: 003EF553

Strings

*.*, xrefs: 003EF425

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 35063e9f7c4845311c8d60435ba93cd0b93a828a22b4b27dc220925a6be9af7e
Instruction ID: ed0b3f3ff37db86d7bf21ed9e0898f892b927a6b0d8a11f3e221b53d0e5b97b0
Opcode Fuzzy Hash: 35063e9f7c4845311c8d60435ba93cd0b93a828a22b4b27dc220925a6be9af7e
Instruction Fuzzy Hash: F1416D719002599FCF12EF65DC45AEEBBB4FF16310F2045A6E815A71D1DB70AA44CF50

Function 0040D43E Relevance: 12.3, APIs: 8, Instructions: 257windownativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00382612: GetWindowLongW.USER32(?,000000EB), ref: 00382623

GetSystemMetrics.USER32(0000000F), ref: 0040D47C
GetSystemMetrics.USER32(0000000F), ref: 0040D49C
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0040D6D7
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0040D6F5
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0040D716
ShowWindow.USER32(00000003,00000000), ref: 0040D735
InvalidateRect.USER32(?,00000000,00000001), ref: 0040D75A
NtdllDialogWndProc_W.NTDLL(?,00000005,?,?), ref: 0040D77D

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$DialogInvalidateLongMoveNtdllProc_RectShow
String ID:
API String ID: 830902736-0
Opcode ID: 95952c760e14db6c7c3af0176bf46e083ecad1ce31640056f45b69fc6bbda17a
Instruction ID: fd64a84ad1aed0f911c9cd73f14ef1e059dd7bee91f7a160c4ce99716372ef81
Opcode Fuzzy Hash: 95952c760e14db6c7c3af0176bf46e083ecad1ce31640056f45b69fc6bbda17a
Instruction Fuzzy Hash: D6B19C75A00215EFDF14CFA8C9857AE7BB1BF04701F08817AEC48AB295D739A958CB54

Function 00393030 Relevance: 11.1, APIs: 4, Strings: 2, Instructions: 587COMMON

Download Yara Rule

Strings

3c9, xrefs: 00393225
_9, xrefs: 00393322

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: __itow__swprintf
String ID: 3c9$_9
API String ID: 674341424-1310868050
Opcode ID: 706c9c064b762c37a728af532b9f4a64e1c6c438d24511b0d285702a97faba96
Instruction ID: 552dfa9d71e0d64c808ee711ee70ffd5e47be770f0a05ccde43a0bbcad9172af
Opcode Fuzzy Hash: 706c9c064b762c37a728af532b9f4a64e1c6c438d24511b0d285702a97faba96
Instruction Fuzzy Hash: 50229EB16083019FCB26EF24C881B6FB7E4AF85314F15492DF49A9B291DB71ED44CB92

Function 003DE616 Relevance: 11.1, APIs: 1, Strings: 6, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 003DE628

Strings

(, xrefs: 003DE66E
InterfaceDispatch, xrefs: 003DE7DE
QueryInterface, xrefs: 003DE871
AddRef, xrefs: 003DE8FE
|, xrefs: 003DE658
Release, xrefs: 003DE946

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: lstrlen
String ID: ($AddRef$InterfaceDispatch$QueryInterface$Release$|
API String ID: 1659193697-2318614619
Opcode ID: 11afb9fd1f1be1f0f3ce838b5bfc11ca82ef5eb1829ca02aa74538df11eea627
Instruction ID: 37e2ce686bb2ddb025bfccdb64590fb5be309f1e23fad91fe05f4db5884a7052
Opcode Fuzzy Hash: 11afb9fd1f1be1f0f3ce838b5bfc11ca82ef5eb1829ca02aa74538df11eea627
Instruction Fuzzy Hash: CE323676A007059FD729DF19D48196ABBF0FF48320B16C46EE89ADB7A1E770E941CB40

Function 00395760 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 003958A5
_memmove.LIBCMT ref: 003958F5
_memmove.LIBCMT ref: 0039595B

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 8362c2e482c51ae563443369121ccb9251a20aa3eb51ca28f9062383772b2fbe
Instruction ID: 86f121604c864573abc441f7ad2ff8ea9b122257e3d3ddfa4071466370366e84
Opcode Fuzzy Hash: 8362c2e482c51ae563443369121ccb9251a20aa3eb51ca28f9062383772b2fbe
Instruction Fuzzy Hash: A7129E71A00609DFDF0ADFA5D981AAEB7F5FF48300F10456AE806EB250EB36AD54CB54

Function 003E51BD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 003D87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 003D882B
Part of subcall function 003D87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 003D8858
Part of subcall function 003D87E1: GetLastError.KERNEL32 ref: 003D8865

ExitWindowsEx.USER32(?,00000000), ref: 003E51F9

Strings

SeShutdownPrivilege, xrefs: 003E51C9
@, xrefs: 003E51EC
, xrefs: 003E51E7

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 8f955b23533b5f8a81a4ba89d62391730c7a7bc3fa53f440882ee6d5b27e4f13
Instruction ID: 83dddd2c5c2009683b350c2f7bf55072e3e904d2bc76bf4b2e894ecd3be49747
Opcode Fuzzy Hash: 8f955b23533b5f8a81a4ba89d62391730c7a7bc3fa53f440882ee6d5b27e4f13
Instruction Fuzzy Hash: 840170357916762BF73A1365AC4BFBB725CDB05348F210E35FA03E64C2D9612C004194

Function 003F6283 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000001,00000006), ref: 003F62DC
WSAGetLastError.WS2_32(00000000), ref: 003F62EB
bind.WS2_32(00000000,?,00000010), ref: 003F6307
listen.WS2_32(00000000,00000005), ref: 003F6316
WSAGetLastError.WS2_32(00000000), ref: 003F6330
closesocket.WS2_32(00000000), ref: 003F6344

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: e4cf84e8bdde6456a0d233809d6e46659498074b185260c345284ae8cf9f0714
Instruction ID: 92b0fbb65632d5d62f4aea5bea08001ec62716b65d47d86b009101dc52e33d93
Opcode Fuzzy Hash: e4cf84e8bdde6456a0d233809d6e46659498074b185260c345284ae8cf9f0714
Instruction Fuzzy Hash: 0E21F2352002049FCB11EF64CD46B7EB7E9EF48320F14816AF916AB3A1C770AD04CB51

Function 00395520 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 003A0DB6: std::exception::exception.LIBCMT ref: 003A0DEC
Part of subcall function 003A0DB6: __CxxThrowException@8.LIBCMT ref: 003A0E01

_memmove.LIBCMT ref: 003D0258
_memmove.LIBCMT ref: 003D036D
_memmove.LIBCMT ref: 003D0414

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: 3a72990ee8e6f98e9b3c444c6b6e688a55462e46270608c74710de8506a1ee55
Instruction ID: 3310d4e413ce80d03939be4b762c38554a5f1dc98d8648184b154464caf2c432
Opcode Fuzzy Hash: 3a72990ee8e6f98e9b3c444c6b6e688a55462e46270608c74710de8506a1ee55
Instruction Fuzzy Hash: C902B1B1A00205DBCF0ADF64E981AAE7BB5FF45300F5580AAE806DF355EB35D950CB91

Function 00381287 Relevance: 7.9, APIs: 5, Instructions: 379nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00382612: GetWindowLongW.USER32(?,000000EB), ref: 00382623

NtdllDialogWndProc_W.NTDLL(?,?,?,?,?), ref: 003819FA
GetSysColor.USER32(0000000F), ref: 00381A4E
SetBkColor.GDI32(?,00000000), ref: 00381A61

Part of subcall function 00381290: NtdllDialogWndProc_W.NTDLL(?,00000020,?), ref: 003812D8

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: ColorDialogNtdllProc_$LongWindow
String ID:
API String ID: 591255283-0
Opcode ID: 996712efea387b6fd428f974982a27d84698db1182b5096f2f2373b5c5b4762c
Instruction ID: 4578965187b49e5c11b345ac03d73630029b9b99753901eabb2c0850ddffbe11
Opcode Fuzzy Hash: 996712efea387b6fd428f974982a27d84698db1182b5096f2f2373b5c5b4762c
Instruction Fuzzy Hash: AFA14B71102744FBEA2FBB29CC84DBB355CDB42349B15026AF502E69D2CF689D0393B9

Function 003F6747 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 003F7D8B: inet_addr.WS2_32(00000000), ref: 003F7DB6

socket.WS2_32(00000002,00000002,00000011), ref: 003F679E
WSAGetLastError.WS2_32(00000000), ref: 003F67C7
bind.WS2_32(00000000,?,00000010), ref: 003F6800
WSAGetLastError.WS2_32(00000000), ref: 003F680D
closesocket.WS2_32(00000000), ref: 003F6821

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: 2cae262094d8bdedeb0d3cd5f86c24abdc7a7dd8dcd6799f32eda7d914a77dd0
Instruction ID: 1431ada50e35bf1655e8c3bf7c3a08143633410039ee07b19604585b3e531c96
Opcode Fuzzy Hash: 2cae262094d8bdedeb0d3cd5f86c24abdc7a7dd8dcd6799f32eda7d914a77dd0
Instruction Fuzzy Hash: 0F41A275A00314AFDB52BF248C86F7E77E89B49714F4484ADFA1AAF3D2CA709D048791

Function 00405376 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 004053C5
IsWindowEnabled.USER32 ref: 004053D3
GetForegroundWindow.USER32(?,?,00000001), ref: 004053E0
IsIconic.USER32 ref: 004053EE
IsZoomed.USER32 ref: 004053FC

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 82a276363ada83393f523e4888ea003c42c8e3e3aaa7bca0203230a6d725532b
Instruction ID: f2d641b7635167fe5581792fc68509ebe77a59c6a9d50ce90f71212f5e2a95bb
Opcode Fuzzy Hash: 82a276363ada83393f523e4888ea003c42c8e3e3aaa7bca0203230a6d725532b
Instruction Fuzzy Hash: D31186317006116BD7316F269C44B6BBB99EF457A1B44443AF846E7281CB789D028AA9

Function 003D80A9 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 003D80C0
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 003D80CA
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 003D80D9
RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 003D80E0
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 003D80F6

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: HeapInformationToken$AllocateErrorLastProcess
String ID:
API String ID: 47921759-0
Opcode ID: 91e45e47007526dbc8e1bdaf2dd499844904cceeda0995cd25783a2f5a3db08b
Instruction ID: 2be81834043fac49b034b39436cd7ae4d696233444963432d92051fdc80a3029
Opcode Fuzzy Hash: 91e45e47007526dbc8e1bdaf2dd499844904cceeda0995cd25783a2f5a3db08b
Instruction Fuzzy Hash: 87F06231240304AFEB314FA5EC8DE673BACEF49B55B000036F945E6250CB71AC59DA60

Function 003FEE0D Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 003FEE3D
Process32FirstW.KERNEL32(00000000,?), ref: 003FEE4B

Part of subcall function 00387DE1: _memmove.LIBCMT ref: 00387E22

Process32NextW.KERNEL32(00000000,?), ref: 003FEF0B
CloseHandle.KERNEL32(00000000,?,?,?), ref: 003FEF1A

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 97858fb0bfa31f67e611f5b601c9ff95706932423b0e7eaffe7e79802f032ae1
Instruction ID: d819a471dcbce093332f2a8994ec869c44791ccb16456c532ac0f2f86c961202
Opcode Fuzzy Hash: 97858fb0bfa31f67e611f5b601c9ff95706932423b0e7eaffe7e79802f032ae1
Instruction Fuzzy Hash: 6B5170715043159FD321EF24DC81E6BB7E8EF94710F50486DF5959B2A1EB70E908CB92

Function 0040C498 Relevance: 6.1, APIs: 4, Instructions: 83nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00382612: GetWindowLongW.USER32(?,000000EB), ref: 00382623

GetCursorPos.USER32(?), ref: 0040C4D2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,003BB9AB,?,?,?,?,?), ref: 0040C4E7
GetCursorPos.USER32(?), ref: 0040C534
NtdllDialogWndProc_W.NTDLL(?,0000007B,?,?,?,?,?,?,?,?,?,?,003BB9AB,?,?,?), ref: 0040C56E

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Cursor$DialogLongMenuNtdllPopupProc_TrackWindow
String ID:
API String ID: 1423138444-0
Opcode ID: 75e8a78d3d6531846c8c1596bc9a0faf1322a57b44cf07b76becedea2265445a
Instruction ID: 540bbb8d91be2519e82b7fb6b5c624548215740bcd41855982e1aa2874a0c6d9
Opcode Fuzzy Hash: 75e8a78d3d6531846c8c1596bc9a0faf1322a57b44cf07b76becedea2265445a
Instruction Fuzzy Hash: AE315039500068FFCB259F58CC98EAB7BB5EB09310F444176F905AB2A2C735A951DBA8

Function 00381290 Relevance: 6.1, APIs: 4, Instructions: 59nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00382612: GetWindowLongW.USER32(?,000000EB), ref: 00382623

NtdllDialogWndProc_W.NTDLL(?,00000020,?), ref: 003812D8
GetClientRect.USER32(?,?), ref: 003BB5FB
GetCursorPos.USER32(?), ref: 003BB605
ScreenToClient.USER32(?,?), ref: 003BB610

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Client$CursorDialogLongNtdllProc_RectScreenWindow
String ID:
API String ID: 1010295502-0
Opcode ID: ed772159b0842a88c378cf01fd5b51001e530c2f51c82c6f1e53325399602afe
Instruction ID: dc92195fc5919796a3e9d56f20f8974e986ac3fc3fb1536ee3c610c891224c1c
Opcode Fuzzy Hash: ed772159b0842a88c378cf01fd5b51001e530c2f51c82c6f1e53325399602afe
Instruction Fuzzy Hash: 62112835500219FBCF11EF98D9859EE77BCEB05311F4008A6F901E7541D731BA568BA9

Function 003F22EE Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,003F180A,00000000), ref: 003F23E1
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 003F2418

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 4cefc88f8fd0023ca70e161bc872ddf636c58984b4ca33b339492f9c9fc47eba
Instruction ID: 31232b13911fa31e993de8b56210c360d92ea52029c86d721e0635475bdd87ff
Opcode Fuzzy Hash: 4cefc88f8fd0023ca70e161bc872ddf636c58984b4ca33b339492f9c9fc47eba
Instruction Fuzzy Hash: BD41C4B590420DFFEB22DE96DC85FBBB7ACEB40314F10406BFB01A7541DAB99E419650

Function 003EB333 Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 003EB343
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 003EB39D
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 003EB3EA

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 21e2e996726e22672358e0b4c035b2165af4a4a774c66d39cad8bc5ccfe0773f
Instruction ID: d66c066ee911e7da3d6841af50db8eaad0832d0013b68fc9ae2b475424400ec2
Opcode Fuzzy Hash: 21e2e996726e22672358e0b4c035b2165af4a4a774c66d39cad8bc5ccfe0773f
Instruction Fuzzy Hash: 9D217135A00218EFCB01EFA5D885AEEFBB8FF49314F1481AAE905AB351CB319D15CB55

Function 003D87E1 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 003A0DB6: std::exception::exception.LIBCMT ref: 003A0DEC
Part of subcall function 003A0DB6: __CxxThrowException@8.LIBCMT ref: 003A0E01

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 003D882B
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 003D8858
GetLastError.KERNEL32 ref: 003D8865

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 59e37141da71367c7a7f152b2da8660d50c53d068eda77254f7e75815723a6b3
Instruction ID: 093a32b7a2a3370142e86c38e08356c3856eab6a44c6c672981698c4533a008e
Opcode Fuzzy Hash: 59e37141da71367c7a7f152b2da8660d50c53d068eda77254f7e75815723a6b3
Instruction Fuzzy Hash: 33118CB2814204AFE729EFA4EC85D6BB7FDEB45710B20852EF45697641EB30BC448B60

Function 003D874B Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 003D8774
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 003D878B
FreeSid.ADVAPI32(?), ref: 003D879B

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 9c1f8870f4719ffe94ec1e7cc0c705b19de182723894f3cdc36afc0bb1d900fc
Instruction ID: e6f4e21fbd849012fe89d109f2becf67b8bc55b9d03f47fab43acf5945410b25
Opcode Fuzzy Hash: 9c1f8870f4719ffe94ec1e7cc0c705b19de182723894f3cdc36afc0bb1d900fc
Instruction Fuzzy Hash: 4CF04975A1130CBFDF00DFF4DD89AAEBBBCEF08601F1044B9A901E2681E6716A088B54

Function 003816DE Relevance: 3.1, APIs: 2, Instructions: 83nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00382612: GetWindowLongW.USER32(?,000000EB), ref: 00382623

Part of subcall function 003825DB: GetWindowLongW.USER32(?,000000EB), ref: 003825EC

GetParent.USER32(?), ref: 003BB7BA
NtdllDialogWndProc_W.NTDLL(?,00000133,?,?,?,?,?,?,?,?,003819B3,?,?,?,00000006,?), ref: 003BB834

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: LongWindow$DialogNtdllParentProc_
String ID:
API String ID: 314495775-0
Opcode ID: 934fef0e21206e527aeb37f704a46207979133e675d0057e461f9bd20e131e3e
Instruction ID: 383a68686537bcc22065a3b0616d29e11167e45b824b452d2798c55f3bdbe35b
Opcode Fuzzy Hash: 934fef0e21206e527aeb37f704a46207979133e675d0057e461f9bd20e131e3e
Instruction Fuzzy Hash: F421EA34201244AFCF22AF28C885DE97BDAEF4A324F5542B4F6255B6F2CB719D12DB50

Function 003EC6D1 Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 003EC6FB
FindClose.KERNEL32(00000000), ref: 003EC72B

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 01b02d0e0efda2b93690530d19ebcc3d14561fa25a489242f7a257c489cc49c8
Instruction ID: 490cd9c26c5bc12f507dae18cfa40bcd8abc045ef015aaf2986b7901c5d86d2e
Opcode Fuzzy Hash: 01b02d0e0efda2b93690530d19ebcc3d14561fa25a489242f7a257c489cc49c8
Instruction Fuzzy Hash: 1611A9715002009FDB10EF29D845A2AF7E5FF45324F04855EF9A5DB291DB30AC05CF81

Function 0040C57D Relevance: 3.0, APIs: 2, Instructions: 46nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00382612: GetWindowLongW.USER32(?,000000EB), ref: 00382623

NtdllDialogWndProc_W.NTDLL(?,0000002B,?,?,?,?,?,?,?,003BB93A,?,?,?), ref: 0040C5F1

Part of subcall function 003825DB: GetWindowLongW.USER32(?,000000EB), ref: 003825EC

SendMessageW.USER32(?,00000401,00000000,00000000), ref: 0040C5D7

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: LongWindow$DialogMessageNtdllProc_Send
String ID:
API String ID: 1273190321-0
Opcode ID: 378d83445d5123eafca5ab1927a29211a120f45cd83b54ef7f37e69399eaadd7
Instruction ID: dbe0ad9935c7685d907e79068d7df05c7d8f96c81258ec63fce04894405ba4fc
Opcode Fuzzy Hash: 378d83445d5123eafca5ab1927a29211a120f45cd83b54ef7f37e69399eaadd7
Instruction Fuzzy Hash: 5601D835200214FBCB25AF14DC84E6B7BA6FF89364F14067AF9412B2E1CB75A813EB55

Function 0040C93E Relevance: 3.0, APIs: 2, Instructions: 33nativeCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0040C961
NtdllDialogWndProc_W.NTDLL(?,00000200,?,?,?,?,?,?,?,003BBA16,?,?,?,?,?), ref: 0040C98A

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: ClientDialogNtdllProc_Screen
String ID:
API String ID: 3420055661-0
Opcode ID: 83a19a11f2724e07f42e1784e9977aeb80e0a36bc69a7631ebbb0450044b9bc1
Instruction ID: db10eb1defd37a1ca81e7ff2d144ce2d21f96acdcded6af320a0074580828e04
Opcode Fuzzy Hash: 83a19a11f2724e07f42e1784e9977aeb80e0a36bc69a7631ebbb0450044b9bc1
Instruction Fuzzy Hash: 50F01772400218FFEF149F85DD099AE7BB9FB48311F00417AF901A2161D7716A64EBA8

Function 003EA06A Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,003F9468,?,0040FB84,?), ref: 003EA097
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,003F9468,?,0040FB84,?), ref: 003EA0A9

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 2496b966ad6f986940f0ae68ba279d5b58d5d21599b252ac693b2571f24d7ff4
Instruction ID: 0d21a9cdfca5e50410bfcf4025c4b9c43a0ff3709ea894dcfa800b8310935e13
Opcode Fuzzy Hash: 2496b966ad6f986940f0ae68ba279d5b58d5d21599b252ac693b2571f24d7ff4
Instruction Fuzzy Hash: 61F0823510522DABDB22AFA4CC48FEA776DBF08361F004265F909D6181D630AA48CBA1

Function 0040CA7C Relevance: 3.0, APIs: 2, Instructions: 23nativeCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0040CA84
NtdllDialogWndProc_W.NTDLL(?,00000084,00000000,?,?,003BB995,?,?,?,?), ref: 0040CAB2

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 16ebde5cc1a4376922eea76f656b91b06ca298ba29d539350447ef7905c14074
Instruction ID: 1ff38d1f23600fa2e6e0b7cd28b80433dcb2c578d425dfa3d0f6ecf00522770b
Opcode Fuzzy Hash: 16ebde5cc1a4376922eea76f656b91b06ca298ba29d539350447ef7905c14074
Instruction Fuzzy Hash: 15E0DF30200208BBEB249F19CC0AFBA3B58EB00750F408636F856E91E1C67498509B64

Function 003D81CB Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,003D8309), ref: 003D81E0
CloseHandle.KERNEL32(?,?,003D8309), ref: 003D81F2

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 31234ec173c34db6e467060a6ba765b47c2d5991ff7174c9c15ae34af09158d5
Instruction ID: c4157ffcfe9c9aea593667891b7fc828b3fb6452169dcf369cc9997566b3e29c
Opcode Fuzzy Hash: 31234ec173c34db6e467060a6ba765b47c2d5991ff7174c9c15ae34af09158d5
Instruction Fuzzy Hash: 6AE0E672010610AFEB2A2B60FC05D7777EDEF04310714883DF85584470DB716C95DB14

Function 003AA155 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,00414178,003A8D57,t of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.,?,?,00000001), ref: 003AA15A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 003AA163

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 0266b3185fd43271c65e66d33e46d7f687f8defd57cbbdd570dd5a57865c0474
Instruction ID: e4c9387df813b85c50f4b228e8cc042d813253d78273940c529b6a79853a48cf
Opcode Fuzzy Hash: 0266b3185fd43271c65e66d33e46d7f687f8defd57cbbdd570dd5a57865c0474
Instruction Fuzzy Hash: E2B09231058208ABCA102B91ED09B883F68EB45AB2F404030FA0D94C60CB7254548A99

Function 003AF1D9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3d1fcbdd3a92ff4941318f7f363715f25e20749dce479d2dc22f5c4e1a1fcc4
Instruction ID: 330ad97bb8db3c7ac0e454a9b34f0eba3448fae5a80e7ba59e5b75fb0a5f3bb0
Opcode Fuzzy Hash: e3d1fcbdd3a92ff4941318f7f363715f25e20749dce479d2dc22f5c4e1a1fcc4
Instruction Fuzzy Hash: 5C32F122D69F014DD7239634D832336A25DEFB73D8F15D737E82AB5AA6EB28D4834104

Function 003B242E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b7d8e4b486c812f31dafcdd99db992e6e8e9f079036606ce9dd588599cbda30
Instruction ID: de8504848010383f3442514e3b42a5e5cce3f741ba7c1fc028b0b8ac0d2f984b
Opcode Fuzzy Hash: 2b7d8e4b486c812f31dafcdd99db992e6e8e9f079036606ce9dd588599cbda30
Instruction Fuzzy Hash: 38B1F120E2AF514DD32396398831336F65CAFBB2D9F51D72BFC2A74D22EB2185934145

Function 003E8889 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 003E889B

Part of subcall function 003A520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,003E8F6E,00000000,?,?,?,?,003E911F,00000000,?), ref: 003A5213
Part of subcall function 003A520A: __aulldiv.LIBCMT ref: 003A5233

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: 5592af09d24a2141b295f9402480fa8b432403bd8153789d492745132ed4d1c5
Instruction ID: 4257f34c365a3a4d6057d4612b70dd3cb48c73f215e014e55e0a3afd970a4575
Opcode Fuzzy Hash: 5592af09d24a2141b295f9402480fa8b432403bd8153789d492745132ed4d1c5
Instruction Fuzzy Hash: 5C21A536A255108BC729CF29D441A51B3E1EFA6311B698F6CD5F5CB2C0CA34A945CB54

Function 0040D78C Relevance: 1.6, APIs: 1, Instructions: 66nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00382612: GetWindowLongW.USER32(?,000000EB), ref: 00382623

NtdllDialogWndProc_W.NTDLL(?,00000112,?,00000000), ref: 0040D838

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 96585906eda6b3f586e9277e61765ca7b96304f04cd88d2312084e4cb74d1a56
Instruction ID: 1cdb1ae817e484120e3acddadaf567d9c44179413ff2256a1d850d106c9f249c
Opcode Fuzzy Hash: 96585906eda6b3f586e9277e61765ca7b96304f04cd88d2312084e4cb74d1a56
Instruction Fuzzy Hash: 5D110435604215BBEB256A6CCC06F7A3614D746720F20833BF9227B6E3CA789D1592AD

Function 0040D3B8 Relevance: 1.5, APIs: 1, Instructions: 47nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 003825DB: GetWindowLongW.USER32(?,000000EB), ref: 003825EC

NtdllDialogWndProc_W.NTDLL(?,00000115,?,?,?,?,?,?,003BB952,?,?,?,?,00000000,?), ref: 0040D432

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: b23a3d1c30cbac57552b394757b0bf6f4d7c5480a1283efdabdf570cce7db000
Instruction ID: 3516b4b60cab2f4ba0873f804df0cae131854a41c8b5a5c34f0f0516173ac889
Opcode Fuzzy Hash: b23a3d1c30cbac57552b394757b0bf6f4d7c5480a1283efdabdf570cce7db000
Instruction Fuzzy Hash: 0A01F531A00114ABDF149F65C845BBB3B51EF46325F444136F9063B2D2C334BC1697A8

Function 0038189B Relevance: 1.5, APIs: 1, Instructions: 29nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00382612: GetWindowLongW.USER32(?,000000EB), ref: 00382623

NtdllDialogWndProc_W.NTDLL(?,00000006,00000000,?,?,?,00381B04,?,?,?,?,?), ref: 003818E2

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 8e390db05ce3dd09a5656038a35f921379d52a2af3d6071b10db5f3089759b47
Instruction ID: c48a637f70d09dedb4f453f1012e9008ab0694de6c32786a6da998231abab258
Opcode Fuzzy Hash: 8e390db05ce3dd09a5656038a35f921379d52a2af3d6071b10db5f3089759b47
Instruction Fuzzy Hash: 74F0BE34200215EFDF19EF04C85192637E6EB00310F50813AF8524B2A2DB31D860DB50

Function 0040C8BE Relevance: 1.5, APIs: 1, Instructions: 24nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL(?,00000232,?,?), ref: 0040C8FE

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: 0154299cc552ca158712c36761df6f28b98d9020f612292e7dae358e22e18f35
Instruction ID: 6bcacdf7d047ab4db4fc18cbe1da0a3a487ef99f9bf0bbb4fea06dc56fe6950b
Opcode Fuzzy Hash: 0154299cc552ca158712c36761df6f28b98d9020f612292e7dae358e22e18f35
Instruction Fuzzy Hash: FDF06D35200255FFDF21EF58DC45FC63B95EB09320F448029FA11672E2CB746820D7A8

Function 003E4C27 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 003E4C4A

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: da73e4d2be13077fab55d2f21d0ed67c2bcbc042bc227f2049e296387165ad25
Instruction ID: 501633caefd29be45a9afc960011b1132e238e6afb3f2b71e196f2ad6b5996fd
Opcode Fuzzy Hash: da73e4d2be13077fab55d2f21d0ed67c2bcbc042bc227f2049e296387165ad25
Instruction Fuzzy Hash: 43D05E911652BA38EC2E0722AE0FF7E0108E308782FF283997102CB4C2EC906C445030

Function 003D87B1 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,003D8389), ref: 003D87D1

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: efaee2c0e0cfb4d077d545f7e8d033c962ec9b703b071a8141cd0871891ac423
Instruction ID: d539fd809d70131e932e3cb5afb23daacf1f9d1e434b95c64e4e77541d2e5430
Opcode Fuzzy Hash: efaee2c0e0cfb4d077d545f7e8d033c962ec9b703b071a8141cd0871891ac423
Instruction Fuzzy Hash: B8D05E3226050EABEF019EA4DD01EAF3B69EB04B01F408121FE15D50A1C775E835AB60

Function 0040C909 Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL(?,00000053,?,?,?,003BB9BC,?,?,?,?,?,?), ref: 0040C934

Part of subcall function 0040B635: _memset.LIBCMT ref: 0040B644
Part of subcall function 0040B635: _memset.LIBCMT ref: 0040B653
Part of subcall function 0040B635: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00446F20,00446F64), ref: 0040B682
Part of subcall function 0040B635: CloseHandle.KERNEL32 ref: 0040B694

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: _memset$CloseCreateDialogHandleNtdllProc_Process
String ID:
API String ID: 2364484715-0
Opcode ID: a4cd2c966234d8c30dad37293f997a822c1dfbec37158f784f8fd89762689783
Instruction ID: a82a566fd006a1300b5fec56dc0c50d0c672b7b9bb68515c149c6714a52b1e8a
Opcode Fuzzy Hash: a4cd2c966234d8c30dad37293f997a822c1dfbec37158f784f8fd89762689783
Instruction Fuzzy Hash: 01E01275100208EFCB01AF44DD50E8637A1FB18305F018026FA06272B2CB31A821EF99

Function 0038167D Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00382612: GetWindowLongW.USER32(?,000000EB), ref: 00382623

NtdllDialogWndProc_W.NTDLL(?,00000007,?,00000000,00000000,?,?,?,00381AEE,?,?,?), ref: 003816AB

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 957857a6ddcd3a2b305e06a6b2b471e8086377ccfe99a92648bd32cbf221c86e
Instruction ID: 404af28348bfffc543c0bbe982ae0a0fb123c21d947ea48bfd15828830809474
Opcode Fuzzy Hash: 957857a6ddcd3a2b305e06a6b2b471e8086377ccfe99a92648bd32cbf221c86e
Instruction Fuzzy Hash: F9E0EC35100208FBCF16BF90DC11E653B26FB49315F508469FA451E2A2CB76A522DB54

Function 0040C860 Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL ref: 0040C885

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: c40465c06e3ab16af9a9d3ad65d8002b79fde6f34663ef0b5f55cfcd7c02a45e
Instruction ID: c59366f9012d24e92beb83372abbbeac1341639b9680f0a485ece6c0107dc900
Opcode Fuzzy Hash: c40465c06e3ab16af9a9d3ad65d8002b79fde6f34663ef0b5f55cfcd7c02a45e
Instruction Fuzzy Hash: BBE0E239200209EFCB01EF88DC84E863BA5AB1D300F004064FE0557262CB71A830EB61

Function 0040C88F Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL ref: 0040C8B4

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: ac31733c09544a6d5b72385e104c453cc66e59013b6185390a765ee7ce579263
Instruction ID: 205631ad9c831c166522743de9038593836d0767a3c00c75b80a373c4e78dd3b
Opcode Fuzzy Hash: ac31733c09544a6d5b72385e104c453cc66e59013b6185390a765ee7ce579263
Instruction Fuzzy Hash: B7E0E239200209EFCB01EF88D944D863BA5AB1D300F404064FE0557263CB71A830EBA1

Function 003816B5 Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00382612: GetWindowLongW.USER32(?,000000EB), ref: 00382623

Part of subcall function 0038201B: DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 003820D3
Part of subcall function 0038201B: KillTimer.USER32(-00000001,?,?,?,?,003816CB,00000000,?,?,00381AE2,?,?), ref: 0038216E

NtdllDialogWndProc_W.NTDLL(?,00000002,00000000,00000000,00000000,?,?,00381AE2,?,?), ref: 003816D4

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Window$DestroyDialogKillLongNtdllProc_Timer
String ID:
API String ID: 2797419724-0
Opcode ID: c63728a06bcf46a45b139b988da2043c801a37191f5f6d133f676061e51722a1
Instruction ID: c54bab9d4bdb53eb5e8e9f6fba120d5c6b723bf0ef5638acb5612efb1e77af92
Opcode Fuzzy Hash: c63728a06bcf46a45b139b988da2043c801a37191f5f6d133f676061e51722a1
Instruction Fuzzy Hash: 0AD01270140308B7DE217B50DD17F4A3A1D9B14750F80C431BA047D1D3DBB16810A65C

Function 003AA124 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 003AA12A

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: d7b58d9fd59b022537eae07f5b804e6f8182bb2e09c27c80ac0890567e565ab7
Instruction ID: 64db4507908e7d4f6b33a9ebb8cc09db4c554c13b7aee737cb144930f61c864c
Opcode Fuzzy Hash: d7b58d9fd59b022537eae07f5b804e6f8182bb2e09c27c80ac0890567e565ab7
Instruction Fuzzy Hash: B4A0113000820CABCA002B82EC08888BFACEA002A0B008030F80C80C228B32A8208A88

Function 00398808 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c350858633a749dddf92a61e737547e665933ab32a74843a3ceb8c79c105d27a
Instruction ID: 4d129ae6d01921800fb40a3e143d78d0fad4c9b4be4b5c95c1849532f4f14e57
Opcode Fuzzy Hash: c350858633a749dddf92a61e737547e665933ab32a74843a3ceb8c79c105d27a
Instruction Fuzzy Hash: 48222531A04506CBDF2B8B24D49477CB7A1FF82344F3A846BD9568BA92DB70DD92C741

Function 003A21C5 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: aeb85a2e742dec3e7adedb93639ad5a627aa4e1db8aded701200a2cc90049917
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 90C180362050A30ADF6E463E843413FFAA19FA37B171B076DD8B2DB5D4EE24C925D620

Function 003A25FA Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: bdb6708b71c75c2e6b457b9e7e0129645c6e0fee8720c429c32c2b36775fac6f
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 56C162322051A30ADF6F463E843413FBAA19FA37B171B076DE4B2DB1D5EE24C925D620

Function 003A1978 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 335112fe7d821c859905adde304eca2a8ec1f4e51a9821bdffdea87b4dd1e30c
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 61C171322091A309DF2E463AC47413EBAA1DFA37B171B176DD4B3DB1D5EE20C965D620

Function 003F7806 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 003F785B
DeleteObject.GDI32(00000000), ref: 003F786D
DestroyWindow.USER32 ref: 003F787B
GetDesktopWindow.USER32 ref: 003F7895
GetWindowRect.USER32(00000000), ref: 003F789C
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 003F79DD
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 003F79ED
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003F7A35
GetClientRect.USER32(00000000,?), ref: 003F7A41
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 003F7A7B
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003F7A9D
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003F7AB0
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003F7ABB
GlobalLock.KERNEL32(00000000), ref: 003F7AC4
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003F7AD3
GlobalUnlock.KERNEL32(00000000), ref: 003F7ADC
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003F7AE3
GlobalFree.KERNEL32(00000000), ref: 003F7AEE
CreateStreamOnHGlobal.COMBASE(00000000,00000001,88C00000), ref: 003F7B00
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00412CAC,00000000), ref: 003F7B16
GlobalFree.KERNEL32(00000000), ref: 003F7B26
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 003F7B4C
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 003F7B6B
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003F7B8D
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003F7D7A

Strings

static, xrefs: 003F7A75, 003F7BCC
AutoIt v3, xrefs: 003F7A2D
, xrefs: 003F7D00
DISPLAY, xrefs: 003F7BDD

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: ece62cbb6cd8adb507d1d28e0c70e13301d5253c72587ada98af1feb24751dc8
Instruction ID: 0ad3b21d224375407eb8f2f5942833e3c0fa64e8f5037acf9874498a741c8910
Opcode Fuzzy Hash: ece62cbb6cd8adb507d1d28e0c70e13301d5253c72587ada98af1feb24751dc8
Instruction Fuzzy Hash: 73029C71900209EFDB15DFA4DD89EAE7BB9FF49310F148169F905AB2A1CB70AD01CB64

Function 0040356B Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,0040F910), ref: 00403627
IsWindowVisible.USER32(?), ref: 0040364B

Strings

SHOWDROPDOWN, xrefs: 004036E0
SENDCOMMANDID, xrefs: 004039DA
GETCURRENTLINE, xrefs: 004038ED
CHECK, xrefs: 0040386D
GETLINE, xrefs: 0040399B
ADDSTRING, xrefs: 00403716
SETCURRENTSELECTION, xrefs: 004037B6
DELSTRING, xrefs: 00403749
ISCHECKED, xrefs: 00403839
HIDEDROPDOWN, xrefs: 00403700
FINDSTRING, xrefs: 00403776
EDITPASTE, xrefs: 0040395F
UNCHECK, xrefs: 00403883
SELECTSTRING, xrefs: 00403806
ISVISIBLE, xrefs: 00403637
TABRIGHT, xrefs: 0040369D
TABLEFT, xrefs: 00403687
GETLINECOUNT, xrefs: 004038C6
ISENABLED, xrefs: 0040366B
GETCURRENTSELECTION, xrefs: 004037E3
GETCURRENTCOL, xrefs: 00403928
CURRENTTAB, xrefs: 004036BD
GETSELECTED, xrefs: 004038A3

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: b0cd512aaa148a336b20f0dc40d082c04929ff91d5c3f6ac66c5b299e4f9814e
Instruction ID: f62a7b58287eac7136217c725e4c9c4b07343f6e38f7a049f75e9ebc8376f0c8
Opcode Fuzzy Hash: b0cd512aaa148a336b20f0dc40d082c04929ff91d5c3f6ac66c5b299e4f9814e
Instruction Fuzzy Hash: 4AD1A4712043019BCB15EF10C451A6E7BE9EF95354F18886AF8866F3E2CB75EE0ACB45

Function 0040A5DA Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0040A630
GetSysColorBrush.USER32(0000000F), ref: 0040A661
GetSysColor.USER32(0000000F), ref: 0040A66D
SetBkColor.GDI32(?,000000FF), ref: 0040A687
SelectObject.GDI32(?,00000000), ref: 0040A696
InflateRect.USER32(?,000000FF,000000FF), ref: 0040A6C1
GetSysColor.USER32(00000010), ref: 0040A6C9
CreateSolidBrush.GDI32(00000000), ref: 0040A6D0
FrameRect.USER32(?,?,00000000), ref: 0040A6DF
DeleteObject.GDI32(00000000), ref: 0040A6E6
InflateRect.USER32(?,000000FE,000000FE), ref: 0040A731
FillRect.USER32(?,?,00000000), ref: 0040A763
GetWindowLongW.USER32(?,000000F0), ref: 0040A78E

Part of subcall function 0040A8CA: GetSysColor.USER32(00000012), ref: 0040A903
Part of subcall function 0040A8CA: SetTextColor.GDI32(?,?), ref: 0040A907
Part of subcall function 0040A8CA: GetSysColorBrush.USER32(0000000F), ref: 0040A91D
Part of subcall function 0040A8CA: GetSysColor.USER32(0000000F), ref: 0040A928
Part of subcall function 0040A8CA: GetSysColor.USER32(00000011), ref: 0040A945
Part of subcall function 0040A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0040A953
Part of subcall function 0040A8CA: SelectObject.GDI32(?,00000000), ref: 0040A964
Part of subcall function 0040A8CA: SetBkColor.GDI32(?,00000000), ref: 0040A96D
Part of subcall function 0040A8CA: SelectObject.GDI32(?,?), ref: 0040A97A
Part of subcall function 0040A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 0040A999
Part of subcall function 0040A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0040A9B0
Part of subcall function 0040A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 0040A9C5
Part of subcall function 0040A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0040A9ED

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: 2468b3cb7dfd7961bdaa092d1853a4eaa3ba532a32523821591d124c5efb8e67
Instruction ID: 8cfee5bd2ad00be62e735042a6ae3a642bf87b238536e0012f81f58e1ebd5b72
Opcode Fuzzy Hash: 2468b3cb7dfd7961bdaa092d1853a4eaa3ba532a32523821591d124c5efb8e67
Instruction Fuzzy Hash: E0917D72008301FFC7209F64DD08A5B7BA9FB89321F104B3AF9A2A61E1D775D949CB56

Function 003F74AB Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 003F74DE
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 003F759D
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 003F75DB
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 003F75ED
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 003F7633
GetClientRect.USER32(00000000,?), ref: 003F763F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 003F7683
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 003F7692
GetStockObject.GDI32(00000011), ref: 003F76A2
SelectObject.GDI32(00000000,00000000), ref: 003F76A6
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 003F76B6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 003F76BF
DeleteDC.GDI32(00000000), ref: 003F76C8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 003F76F4
SendMessageW.USER32(00000030,00000000,00000001), ref: 003F770B
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 003F7746
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 003F775A
SendMessageW.USER32(00000404,00000001,00000000), ref: 003F776B
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 003F779B
GetStockObject.GDI32(00000011), ref: 003F77A6
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 003F77B1
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 003F77BB

Strings

AutoIt v3, xrefs: 003F762B
static, xrefs: 003F767D, 003F7795
msctls_progress32, xrefs: 003F773C
DISPLAY, xrefs: 003F7688

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: bd7582523b3b43c66e9244ab359e36f2b71b9298987c5b944cd20c2c37b62a1a
Instruction ID: 6e691f08b27bb51b10a464c1ad24e03ce83d8f8ce23e8fba414c3bcddb7aa4b4
Opcode Fuzzy Hash: bd7582523b3b43c66e9244ab359e36f2b71b9298987c5b944cd20c2c37b62a1a
Instruction Fuzzy Hash: 00A18371A00609BFEB15DBA4DD49FAE7BB9EB49710F004165FA14AB2E1C7B0AD04CF64

Function 003EAD10 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 003EAD1E
GetDriveTypeW.KERNEL32(?,0040FAC0,?,\\.\,0040F910), ref: 003EADFB
SetErrorMode.KERNEL32(00000000,0040FAC0,?,\\.\,0040F910), ref: 003EAF59

Strings

SAS, xrefs: 003EAF05
Unknown, xrefs: 003EAE1B, 003EAEBF
SSA, xrefs: 003EAEE2
CDROM, xrefs: 003EAE2F
\\.\, xrefs: 003EAD70
ATAPI, xrefs: 003EAECD
iSCSI, xrefs: 003EAEFE
Fixed, xrefs: 003EAE43
FileBackedVirtual, xrefs: 003EAF28
RAID, xrefs: 003EAEF7
SSD, xrefs: 003EAE86
SCSI, xrefs: 003EAEC6
MMC, xrefs: 003EAF1A
PhysicalDrive, xrefs: 003EADA7
SATA, xrefs: 003EAF0C
1394, xrefs: 003EAEDB
Fibre, xrefs: 003EAEE9
USB, xrefs: 003EAEF0
Removable, xrefs: 003EAE4D
ATA, xrefs: 003EAED4
Network, xrefs: 003EAE39
RAMDisk, xrefs: 003EAE25
Virtual, xrefs: 003EAF21

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 22e36803431d5456e743873b55cbab368e84f61081e514095f8548d47bf16bb3
Instruction ID: 1a99001b73754907cc8642879422227940664a25740b5250d07da2e154be45da
Opcode Fuzzy Hash: 22e36803431d5456e743873b55cbab368e84f61081e514095f8548d47bf16bb3
Instruction Fuzzy Hash: 7F51A2B0648B559ACB12EB12CD52D79B3A5EF48700B30436BF406AB6D0CA74BD02DB56

Function 003868DC Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00386931
__wcsnicmp.LIBCMT ref: 00386949
__wcsnicmp.LIBCMT ref: 00386961
__wcsnicmp.LIBCMT ref: 00386979
__wcsnicmp.LIBCMT ref: 00386991
__wcsnicmp.LIBCMT ref: 003869A9
__wcsnicmp.LIBCMT ref: 003869C1
__wcsnicmp.LIBCMT ref: 003869D5
__wcsnicmp.LIBCMT ref: 00386A16
__wcsnicmp.LIBCMT ref: 00386A2A
__wcsnicmp.LIBCMT ref: 00386A3E
__wcsnicmp.LIBCMT ref: 00386A52

Strings

#requireadmin, xrefs: 0038695B
#notrayicon, xrefs: 00386943
#include, xrefs: 003869A3
#include-once, xrefs: 0038698B
#ce, xrefs: 00386A4C
#OnAutoItStartRegister, xrefs: 00386973
#pragma compile, xrefs: 0038692B
Unterminated group of comments, xrefs: 003BE403
#comments-start, xrefs: 003869BB, 00386A10
Cannot parse #include, xrefs: 003BE3F0
#cs, xrefs: 003869CF, 00386A24
Bad directive syntax error, xrefs: 003BE31A
#comments-end, xrefs: 00386A38

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: a224a8901a88c7e7b90c51ebb81e4c117f4f0dcb9a922ba2c6b2d91d4c7d074d
Instruction ID: f80a87d1c46a896a301f5bbc33ae13064d6df0b0e9beddfa66c273a6a21bb583
Opcode Fuzzy Hash: a224a8901a88c7e7b90c51ebb81e4c117f4f0dcb9a922ba2c6b2d91d4c7d074d
Instruction Fuzzy Hash: 218110B1600305ABCB27BA65EC83FEE37A8EF15704F140065FA05AF5C2EB65DA45C7A1

Function 00409A1C Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 455windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00409AD2
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00409B8B
SendMessageW.USER32(?,00001102,00000002,?), ref: 00409BA7

Strings

0, xrefs: 00409BE4

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: ef37a025edca87800611ae45a8048038602f64716812835cd725e3c377749921
Instruction ID: d3caa2a6f49aff8b04e5167ee52fe5676cb88476de1e411ebe9ee109052650e9
Opcode Fuzzy Hash: ef37a025edca87800611ae45a8048038602f64716812835cd725e3c377749921
Instruction Fuzzy Hash: 9502AE70104201ABE725CF24C948BABBBE5FF45314F04853EF995A62E2C7399C45CB96

Function 0040A8CA Relevance: 39.2, APIs: 26, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 0040A903
SetTextColor.GDI32(?,?), ref: 0040A907
GetSysColorBrush.USER32(0000000F), ref: 0040A91D
GetSysColor.USER32(0000000F), ref: 0040A928
CreateSolidBrush.GDI32(?), ref: 0040A92D
GetSysColor.USER32(00000011), ref: 0040A945
CreatePen.GDI32(00000000,00000001,00743C00), ref: 0040A953
SelectObject.GDI32(?,00000000), ref: 0040A964
SetBkColor.GDI32(?,00000000), ref: 0040A96D
SelectObject.GDI32(?,?), ref: 0040A97A
InflateRect.USER32(?,000000FF,000000FF), ref: 0040A999
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0040A9B0
GetWindowLongW.USER32(00000000,000000F0), ref: 0040A9C5
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0040A9ED
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0040AA14
InflateRect.USER32(?,000000FD,000000FD), ref: 0040AA32
DrawFocusRect.USER32(?,?), ref: 0040AA3D
GetSysColor.USER32(00000011), ref: 0040AA4B
SetTextColor.GDI32(?,00000000), ref: 0040AA53
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0040AA67
SelectObject.GDI32(?,0040A5FA), ref: 0040AA7E
DeleteObject.GDI32(?), ref: 0040AA89
SelectObject.GDI32(?,?), ref: 0040AA8F
DeleteObject.GDI32(?), ref: 0040AA94
SetTextColor.GDI32(?,?), ref: 0040AA9A
SetBkColor.GDI32(?,?), ref: 0040AAA4

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 0e250da715f1cbb232fe692cb075b150c1bf1989ef10d7eeea4924b78c353c0d
Instruction ID: a3e1368d38dee59852f43981b895fda02c10567d8a371280dee298362c472785
Opcode Fuzzy Hash: 0e250da715f1cbb232fe692cb075b150c1bf1989ef10d7eeea4924b78c353c0d
Instruction Fuzzy Hash: 59515A71900208FFDB209FA4DD48EAEBBB9EB08320F114636F911BB2A1D7759954DF94

Function 004089D5 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00408AC1
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00408AD2
CharNextW.USER32(0000014E), ref: 00408B01
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00408B42
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00408B58
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00408B69
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00408B86
SetWindowTextW.USER32(?,0000014E), ref: 00408BD8
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00408BEE
SendMessageW.USER32(?,00001002,00000000,?), ref: 00408C1F
_memset.LIBCMT ref: 00408C44
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00408C8D
_memset.LIBCMT ref: 00408CEC
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00408D16
SendMessageW.USER32(?,00001074,?,00000001), ref: 00408D6E
SendMessageW.USER32(?,0000133D,?,?), ref: 00408E1B
InvalidateRect.USER32(?,00000000,00000001), ref: 00408E3D
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00408E87
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00408EB4
DrawMenuBar.USER32(?), ref: 00408EC3
SetWindowTextW.USER32(?,0000014E), ref: 00408EEB

Strings

0, xrefs: 00408E55

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 0241cd1d580dd2d4247cf4ba24b6696fbfe922f1848a1a351279c460ddb2f512
Instruction ID: 92133ba9edd9d7073f5fad82e117e2c2b104edbfbf0ba279e8ee2431c6840e0e
Opcode Fuzzy Hash: 0241cd1d580dd2d4247cf4ba24b6696fbfe922f1848a1a351279c460ddb2f512
Instruction Fuzzy Hash: 4EE18D70900208ABDF219F60CD84AEF7B79EF05710F10817AFA55BA2D1DB789985CF69

Function 0040488F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 004049CA
GetDesktopWindow.USER32 ref: 004049DF
GetWindowRect.USER32(00000000), ref: 004049E6
GetWindowLongW.USER32(?,000000F0), ref: 00404A48
DestroyWindow.USER32(?), ref: 00404A74
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00404A9D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00404ABB
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00404AE1
SendMessageW.USER32(?,00000421,?,?), ref: 00404AF6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00404B09
IsWindowVisible.USER32(?), ref: 00404B29
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00404B44
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00404B58
GetWindowRect.USER32(?,?), ref: 00404B70
MonitorFromPoint.USER32(?,?,00000002), ref: 00404B96
GetMonitorInfoW.USER32(00000000,?), ref: 00404BB0
CopyRect.USER32(?,?), ref: 00404BC7
SendMessageW.USER32(?,00000412,00000000), ref: 00404C32

Strings

(, xrefs: 00404BA3
tooltips_class32, xrefs: 00404A96
0, xrefs: 00404975

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 17b92973d76400cafe719a5d30484505302acdea10355cdce90df6646f8fe16f
Instruction ID: 7f7c9ab4d29bb3617acc2eedd3eb8124a8f034de70b66db3d8fcae4c3afab7b8
Opcode Fuzzy Hash: 17b92973d76400cafe719a5d30484505302acdea10355cdce90df6646f8fe16f
Instruction Fuzzy Hash: A8B18EB1604340AFD704DF64C944B6BBBE4BF88314F04892EFA99AB2A1D775EC05CB59

Function 003E449A Relevance: 33.4, APIs: 14, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

_wcscpy.LIBCMT ref: 003E4500
_wcscmp.LIBCMT ref: 003E450B
_wcscat.LIBCMT ref: 003E4521
_wcsstr.LIBCMT ref: 003E452C
751C1560.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 003E4548
_wcscat.LIBCMT ref: 003E4591
_wcscat.LIBCMT ref: 003E4598
_wcsncpy.LIBCMT ref: 003E45C3

Strings

%u.%u.%u.%u, xrefs: 003E4626
DefaultLangCodepage, xrefs: 003E45AB
04090000, xrefs: 003E457E
StringFileInfo\, xrefs: 003E451B
\VarFileInfo\Translation, xrefs: 003E4540

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: _wcscat$C1560_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 2258151342-1459072770
Opcode ID: c449ea61fe0f39530989f6f2b80704d08b09988c90e97b6bb9fc89e9150150c5
Instruction ID: 1668467df3350b4bd09ff160600ec2bc0ad46753bda93375f60c5d492b576820
Opcode Fuzzy Hash: c449ea61fe0f39530989f6f2b80704d08b09988c90e97b6bb9fc89e9150150c5
Instruction Fuzzy Hash: B4411632A002107BDB16EB758C03FBF77ACDF4B710F10057AF905EA1C2EA749A0196A9

Function 003DA439 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 003DA47A
__swprintf.LIBCMT ref: 003DA51B
_wcscmp.LIBCMT ref: 003DA52E
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 003DA583
_wcscmp.LIBCMT ref: 003DA5BF
GetClassNameW.USER32(?,?,00000400), ref: 003DA5F6
GetDlgCtrlID.USER32(?), ref: 003DA648
GetWindowRect.USER32(?,?), ref: 003DA67E
GetParent.USER32(?), ref: 003DA69C
ScreenToClient.USER32(00000000), ref: 003DA6A3
GetClassNameW.USER32(?,?,00000100), ref: 003DA71D
_wcscmp.LIBCMT ref: 003DA731
GetWindowTextW.USER32(?,?,00000400), ref: 003DA757
_wcscmp.LIBCMT ref: 003DA76B

Part of subcall function 003A362C: _iswctype.LIBCMT ref: 003A3634

Strings

%s%u, xrefs: 003DA515

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 49f6683291168c13535b7c9f8d1238cb987d4326dc451052cbfc21828972d562
Instruction ID: 4052b833e10d6e04174bfdfd8505d45e66375a58eb813ebd47dfcbeb1b2132b1
Opcode Fuzzy Hash: 49f6683291168c13535b7c9f8d1238cb987d4326dc451052cbfc21828972d562
Instruction Fuzzy Hash: 72A1E572204B06EFD716DF64D984FAAB7E8FF44310F00452AF999D6290DB30E955CB92

Function 003DAED4 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 003DAF18
_wcscmp.LIBCMT ref: 003DAF29
GetWindowTextW.USER32(00000001,?,00000400), ref: 003DAF51
CharUpperBuffW.USER32(?,00000000), ref: 003DAF6E
_wcscmp.LIBCMT ref: 003DAF8C
_wcsstr.LIBCMT ref: 003DAF9D
GetClassNameW.USER32(00000018,?,00000400), ref: 003DAFD5
_wcscmp.LIBCMT ref: 003DAFE5
GetWindowTextW.USER32(00000002,?,00000400), ref: 003DB00C
GetClassNameW.USER32(00000018,?,00000400), ref: 003DB055
_wcscmp.LIBCMT ref: 003DB065
GetClassNameW.USER32(00000010,?,00000400), ref: 003DB08D
GetWindowRect.USER32(00000004,?), ref: 003DB0F6

Strings

ThumbnailClass, xrefs: 003DAFE0, 003DB060
@, xrefs: 003DAEF9

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: fb954e866b27b26020ff704439e7905a777448315112bd29d27d31365e0ec0b0
Instruction ID: 6986f49ced994fe37b6b8cd167218fccca2a144bbe68d497dd78210e5c3d91b8
Opcode Fuzzy Hash: fb954e866b27b26020ff704439e7905a777448315112bd29d27d31365e0ec0b0
Instruction Fuzzy Hash: CB81BE72108305DBDB16DF14D981BAAB7ECEF44314F0584AAFD859A291DB30DD49CB62

Function 003DABD4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 003DAC33

Strings

ACTIVE, xrefs: 003DAC0E
[CLASS:, xrefs: 003DAC83
[ACTIVE, xrefs: 003DAC20
[ALL, xrefs: 003DACD9
ALL, xrefs: 003DACC7
[HANDLE:, xrefs: 003DAC3F
HANDLE=, xrefs: 003DAC2C
LAST, xrefs: 003DABF8
CLASSNAME=, xrefs: 003DAC70
REGEXP=, xrefs: 003DAC48
[LAST, xrefs: 003DACE0
[REGEXPTITLE:, xrefs: 003DAC5B

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: ad14997ef661f0f6c9d8a2b3ffea1312a14c6ad78a2d4bba92135d5ced3d928b
Instruction ID: 1b63680606cef183095bbf523979bc65deda0c730238f10f0b0c8fcf4b75b654
Opcode Fuzzy Hash: ad14997ef661f0f6c9d8a2b3ffea1312a14c6ad78a2d4bba92135d5ced3d928b
Instruction Fuzzy Hash: A531E4B2648709A7DA23FB60EE03FAE77659F14720F300066F481BA1D1EF55AF04D656

Function 003F4FFD Relevance: 25.6, APIs: 17, Instructions: 110COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 003F5013
LoadCursorW.USER32(00000000,00007F00), ref: 003F501E
LoadCursorW.USER32(00000000,00007F03), ref: 003F5029
LoadCursorW.USER32(00000000,00007F8B), ref: 003F5034
LoadCursorW.USER32(00000000,00007F01), ref: 003F503F
LoadCursorW.USER32(00000000,00007F81), ref: 003F504A
LoadCursorW.USER32(00000000,00007F88), ref: 003F5055
LoadCursorW.USER32(00000000,00007F80), ref: 003F5060
LoadCursorW.USER32(00000000,00007F86), ref: 003F506B
LoadCursorW.USER32(00000000,00007F83), ref: 003F5076
LoadCursorW.USER32(00000000,00007F85), ref: 003F5081
LoadCursorW.USER32(00000000,00007F82), ref: 003F508C
LoadCursorW.USER32(00000000,00007F84), ref: 003F5097
LoadCursorW.USER32(00000000,00007F04), ref: 003F50A2
LoadCursorW.USER32(00000000,00007F02), ref: 003F50AD
LoadCursorW.USER32(00000000,00007F89), ref: 003F50B8
GetCursorInfo.USER32(?), ref: 003F50C8

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: db88197f550d24b94697d6cdafaa7dde25b15e262e132add404ac7e7f1b80231
Instruction ID: 4bf5e3366134ee6b5d9ec5091adfe7ee9b0557a18688fb28d7f110dbe1bc70ed
Opcode Fuzzy Hash: db88197f550d24b94697d6cdafaa7dde25b15e262e132add404ac7e7f1b80231
Instruction Fuzzy Hash: 1831F2B1D4831E6ADF119FB68C8996EBFE8FF04750F50453AA60DE7280DA78A5008F91

Function 0040A1B9 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040A259
DestroyWindow.USER32(?,?), ref: 0040A2D3

Part of subcall function 00387BCC: _memmove.LIBCMT ref: 00387C06

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0040A34D
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0040A36F
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0040A382
DestroyWindow.USER32(00000000), ref: 0040A3A4
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00380000,00000000), ref: 0040A3DB
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0040A3F4
GetDesktopWindow.USER32 ref: 0040A40D
GetWindowRect.USER32(00000000), ref: 0040A414
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0040A42C
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0040A444

Part of subcall function 003825DB: GetWindowLongW.USER32(?,000000EB), ref: 003825EC

Strings

0, xrefs: 0040A26F
tooltips_class32, xrefs: 0040A346, 0040A3D4

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 656e7996e69fcb77df05d95310ede79c44f6f55a46d6ce07df12515fd9f32a61
Instruction ID: 5ad9ecdea264339cd2f9f9fb400c49544ec8e0efc62a195699db5a61bd496d7b
Opcode Fuzzy Hash: 656e7996e69fcb77df05d95310ede79c44f6f55a46d6ce07df12515fd9f32a61
Instruction Fuzzy Hash: 51717974140304AFDB21DF28C848F6677E6FB89304F44453EF985AB2A1CB75E916CB5A

Function 00404392 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00404424
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0040446F

Strings

GETTOTALCOUNT, xrefs: 00404456
CHECK, xrefs: 0040448F
COLLAPSE, xrefs: 004044B5
GETITEMCOUNT, xrefs: 00404551
EXPAND, xrefs: 00404521
ISCHECKED, xrefs: 004045F2
UNCHECK, xrefs: 0040464B
GETSELECTED, xrefs: 0040457F
SELECT, xrefs: 00404620
EXISTS, xrefs: 004044D8
GETTEXT, xrefs: 004045C2

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: b1b223b54a563d17cdcd2d5891424364633c5bb6654d1b0f6a1321d98b88c613
Instruction ID: 2f0e438d85cbcff67f60b60efe03927d089b21d3078bcd546bdcf275e568398a
Opcode Fuzzy Hash: b1b223b54a563d17cdcd2d5891424364633c5bb6654d1b0f6a1321d98b88c613
Instruction Fuzzy Hash: 3E9181712043019FCB05EF10C451A6EB7E1AF99354F0488AEF9966B3E2DB39ED0ACB45

Function 0040B7FE Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0040B8B4
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,004091C2), ref: 0040B910
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0040B949
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0040B98C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0040B9C3
FreeLibrary.KERNEL32(?), ref: 0040B9CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0040B9DF
DestroyCursor.USER32(?), ref: 0040B9EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0040BA0B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0040BA17

Part of subcall function 003A2EFD: __wcsicmp_l.LIBCMT ref: 003A2F86

Strings

.dll, xrefs: 0040B86D
.exe, xrefs: 0040B84A
.icl, xrefs: 0040B82A

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Load$Image$LibraryMessageSend$CursorDestroyExtractFreeIcon__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 3907162815-1154884017
Opcode ID: e401aed8f8da70942fc26ef265d15793ca1b101d40a1b823b2e6bc56157aac42
Instruction ID: 745322a8d1187938405154c6959af68d1ce3f8dfb335ebba7de071d1f6d29bab
Opcode Fuzzy Hash: e401aed8f8da70942fc26ef265d15793ca1b101d40a1b823b2e6bc56157aac42
Instruction Fuzzy Hash: 9B61D1B1500215BAEB15DF64CC41FBF77ACFB08710F104526F915EA1D1DB78A984DBA8

Function 003EA352 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00389837: __itow.LIBCMT ref: 00389862
Part of subcall function 00389837: __swprintf.LIBCMT ref: 003898AC

CharLowerBuffW.USER32(?,?), ref: 003EA3CB
GetDriveTypeW.KERNEL32 ref: 003EA418
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 003EA460
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 003EA497
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 003EA4C5

Part of subcall function 00387BCC: _memmove.LIBCMT ref: 00387C06

Strings

open, xrefs: 003EA3F2
close, xrefs: 003EA3D1
closed, xrefs: 003EA3DF, 003EA3E8
type cdaudio alias cd wait, xrefs: 003EA443
wait, xrefs: 003EA482
close cd wait, xrefs: 003EA4B0
set cd door , xrefs: 003EA466
open , xrefs: 003EA427

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 605ffac5df53e84d7738e42810cc52499c9eb6fa0e556ee1d4a92c186042e32c
Instruction ID: 46fe6096abf0464420978ff5ef331d0149caca0ca865bf9704520dfd1437cfbf
Opcode Fuzzy Hash: 605ffac5df53e84d7738e42810cc52499c9eb6fa0e556ee1d4a92c186042e32c
Instruction Fuzzy Hash: 57517F751047059FC702EF11C88196AB7F5EF98718F1489ADF89A9B2A1DB31EE09CF42

Function 003DF8AA Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,003BE029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 003DF8DF
LoadStringW.USER32(00000000,?,003BE029,00000001), ref: 003DF8E8

Part of subcall function 00387DE1: _memmove.LIBCMT ref: 00387E22

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,003BE029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 003DF90A
LoadStringW.USER32(00000000,?,003BE029,00000001), ref: 003DF90D
__swprintf.LIBCMT ref: 003DF95D
__swprintf.LIBCMT ref: 003DF96E
_wprintf.LIBCMT ref: 003DFA17
MessageBoxW.USER32(00000000,?,?,00011010), ref: 003DFA2E

Strings

Line %d (File "%s"):, xrefs: 003DF957
Line %d:, xrefs: 003DF968
Error: , xrefs: 003DF9E5
^ ERROR, xrefs: 003DF9C3
%s (%d) : ==> %s: %s %s, xrefs: 003DFA12

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: 1204c24456e2b6168cc08e9ddc368c760fe4183f6d7f38116ee44f27c8e4344a
Instruction ID: d507a09d4743e506efa2648bffd494d33ce9c177c628dafec764c980bb558a17
Opcode Fuzzy Hash: 1204c24456e2b6168cc08e9ddc368c760fe4183f6d7f38116ee44f27c8e4344a
Instruction Fuzzy Hash: F2415572804209AACF16FBE0DD86DEEB779AF14300F6000A5F505BA191DB359F49CB65

Function 0040BA33 Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00409207,?,?), ref: 0040BA56
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00409207,?,?,00000000,?), ref: 0040BA6D
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00409207,?,?,00000000,?), ref: 0040BA78
CloseHandle.KERNEL32(00000000,?,?,?,?,00409207,?,?,00000000,?), ref: 0040BA85
GlobalLock.KERNEL32(00000000), ref: 0040BA8E
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00409207,?,?,00000000,?), ref: 0040BA9D
GlobalUnlock.KERNEL32(00000000), ref: 0040BAA6
CloseHandle.KERNEL32(00000000,?,?,?,?,00409207,?,?,00000000,?), ref: 0040BAAD
CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0040BABE
OleLoadPicture.OLEAUT32(?,00000000,00000000,00412CAC,?), ref: 0040BAD7
GlobalFree.KERNEL32(00000000), ref: 0040BAE7
GetObjectW.GDI32(00000000,00000018,?), ref: 0040BB0B
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 0040BB36
DeleteObject.GDI32(00000000), ref: 0040BB5E
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0040BB74

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: c5ac02c18f8e4179b77f96ecc233772dce1c99d1266cfef4cead4988aa7a93a4
Instruction ID: b722ae09848384849e74c42f03f14b626d1925e5abb9a94d3ab6c74288d1782f
Opcode Fuzzy Hash: c5ac02c18f8e4179b77f96ecc233772dce1c99d1266cfef4cead4988aa7a93a4
Instruction Fuzzy Hash: 8E415775600208EFCB219F65DD88EABBBB8EB89711F104079F905E76A0D735AD05CB68

Function 00386A8C Relevance: 21.5, APIs: 4, Strings: 8, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 003A0957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00386B0C,?,00008000), ref: 003A0973

Part of subcall function 00384750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00384743,?,?,003837AE,?), ref: 00384770

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00386BAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00386CFA

Part of subcall function 0038586D: _wcscpy.LIBCMT ref: 003858A5

Part of subcall function 003A363D: _iswctype.LIBCMT ref: 003A3645

Strings

AU3!, xrefs: 00386B61
/v8, xrefs: 003BE4ED, 003BE511
EA06, xrefs: 003BE452
Error opening the file, xrefs: 003BE43D, 003BE4B8
>>>AUTOIT SCRIPT<<<, xrefs: 003BE496
Unterminated string, xrefs: 003BE7E4
Bad directive syntax error, xrefs: 003BE79D
#include depth exceeded. Make sure there are no recursive includes, xrefs: 003BE421

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$/v8$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1631817277
Opcode ID: d89b4160021f14393ac1a7abc57858a234d35a42966ce2451a4f99703f816f65
Instruction ID: bc40734006c3ba5cde6be37c232ad414eec79876cb4d3138542379c674e4d084
Opcode Fuzzy Hash: d89b4160021f14393ac1a7abc57858a234d35a42966ce2451a4f99703f816f65
Instruction Fuzzy Hash: 3002C2311083409FC726EF24C881AAFBBE5FF99314F10496DF59A9B6A1DB30D949CB52

Function 003ED899 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 003EDA10
_wcscat.LIBCMT ref: 003EDA28
_wcscat.LIBCMT ref: 003EDA3A
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 003EDA4F
SetCurrentDirectoryW.KERNEL32(?), ref: 003EDA63
GetFileAttributesW.KERNEL32(?), ref: 003EDA7B
SetFileAttributesW.KERNEL32(?,00000000), ref: 003EDA95
SetCurrentDirectoryW.KERNEL32(?), ref: 003EDAA7

Strings

*.*, xrefs: 003EDAE6

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 3fe52690a49a521a42f6060a9c7f8d9d2d21ba96e65b03e6627fbf1ea45c1aab
Instruction ID: 9e2704bfd7f2a6b5f8b298a2811e70f09a24772c991e573a16bca9c08e0467d6
Opcode Fuzzy Hash: 3fe52690a49a521a42f6060a9c7f8d9d2d21ba96e65b03e6627fbf1ea45c1aab
Instruction Fuzzy Hash: 1681B7715043919FCB25EF65C840AAEB7E8BF89314F194A2EF889DB292E730DD44CB51

Function 003F731A Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 003F738F
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 003F739B
CreateCompatibleDC.GDI32(?), ref: 003F73A7
SelectObject.GDI32(00000000,?), ref: 003F73B4
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 003F7408
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 003F7444
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 003F7468
SelectObject.GDI32(00000006,?), ref: 003F7470
DeleteObject.GDI32(?), ref: 003F7479
DeleteDC.GDI32(00000006), ref: 003F7480
ReleaseDC.USER32(00000000,?), ref: 003F748B

Strings

(, xrefs: 003F7410

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: c745fc984be4d17017167054e52a307d93df4b1b80a2e77ebe73ceeb2becfcf4
Instruction ID: 4cd17ef8593c3b32dac4743b00a7db8fa25f4d29d2c673e9363ab62be855657c
Opcode Fuzzy Hash: c745fc984be4d17017167054e52a307d93df4b1b80a2e77ebe73ceeb2becfcf4
Instruction Fuzzy Hash: D0515F75904309EFCB25CFA8CC85EAEBBB9EF48310F14842EF959A7611C771A945CB90

Function 00400E1A Relevance: 21.1, APIs: 1, Strings: 11, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,003FFDAD,?,?), ref: 00400E31

Strings

HKCR, xrefs: 00400ED9
HKLM, xrefs: 00400EAF
HKEY_USERS, xrefs: 00400F32
HKEY_CLASSES_ROOT, xrefs: 00400EC4
HKEY_CURRENT_USER, xrefs: 00400F10
@Z, xrefs: 00400E89
HKCC, xrefs: 00400EFF
HKCU, xrefs: 00400F21
HKEY_CURRENT_CONFIG, xrefs: 00400EEE
HKU, xrefs: 00400F43
HKEY_LOCAL_MACHINE, xrefs: 00400E9A

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: BuffCharUpper
String ID: @Z$HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-3306249502
Opcode ID: e0397b6bf830b7621f0d6b84578342201d9666a8fe51906c397e8f9bb1104627
Instruction ID: 2502118425c990c6ffa99f03c15c0c28e11c61dc61fd4c1a86ae2f10d9a82f58
Opcode Fuzzy Hash: e0397b6bf830b7621f0d6b84578342201d9666a8fe51906c397e8f9bb1104627
Instruction Fuzzy Hash: 2D418B3250435A8BCF25EF10D851AEF3360EF26300F184466FC552B2D2DBB89D1ADBA5

Function 003E2D36 Relevance: 19.7, APIs: 13, Instructions: 214windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003E2D50
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 003E2DDD
GetMenuItemCount.USER32(00445890), ref: 003E2E66
DeleteMenu.USER32(00445890,00000005,00000000,000000F5,?,?), ref: 003E2EF6
DeleteMenu.USER32(00445890,00000004,00000000), ref: 003E2EFE
DeleteMenu.USER32(00445890,00000006,00000000), ref: 003E2F06
DeleteMenu.USER32(00445890,00000003,00000000), ref: 003E2F0E
GetMenuItemCount.USER32(00445890), ref: 003E2F16
SetMenuItemInfoW.USER32(00445890,00000004,00000000,00000030), ref: 003E2F4C
GetCursorPos.USER32(?), ref: 003E2F56
SetForegroundWindow.USER32(00000000), ref: 003E2F5F
TrackPopupMenuEx.USER32(00445890,00000000,?,00000000,00000000,00000000), ref: 003E2F72
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 003E2F7E

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: 2bafeb474832fe0a900bf520ac256c595e363953418f65755c744124eb66b014
Instruction ID: 43429fba3c0f176d46a4edefc6d72b56d986062bd8260b8f5d9282ed83ad6546
Opcode Fuzzy Hash: 2bafeb474832fe0a900bf520ac256c595e363953418f65755c744124eb66b014
Instruction Fuzzy Hash: 2E71C2716402A5BEEB228F56DC45FABBF6CFB44324F140326F625AA1E1C7B15C20DB94

Function 003D77DC Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00387BCC: _memmove.LIBCMT ref: 00387C06

_memset.LIBCMT ref: 003D786B
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 003D78A0
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 003D78BC
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 003D78D8
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 003D7902
CLSIDFromString.COMBASE(?,?), ref: 003D792A
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 003D7935
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 003D793A

Strings

\IPC$, xrefs: 003D7882
SOFTWARE\Classes\, xrefs: 003D780C
\CLSID, xrefs: 003D7822

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: 5242fa6ad5b325af5f7a88998d222e1c8f14872466f4fdf9cc666258d7869aad
Instruction ID: 154a6d9c5a75510264038e2c596212f34d32770c9a6d7ea838a8665b50ecf754
Opcode Fuzzy Hash: 5242fa6ad5b325af5f7a88998d222e1c8f14872466f4fdf9cc666258d7869aad
Instruction Fuzzy Hash: 6D41FA72C14229ABCF22EFA4DC95DEDB779FF04350F54406AE915A7261EB309D09CB90

Function 003DF7A1 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,003BE2A0,00000010,?,Bad directive syntax error,0040F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 003DF7C2
LoadStringW.USER32(00000000,?,003BE2A0,00000010), ref: 003DF7C9

Part of subcall function 00387DE1: _memmove.LIBCMT ref: 00387E22

_wprintf.LIBCMT ref: 003DF7FC
__swprintf.LIBCMT ref: 003DF81E
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 003DF88D

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 003DF7F7
Line %d (File "%s"):, xrefs: 003DF833
Error: , xrefs: 003DF85B
Line %d:, xrefs: 003DF818
., xrefs: 003DF873

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: 214edb96ee1bbcfdfc66cca9a99ee109ed1fe881e597ac895af442ffc8f6873c
Instruction ID: ffff6c770a70edd112d0e27bc914697924fcf6890a3ab5ec840e1872a4e42cb1
Opcode Fuzzy Hash: 214edb96ee1bbcfdfc66cca9a99ee109ed1fe881e597ac895af442ffc8f6873c
Instruction Fuzzy Hash: 80217172900319EFCF12EF90CC4AEEEB739BF18304F1404AAF5056A1A1DA719618DB55

Function 003E52C7 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00387BCC: _memmove.LIBCMT ref: 00387C06

Part of subcall function 00387924: _memmove.LIBCMT ref: 003879AD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 003E5330
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 003E5346
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 003E5357
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 003E5369
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 003E537A

Strings

alias PlayMe, xrefs: 003E5309
play PlayMe wait, xrefs: 003E5364
play PlayMe, xrefs: 003E5375
status PlayMe mode, xrefs: 003E532B
close PlayMe, xrefs: 003E5341, 003E536E
open , xrefs: 003E52DF

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 9006426b899c8ffb664abee09c3e3cce108cfdcfaf24d16e57e90daa97c16045
Instruction ID: 5dfa4c401846e149c5ae98a194d7fbe6027f30ac4b64b10f03e33a557aa403a3
Opcode Fuzzy Hash: 9006426b899c8ffb664abee09c3e3cce108cfdcfaf24d16e57e90daa97c16045
Instruction Fuzzy Hash: 2511B221A5036979D721B672CC4AEFFBB7DEB95B44F20046AB411A60D1EEA04D04CAA4

Function 003E46B7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000101,?), ref: 003E46D2
gethostname.WS2_32(?,00000100), ref: 003E46EC
gethostbyname.WS2_32(?), ref: 003E46F9
_wcscpy.LIBCMT ref: 003E4721
_memmove.LIBCMT ref: 003E4734
inet_ntoa.WS2_32(?), ref: 003E473F
_strcat.LIBCMT ref: 003E474D
_wcscpy.LIBCMT ref: 003E4764
WSACleanup.WS2_32 ref: 003E4772
_wcscpy.LIBCMT ref: 003E4780

Strings

0.0.0.0, xrefs: 003E471B

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: ed489858cb10b585c20214e30683f2bd77c515422ca0b228f4b580d96dc60bcb
Instruction ID: a3ed1aff36913a2eb890a34fdb6f71629c57418293d36c274bb685417371c9b4
Opcode Fuzzy Hash: ed489858cb10b585c20214e30683f2bd77c515422ca0b228f4b580d96dc60bcb
Instruction Fuzzy Hash: 83113A325001246FCB26AB359C4AEDA77BCEF4A311F0042BAF455A60D1FF71CE858A95

Function 003E4F75 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 003E4F7A

Part of subcall function 003A049F: timeGetTime.WINMM(?,7694B400,00390E7B), ref: 003A04A3

Sleep.KERNEL32(0000000A), ref: 003E4FA6
EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 003E4FCA
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 003E4FEC
SetActiveWindow.USER32 ref: 003E500B
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 003E5019
SendMessageW.USER32(00000010,00000000,00000000), ref: 003E5038
Sleep.KERNEL32(000000FA), ref: 003E5043
IsWindow.USER32 ref: 003E504F
EndDialog.USER32(00000000), ref: 003E5060

Strings

BUTTON, xrefs: 003E4FDE

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 8cedd51d743533a888744aa460fbc5520bac33ebe73eb315ac56e8e8bac376a4
Instruction ID: cb86ea14a662ba54c0f4148174439b29f3373ea0a9927c60453f520c2bf6e4a6
Opcode Fuzzy Hash: 8cedd51d743533a888744aa460fbc5520bac33ebe73eb315ac56e8e8bac376a4
Instruction Fuzzy Hash: C221D178601744BFE7225F31FD88B663B69FB0A74AF051134F101929F1CBB18D058A6A

Function 003ED58D Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00389837: __itow.LIBCMT ref: 00389862
Part of subcall function 00389837: __swprintf.LIBCMT ref: 003898AC

CoInitialize.OLE32(00000000), ref: 003ED5EA
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 003ED67D
SHGetDesktopFolder.SHELL32(?), ref: 003ED691
CoCreateInstance.COMBASE(00412D7C,00000000,00000001,00438C1C,?), ref: 003ED6DD
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 003ED74C
CoTaskMemFree.COMBASE(?), ref: 003ED7A4
_memset.LIBCMT ref: 003ED7E1
SHBrowseForFolderW.SHELL32(?), ref: 003ED81D
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 003ED840
CoTaskMemFree.COMBASE(00000000), ref: 003ED847
CoTaskMemFree.COMBASE(00000000), ref: 003ED87E
CoUninitialize.COMBASE ref: 003ED880

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: e32ade85df9ab285f15840c1ea251cf685aad8d04f15a25b34413bcc11378f65
Instruction ID: 2a40dbfdb5049f0e27c980fb75a503d4e9b2d13c3047b7093f4ec0da3d70be34
Opcode Fuzzy Hash: e32ade85df9ab285f15840c1ea251cf685aad8d04f15a25b34413bcc11378f65
Instruction Fuzzy Hash: DEB11D75A00219AFDB15DFA5C884EAEBBB9FF48304F1485A9F809EB251DB30ED45CB50

Function 003DC267 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 003DC283
GetWindowRect.USER32(00000000,?), ref: 003DC295
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 003DC2F3
GetDlgItem.USER32(?,00000002), ref: 003DC2FE
GetWindowRect.USER32(00000000,?), ref: 003DC310
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 003DC364
GetDlgItem.USER32(?,000003E9), ref: 003DC372
GetWindowRect.USER32(00000000,?), ref: 003DC383
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 003DC3C6
GetDlgItem.USER32(?,000003EA), ref: 003DC3D4
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 003DC3F1
InvalidateRect.USER32(?,00000000,00000001), ref: 003DC3FE

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: a88e10099255978bd4f74f1c3ecf356712c91dcabb5067dc08492eb87376c543
Instruction ID: 6707b1f511419a6433dfe881503bd97b8a4ba2ad119c43ca9c6aa10e77f18739
Opcode Fuzzy Hash: a88e10099255978bd4f74f1c3ecf356712c91dcabb5067dc08492eb87376c543
Instruction Fuzzy Hash: A6515E71B10205ABDB18CFA9DD89AAEBBBAFB88310F14853DF515E7290DB709D05CB14

Function 003821A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 003825DB: GetWindowLongW.USER32(?,000000EB), ref: 003825EC

GetSysColor.USER32(0000000F), ref: 003821D3

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: fa592f1c8b34f72d9a8f2347a7d86f2f5508e91199be377a119fa8c38311f2f6
Instruction ID: d54a3061adf195e65c9c697ce4109baab7121732301a24618edd3b7fa3d3308c
Opcode Fuzzy Hash: fa592f1c8b34f72d9a8f2347a7d86f2f5508e91199be377a119fa8c38311f2f6
Instruction Fuzzy Hash: 9A41B331000244EFDB626F28EC88BBA7B65EB06331F1542B5FE659E5E2C7718C42DB55

Function 003EA8A7 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,0040F910), ref: 003EA90B
GetDriveTypeW.KERNEL32(00000061,004389A0,00000061), ref: 003EA9D5
_wcscpy.LIBCMT ref: 003EA9FF

Strings

all, xrefs: 003EA911
ramdisk, xrefs: 003EA97F
cdrom, xrefs: 003EA927
network, xrefs: 003EA969
unknown, xrefs: 003EA996
removable, xrefs: 003EA93D
fixed, xrefs: 003EA953

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 57f07297d1f40933f6d0fc0736a42613a1a2eafbbfb0ac67e1e640bece795505
Instruction ID: a054c724b5f92af44796825fc101b14b1af2689eddc312b5b7f9e77548340b75
Opcode Fuzzy Hash: 57f07297d1f40933f6d0fc0736a42613a1a2eafbbfb0ac67e1e640bece795505
Instruction Fuzzy Hash: 8751EC311083519BC306EF15C892AAFB7E9EF85304F15496EF4965B2E2DB31E908CB43

Function 00389837 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00389862
__swprintf.LIBCMT ref: 003898AC
__i64tow.LIBCMT ref: 003BF5E6

Strings

0x%p, xrefs: 003BF5C8
True, xrefs: 003BF5A7
False, xrefs: 003BF5AE
%.15g, xrefs: 003898A6

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 2ea231e31e6e8f5e606fd75a50d7bd194d53ce547b3420270e6446cb79e26edc
Instruction ID: bd367aee1ef2ffad8fcc0ba171317d8178dfa6ee6b6c063d11e1ca42b15665fa
Opcode Fuzzy Hash: 2ea231e31e6e8f5e606fd75a50d7bd194d53ce547b3420270e6446cb79e26edc
Instruction Fuzzy Hash: 2641C671500309AEDB26EF34DC46FB6B3E8EF46304F2444AFE549DB691EA3199418710

Function 00396192 Relevance: 17.6, APIs: 3, Strings: 7, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00396248
_memmove.LIBCMT ref: 003962E4
_memset.LIBCMT ref: 00396308

Strings

failed to get memory, xrefs: 00396326
argument not compiled in 16 bit mode, xrefs: 003D0D77
3c9, xrefs: 003962AF
argument is not a compiled regular expression, xrefs: 003D0D87
ERCP, xrefs: 003961B3
internal error: missing capturing bracket, xrefs: 003D0D7F
internal error: opcode not recognized, xrefs: 0039631B

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: _memset$_memmove
String ID: 3c9$ERCP$argument is not a compiled regular expression$argument not compiled in 16 bit mode$failed to get memory$internal error: missing capturing bracket$internal error: opcode not recognized
API String ID: 2532777613-668343290
Opcode ID: 672a718f374b180451a8fd425e35d7209b06ffc5d300e8561a428bcc15662c6d
Instruction ID: 9e3a9f85fed268a057e01ed1f20fdea604415e08635533a4453dde93f24c7851
Opcode Fuzzy Hash: 672a718f374b180451a8fd425e35d7209b06ffc5d300e8561a428bcc15662c6d
Instruction Fuzzy Hash: E551A371901705DBDB26CF55C9827AAB7F8EF48704F21896FE48ACB251E770EA44CB40

Function 00407152 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040716A
CreateMenu.USER32 ref: 00407185
SetMenu.USER32(?,00000000), ref: 00407194
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00407221
IsMenu.USER32(?), ref: 00407237
CreatePopupMenu.USER32 ref: 00407241
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0040726E
DrawMenuBar.USER32 ref: 00407276

Strings

F, xrefs: 00407262
0, xrefs: 00407160

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 1280de72293e8b4d11a70d3348aa3530030d960c6c8c2ac7239d60d3f23993b2
Instruction ID: 13f6e04c82c0f85e11254720e98fec8037918c7b96453b9376a4b127c1cb2ffb
Opcode Fuzzy Hash: 1280de72293e8b4d11a70d3348aa3530030d960c6c8c2ac7239d60d3f23993b2
Instruction Fuzzy Hash: 36416778A01209EFDB20DF64D984E9ABBB5FF49310F14007AFD05A73A2D735A914CB99

Function 004074BB Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0040755E
CreateCompatibleDC.GDI32(00000000), ref: 00407565
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00407578
SelectObject.GDI32(00000000,00000000), ref: 00407580
GetPixel.GDI32(00000000,00000000,00000000), ref: 0040758B
DeleteDC.GDI32(00000000), ref: 00407594
GetWindowLongW.USER32(?,000000EC), ref: 0040759E
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 004075B2
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 004075BE

Strings

static, xrefs: 004074F6

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 2b7086f92031452c684201b4ee0848d89ccd490d36c9a7f5bcca42aff74b6d63
Instruction ID: 56817b09cc0fc720bb75694f1da553440475fb6669c7c76dab89088547b018b1
Opcode Fuzzy Hash: 2b7086f92031452c684201b4ee0848d89ccd490d36c9a7f5bcca42aff74b6d63
Instruction Fuzzy Hash: 85317A72504214BBDF219F64DC08FDB3B69EF09324F100235FA15A61E0C735E815DBA9

Function 003A6E03 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003A6E3E

Part of subcall function 003A8B28: __getptd_noexit.LIBCMT ref: 003A8B28

__gmtime64_s.LIBCMT ref: 003A6ED7
__gmtime64_s.LIBCMT ref: 003A6F0D
__gmtime64_s.LIBCMT ref: 003A6F2A
__allrem.LIBCMT ref: 003A6F80
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003A6F9C
__allrem.LIBCMT ref: 003A6FB3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003A6FD1
__allrem.LIBCMT ref: 003A6FE8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003A7006
__invoke_watson.LIBCMT ref: 003A7077

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction ID: bec6673bc977f28868ad353e986e0d497e8a0c0b3f7e168ee694cafb91c74155
Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction Fuzzy Hash: 6D710A76A00716ABD716DF78DC82B9AB7A8EF06724F144229F514DB6C1E770DD0087D0

Function 003E2527 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003E2542
GetMenuItemInfoW.USER32(00445890,000000FF,00000000,00000030), ref: 003E25A3
SetMenuItemInfoW.USER32(00445890,00000004,00000000,00000030), ref: 003E25D9
Sleep.KERNEL32(000001F4), ref: 003E25EB
GetMenuItemCount.USER32(?), ref: 003E262F
GetMenuItemID.USER32(?,00000000), ref: 003E264B
GetMenuItemID.USER32(?,-00000001), ref: 003E2675
GetMenuItemID.USER32(?,?), ref: 003E26BA
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 003E2700
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 003E2714
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 003E2735

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 1fda9bc5b45167e20b9316e36c36402c25eebbac7c4a950fd7bb87fca48fca4f
Instruction ID: bfc725bc0ecd109639aff4c9ccad6553ebd0f54293773e4403831d919d931fd9
Opcode Fuzzy Hash: 1fda9bc5b45167e20b9316e36c36402c25eebbac7c4a950fd7bb87fca48fca4f
Instruction Fuzzy Hash: 5A617E70900299AFDF22CF65CD84DAFBBBCFB01304F150669E841A7292D771AD05DB21

Function 00406F23 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00406FA5
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00406FA8
GetWindowLongW.USER32(?,000000F0), ref: 00406FCC
_memset.LIBCMT ref: 00406FDD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00406FEF
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00407067

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: a11b2fe1dbc6fb31ca4dc907f578097541189207992b2a2cbaa15d35c2598024
Instruction ID: 050a35981f0b2058b627e32636508c5954701a0a915bd09f54211fdd2dd76c69
Opcode Fuzzy Hash: a11b2fe1dbc6fb31ca4dc907f578097541189207992b2a2cbaa15d35c2598024
Instruction Fuzzy Hash: 0B617B75900208AFDB11DFA4CC81EEE77B8EB09710F10016AFA15AB3E2C775AD51DB95

Function 003D6B98 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 003D6BBF
SafeArrayAllocData.OLEAUT32(?), ref: 003D6C18
VariantInit.OLEAUT32(?), ref: 003D6C2A
SafeArrayAccessData.OLEAUT32(?,?), ref: 003D6C4A
VariantCopy.OLEAUT32(?,?), ref: 003D6C9D
SafeArrayUnaccessData.OLEAUT32(?), ref: 003D6CB1
VariantClear.OLEAUT32(?), ref: 003D6CC6
SafeArrayDestroyData.OLEAUT32(?), ref: 003D6CD3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 003D6CDC
VariantClear.OLEAUT32(?), ref: 003D6CEE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 003D6CF9

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 0f09ed5aebb920de8ce97753a93cae8c0003af6fd268103f6691dd18c8d67689
Instruction ID: 3bb1ddf61bf356ad32174d742b135213a68fa1b5732e2f06874bc44b54ec7073
Opcode Fuzzy Hash: 0f09ed5aebb920de8ce97753a93cae8c0003af6fd268103f6691dd18c8d67689
Instruction Fuzzy Hash: 6F417371A002199FCF11DFA4D9859AEBBB9FF58354F00807AE955EB361CB30A949CF90

Function 003F9113 Relevance: 16.0, APIs: 5, Strings: 4, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003F9167
VariantInit.OLEAUT32(?), ref: 003F9238
VariantInit.OLEAUT32(?), ref: 003F9339
VariantClear.OLEAUT32(?), ref: 003F9343
VariantClear.OLEAUT32(?), ref: 003F93A0

Strings

get__NewEnum, xrefs: 003F913F
Null Object assignment in FOR..IN loop, xrefs: 003F91C8, 003F92F6, 003F93AE
_NewEnum, xrefs: 003F9121
Incorrect Object type in FOR..IN loop, xrefs: 003F931C

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop$_NewEnum$get__NewEnum
API String ID: 2862541840-1765764032
Opcode ID: 60de84283a1ec58a5fcf51be03ad6e38d34af01e72494d92eef59734bea03d04
Instruction ID: ca8d8178c750296211502a8fa9d5fb07290427127b39d66ebaf4e9b9d5185cfb
Opcode Fuzzy Hash: 60de84283a1ec58a5fcf51be03ad6e38d34af01e72494d92eef59734bea03d04
Instruction Fuzzy Hash: 55918D71A0021DABDF26DFA5C848FAEB7B8EF45710F10856BF615AB280D7709945CFA0

Function 003F5732 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000101,?), ref: 003F5793
inet_addr.WS2_32(?), ref: 003F57D8
gethostbyname.WS2_32(?), ref: 003F57E4
IcmpCreateFile.IPHLPAPI ref: 003F57F2
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 003F5862
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 003F5878
IcmpCloseHandle.IPHLPAPI(00000000), ref: 003F58ED
WSACleanup.WS2_32 ref: 003F58F3

Strings

Ping, xrefs: 003F5816

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 363500ea81804e8528adf4407d1e7db0eba9e12b1c10ce6224f54092490d2e9a
Instruction ID: ddbad5b312891f889b7487900c8518924c3cc67ac7cab7650e0c4ae17ecb5dc7
Opcode Fuzzy Hash: 363500ea81804e8528adf4407d1e7db0eba9e12b1c10ce6224f54092490d2e9a
Instruction Fuzzy Hash: 57518C31604704AFD722AF24DC45B2AB7E4AF49750F04496AFA56EB2A1DB70ED04DB42

Function 003EB4C3 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 003EB4D0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 003EB546
GetLastError.KERNEL32 ref: 003EB550
SetErrorMode.KERNEL32(00000000,READY), ref: 003EB5BD

Strings

UNKNOWN, xrefs: 003EB575
READY, xrefs: 003EB596
INVALID, xrefs: 003EB58F
NOTREADY, xrefs: 003EB57C
READONLY, xrefs: 003EB588

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: fc449506d076ceb7b0878ccd14391a4e2de51c8725368461da1f12637aeede53
Instruction ID: b0f401aa95d5c12e01720ea927a6c5ea86000a6d64e6b9b0170d132b330d3695
Opcode Fuzzy Hash: fc449506d076ceb7b0878ccd14391a4e2de51c8725368461da1f12637aeede53
Instruction Fuzzy Hash: E031A435A00259DFCB13EB69C845ABEF7B4EF4A310F144266F505AB2D1DB709A41CB40

Function 003D8F8F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00387DE1: _memmove.LIBCMT ref: 00387E22

Part of subcall function 003DAA99: GetClassNameW.USER32(?,?,000000FF), ref: 003DAABC

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 003D9014
GetDlgCtrlID.USER32 ref: 003D901F
GetParent.USER32 ref: 003D903B
SendMessageW.USER32(00000000,?,00000111,?), ref: 003D903E
GetDlgCtrlID.USER32(?), ref: 003D9047
GetParent.USER32(?), ref: 003D9063
SendMessageW.USER32(00000000,?,?,00000111), ref: 003D9066

Strings

ComboBox, xrefs: 003D8F9C
ListBox, xrefs: 003D8FD1

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 59662c051e94aee40aac1ae126f893b10240dabc1b8788d7381ac7e09aa21982
Instruction ID: e2521c4956f1a9e68452f407e71716be65ad50894f9060bc20df9ab22b328fbf
Opcode Fuzzy Hash: 59662c051e94aee40aac1ae126f893b10240dabc1b8788d7381ac7e09aa21982
Instruction Fuzzy Hash: 10212B75A00204BBDF16EBA0DC85EFEB775EF49310F500267F951972A1DB35981ADB20

Function 003D907A Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00387DE1: _memmove.LIBCMT ref: 00387E22

Part of subcall function 003DAA99: GetClassNameW.USER32(?,?,000000FF), ref: 003DAABC

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 003D90FD
GetDlgCtrlID.USER32 ref: 003D9108
GetParent.USER32 ref: 003D9124
SendMessageW.USER32(00000000,?,00000111,?), ref: 003D9127
GetDlgCtrlID.USER32(?), ref: 003D9130
GetParent.USER32(?), ref: 003D914C
SendMessageW.USER32(00000000,?,?,00000111), ref: 003D914F

Strings

ComboBox, xrefs: 003D9087
ListBox, xrefs: 003D90BC

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 7e7ccc8852c26432bbbd7dc251722a56b4e1513bc945c9380f007226a0e6198d
Instruction ID: eb1c074c7daaae430ec3261685563d2e44bed2492faa7eae1d67c42c4c4e9ad9
Opcode Fuzzy Hash: 7e7ccc8852c26432bbbd7dc251722a56b4e1513bc945c9380f007226a0e6198d
Instruction Fuzzy Hash: 3A21C475A00204BBDF12ABA0DC85FFEBB78EF48300F500167B951A73A1DB75841ADB20

Function 003D9163 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 003D916F
GetClassNameW.USER32(00000000,?,00000100), ref: 003D9184
_wcscmp.LIBCMT ref: 003D9196
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 003D9211

Strings

largeicons, xrefs: 003D91A5
details, xrefs: 003D91BF
smallicons, xrefs: 003D91D9
SHELLDLL_DefView, xrefs: 003D9190
list, xrefs: 003D91F3

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 1c9de4b29a6e76fc0c2be70447c71586b04f4f022195805fe340f14747a9fa96
Instruction ID: f3e2bb239844522766c7e8a0c9abe3809797ea8a02b7ecb4a0a650cda8983400
Opcode Fuzzy Hash: 1c9de4b29a6e76fc0c2be70447c71586b04f4f022195805fe340f14747a9fa96
Instruction Fuzzy Hash: 88110AB724830BB9FA232628FC06FA7379CDF16760F310527F900F55D1EE61A8555A58

Function 003F88AB Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 003F88D7
CoInitialize.OLE32(00000000), ref: 003F8904
CoUninitialize.COMBASE ref: 003F890E
GetRunningObjectTable.OLE32(00000000,?), ref: 003F8A0E
SetErrorMode.KERNEL32(00000001,00000029), ref: 003F8B3B
CoGetInstanceFromFile.COMBASE(00000000,?,00000000,00000015,00000002,?,00000001,00412C0C), ref: 003F8B6F
CoGetObject.OLE32(?,00000000,00412C0C,?), ref: 003F8B92
SetErrorMode.KERNEL32(00000000), ref: 003F8BA5
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 003F8C25
VariantClear.OLEAUT32(?), ref: 003F8C35

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 5846a88e895dd764c63f03ed33c4a46aa1be5a60b81c0e774cf3b1fe4a9f781a
Instruction ID: 784aaf4d79fed64ffcbd39168489a3e5e8ae445739313d2f7241c40ee18a6d97
Opcode Fuzzy Hash: 5846a88e895dd764c63f03ed33c4a46aa1be5a60b81c0e774cf3b1fe4a9f781a
Instruction Fuzzy Hash: 34C127B16083099FC705EF64C88496BB7E9FF89348F00496DF98A9B261DB71ED05CB52

Function 003E7990 Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 003E7A6C

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: d581067c8974573b0c1c6ae13ef3d9eee21dd593941a912a36d42fe842dee616
Instruction ID: b0ceed100faa1d8cb91bb4be04b6a65b52a7abcdae68dc714e86bb2650aa55d9
Opcode Fuzzy Hash: d581067c8974573b0c1c6ae13ef3d9eee21dd593941a912a36d42fe842dee616
Instruction Fuzzy Hash: 9BB1A37190426A9FDB12DFA5C884BBEB7F8FF09321F254565EA01EB281D734E941CB90

Function 0038FA5D Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0038FAA6
OleUninitialize.OLE32(?,00000000), ref: 0038FB45
UnregisterHotKey.USER32(?), ref: 0038FC9C
DestroyWindow.USER32(?), ref: 003C45D6
FreeLibrary.KERNEL32(?), ref: 003C463B
VirtualFree.KERNEL32(?,00000000,00008000), ref: 003C4668

Strings

close all, xrefs: 0038FAA1

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 52586221d08445643d0d59c21b2523307db7fa790a2956401a59bdeabfe9760c
Instruction ID: a9b60ce58938cd930812c5cdb329e8ad88dd3c62e63aef0d0b51b18e99b59eef
Opcode Fuzzy Hash: 52586221d08445643d0d59c21b2523307db7fa790a2956401a59bdeabfe9760c
Instruction Fuzzy Hash: DBA15A35701212CFCB2AEF14C9A5F69F7A4AF05710F5542ADE80AAB261DB30ED26CF50

Function 003DA068 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,003DA439), ref: 003DA377

Strings

INSTANCE, xrefs: 003DA285
CLASS, xrefs: 003DA0F6
TEXT, xrefs: 003DA2AE
CLASSNN, xrefs: 003DA119
REGEXPCLASS, xrefs: 003DA13C
NAME, xrefs: 003DA1A9

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: ed856a5dfce261995269adc6142e7db95e72b077d0760c221bb978b381b42b28
Instruction ID: bc92167a5f3412f0b7cf52e491d0b7f0b45a5dda2865e3df06bcb0d4d34db3dd
Opcode Fuzzy Hash: ed856a5dfce261995269adc6142e7db95e72b077d0760c221bb978b381b42b28
Instruction Fuzzy Hash: D4910972A00A05ABCB0ADFA0D541BEDFBB5FF05300F55851BE449A7341DF31AA99CB91

Function 00382E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00382EAE

Part of subcall function 00381DB3: GetClientRect.USER32(?,?), ref: 00381DDC
Part of subcall function 00381DB3: GetWindowRect.USER32(?,?), ref: 00381E1D
Part of subcall function 00381DB3: ScreenToClient.USER32(?,?), ref: 00381E45

GetDC.USER32 ref: 003BCD32
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 003BCD45
SelectObject.GDI32(00000000,00000000), ref: 003BCD53
SelectObject.GDI32(00000000,00000000), ref: 003BCD68
ReleaseDC.USER32(?,00000000), ref: 003BCD70
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 003BCDFB

Strings

U, xrefs: 003BCCD0

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 4d62a5b0723103345533a2131067bc391b7e88c236218966f1369bb7fc747cb3
Instruction ID: 7da62b46fac0970e57796a13481b39cf0bd7f493a394caaa8a5cc35c8ef99047
Opcode Fuzzy Hash: 4d62a5b0723103345533a2131067bc391b7e88c236218966f1369bb7fc747cb3
Instruction Fuzzy Hash: C471F335500209DFCF329F64C880AEA7FB5FF48328F1552BAEE555A6A6C7319C41DB60

Function 00406D80 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00406E24
SendMessageW.USER32(?,00001036,00000000,?), ref: 00406E38
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00406E52
_wcscat.LIBCMT ref: 00406EAD
SendMessageW.USER32(?,00001057,00000000,?), ref: 00406EC4
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00406EF2

Strings

-----, xrefs: 00406EA5
SysListView32, xrefs: 00406DF6

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: -----$SysListView32
API String ID: 307300125-3975388722
Opcode ID: 864fd7674caa6a6fefdf9b16a7dc5b8b887369a9e1cb9ab02ac1d3e268616c19
Instruction ID: 9523904b21700701aba00c83507f4ca392b685229fb742508248bf4931bc75b2
Opcode Fuzzy Hash: 864fd7674caa6a6fefdf9b16a7dc5b8b887369a9e1cb9ab02ac1d3e268616c19
Instruction Fuzzy Hash: 2B41C070A00309ABEB219F64CC85BEB77E8EF08354F11043AF985A72D1D6769D958B68

Function 003F1A15 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 003F1A50
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 003F1A7C
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 003F1ABE
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 003F1AD3
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 003F1AE0
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 003F1B10
InternetCloseHandle.WININET(00000000), ref: 003F1B57

Part of subcall function 003F2483: GetLastError.KERNEL32(?,?,003F1817,00000000,00000000,00000001), ref: 003F2498
Part of subcall function 003F2483: SetEvent.KERNEL32(?,?,003F1817,00000000,00000000,00000001), ref: 003F24AD

Strings

, xrefs: 003F1B01

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: 037584d92f77263ecab322e46412f859a5c69cb9a2535c2f959966d255b14033
Instruction ID: 35e3c7a23542f130fcd3495a639ee34bb0aeb55bffa9fcd711b9eddd41e18569
Opcode Fuzzy Hash: 037584d92f77263ecab322e46412f859a5c69cb9a2535c2f959966d255b14033
Instruction Fuzzy Hash: 21417DB1501218FFEB128F50DC89FFB7BACEF08354F00412AFA05AA141E7B59E449BA5

Function 003F8C46 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,0040F910), ref: 003F8D28
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0040F910), ref: 003F8D5C
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 003F8ED6
SysFreeString.OLEAUT32(?), ref: 003F8F00

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 4038c89817c00c16e945287ca7550d77a3277846f51f365f0b5376fa097b6897
Instruction ID: 569a6c92652f2a42e7dad286bdb7d5673e8372ef69f8bbe88cc76adc99bf62ce
Opcode Fuzzy Hash: 4038c89817c00c16e945287ca7550d77a3277846f51f365f0b5376fa097b6897
Instruction Fuzzy Hash: 8BF13871A00209EFCB19DF94C884EBEB7B9FF49314F1184A9FA15AB251DB31AE45CB50

Function 003FF694 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003FF6B5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 003FF848
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 003FF86C
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 003FF8AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 003FF8CE
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 003FFA4A
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 003FFA7C
CloseHandle.KERNEL32(?), ref: 003FFAAB
CloseHandle.KERNEL32(?), ref: 003FFB22

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: ebe98e73087d15eaee487cf57b493f932e2c9f7445ca5294388fc3d482fba827
Instruction ID: 67059bf7b80cac26bff9a50a794dc4ab041bfc4f70aa93037e2e5ec932132092
Opcode Fuzzy Hash: ebe98e73087d15eaee487cf57b493f932e2c9f7445ca5294388fc3d482fba827
Instruction Fuzzy Hash: C4E1A0312043059FCB16EF24C881B6ABBE1EF89354F18856DF9999F2A1CB70EC45CB52

Function 0038201B Relevance: 13.7, APIs: 9, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00381B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00382036,?,00000000,?,?,?,?,003816CB,00000000,?), ref: 00381B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 003820D3
KillTimer.USER32(-00000001,?,?,?,?,003816CB,00000000,?,?,00381AE2,?,?), ref: 0038216E
DestroyAcceleratorTable.USER32(00000000), ref: 003BBCA6
DeleteObject.GDI32(00000000), ref: 003BBD1C

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Destroy$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 2402799130-0
Opcode ID: 56f36aed73f2006634e24cb8a5bcc4b53dd48153ebc942675dc75b6e1726d175
Instruction ID: d6edfdae4b61abfd6c26bc897bd504e7cc0de298bdfa183cccbaf68c8870b33e
Opcode Fuzzy Hash: 56f36aed73f2006634e24cb8a5bcc4b53dd48153ebc942675dc75b6e1726d175
Instruction Fuzzy Hash: 2C61B934100B00DFDB36BF14D948B2AB7F1FB41306F61847DE5829A961CBB4A895DB94

Function 003E4CC1 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 003E466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,003E3697,?), ref: 003E468B

Part of subcall function 003E466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,003E3697,?), ref: 003E46A4

Part of subcall function 003E4A31: GetFileAttributesW.KERNEL32(?,003E370B), ref: 003E4A32

lstrcmpiW.KERNEL32(?,?), ref: 003E4D40
_wcscmp.LIBCMT ref: 003E4D5A
MoveFileW.KERNEL32(?,?), ref: 003E4D75

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 7adc976a19decf5172edb38034186ffb72bd1fe2e31c0218a65cc0f89e2110a5
Instruction ID: 85e4e68c3136d280ade740d53a1fbd4b9234503e9ec7c90f265b7b51d1c9e134
Opcode Fuzzy Hash: 7adc976a19decf5172edb38034186ffb72bd1fe2e31c0218a65cc0f89e2110a5
Instruction Fuzzy Hash: E45164B20083959BC726EB65DC819DF73ECAF89310F100A2EF585D7192EF30A588C766

Function 00408645 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 004086FF

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: f36e2b18174ddff988d22c0fa3ab2df56585a50cdb1b5cec96f03fb41f4b9334
Instruction ID: ea4fdc8658c4d5ce81617a6b00991d1cb67b5b85be61a5fb46834030ed136d0f
Opcode Fuzzy Hash: f36e2b18174ddff988d22c0fa3ab2df56585a50cdb1b5cec96f03fb41f4b9334
Instruction Fuzzy Hash: A6518431500244BFDB20AB24CE85F5A7B64BB05724F60453BF990F72E1CF7AA950CB59

Function 00382B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 003BC2F7
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 003BC319
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 003BC331
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 003BC34F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 003BC370
DestroyCursor.USER32(00000000), ref: 003BC37F
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 003BC39C
DestroyCursor.USER32(?), ref: 003BC3AB

Part of subcall function 0040A4AF: DeleteObject.GDI32(00000000), ref: 0040A4E8

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: CursorDestroyExtractIconImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2975913752-0
Opcode ID: b226745f395366e2360dc8505411b9c1af18c5f40318d3603f15528fcd13f370
Instruction ID: ebcbf79ca31442ae7358c8e4f5523b07078f98bfd43d07ac83ffcc4f016ab528
Opcode Fuzzy Hash: b226745f395366e2360dc8505411b9c1af18c5f40318d3603f15528fcd13f370
Instruction Fuzzy Hash: 3D517A74A10309AFDB22EF64CC45BAB3BF9EB18310F104568F906ABA90DB70EC50DB50

Function 003D966E Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 003DA82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 003DA84C
Part of subcall function 003DA82C: GetCurrentThreadId.KERNEL32 ref: 003DA853
Part of subcall function 003DA82C: AttachThreadInput.USER32(00000000,?,003D9683,?,00000001), ref: 003DA85A

MapVirtualKeyW.USER32(00000025,00000000), ref: 003D968E
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 003D96AB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 003D96AE
MapVirtualKeyW.USER32(00000025,00000000), ref: 003D96B7
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 003D96D5
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 003D96D8
MapVirtualKeyW.USER32(00000025,00000000), ref: 003D96E1
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 003D96F8
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 003D96FB

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: d0d7494178d25a706f156e66bc273e1499f13137a0ce2418368a18de09da7ac7
Instruction ID: 3177b4e11ba8f04a7b2eb4bc0a347b00bdc4a4ad54a3c8bc3590856fbc6b192e
Opcode Fuzzy Hash: d0d7494178d25a706f156e66bc273e1499f13137a0ce2418368a18de09da7ac7
Instruction Fuzzy Hash: AB11C271910618BEF6206B60DC49F6A3E2DDB4C760F100436F644AB5A0C9F35C119AA8

Function 003D8921 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,003D853C,00000B00,?,?), ref: 003D892A
RtlAllocateHeap.NTDLL(00000000,?,003D853C), ref: 003D8931
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,003D853C,00000B00,?,?), ref: 003D8946
GetCurrentProcess.KERNEL32(?,00000000,?,003D853C,00000B00,?,?), ref: 003D894E
DuplicateHandle.KERNEL32(00000000,?,003D853C,00000B00,?,?), ref: 003D8951
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,003D853C,00000B00,?,?), ref: 003D8961
GetCurrentProcess.KERNEL32(003D853C,00000000,?,003D853C,00000B00,?,?), ref: 003D8969
DuplicateHandle.KERNEL32(00000000,?,003D853C,00000B00,?,?), ref: 003D896C
CreateThread.KERNEL32(00000000,00000000,003D8992,00000000,00000000,00000000), ref: 003D8986

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocateCreateThread
String ID:
API String ID: 1422014791-0
Opcode ID: 0991859657c77eda664057708c7175782fb0e5747b01a2774c4f8aa1cd77a35c
Instruction ID: ed723bed1af201319b20a66a0e16dd909d1b857fd4762ede210c98fd6e71b43b
Opcode Fuzzy Hash: 0991859657c77eda664057708c7175782fb0e5747b01a2774c4f8aa1cd77a35c
Instruction Fuzzy Hash: 8B01ACB5240304FFE620ABB5DD49F673B6CEB89711F404431FA05DB591CA719C048A24

Function 003F9B23 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 003F9B7B
NULL Pointer assignment, xrefs: 003F9BA4, 003F9EC8

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 502c0e7d90a42801815d00c7f2f659fe5e621e09c741c26747fb6595d13198db
Instruction ID: af044dc99d0e084e4db8d2fcfcaa6cc64355318ce896aac67c8b19aa807d6195
Opcode Fuzzy Hash: 502c0e7d90a42801815d00c7f2f659fe5e621e09c741c26747fb6595d13198db
Instruction Fuzzy Hash: EAC1B271A0021D9FDF11DF98D984BBEB7F9FB58314F15846AEA05AB280E770AD44CB90

Function 003F975D Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 003D710A: CLSIDFromProgID.COMBASE ref: 003D7127
Part of subcall function 003D710A: ProgIDFromCLSID.COMBASE(?,00000000), ref: 003D7142
Part of subcall function 003D710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,003D7044,80070057,?,?), ref: 003D7150
Part of subcall function 003D710A: CoTaskMemFree.COMBASE(00000000), ref: 003D7160

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 003F9806
_memset.LIBCMT ref: 003F9813
_memset.LIBCMT ref: 003F9956
CoCreateInstanceEx.COMBASE(?,00000000,00000015,?,00000001,00000000), ref: 003F9982
CoTaskMemFree.COMBASE(?), ref: 003F998D

Strings

NULL Pointer assignment, xrefs: 003F99DB

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: f3ebb4106aa6a340c46d4bc8b418b2716e79a890dff02eb490f420eeee9da964
Instruction ID: b009f33978f1b155d13ca93c6e9ac04ba4bcb299d338e80ed59dafb74fb97bb8
Opcode Fuzzy Hash: f3ebb4106aa6a340c46d4bc8b418b2716e79a890dff02eb490f420eeee9da964
Instruction Fuzzy Hash: 99910971D0021DEBDB11EF95DC45FEEBBB9AF04310F20416AE519AB291DB719A44CFA0

Function 003E2A96 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0039FC86: _wcscpy.LIBCMT ref: 0039FCA9

_memset.LIBCMT ref: 003E2B87
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 003E2BB6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 003E2C69
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 003E2C97

Strings

0, xrefs: 003E2B73
0&, xrefs: 003E2B16
0&, xrefs: 003E2B0F

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0$0&$0&
API String ID: 4152858687-513684079
Opcode ID: b6e73583f3191cd9029ab54236092e66f9f203417aafd3eafaab9ef31a9bbe98
Instruction ID: 5e53f103612bcf939c62a1e7468a97f656c1340dbe9d271159fc1cb1c9187f97
Opcode Fuzzy Hash: b6e73583f3191cd9029ab54236092e66f9f203417aafd3eafaab9ef31a9bbe98
Instruction Fuzzy Hash: 6E51CC711083A19BDB26AF2AC845A6FB7ECEF49310F250B29F895D61D1DB70CC04C752

Function 003FE933 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 003E3C55: CreateToolhelp32Snapshot.KERNEL32 ref: 003E3C7A
Part of subcall function 003E3C55: Process32FirstW.KERNEL32(00000000,?), ref: 003E3C88
Part of subcall function 003E3C55: CloseHandle.KERNEL32(00000000), ref: 003E3D52

OpenProcess.KERNEL32(00000001,00000000,?), ref: 003FE9A4
GetLastError.KERNEL32 ref: 003FE9B7
OpenProcess.KERNEL32(00000001,00000000,?), ref: 003FE9E6
TerminateProcess.KERNEL32(00000000,00000000), ref: 003FEA63
GetLastError.KERNEL32(00000000), ref: 003FEA6E
CloseHandle.KERNEL32(00000000), ref: 003FEAA3

Strings

SeDebugPrivilege, xrefs: 003FE9C2

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 2f92b4ccd3eb3e699baa320788d5612624ee03479c61cc2215841d729b66a43c
Instruction ID: bd5d953f56b2b782027500a94932b7758fd097ea5d8ea4b20be4507381b64db2
Opcode Fuzzy Hash: 2f92b4ccd3eb3e699baa320788d5612624ee03479c61cc2215841d729b66a43c
Instruction Fuzzy Hash: 7441AA312002059FDB26EF14DC96F7EB7A5AF44314F188469FA029F3D2CBB4A908CB95

Function 003E2F94 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 003E3033

Strings

warning, xrefs: 003E301C
info, xrefs: 003E2FD4
question, xrefs: 003E2FEC
stop, xrefs: 003E3004
blank, xrefs: 003E2FB5

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: e504fc6deda719e4574d67fa6da230802ef0697fb5303e2d8243888320613bf9
Instruction ID: 2db68f959178bdd106b6abd07de83b0a90f7450d6297cb8ae4615f9a1566f810
Opcode Fuzzy Hash: e504fc6deda719e4574d67fa6da230802ef0697fb5303e2d8243888320613bf9
Instruction Fuzzy Hash: 54115B313483D6BEEB279A19DC46D6B779CDF19360F20012AF901A75C1DB74AF4046A5

Function 003E42F8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 003E4312
LoadStringW.USER32(00000000), ref: 003E4319
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 003E432F
LoadStringW.USER32(00000000), ref: 003E4336
_wprintf.LIBCMT ref: 003E435C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 003E437A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 003E4357

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: fd19bbdf5c47c8662261ba3b464ea353f003ee0468074594082b8dd3b55dc4ca
Instruction ID: aec5ff914390e9430cca0cc2f9ca1f01e056848e45f91beaf687ca86b188360b
Opcode Fuzzy Hash: fd19bbdf5c47c8662261ba3b464ea353f003ee0468074594082b8dd3b55dc4ca
Instruction Fuzzy Hash: F30162F6900218BFE761D7A0DE89EE7776CEB08300F0005B6BB45F6451EA755E894B78

Function 00382A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,003BC1C7,00000004,00000000,00000000,00000000), ref: 00382ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,003BC1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00382B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,003BC1C7,00000004,00000000,00000000,00000000), ref: 003BC21A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,003BC1C7,00000004,00000000,00000000,00000000), ref: 003BC286

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 9dc7f92e90de7ae6d0492c136839d278ebea5d635109f368407ee941dafab69e
Instruction ID: aec4b8b028d909d973afbd68d0ec9f522f1776eff6a4726c44749d8ce3cfd69a
Opcode Fuzzy Hash: 9dc7f92e90de7ae6d0492c136839d278ebea5d635109f368407ee941dafab69e
Instruction Fuzzy Hash: F6412934614780ABCF3FBB28CC88B6B7B95AF85304F1588BDE14796D61CE399845D711

Function 003E70C6 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 003E70DD

Part of subcall function 003A0DB6: std::exception::exception.LIBCMT ref: 003A0DEC
Part of subcall function 003A0DB6: __CxxThrowException@8.LIBCMT ref: 003A0E01

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 003E7114
RtlEnterCriticalSection.NTDLL(?), ref: 003E7130
_memmove.LIBCMT ref: 003E717E
_memmove.LIBCMT ref: 003E719B
RtlLeaveCriticalSection.NTDLL(?), ref: 003E71AA
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 003E71BF
InterlockedExchange.KERNEL32(?,000001F6), ref: 003E71DE

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 0d56a19fd4c511b747fad98b4ba4d0ccd653dbabab9844c0cb5b34c5ee7506eb
Instruction ID: febce4183435c01eab5daf4bdbc859511dd3173349d22b952712459bd2a7e45a
Opcode Fuzzy Hash: 0d56a19fd4c511b747fad98b4ba4d0ccd653dbabab9844c0cb5b34c5ee7506eb
Instruction Fuzzy Hash: 35319E32900205EBCF15EFA5DD85EAEB7B8EF45310F1441B9E904AF246DB709E14DBA4

Function 004061D3 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 004061EB
GetDC.USER32(00000000), ref: 004061F3
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004061FE
ReleaseDC.USER32(00000000,00000000), ref: 0040620A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00406246
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00406257
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0040902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00406291
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 004062B1

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: a4505ac602edde5fc76b3a990f4561b40ff1eb33c334a7a73392ca156f38a7ed
Instruction ID: 54ac94904f1238562e86d18474321298d5b8873a6aa48a7540762be067143e30
Opcode Fuzzy Hash: a4505ac602edde5fc76b3a990f4561b40ff1eb33c334a7a73392ca156f38a7ed
Instruction Fuzzy Hash: D0318F72101210BFEB218F50CC4AFEB3BA9EF49755F044075FE08AA291C6759C52CB78

Function 00381424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 928742acbd60a022f0347f64102e0c97353bbd4bae86397b463dba034b6c50ba
Instruction ID: f76853093799d1081e4ae6980334cd6cd493d63e945da3401037480812e7aa56
Opcode Fuzzy Hash: 928742acbd60a022f0347f64102e0c97353bbd4bae86397b463dba034b6c50ba
Instruction Fuzzy Hash: 33718F30900209EFCB16DF99CC49ABEBB79FF85314F218199F915AB251C770AA52CB64

Function 0040B351 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00E026F8), ref: 0040B3EB
IsWindowEnabled.USER32(00E026F8), ref: 0040B3F7
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0040B4DB
SendMessageW.USER32(00E026F8,000000B0,?,?), ref: 0040B512
IsDlgButtonChecked.USER32(?,?), ref: 0040B54F
GetWindowLongW.USER32(00E026F8,000000EC), ref: 0040B571
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0040B589

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 68e461ecf7f555d4ace1a6fd6939247605a40d8b520b9fcb05f6b1dd02810e10
Instruction ID: 062a64746d5ab56cac9a5e636ae479c4f1e012ce16b0b73a64af613ff8d9a568
Opcode Fuzzy Hash: 68e461ecf7f555d4ace1a6fd6939247605a40d8b520b9fcb05f6b1dd02810e10
Instruction Fuzzy Hash: 67718F34600204AFDB219F54CC94FABB7A9EF09300F14447AEA45B73E2C739AA51CB9C

Function 003FF41E Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003FF448
_memset.LIBCMT ref: 003FF511
ShellExecuteExW.SHELL32(?), ref: 003FF556

Part of subcall function 00389837: __itow.LIBCMT ref: 00389862
Part of subcall function 00389837: __swprintf.LIBCMT ref: 003898AC

Part of subcall function 0039FC86: _wcscpy.LIBCMT ref: 0039FCA9

GetProcessId.KERNEL32(00000000), ref: 003FF5CD
CloseHandle.KERNEL32(00000000), ref: 003FF5FC

Strings

@, xrefs: 003FF525

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 5fd0710a74d7040c5182f4634f9c04f332b01bf92db10069fcf9e42b39f10508
Instruction ID: a70715e87ecc6483ab006bb5ca29c2139249ca74e7c7ffdf884f3616398ad48a
Opcode Fuzzy Hash: 5fd0710a74d7040c5182f4634f9c04f332b01bf92db10069fcf9e42b39f10508
Instruction Fuzzy Hash: 5E61AE75A006199FCF16EF64C481AAEBBF5FF49314F1480A9E81AAB751CB30AD41CB90

Function 003E0F4D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 003E0F8C
GetKeyboardState.USER32(?), ref: 003E0FA1
SetKeyboardState.USER32(?), ref: 003E1002
PostMessageW.USER32(?,00000101,00000010,?), ref: 003E1030
PostMessageW.USER32(?,00000101,00000011,?), ref: 003E104F
PostMessageW.USER32(?,00000101,00000012,?), ref: 003E1095
PostMessageW.USER32(?,00000101,0000005B,?), ref: 003E10B8

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: d7077a780c984454d896071c6442635e6052e33f22121a49435da62379c1238a
Instruction ID: 1d2c4aaea2859cd78bae76c61ac3ae019dafbf2979e5c39f490f7bace9dc1aec
Opcode Fuzzy Hash: d7077a780c984454d896071c6442635e6052e33f22121a49435da62379c1238a
Instruction Fuzzy Hash: 5951F0B06046E53DFB3742358C15BBABEA95B06304F098A89E1D49A8C2C2F9ACD9D751

Function 003E0D66 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 003E0DA5
GetKeyboardState.USER32(?), ref: 003E0DBA
SetKeyboardState.USER32(?), ref: 003E0E1B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 003E0E47
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 003E0E64
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 003E0EA8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 003E0EC9

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 49a6aa2f20c6c1d1e82215679ea1ad61c99a82dcbea5570b50db7bd2436d648e
Instruction ID: 3db6349eafa762f278bea5b1d6eea2dc0c2d5e79b6911e56fd8635aeecf0d397
Opcode Fuzzy Hash: 49a6aa2f20c6c1d1e82215679ea1ad61c99a82dcbea5570b50db7bd2436d648e
Instruction Fuzzy Hash: A85108A05047E53DFB3B83758C45B7A7FA95B46300F088A99E1D45A8C2C3E5ACD9D750

Function 003E55FD Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 003E560A
_wcsncpy.LIBCMT ref: 003E563F
_wcsncpy.LIBCMT ref: 003E5671
_wcsncpy.LIBCMT ref: 003E56A4
_wcsncpy.LIBCMT ref: 003E56E6
_wcsncpy.LIBCMT ref: 003E5720
_wcsncpy.LIBCMT ref: 003E574F

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 4daec4ad0e381b865e2bf77af37dd1fe5e86ee6f6f6a9dc8839d9623d6b263c5
Instruction ID: 7c1b62b9dc0b3b5ddb7cd77d08a8fd3c11b62745a831efa0655798bf35119e20
Opcode Fuzzy Hash: 4daec4ad0e381b865e2bf77af37dd1fe5e86ee6f6f6a9dc8839d9623d6b263c5
Instruction Fuzzy Hash: C141A465C1065876CB13EBF88C46ACFB3B8DF06310F508966F508E7261EB34E255C7AA

Function 00382344 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00382357
ScreenToClient.USER32(004457B0,?), ref: 00382374
GetAsyncKeyState.USER32(00000001), ref: 00382399
GetAsyncKeyState.USER32(00000002), ref: 003823A7

Strings

SER_APP_PROFILE_STRING=Internet Explorer, xrefs: 003BBFF9

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID: SER_APP_PROFILE_STRING=Internet Explorer
API String ID: 4210589936-3236170427
Opcode ID: 6de61e0ed36097e3b026c7ea8dfc9310a44abacefecafec3161a1d1eb7812dc3
Instruction ID: ecd62e04a631d9ebb783f2c80ebab6f8ed9ecc0e8ca9d05eb0772441b5254cc7
Opcode Fuzzy Hash: 6de61e0ed36097e3b026c7ea8dfc9310a44abacefecafec3161a1d1eb7812dc3
Instruction Fuzzy Hash: 7541A539604209FBCF26AF68CC44AEABB74FB05364F21436AF825A6590C7749D54DF90

Function 003E3671 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 003E466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,003E3697,?), ref: 003E468B

Part of subcall function 003E466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,003E3697,?), ref: 003E46A4

lstrcmpiW.KERNEL32(?,?), ref: 003E36B7
_wcscmp.LIBCMT ref: 003E36D3
MoveFileW.KERNEL32(?,?), ref: 003E36EB
_wcscat.LIBCMT ref: 003E3733
SHFileOperationW.SHELL32(?), ref: 003E379F

Strings

\*.*, xrefs: 003E372D

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: e80e1e7efe1a63d469680c44f1f519010a39e911558392496860354b8a49e821
Instruction ID: 6bbf018366e9923107995649455e091f8e6d53f66430552685d883d8304d1151
Opcode Fuzzy Hash: e80e1e7efe1a63d469680c44f1f519010a39e911558392496860354b8a49e821
Instruction Fuzzy Hash: DD41AF71108394AAC752EF65C4859DFB7E8EF89380F000A7EB489D7291EA34D289C756

Function 00407291 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004072AA
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00407351
IsMenu.USER32(?), ref: 00407369
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004073B1
DrawMenuBar.USER32 ref: 004073C4

Strings

0, xrefs: 0040729E

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 8c5a1b6a9248855a80ec220f0d5765bbc70aa56fa72fcab9bfa4ca1af4e434ea
Instruction ID: 2ada207dfe77b559830bd50eb7442e0294db5e609f39f0f58c63ab47f5156a30
Opcode Fuzzy Hash: 8c5a1b6a9248855a80ec220f0d5765bbc70aa56fa72fcab9bfa4ca1af4e434ea
Instruction Fuzzy Hash: D5412575A04208EFEB20DF50D884A9ABBB8FB09310F14843AFD15AB391D734AD54DB65

Function 00400FA5 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00400FD4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00400FFE
FreeLibrary.KERNEL32(00000000), ref: 004010B5

Part of subcall function 00400FA5: RegCloseKey.ADVAPI32(?), ref: 0040101B
Part of subcall function 00400FA5: FreeLibrary.KERNEL32(?), ref: 0040106D
Part of subcall function 00400FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00401090

RegDeleteKeyW.ADVAPI32(?,?), ref: 00401058

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 18ccb781b375cf2a2d63026d361370fab24752a2fedac1f335423c19ad386430
Instruction ID: 1d7c9ad85d876bb18eef4ca3abc1ccd1ab521591948c31b9fc28938a13faa14c
Opcode Fuzzy Hash: 18ccb781b375cf2a2d63026d361370fab24752a2fedac1f335423c19ad386430
Instruction Fuzzy Hash: 24310F71901109BFEB259F90DC89EFFB7BCEF08300F00017AE541B2691D6785E899AA4

Function 004062CD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 004062EC
GetWindowLongW.USER32(00E026F8,000000F0), ref: 0040631F
GetWindowLongW.USER32(00E026F8,000000F0), ref: 00406354
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00406386
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 004063B0
GetWindowLongW.USER32(00000000,000000F0), ref: 004063C1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 004063DB

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 4dfdc62f64c035eda3a53f7aba250738c0cb2cc9e752efbdfdfc16df04ed7f56
Instruction ID: d92131c0e7985d99021bcad0cf646e42b18d23d40de5e67b3950303b99013f9e
Opcode Fuzzy Hash: 4dfdc62f64c035eda3a53f7aba250738c0cb2cc9e752efbdfdfc16df04ed7f56
Instruction Fuzzy Hash: 453136346002509FDB20DF18DC84F5637E1FB4A714F1A01B9F902AF2F2CB76A8659B99

Function 003DDAEB Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 003DDB2E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 003DDB54
SysAllocString.OLEAUT32(00000000), ref: 003DDB57
SysAllocString.OLEAUT32(?), ref: 003DDB75
SysFreeString.OLEAUT32(?), ref: 003DDB7E
StringFromGUID2.COMBASE(?,?,00000028), ref: 003DDBA3
SysAllocString.OLEAUT32(?), ref: 003DDBB1

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: f67e94de17e764d01af185d429308e37e65767aa864dea3d0bb4607cc805f121
Instruction ID: 272e55dc15bec4ec2d9ff149a2b399cb11d14602553239c0e8268c6a2b918027
Opcode Fuzzy Hash: f67e94de17e764d01af185d429308e37e65767aa864dea3d0bb4607cc805f121
Instruction Fuzzy Hash: 3A218E36600219AFDF11EFA8EC88CBB73ACEB09364B028537FD14DB2A0D6709C458764

Function 003F6173 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 003F7D8B: inet_addr.WS2_32(00000000), ref: 003F7DB6

socket.WS2_32(00000002,00000001,00000006), ref: 003F61C6
WSAGetLastError.WS2_32(00000000), ref: 003F61D5
ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 003F620E
connect.WSOCK32(00000000,?,00000010), ref: 003F6217
WSAGetLastError.WS2_32 ref: 003F6221
closesocket.WS2_32(00000000), ref: 003F624A
ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 003F6263

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 2455e00bc6e57460117faaa32f4a7fe0d31d2a9ef6131d59aa68e96a4d930298
Instruction ID: 36fbe2e6f2631bc63c497bfcb178fefc6a565078ba656cf961c3eb723b634c89
Opcode Fuzzy Hash: 2455e00bc6e57460117faaa32f4a7fe0d31d2a9ef6131d59aa68e96a4d930298
Instruction Fuzzy Hash: 6F31A131600208AFDF11AF64CC86BBE77ADEB45714F048479FE05AB291DB70AD089BA1

Function 003DF65E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 003DF671
__wcsnicmp.LIBCMT ref: 003DF692
__wcsnicmp.LIBCMT ref: 003DF6AC

Strings

#requireadmin, xrefs: 003DF68C
#notrayicon, xrefs: 003DF669
#OnAutoItStartRegister, xrefs: 003DF6A6

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: e4ce80cd623b1462b46b821abb7b94a02ed560a9ea1a432c9bf60239f92a7748
Instruction ID: c73d9205d87f004b168f3640bbbf14cf3306ce63253240054fc8138eaadf8671
Opcode Fuzzy Hash: e4ce80cd623b1462b46b821abb7b94a02ed560a9ea1a432c9bf60239f92a7748
Instruction Fuzzy Hash: FC2145732046116FC223AA34BC83FE77398EF56380B11403BF8438A691EB91DD91C394

Function 004075CD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00381D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00381D73
Part of subcall function 00381D35: GetStockObject.GDI32(00000011), ref: 00381D87
Part of subcall function 00381D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00381D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00407632
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0040763F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0040764A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00407659
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00407665

Strings

Msctls_Progress32, xrefs: 00407603

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: ba23eb44d34440e6578e958aa72bc41ea32900f303bb2e6bae4fded05333d8cc
Instruction ID: 45e35c70a965b92add96c2f319547e77314889261a3d1bd009dc4a5e68fe82e7
Opcode Fuzzy Hash: ba23eb44d34440e6578e958aa72bc41ea32900f303bb2e6bae4fded05333d8cc
Instruction Fuzzy Hash: 1B11B6B1510219BFEF119F64CC85EE77F5DEF087A8F114125BA05A6090C676AC22DBA8

Function 003A9AE6 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 003A9AE6

Part of subcall function 003A3187: RtlEncodePointer.NTDLL(00000000), ref: 003A318A
Part of subcall function 003A3187: __initp_misc_winsig.LIBCMT ref: 003A31A5
Part of subcall function 003A3187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 003A9EA0
Part of subcall function 003A3187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 003A9EB4
Part of subcall function 003A3187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 003A9EC7
Part of subcall function 003A3187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 003A9EDA
Part of subcall function 003A3187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 003A9EED
Part of subcall function 003A3187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 003A9F00
Part of subcall function 003A3187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 003A9F13
Part of subcall function 003A3187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 003A9F26
Part of subcall function 003A3187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 003A9F39
Part of subcall function 003A3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 003A9F4C
Part of subcall function 003A3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 003A9F5F
Part of subcall function 003A3187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 003A9F72
Part of subcall function 003A3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 003A9F85
Part of subcall function 003A3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 003A9F98
Part of subcall function 003A3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 003A9FAB
Part of subcall function 003A3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 003A9FBE

__mtinitlocks.LIBCMT ref: 003A9AEB
__mtterm.LIBCMT ref: 003A9AF4

Part of subcall function 003A9B5C: RtlDeleteCriticalSection.NTDLL(00000000), ref: 003A9C56
Part of subcall function 003A9B5C: _free.LIBCMT ref: 003A9C5D
Part of subcall function 003A9B5C: RtlDeleteCriticalSection.NTDLL(02D), ref: 003A9C7F

__calloc_crt.LIBCMT ref: 003A9B19
__initptd.LIBCMT ref: 003A9B3B
GetCurrentThreadId.KERNEL32 ref: 003A9B42

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: f0ad05e7f3c84365872e329bb981dd30ec6d0e391a12d90d3b1d7b7fe5a9aee8
Instruction ID: d702693dffa8b0879de24937487465448a6099954e03339270d40c95b05010bc
Opcode Fuzzy Hash: f0ad05e7f3c84365872e329bb981dd30ec6d0e391a12d90d3b1d7b7fe5a9aee8
Instruction Fuzzy Hash: 74F090325097115AE7367775BC0378A3794DF03734F214A2BF461FD0D2EF20884146A4

Function 003A406B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,003A3F85), ref: 003A4085
GetProcAddress.KERNEL32(00000000), ref: 003A408C
RtlEncodePointer.NTDLL(00000000), ref: 003A4097
RtlDecodePointer.NTDLL(003A3F85), ref: 003A40B2

Strings

combase.dll, xrefs: 003A4080
RoUninitialize, xrefs: 003A4074

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 0904fb70757eaf9857c91e2bef45a3ac5609841055663e9623a7ac6f1aaa721b
Instruction ID: 56e1e6b61b1b76c45df32dc06bc1c990cf1bcbba44a912f8fb12ad130a6b3493
Opcode Fuzzy Hash: 0904fb70757eaf9857c91e2bef45a3ac5609841055663e9623a7ac6f1aaa721b
Instruction Fuzzy Hash: B6E09274681300EBEB20AF61EE0AB457AA5B706B43F214039F501E54A0CFBA46489A1C

Function 003F6B03 Relevance: 9.2, APIs: 6, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WS2_32(00000000,?), ref: 003F6C00
WSAGetLastError.WS2_32(00000000), ref: 003F6C34
htons.WS2_32(?), ref: 003F6CEA
inet_ntoa.WS2_32(?), ref: 003F6CA7

Part of subcall function 003DA7E9: _strlen.LIBCMT ref: 003DA7F3
Part of subcall function 003DA7E9: _memmove.LIBCMT ref: 003DA815

_strlen.LIBCMT ref: 003F6D44
_memmove.LIBCMT ref: 003F6DAD

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: 3667fe3dffdb29e0be002808ccf21433eb95b15544b65ec6797582d40e1c1d1e
Instruction ID: 586f6a36a5ed70fd4c8099a7f7ccc0900513e49c567cda35732a467cafdbc100
Opcode Fuzzy Hash: 3667fe3dffdb29e0be002808ccf21433eb95b15544b65ec6797582d40e1c1d1e
Instruction Fuzzy Hash: FD81CE72204304ABC712FF24CC82F7BB7A8AF84714F144969FA569B292DB70ED05CB52

Function 003E64B8 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 003E660B
_memmove.LIBCMT ref: 003E6546

Part of subcall function 00389837: __itow.LIBCMT ref: 00389862
Part of subcall function 00389837: __swprintf.LIBCMT ref: 003898AC

_memmove.LIBCMT ref: 003E65B9
_memmove.LIBCMT ref: 003E66A0
_memmove.LIBCMT ref: 003E66B9
_memmove.LIBCMT ref: 003E66D5

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 7a9d2276f8bc6090ad2ff2e4bc0facee7f220cdfea25bb18be49390af5a0a179
Instruction ID: 00c2701470a138b47b1b3c339da47e397d42e20efb768633cd5a8ebc5a89ce43
Opcode Fuzzy Hash: 7a9d2276f8bc6090ad2ff2e4bc0facee7f220cdfea25bb18be49390af5a0a179
Instruction Fuzzy Hash: 85618B305006AA9BCF07FF61CC82EBE37A9AF59308F084659F8596B2D2DB35D905DB50

Function 004001E4 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00387DE1: _memmove.LIBCMT ref: 00387E22

Part of subcall function 00400E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,003FFDAD,?,?), ref: 00400E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004002BD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004002FD
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00400320
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00400349
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0040038C
RegCloseKey.ADVAPI32(00000000), ref: 00400399

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 95c3f6d456f8d803f3a1758d02be7dbc05fe72ff55f2f90aea9b7afa0db9c852
Instruction ID: 97a9aa3f5023803ad64de8b9350c63a6066e70543ca06bd09768ff1de8d78a30
Opcode Fuzzy Hash: 95c3f6d456f8d803f3a1758d02be7dbc05fe72ff55f2f90aea9b7afa0db9c852
Instruction Fuzzy Hash: 2A5179311083009FC716EF64C885E6BBBE9FF89314F04496EF8559B2A2DB35E909CB52

Function 00405799 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 004057FB
GetMenuItemCount.USER32(00000000), ref: 00405832
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0040585A
GetMenuItemID.USER32(?,?), ref: 004058C9
GetSubMenu.USER32(?,?), ref: 004058D7
PostMessageW.USER32(?,00000111,?,00000000), ref: 00405928

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 9092cde697c1cf3cc1118a9c3e56def007a1079e6c0091bc9abd4ce728b67447
Instruction ID: 374941d06447009daf64a02d03fc02c68e823c60cc2f323fda08907d4744d74e
Opcode Fuzzy Hash: 9092cde697c1cf3cc1118a9c3e56def007a1079e6c0091bc9abd4ce728b67447
Instruction Fuzzy Hash: B4514C76A00615AFCF15EF64C845AAFB7B5EF48310F1440A6EC06BB391CB34AE419F94

Function 003DEEEC Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 003DEF06
VariantClear.OLEAUT32(00000013), ref: 003DEF78
VariantClear.OLEAUT32(00000000), ref: 003DEFD3
_memmove.LIBCMT ref: 003DEFFD
VariantClear.OLEAUT32(?), ref: 003DF04A
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 003DF078

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 41168f3b5e577196d431432556c7c81b81fa4a19156a0856003cb780fa848d1b
Instruction ID: 8dfa0a39930416a6440cbf3dc80d9aa1bd471b7842e9bda2ebb1cfb564c1b448
Opcode Fuzzy Hash: 41168f3b5e577196d431432556c7c81b81fa4a19156a0856003cb780fa848d1b
Instruction Fuzzy Hash: 5C515BB5A00209EFDB14DF58D884AAAB7B8FF4C314B15856AED59DB301E335E911CFA0

Function 003E220A Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003E2258
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 003E22A3
IsMenu.USER32(00000000), ref: 003E22C3
CreatePopupMenu.USER32 ref: 003E22F7
GetMenuItemCount.USER32(000000FF), ref: 003E2355
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 003E2386

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: cf39afec6d9840d51691fbad710195643a2cfb0a10fb106eb66e9b5e80d8afc6
Instruction ID: a64998bf1c652a02bc47dc5a04a35dd320f75ed955c3487e5556d48c885d4a1a
Opcode Fuzzy Hash: cf39afec6d9840d51691fbad710195643a2cfb0a10fb106eb66e9b5e80d8afc6
Instruction Fuzzy Hash: 8151C074600299EFCF22CF6AC988BAFBBF9AF05314F154229E815AB2D1D3749904CF51

Function 00381765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00382612: GetWindowLongW.USER32(?,000000EB), ref: 00382623

BeginPaint.USER32(?,?,?,?,?,?), ref: 0038179A
GetWindowRect.USER32(?,?), ref: 003817FE
ScreenToClient.USER32(?,?), ref: 0038181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0038182C
EndPaint.USER32(?,?), ref: 00381876

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 0b5cefde0ee3014d22a2530f0188d566d90b1bd22623e520308c7116ae4606ec
Instruction ID: 7d3bbeaa3e3809f2693999667d63673fdbb8e741cb533814ed2731fa313d6368
Opcode Fuzzy Hash: 0b5cefde0ee3014d22a2530f0188d566d90b1bd22623e520308c7116ae4606ec
Instruction Fuzzy Hash: 2741A1301047009FDB12EF25CC85FBA7BECEB46724F144679FA948B5A2CB719846DB61

Function 0040B69E Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(004457B0,00000000,00E026F8,?,?,004457B0,?,0040B5A8,?,?), ref: 0040B712
EnableWindow.USER32(00000000,00000000), ref: 0040B736
ShowWindow.USER32(004457B0,00000000,00E026F8,?,?,004457B0,?,0040B5A8,?,?), ref: 0040B796
ShowWindow.USER32(00000000,00000004,?,0040B5A8,?,?), ref: 0040B7A8
EnableWindow.USER32(00000000,00000001), ref: 0040B7CC
SendMessageW.USER32(?,0000130C,?,00000000), ref: 0040B7EF

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: e6aad57967ede0fff233924f18c9012d2478aec24f962ca4a59df861fbb333be
Instruction ID: 1a4d8da980b280ddf256afe44e862815562fbafafc0ecc2320f29f6287f8dd82
Opcode Fuzzy Hash: e6aad57967ede0fff233924f18c9012d2478aec24f962ca4a59df861fbb333be
Instruction Fuzzy Hash: F3418134600240AFDB22CF24C599B967BE0FF45710F1841BAE948AF7E2C735A856CB99

Function 003F709E Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,003F4E41,?,?,00000000,00000001), ref: 003F70AC

Part of subcall function 003F39A0: GetWindowRect.USER32(?,?), ref: 003F39B3

GetDesktopWindow.USER32 ref: 003F70D6
GetWindowRect.USER32(00000000), ref: 003F70DD
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 003F710F

Part of subcall function 003E5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 003E52BC

GetCursorPos.USER32(?), ref: 003F713B
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 003F7199

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 68b723635a14980dd9c041a4a39d0f2524c1bd9d8bf36747e82a310475ec59a9
Instruction ID: dcad8cc89b62b15f1289e4d31c96dbd4ec7e5a11fb9b275d1380dae40d974dcd
Opcode Fuzzy Hash: 68b723635a14980dd9c041a4a39d0f2524c1bd9d8bf36747e82a310475ec59a9
Instruction Fuzzy Hash: 3431C472509319ABD721DF14CC49FABB7EAFF88314F000929F585A7191CB71EA09CB96

Function 003EEB23 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00389837: __itow.LIBCMT ref: 00389862
Part of subcall function 00389837: __swprintf.LIBCMT ref: 003898AC

Part of subcall function 0039FC86: _wcscpy.LIBCMT ref: 0039FCA9

_wcstok.LIBCMT ref: 003EEC94
_wcscpy.LIBCMT ref: 003EED23
_memset.LIBCMT ref: 003EED56

Strings

X, xrefs: 003EED93

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: ed1e1b0464c1adce515584f0dbd4a9e0fd0fb9819b281c02d28f033d035db52c
Instruction ID: b1b3b1ae9cdecb78288f5f14e286988997f2ea38445f4a8819b045ef182e37da
Opcode Fuzzy Hash: ed1e1b0464c1adce515584f0dbd4a9e0fd0fb9819b281c02d28f033d035db52c
Instruction Fuzzy Hash: 16C190715083509FC726EF24C841A6AB7E5FF89310F144A6DF8999B2A2DB30EC45CB82

Function 003D8879 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 003D80A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 003D80C0
Part of subcall function 003D80A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 003D80CA
Part of subcall function 003D80A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 003D80D9
Part of subcall function 003D80A9: RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 003D80E0
Part of subcall function 003D80A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 003D80F6

GetLengthSid.ADVAPI32(?,00000000,003D842F), ref: 003D88CA
GetProcessHeap.KERNEL32(00000008,00000000), ref: 003D88D6
RtlAllocateHeap.NTDLL(00000000), ref: 003D88DD
CopySid.ADVAPI32(00000000,00000000,?), ref: 003D88F6
GetProcessHeap.KERNEL32(00000000,00000000,003D842F), ref: 003D890A
HeapFree.KERNEL32(00000000), ref: 003D8911

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Heap$Process$AllocateInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 169236558-0
Opcode ID: 37b5ed3c93dbc96d884eebdb46d92cc799e9a324d7c1e6384fd1831ab388f8a2
Instruction ID: e021262d924c5e7ef0639e929c6aa086776d3ee8b0c7efde3fe9b4459baece0c
Opcode Fuzzy Hash: 37b5ed3c93dbc96d884eebdb46d92cc799e9a324d7c1e6384fd1831ab388f8a2
Instruction Fuzzy Hash: DD119072501605FBDB229B94ED19FBE7768EB45311F10403AE885E7210CB32AD14DB60

Function 003DB790 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 003DB7B5
GetDeviceCaps.GDI32(00000000,00000058), ref: 003DB7C6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 003DB7CD
ReleaseDC.USER32(00000000,00000000), ref: 003DB7D5
MulDiv.KERNEL32(000009EC,?,00000000), ref: 003DB7EC
MulDiv.KERNEL32(000009EC,?,?), ref: 003DB7FE

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: d96f73deef4d865ff910972e65a0d74806a5a346d08fb38c5810f79d1f6c45cc
Instruction ID: b402185ac0c193a1e187666ca3f07a4b961af5cb4edf216a4d9443d0f4d5a126
Opcode Fuzzy Hash: d96f73deef4d865ff910972e65a0d74806a5a346d08fb38c5810f79d1f6c45cc
Instruction Fuzzy Hash: CE018475E00209FBEB109BE69D45A5EBFB8EF48311F004076FA08AB391D6319C01CF90

Function 003A0162 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 003A0193
MapVirtualKeyW.USER32(00000010,00000000), ref: 003A019B
MapVirtualKeyW.USER32(000000A0,00000000), ref: 003A01A6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 003A01B1
MapVirtualKeyW.USER32(00000011,00000000), ref: 003A01B9
MapVirtualKeyW.USER32(00000012,00000000), ref: 003A01C1

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: a90584bf1a0e61351862862e275be76d0fe7611b46b1fb33a3546d13760c91f4
Instruction ID: c29ce0e58957601539293e919ae8b06e8fdd692057ea718baee91050d0d6a203
Opcode Fuzzy Hash: a90584bf1a0e61351862862e275be76d0fe7611b46b1fb33a3546d13760c91f4
Instruction Fuzzy Hash: F2016CB09017597DE3008F5A8C85B52FFA8FF19354F00411BA15C47941C7F5A868CBE5

Function 003E53E9 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 003E53F9
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 003E540F
GetWindowThreadProcessId.USER32(?,?), ref: 003E541E
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 003E542D
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 003E5437
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 003E543E

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: f6d0e79e373e90749d0fafdc91cda299c60ebdf1c8f47e76cf1d991a05459ea7
Instruction ID: 7a2d89bde1c05aeb1ba22947fb212c127f188cc64337b97a01887789e005f669
Opcode Fuzzy Hash: f6d0e79e373e90749d0fafdc91cda299c60ebdf1c8f47e76cf1d991a05459ea7
Instruction Fuzzy Hash: C4F01D32241558BBE7315BA29D0DEAB7A7CEBC6B11F000179FA04E54919AB11A0686B9

Function 003E7230 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 003E7243
RtlEnterCriticalSection.NTDLL(?), ref: 003E7254
TerminateThread.KERNEL32(00000000,000001F6,?,00390EE4,?,?), ref: 003E7261
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00390EE4,?,?), ref: 003E726E

Part of subcall function 003E6C35: CloseHandle.KERNEL32(00000000,?,003E727B,?,00390EE4,?,?), ref: 003E6C3F

InterlockedExchange.KERNEL32(?,000001F6), ref: 003E7281
RtlLeaveCriticalSection.NTDLL(?), ref: 003E7288

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 593a2a3eb0330e9760675bd62cffe7983cfcf4dfd868eb2ad07fe1f465ef3f4b
Instruction ID: aeb55919d870954e60ba0f205cf16e2fa3f05f204d73092b4598ac08e4fb523c
Opcode Fuzzy Hash: 593a2a3eb0330e9760675bd62cffe7983cfcf4dfd868eb2ad07fe1f465ef3f4b
Instruction Fuzzy Hash: C7F05E36540712EBE7222B64EE8CDDA7729EF45702B110675F603A54A0CB765805CB54

Function 003F85ED Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 003F8613
CharUpperBuffW.USER32(?,?), ref: 003F8722
VariantClear.OLEAUT32(?), ref: 003F889A

Part of subcall function 003E7562: VariantInit.OLEAUT32(00000000), ref: 003E75A2
Part of subcall function 003E7562: VariantCopy.OLEAUT32(00000000,?), ref: 003E75AB
Part of subcall function 003E7562: VariantClear.OLEAUT32(00000000), ref: 003E75B7

Strings

AUTOIT.ERROR, xrefs: 003F8728
Incorrect Parameter format, xrefs: 003F864B, 003F880D

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: e8e255740e87d851619cf67a3aa23eb023e687287c1beca9c5bc7a1eb1c05124
Instruction ID: 24e2b26423ddc724dfd10d6a5c62b4eeb163fbc21ccbb8e6eb78bcf7d3374f58
Opcode Fuzzy Hash: e8e255740e87d851619cf67a3aa23eb023e687287c1beca9c5bc7a1eb1c05124
Instruction Fuzzy Hash: E491AD756043059FC715EF24C480A6ABBE8EF89754F14896EF98ACB361DB30E905CB92

Function 00393137 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 161COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00393277
_memmove.LIBCMT ref: 00393310
_free.LIBCMT ref: 00393336
_memmove.LIBCMT ref: 003933E9

Strings

3c9, xrefs: 00393225
_9, xrefs: 00393322

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: _memmove$_free
String ID: 3c9$_9
API String ID: 2620147621-1310868050
Opcode ID: e9a14269c89b9107b5f018dd5749f66c3af86eae842f3c2c64edc18548ada622
Instruction ID: 37a1c330d2dcac1475e4d8cde0f18a5e7f01036abf6563583c6a7f4b29b557b7
Opcode Fuzzy Hash: e9a14269c89b9107b5f018dd5749f66c3af86eae842f3c2c64edc18548ada622
Instruction Fuzzy Hash: 27514AB56083418FDB26CF29C581B6BBBE5EF85314F46482DE989C7361DB31E901CB82

Function 003DD56C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 003DD5D4
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 003DD60A
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 003DD61B
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 003DD69D

Strings

DllGetClassObject, xrefs: 003DD610

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 8b65559190a6996afbdc7945f12ecf89037b8de89ad08c8e031317166a29c398
Instruction ID: f23b4ee5a2a78f819cff4068fae9a6e3451b7bcdaf1187e70a9446a1f3794625
Opcode Fuzzy Hash: 8b65559190a6996afbdc7945f12ecf89037b8de89ad08c8e031317166a29c398
Instruction Fuzzy Hash: 7B418EB2600204EFDB16CF64D884A9ABBA9EF48310F1581AAAD099F305D7B5DD44CBE4

Function 003E2753 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003E27C0
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 003E27DC
DeleteMenu.USER32(?,00000007,00000000), ref: 003E2822
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00445890,00000000), ref: 003E286B

Strings

0, xrefs: 003E27B5

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 5422b25e04853cfb55b97986742e7988813a386791ec9b8856a9dafeaebbcc50
Instruction ID: fb59ad9d09f580e40fb23fc6ef6c46a50ec08f53f2756f4c928929b463f1b80e
Opcode Fuzzy Hash: 5422b25e04853cfb55b97986742e7988813a386791ec9b8856a9dafeaebbcc50
Instruction Fuzzy Hash: 6A418E702043919FDB26DF26C844B1BBBE8EF85314F154A6DF8A59B2D2D730A805CB52

Function 003E0AD6 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 003E0B27
SetKeyboardState.USER32(00000080,?,00000001), ref: 003E0B43
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 003E0BA9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 003E0BFB

Strings

SER_APP_PROFILE_STRING=Internet Explorer, xrefs: 003E0B5D

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID: SER_APP_PROFILE_STRING=Internet Explorer
API String ID: 432972143-3236170427
Opcode ID: 6f7e19137b6a1aab74691343dbc552ec03444de60632cbdc83300f8fe9404daf
Instruction ID: 4e6bee1328eea94485aab3de7c70a51724e44062f89186917ff18f30781fd494
Opcode Fuzzy Hash: 6f7e19137b6a1aab74691343dbc552ec03444de60632cbdc83300f8fe9404daf
Instruction Fuzzy Hash: D6317C30D402A9AEFF3A8B278C05BFABBA9BB44314F08436AE481562D1C3F5C9C49755

Function 003E0C11 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 003E0C66
SetKeyboardState.USER32(00000080,?,00008000), ref: 003E0C82
PostMessageW.USER32(00000000,00000101,00000000), ref: 003E0CE1
SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 003E0D33

Strings

SER_APP_PROFILE_STRING=Internet Explorer, xrefs: 003E0C9F

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID: SER_APP_PROFILE_STRING=Internet Explorer
API String ID: 432972143-3236170427
Opcode ID: 83f71a9ce91c1e782ef682b032f2af05e7ce0ad2f2ae6560b44bae8b9d1cb53b
Instruction ID: ef056faa50f075a89d595856017bf7a618b904508326f6d9e984046a644eae35
Opcode Fuzzy Hash: 83f71a9ce91c1e782ef682b032f2af05e7ce0ad2f2ae6560b44bae8b9d1cb53b
Instruction Fuzzy Hash: 07318E309402A8AEFF3A8B668C047FEBB6AEB45310F14472BE481665D1C3B55DC58752

Function 003FD7A5 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 003FD7C5

Part of subcall function 0038784B: _memmove.LIBCMT ref: 00387899

Strings

stdcall, xrefs: 003FD847
winapi, xrefs: 003FD836
none, xrefs: 003FD8A0
cdecl, xrefs: 003FD81C

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 473e28b679e99a2d7008eefee7a4f291c79783ac0b030242aba3dd2050c73b6b
Instruction ID: 321f33cc064aa465ef1b1a435fc0ab22f78b3d86f51faa02588fe2ca753bfaf8
Opcode Fuzzy Hash: 473e28b679e99a2d7008eefee7a4f291c79783ac0b030242aba3dd2050c73b6b
Instruction Fuzzy Hash: 7231CD7190421DABCF02EF54C8559FEB3B6FF05320F10866AE865AB6D1DB71AD05CB80

Function 003D8E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00387DE1: _memmove.LIBCMT ref: 00387E22

Part of subcall function 003DAA99: GetClassNameW.USER32(?,?,000000FF), ref: 003DAABC

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 003D8F14
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 003D8F27
SendMessageW.USER32(?,00000189,?,00000000), ref: 003D8F57

Part of subcall function 00387BCC: _memmove.LIBCMT ref: 00387C06

Strings

ComboBox, xrefs: 003D8E9E
ListBox, xrefs: 003D8ED3

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: 9fadc001bbcac88037d01916e853a3f1e9583c3145d50322bad02bf50680af98
Instruction ID: 54e731e9d062fd7c8af29fbfdfb8df87e4be6cfbccc875bdcf6dc8ae39dc317e
Opcode Fuzzy Hash: 9fadc001bbcac88037d01916e853a3f1e9583c3145d50322bad02bf50680af98
Instruction Fuzzy Hash: FF21E6B29042047ADB16ABB0EC45DFF777DDF45320F54462AF811AB2E1DF39580AD610

Function 003F182D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 003F184C
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 003F1872
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 003F18A2
InternetCloseHandle.WININET(00000000), ref: 003F18E9

Part of subcall function 003F2483: GetLastError.KERNEL32(?,?,003F1817,00000000,00000000,00000001), ref: 003F2498
Part of subcall function 003F2483: SetEvent.KERNEL32(?,?,003F1817,00000000,00000000,00000001), ref: 003F24AD

Strings

, xrefs: 003F1893

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: b1ebbf23e51ba2c99c3328219f57f510c87030f09332f75cb012370c28ad28e5
Instruction ID: 1fc8c6f1c8254e8cf12fd5fdf0c9bd97e0f120bc8db2ff7e96fbe34f9c226062
Opcode Fuzzy Hash: b1ebbf23e51ba2c99c3328219f57f510c87030f09332f75cb012370c28ad28e5
Instruction Fuzzy Hash: 4A21B0B150020CBFEB229B65ED85EBB77EDEB48784F10413AFA05A7640DB748D0557A1

Function 004063E7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00381D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00381D73
Part of subcall function 00381D35: GetStockObject.GDI32(00000011), ref: 00381D87
Part of subcall function 00381D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00381D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00406461
LoadLibraryW.KERNEL32(?), ref: 00406468
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 0040647D
DestroyWindow.USER32(?), ref: 00406485

Strings

SysAnimate32, xrefs: 0040643C

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: ea0d4020539f479b01281f8716961041050d9fa18ffba9f0e210dd246e058711
Instruction ID: 52e14f4fee3ce397c354e875378b60084d734e9e6a65177e236b2811173d018f
Opcode Fuzzy Hash: ea0d4020539f479b01281f8716961041050d9fa18ffba9f0e210dd246e058711
Instruction Fuzzy Hash: 5A218E71100205AFEF108FA4DC40EBB77ADEF59328F11463AF916A62D0D7799C62A768

Function 003E6D9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 003E6DBC
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 003E6DEF
GetStdHandle.KERNEL32(0000000C), ref: 003E6E01
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 003E6E3B

Strings

nul, xrefs: 003E6E36

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: d72dfaeef208046fa6001030024ad05107e91524895a68bf46cf7f83b2a039c3
Instruction ID: 1c1c1844d06fe5e73ff4bbe137a8fcd32a6dabfb0219dd3201c0aa3a43b443fb
Opcode Fuzzy Hash: d72dfaeef208046fa6001030024ad05107e91524895a68bf46cf7f83b2a039c3
Instruction Fuzzy Hash: EB21C474600369EBDB219F2ADD06A9A77F8EFA4760F204B29FCA1D72D0D7709814CB54

Function 003E6E6A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 003E6E89
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 003E6EBB
GetStdHandle.KERNEL32(000000F6), ref: 003E6ECC
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 003E6F06

Strings

nul, xrefs: 003E6F01

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 0fddf8f147b872b56037575cb2fed9f68bb48a9eb523bb07082529cf715549ef
Instruction ID: 5f5d237fd7b18dfc989da8b41ddedad6efdfab2f784e8495564fc9a6f2f570c9
Opcode Fuzzy Hash: 0fddf8f147b872b56037575cb2fed9f68bb48a9eb523bb07082529cf715549ef
Instruction Fuzzy Hash: A421D6755003659BDB219F6ACD06A9A77E8EFA4760F200B69FCE0E73D0D770A850C710

Function 003EAC40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 003EAC54
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 003EACA8
__swprintf.LIBCMT ref: 003EACC1
SetErrorMode.KERNEL32(00000000,00000001,00000000,0040F910), ref: 003EACFF

Strings

%lu, xrefs: 003EACBB

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 641177b83723288f78c479683cf4ba11fb0cf3d195ae487b2ad1f0c364a7c7cf
Instruction ID: 7b4f16ade79d066d4b45426a4d29f80dcfbf19a718a9d5f8ec395c55da93ccfa
Opcode Fuzzy Hash: 641177b83723288f78c479683cf4ba11fb0cf3d195ae487b2ad1f0c364a7c7cf
Instruction Fuzzy Hash: F821A434600209AFCB11EF55C945EAEB7B8EF89314B1040B9F509EB251DB31EA45CB61

Function 003E1142 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,003DFCED,?,003E0D40,?,00008000), ref: 003E115F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,003DFCED,?,003E0D40,?,00008000), ref: 003E1184
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,003DFCED,?,003E0D40,?,00008000), ref: 003E118E
Sleep.KERNEL32(?,?,?,?,?,?,?,003DFCED,?,003E0D40,?,00008000), ref: 003E11C1

Strings

@>, xrefs: 003E119D

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID: @>
API String ID: 2875609808-4212406068
Opcode ID: e3585267f147230e01474a780898b00a9da8d2e2f200abd3583abfb6a1e87bb8
Instruction ID: cb8fc4de27f173c244822db6ce5572ad6db92118ecd0cba26f17efbe172ca95a
Opcode Fuzzy Hash: e3585267f147230e01474a780898b00a9da8d2e2f200abd3583abfb6a1e87bb8
Instruction Fuzzy Hash: 7A118E31C0066CD7CF05DFA6D949AEEBB78FF09711F014165EA41B6280CB709950CBD5

Function 003E1AE8 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 003E1B19

Strings

APPEND, xrefs: 003E1B52
KEYS, xrefs: 003E1B30
EXISTS, xrefs: 003E1B41
REMOVE, xrefs: 003E1B1F

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 1ce6dfff3d30f4c67cceb33dbd143d2b256f8b8348d4aa45a8e889febbb10071
Instruction ID: deb2e918c3e3b5d14b5609469c0dfbb70e195e26005e0c8ee28840642dee79a0
Opcode Fuzzy Hash: 1ce6dfff3d30f4c67cceb33dbd143d2b256f8b8348d4aa45a8e889febbb10071
Instruction Fuzzy Hash: 7511A1319102699FCF05EF54D8518FEB3B4FF26304F1485A9E815AB691EB325D06CB44

Function 003FEB55 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 003FEC07
GetProcessIoCounters.KERNEL32(00000000,?), ref: 003FEC37
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 003FED6A
CloseHandle.KERNEL32(?), ref: 003FEDEB

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: b0fc7fd0acd6e1f370f956311fcda6fef6d4cae58b922e26a18c7d0410697829
Instruction ID: 0d5d9be1302296dc0379f9431ab8c4d59a37033452e8f6ebfd37890837592399
Opcode Fuzzy Hash: b0fc7fd0acd6e1f370f956311fcda6fef6d4cae58b922e26a18c7d0410697829
Instruction Fuzzy Hash: 838182716043019FD762EF28C846F2AB7E5AF88710F14886DF99ADB2D2D770AD44CB51

Function 00400037 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00387DE1: _memmove.LIBCMT ref: 00387E22

Part of subcall function 00400E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,003FFDAD,?,?), ref: 00400E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004000FD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0040013C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00400183
RegCloseKey.ADVAPI32(?,?), ref: 004001AF
RegCloseKey.ADVAPI32(00000000), ref: 004001BC

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: e367f47f78536b093454a613df70caa26d02fb3cd07fd7917a00f1bfadfa2677
Instruction ID: a9f6d057e77c5c25c6072872421bfe2cf57963241dc3793ea218dfeae2bf1c32
Opcode Fuzzy Hash: e367f47f78536b093454a613df70caa26d02fb3cd07fd7917a00f1bfadfa2677
Instruction Fuzzy Hash: 00517A71208304AFC715EF58C881F6AB7E9FF84314F04492EF5959B2A2DB35E909CB56

Function 003FD8C8 Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00389837: __itow.LIBCMT ref: 00389862
Part of subcall function 00389837: __swprintf.LIBCMT ref: 003898AC

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 003FD927
GetProcAddress.KERNEL32(00000000,?), ref: 003FD9AA
GetProcAddress.KERNEL32(00000000,00000000), ref: 003FD9C6
GetProcAddress.KERNEL32(00000000,?), ref: 003FDA07
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 003FDA21

Part of subcall function 00385A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,003E7896,?,?,00000000), ref: 00385A2C
Part of subcall function 00385A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,003E7896,?,?,00000000,?,?), ref: 00385A50

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 0a1958467f2556070f09d855e2fa9b46ee4d22e4b1511ccede750b5a370c395c
Instruction ID: b2a261552f0afbccf4f065b734d70255a340b81eee54211ca5c5522d4fc39a93
Opcode Fuzzy Hash: 0a1958467f2556070f09d855e2fa9b46ee4d22e4b1511ccede750b5a370c395c
Instruction Fuzzy Hash: 72514A35A00209DFCB02EFA8C4889AEB7F5FF49320B1581A5E955AB312D771ED45CF91

Function 003EE571 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 003EE61F
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 003EE648
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 003EE687

Part of subcall function 00389837: __itow.LIBCMT ref: 00389862
Part of subcall function 00389837: __swprintf.LIBCMT ref: 003898AC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 003EE6AC
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 003EE6B4

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 675ca59aae2e3632d78db42bc646b1a8e60227a967471c4999e46d5e922ea71e
Instruction ID: 9447605cad12fe26ce606886155bb6c36a8c68a186adc0aed0d844da333e61d4
Opcode Fuzzy Hash: 675ca59aae2e3632d78db42bc646b1a8e60227a967471c4999e46d5e922ea71e
Instruction Fuzzy Hash: 30510A35A00215DFCB06EF65C981AAEBBF5EF49314B1480A9E819AF361CB31ED15DB50

Function 0040A056 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ae7d39a1e75fe319e8e05f55d86f5e67b995a45c41069177900d96c78137e63
Instruction ID: 29f4ecf1f57062c00979e8260e8114a1c8f0964500e1f5318c3bedad4ebd8c3c
Opcode Fuzzy Hash: 0ae7d39a1e75fe319e8e05f55d86f5e67b995a45c41069177900d96c78137e63
Instruction Fuzzy Hash: 8F41C535904314AFD720DF28CC48FAABBA4EB09310F144276F815BB3E1C778AD65DA5A

Function 003D63AA Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 003D63E7
TranslateAcceleratorW.USER32(?,?,?), ref: 003D6433
TranslateMessage.USER32(?), ref: 003D645C
DispatchMessageW.USER32(?), ref: 003D6466
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 003D6475

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 113b4964829d3f0ca29eca5c5bdc74bdd1af88e5070baa4259ff3e2702c80acd
Instruction ID: 164f778ea461e7efca2b0eb52ea231f0ab6991aef79b00b05642b99615059829
Opcode Fuzzy Hash: 113b4964829d3f0ca29eca5c5bdc74bdd1af88e5070baa4259ff3e2702c80acd
Instruction Fuzzy Hash: 61310832940602AFDB26DFB5EC46BB67BBCAB01310F11017BE431C36A2E7759449DB64

Function 003D8A1F Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 003D8A30
PostMessageW.USER32(?,00000201,00000001), ref: 003D8ADA
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 003D8AE2
PostMessageW.USER32(?,00000202,00000000), ref: 003D8AF0
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 003D8AF8

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 9f01be8444f753aec886c564a12182c7bcaeef18cbfda02272073aae5f73149b
Instruction ID: a3348ceda89e01b541a9404a5c4261695badb1f9186929e72db68e11e375d28f
Opcode Fuzzy Hash: 9f01be8444f753aec886c564a12182c7bcaeef18cbfda02272073aae5f73149b
Instruction Fuzzy Hash: 9E31C072500219EBDF14CFA8E94CA9E3BB5FB04315F11862AF925EA6D0C7B0AD14DB90

Function 003DB1EC Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 003DB204
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 003DB221
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 003DB259
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 003DB27F
_wcsstr.LIBCMT ref: 003DB289

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 7bea557d844ddcf1e827da3d8c149d6674223d9e68715c9151955d99bad950a5
Instruction ID: 537b1684b10fc7c2fab825774fd3da8400eabac1cfa8d0dca98fc5f4eb699891
Opcode Fuzzy Hash: 7bea557d844ddcf1e827da3d8c149d6674223d9e68715c9151955d99bad950a5
Instruction Fuzzy Hash: 8221C573604200BBEB265B79AC49E7FBBACDF4A750F02453AF805DE261EB71DC419660

Function 0040B14B Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00382612: GetWindowLongW.USER32(?,000000EB), ref: 00382623

GetWindowLongW.USER32(?,000000F0), ref: 0040B192
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0040B1B7
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0040B1CF
GetSystemMetrics.USER32(00000004), ref: 0040B1F8
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,003F0E90,00000000), ref: 0040B216

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 3f78c4f3c0cb3948872e887250a1abfdde20e8b75e7f35dc911b908b3e918459
Instruction ID: 643d6f1a4e360c849ebe54a65f10dde9546747a6f7547d76c6edc60fee6c1f3a
Opcode Fuzzy Hash: 3f78c4f3c0cb3948872e887250a1abfdde20e8b75e7f35dc911b908b3e918459
Instruction Fuzzy Hash: D9219171910651AFCB209F389C18A6A37A4FB15761F104B3AFD32E72E1E73498218BDC

Function 003D9307 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 003D9320

Part of subcall function 00387BCC: _memmove.LIBCMT ref: 00387C06

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 003D9352
__itow.LIBCMT ref: 003D936A
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 003D9392
__itow.LIBCMT ref: 003D93A3

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 2cd406b17709e4d0e307dd2c7d1d8b2b22956ed83756a2b83d63ff3350e31c4b
Instruction ID: 25c2f32dd2fbf35da4b084fe2f629f424d1f1dab0f580ae2d1d63ee6e44d1180
Opcode Fuzzy Hash: 2cd406b17709e4d0e307dd2c7d1d8b2b22956ed83756a2b83d63ff3350e31c4b
Instruction Fuzzy Hash: CC210736700308ABDB22AA619C89FAE7BADEB89710F144037FD04EB2C0D6B0CD458791

Function 003F5A4D Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 003F5A6E
GetForegroundWindow.USER32 ref: 003F5A85
GetDC.USER32(00000000), ref: 003F5AC1
GetPixel.GDI32(00000000,?,00000003), ref: 003F5ACD
ReleaseDC.USER32(00000000,00000003), ref: 003F5B08

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 94880d11c565cd94b041b52743326b8e8acffa6c742309a93b1957b881cad650
Instruction ID: c1473e53c1e59cf430ccb0f4e819360a68a1fec6ed2493648bd4ea06a9e5291c
Opcode Fuzzy Hash: 94880d11c565cd94b041b52743326b8e8acffa6c742309a93b1957b881cad650
Instruction Fuzzy Hash: 9E21C335A00204AFDB11EFA5DD84AAABBE5EF48310F148579F909DB762CB70AC05CB90

Function 003812F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0038134D
SelectObject.GDI32(?,00000000), ref: 0038135C
BeginPath.GDI32(?), ref: 00381373
SelectObject.GDI32(?,00000000), ref: 0038139C

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: e212886297645648a4fd7dcdc486c84e82c13364bf71bace187405bf879975ac
Instruction ID: a2ce9e7562724f6ab00bdf2c0f9e14948bea9b3471e6491f27df245f64b26f7b
Opcode Fuzzy Hash: e212886297645648a4fd7dcdc486c84e82c13364bf71bace187405bf879975ac
Instruction Fuzzy Hash: 10216D38800708EFDF12AF25DD047A97BACFB11321F144276F814A65B1DBB099A6DF98

Function 003E4A93 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 003E4ABA
__beginthreadex.LIBCMT ref: 003E4AD8
MessageBoxW.USER32(?,?,?,?), ref: 003E4AED
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 003E4B03
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 003E4B0A

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 7ac599c9ff3affc6ef0a8e02950bdbe960cf287b41fdff5fa7351485c4f6100c
Instruction ID: a510f2c8df2b818f4c9bc030f38a24f6025660298db49e4328efea014e07d740
Opcode Fuzzy Hash: 7ac599c9ff3affc6ef0a8e02950bdbe960cf287b41fdff5fa7351485c4f6100c
Instruction Fuzzy Hash: 05110876904254BBCB119FA99C08A9B7FACEB49320F1443B6F814D3291D6B1CD048BE4

Function 003D8202 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 003D821E
GetLastError.KERNEL32(?,003D7CE2,?,?,?), ref: 003D8228
GetProcessHeap.KERNEL32(00000008,?,?,003D7CE2,?,?,?), ref: 003D8237
RtlAllocateHeap.NTDLL(00000000,?,003D7CE2), ref: 003D823E
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 003D8255

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocateErrorLastProcess
String ID:
API String ID: 883493501-0
Opcode ID: ff95ed71d8e9a17075de23c669b8c69cca457d3a09c893f63d77b32404bdbf47
Instruction ID: 6ff85e6fa96126d74c491eebcdf21cb13a198420bccdc2afc8e0f8c9bba6d32e
Opcode Fuzzy Hash: ff95ed71d8e9a17075de23c669b8c69cca457d3a09c893f63d77b32404bdbf47
Instruction Fuzzy Hash: 39016D71201604BFDB218FA5ED49D6B7BBCEF8A754B50087AF809D2220DA32AC04CA60

Function 003D710A Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.COMBASE ref: 003D7127
ProgIDFromCLSID.COMBASE(?,00000000), ref: 003D7142
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,003D7044,80070057,?,?), ref: 003D7150
CoTaskMemFree.COMBASE(00000000), ref: 003D7160
CLSIDFromString.COMBASE(?,?), ref: 003D716C

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 5362a07f5a8ce8862624e44169dd7264298347c510d2c2b7c25801fb59562fa8
Instruction ID: dff5d6065a2b4622242fb74532acde70cf52466a196354c6b492fc7a5238ff26
Opcode Fuzzy Hash: 5362a07f5a8ce8862624e44169dd7264298347c510d2c2b7c25801fb59562fa8
Instruction Fuzzy Hash: 99017C73601214ABDB229F64ED44AAA7BADEB447A1F154275FD04E2320E731DD409BA0

Function 003E5244 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 003E5260
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 003E526E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 003E5276
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 003E5280
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 003E52BC

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 1ad755337c5d8a95374ef7b1fbdb95cd15d20f919f9fb9b0f660b668546c15df
Instruction ID: efd067524615ba7e234967c7ce92a386e3e87742644067278c9171bbba21ae6c
Opcode Fuzzy Hash: 1ad755337c5d8a95374ef7b1fbdb95cd15d20f919f9fb9b0f660b668546c15df
Instruction Fuzzy Hash: ED016931D01A2DDBCF11EFE5E9489EDBB78FB08315F410A66EA41B2580CB3199548BA5

Function 003D810A Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 003D8121
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 003D812B
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 003D813A
RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 003D8141
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 003D8157

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: HeapInformationToken$AllocateErrorLastProcess
String ID:
API String ID: 47921759-0
Opcode ID: 86389a8c7d484f59a95f5e42a9d5928cca931b1a90c75831741003c22fd19ec6
Instruction ID: 13332531618fe4870fb37337ab84ed294efd328e87fb018cc8e867e2310c6eeb
Opcode Fuzzy Hash: 86389a8c7d484f59a95f5e42a9d5928cca931b1a90c75831741003c22fd19ec6
Instruction Fuzzy Hash: 7EF06271200314AFEB220FA5EC89F673BACFF49754B000036F945E6250CB71AD49DA60

Function 003DC1E3 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 003DC1F7
GetWindowTextW.USER32(00000000,?,00000100), ref: 003DC20E
MessageBeep.USER32(00000000), ref: 003DC226
KillTimer.USER32(?,0000040A), ref: 003DC242
EndDialog.USER32(?,00000001), ref: 003DC25C

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 5af0bcbb13c0a4eba6da9ed44ca4a3299213cb1be901ed18661858cc4ade0016
Instruction ID: 7728ac64757d03a91ae266432df4933f0e160a7f5b3323b3152147a602d65bb9
Opcode Fuzzy Hash: 5af0bcbb13c0a4eba6da9ed44ca4a3299213cb1be901ed18661858cc4ade0016
Instruction Fuzzy Hash: AC01A73146430597EB325B60ED4EB967778BB00705F040A7AE542A19E0D7F16948CB54

Function 003813B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 003813BF
StrokeAndFillPath.GDI32(?,?,003BB888,00000000,?), ref: 003813DB
SelectObject.GDI32(?,00000000), ref: 003813EE
DeleteObject.GDI32 ref: 00381401
StrokePath.GDI32(?), ref: 0038141C

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: d91c75da3ef52576ad575826ece00ef2b838da8bf95ec0d84499ec27f2b7714f
Instruction ID: b262db63770db45cb9cb19b7bafa72713c2e27371c2b72489a3739c9e4c790f2
Opcode Fuzzy Hash: d91c75da3ef52576ad575826ece00ef2b838da8bf95ec0d84499ec27f2b7714f
Instruction Fuzzy Hash: 45F0E134004708DBDF626F17ED4C7583FA8A702326F08C674E429598F2CB7149A6DF58

Function 003D8992 Relevance: 7.5, APIs: 5, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 003D899D
CloseHandle.KERNEL32(?), ref: 003D89B2
CloseHandle.KERNEL32(?), ref: 003D89BA
GetProcessHeap.KERNEL32(00000000,?), ref: 003D89C3
HeapFree.KERNEL32(00000000), ref: 003D89CA

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessSingleWait
String ID:
API String ID: 3751786701-0
Opcode ID: 53217169132ec668ba977ba88d6e3d86bf1adf679e8c622f921c36289e5f0b63
Instruction ID: e11ed79323786bbacff01c44f1fa0dfc0ae9959e355e2fba3a925c2ab4b050b3
Opcode Fuzzy Hash: 53217169132ec668ba977ba88d6e3d86bf1adf679e8c622f921c36289e5f0b63
Instruction Fuzzy Hash: BFE0C936004501FBD6116FE1EE0CD05BB79FB897227104230F21595870CB326864DB54

Function 003EC397 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 003EC432
CoCreateInstance.COMBASE(00412D6C,00000000,00000001,00412BDC,?), ref: 003EC44A

Part of subcall function 00387DE1: _memmove.LIBCMT ref: 00387E22

CoUninitialize.COMBASE ref: 003EC6B7

Strings

.lnk, xrefs: 003EC3C6, 003EC3EE, 003EC3F8

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 470f8cc95d02db36bf78869ec3e107b4649dd9a2d1799ab64b0f7146b4edf9d9
Instruction ID: d193d97cb3bb8e69db96803e903878a344a935ceda12c7d27550d53bb23cba98
Opcode Fuzzy Hash: 470f8cc95d02db36bf78869ec3e107b4649dd9a2d1799ab64b0f7146b4edf9d9
Instruction Fuzzy Hash: 7AA14A71104305AFD701EF54C881EAFB7E8EF89308F0449ADF5569B1A2EB71EA49CB52

Function 00392CFB Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 003A0DB6: std::exception::exception.LIBCMT ref: 003A0DEC
Part of subcall function 003A0DB6: __CxxThrowException@8.LIBCMT ref: 003A0E01

Part of subcall function 00387DE1: _memmove.LIBCMT ref: 00387E22

Part of subcall function 00387A51: _memmove.LIBCMT ref: 00387AAB

__swprintf.LIBCMT ref: 00392ECD

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00392D66

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 9e2e74fee602955064a9fd835a3e4791439bb62439868b17a359b1c76edfe5bb
Instruction ID: 3dcf2465d29bc62440b10adc021b390daf6d07d9f6b7be674bb605a2ae73e2d8
Opcode Fuzzy Hash: 9e2e74fee602955064a9fd835a3e4791439bb62439868b17a359b1c76edfe5bb
Instruction Fuzzy Hash: 2C916A72508701AFCB1AFF24C886D6FB7A9EF85310F14495DF4969B2A1EB20ED44CB52

Function 003EB93B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00384750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00384743,?,?,003837AE,?), ref: 00384770

CoInitialize.OLE32(00000000), ref: 003EB9BB
CoCreateInstance.COMBASE(00412D6C,00000000,00000001,00412BDC,?), ref: 003EB9D4
CoUninitialize.COMBASE ref: 003EB9F1

Part of subcall function 00389837: __itow.LIBCMT ref: 00389862
Part of subcall function 00389837: __swprintf.LIBCMT ref: 003898AC

Strings

.lnk, xrefs: 003EB99D, 003EB9AB

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 7e594f41206c666c83fa9c1ce85809721e4095e129ae4c252218361595f0034c
Instruction ID: 23950cd4fcb96c878bfb2c12cccf2b93a40cd63ebdcef1bacff9ff291f2d5e87
Opcode Fuzzy Hash: 7e594f41206c666c83fa9c1ce85809721e4095e129ae4c252218361595f0034c
Instruction Fuzzy Hash: 22A1BC356043029FCB02EF15C480E6AB7E5FF89314F158999F8999B3A1CB31EC45CB91

Function 003DB2F3 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 003DB4BE

Strings

Container, xrefs: 003DB43B
%A, xrefs: 003DB561
AutoIt3GUI, xrefs: 003DB436

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container$%A
API String ID: 3565006973-4089100624
Opcode ID: a341944d30a89ed4e245ea3d100b68026ebe957010877684f9f3b17a3181b758
Instruction ID: facb80efd02d09c7b845d6a30c0ae8fefbfb68e00823d9224912b01ea5fe2847
Opcode Fuzzy Hash: a341944d30a89ed4e245ea3d100b68026ebe957010877684f9f3b17a3181b758
Instruction Fuzzy Hash: 1E914472600601EFDB25DF24D884A6ABBF9EF49700F21846AE94A8B791DB70E841CB50

Function 003A501D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 003A50AD

Part of subcall function 003B00F0: __87except.LIBCMT ref: 003B012B

Strings

pow, xrefs: 003A5085, 003A50A2

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: cee26015e13689f7ddd241d86c5f391127e4125a3cab38409941a92a461d21ad
Instruction ID: 7fac22f9e2b2d24877743f92dad5f64772465abf448fc04dcd48e21399b43ad4
Opcode Fuzzy Hash: cee26015e13689f7ddd241d86c5f391127e4125a3cab38409941a92a461d21ad
Instruction Fuzzy Hash: 7651AF7190C60186DB1BFB18CC453FF2BA4DF42704F208D68E5D68AA99EF348DC896C6

Function 003C8584 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 148COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 003C862B
_memmove.LIBCMT ref: 003C8685

Strings

3c9, xrefs: 003C860C
_9, xrefs: 003C86FF, 003CDFDC, 003CDFF8

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: _memmove
String ID: 3c9$_9
API String ID: 4104443479-1310868050
Opcode ID: 009d60e3b5ece85f2d1e8a2e4b08ef3c1404768627938edb14ffd6f80ed6fca0
Instruction ID: 60814cb60068c9b158015a20e41d1f2bf968c490c4c747db37f290b1d7623ff0
Opcode Fuzzy Hash: 009d60e3b5ece85f2d1e8a2e4b08ef3c1404768627938edb14ffd6f80ed6fca0
Instruction Fuzzy Hash: A7516C70E006199FCF26CF68C880AAEB7B1FF45304F14852DE85AD7250EB31AE66CB51

Function 003D97F5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003E14BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,003D9296,?,?,00000034,00000800,?,00000034), ref: 003E14E6

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 003D983F

Part of subcall function 003E1487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,003D92C5,?,?,00000800,?,00001073,00000000,?,?), ref: 003E14B1

Part of subcall function 003E13DE: GetWindowThreadProcessId.USER32(?,?), ref: 003E1409
Part of subcall function 003E13DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,003D925A,00000034,?,?,00001004,00000000,00000000), ref: 003E1419
Part of subcall function 003E13DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,003D925A,00000034,?,?,00001004,00000000,00000000), ref: 003E142F

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 003D98AC
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 003D98F9

Strings

@, xrefs: 003D9911

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: f81ced4d2f1d2ce242321dc67ca426e9ab78fa7deba2aa77683ff1ede054b43f
Instruction ID: 9a963720ff07aae8ef678c20aea316b750b175343911fac169c277799352c51f
Opcode Fuzzy Hash: f81ced4d2f1d2ce242321dc67ca426e9ab78fa7deba2aa77683ff1ede054b43f
Instruction Fuzzy Hash: F0415076901118AFCB11DFA5CD42EDEBBB8EB09700F00419AF945B7291DA716E45CBA0

Function 00407946 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0040F910,00000000,?,?,?,?), ref: 004079DF
GetWindowLongW.USER32 ref: 004079FC
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00407A0C

Strings

SysTreeView32, xrefs: 004079B1

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: d655b069b7777d4407596fba4459bfc4d798f2639138ec1bc0c4925a58c49b92
Instruction ID: 364c10ae2b716b71201a969a9985a707c460efb2d534129ee81a5805c1a9a351
Opcode Fuzzy Hash: d655b069b7777d4407596fba4459bfc4d798f2639138ec1bc0c4925a58c49b92
Instruction Fuzzy Hash: 2D31CE71604206ABEB119E38CC41BEB77A9FB45324F208736F875A22E1D735E9518B54

Function 004073D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00407461
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00407475
SendMessageW.USER32(?,00001002,00000000,?), ref: 00407499

Strings

SysMonthCal32, xrefs: 0040742C

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 72909b99ee044672bd6a20a13f0b01216648f5454c3f8e2fbf89eb2557b128d4
Instruction ID: 1b0d1877da7fe9ac3f9a3ba38df2ae0aabfc4228946fbc63975d978b676853b2
Opcode Fuzzy Hash: 72909b99ee044672bd6a20a13f0b01216648f5454c3f8e2fbf89eb2557b128d4
Instruction Fuzzy Hash: 4D218D32500219BBDF218F64CC46FEB3B69EB48724F110225FE157B1D0DAB9BC559BA4

Function 00406CB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00406D3B
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00406D4B
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00406D70

Strings

Listbox, xrefs: 00406D08

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 7b6f9c1107564f7db63577abce9ce965b49213dbba6c8dfeb6564e30bc9b4c3b
Instruction ID: 549e71788753fdac84073ebf96fa9912151026efea83065e895aab86f8f74e66
Opcode Fuzzy Hash: 7b6f9c1107564f7db63577abce9ce965b49213dbba6c8dfeb6564e30bc9b4c3b
Instruction Fuzzy Hash: 3121B332600118BFEF118F54DC45FAB37AAEF89754F018139F9466B2D0C6759C6197A4

Function 003F39E9 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 003F3A66

Part of subcall function 00387DE1: _memmove.LIBCMT ref: 00387E22

Strings

AUTOITCALLVARIABLE%d, xrefs: 003F3A58
, $, xrefs: 003F3AA6
%A, xrefs: 003F39F4

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d$%A
API String ID: 3506404897-3511455150
Opcode ID: ac2d9966ef9038a89a3ce735f407c74926d4f4f6d2bfca22c10ffd24d1b951f1
Instruction ID: 0bd1de6edc87c0f77c74358045a85653a8230eb71ba57bbb42086f217e3b47e4
Opcode Fuzzy Hash: ac2d9966ef9038a89a3ce735f407c74926d4f4f6d2bfca22c10ffd24d1b951f1
Instruction Fuzzy Hash: 8321937160021DABCF12FF65CC82ABEBBB5AF48700F600499F545AB181DB34EA45CB65

Function 0040770E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00407772
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00407787
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00407794

Strings

msctls_trackbar32, xrefs: 00407749

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: c5ef6b5e463021e9135d24f84007c08c265e2f165379e2a6f22e70b7abf9b3c5
Instruction ID: ae1e7e05ffdb858c8d5f73792865d281d952022a8280b0abf24fe16385de456c
Opcode Fuzzy Hash: c5ef6b5e463021e9135d24f84007c08c265e2f165379e2a6f22e70b7abf9b3c5
Instruction Fuzzy Hash: 47110132600208BAEF205F65CC01FAB77A8EF88B94F110239FA41A71D0C276B811CB28

Function 003C1935 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 003C1775

Part of subcall function 003FBFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,003C195E,?), ref: 003FBFFE
Part of subcall function 003FBFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 003FC010

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 003C196D

Strings

@Z, xrefs: 003C1935
WIN_XPe, xrefs: 003C1788

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: @Z$WIN_XPe
API String ID: 582185067-886467389
Opcode ID: fc49960b08ba6e476143c5d857369e3572ac789d246d8c6f82a1094bb61335cc
Instruction ID: 822074137ef2a095ad0122da87d6fd051a28df0187627c11a8e4820e0468b210
Opcode Fuzzy Hash: fc49960b08ba6e476143c5d857369e3572ac789d246d8c6f82a1094bb61335cc
Instruction Fuzzy Hash: E6F0C971804109DFDB27DBA1CA94FECBBF8AB09301F5400A9E102B6491D7714F84EF65

Function 00384B37 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00384AD0), ref: 00384B45
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00384B57

Strings

GetNativeSystemInfo, xrefs: 00384B51
kernel32.dll, xrefs: 00384B40

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 3514840ddbe51049f9019ce0637e1fa7369326f8ebfb80d7777230b3ceb28a41
Instruction ID: 96be0d42563f0b3d9f9a8cdb6f3dd3534fc90535ec65b155ff98d9a68cb775b0
Opcode Fuzzy Hash: 3514840ddbe51049f9019ce0637e1fa7369326f8ebfb80d7777230b3ceb28a41
Instruction Fuzzy Hash: D7D01234A10713CFDB31EF31D918B0676E4AF45351B21887A94C5E6D90E674E884CB58

Function 00384C36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00384B83,?), ref: 00384C44
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00384C56

Strings

Wow64RevertWow64FsRedirection, xrefs: 00384C50
kernel32.dll, xrefs: 00384C3F

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: d0c5948acc4a59478c12d9c8e92b6afae5ddf43e8e8ff0bb4abf233cfe5b22ce
Instruction ID: e8f8f975a8a30a6bf8513005efa02bc6010aa76c05e9b36f906a29113aa21225
Opcode Fuzzy Hash: d0c5948acc4a59478c12d9c8e92b6afae5ddf43e8e8ff0bb4abf233cfe5b22ce
Instruction Fuzzy Hash: 0CD01271510713DFD7309F31D90860676E8BF05351B22897A9495EA964E674D884CB54

Function 00384C03 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00384BD0,?,00384DEF,?,004452F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00384C11
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00384C23

Strings

Wow64DisableWow64FsRedirection, xrefs: 00384C1D
kernel32.dll, xrefs: 00384C0C

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 65dc20494608caf27f15ebf3e3c50c8c53b60b0d32cf6270bd882391292a1fcb
Instruction ID: 9d519da3eb13e21c8569da10d5ccbea976a007c49ce26b238d8026f0163a88d5
Opcode Fuzzy Hash: 65dc20494608caf27f15ebf3e3c50c8c53b60b0d32cf6270bd882391292a1fcb
Instruction Fuzzy Hash: 3ED01231511723DFD730AF71D908606B6E9EF09351B118C7A9485E6964E6B4D884CB54

Function 00400DE7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00401039), ref: 00400DF5
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00400E07

Strings

advapi32.dll, xrefs: 00400DF0
RegDeleteKeyExW, xrefs: 00400E01

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 4f6f9e36b915fa941e48b6ee1ba03e301d889165352aa89a2ba795c9a82cd845
Instruction ID: d442cef0fc2e79b40bc67f67dc8feea8ce08bfa33b18d93620aa32b098e0a035
Opcode Fuzzy Hash: 4f6f9e36b915fa941e48b6ee1ba03e301d889165352aa89a2ba795c9a82cd845
Instruction Fuzzy Hash: E5D08231400322DFC3208B70C80838372E4AF08352F208C3E9482E6A90E6B8D8D08A88

Function 003F90E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,003F8CF4,?,0040F910), ref: 003F90EE
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 003F9100

Strings

GetModuleHandleExW, xrefs: 003F90FA
kernel32.dll, xrefs: 003F90E9

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 63f037615b9dd0d850dbcc7ae2053e81965c0fccf2a677495c2f43a1400acde7
Instruction ID: f2c6e71b56208e7c73e0b1d4deafda850dd5a6f646e3fa259e872a03c0834650
Opcode Fuzzy Hash: 63f037615b9dd0d850dbcc7ae2053e81965c0fccf2a677495c2f43a1400acde7
Instruction Fuzzy Hash: FBD01234510713CFD7309F31D91871676E4AF05351B13883FD585E69B4E674D884CA94

Function 003C1714 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 003C1718
__swprintf.LIBCMT ref: 003C1749

Strings

WIN_XPe, xrefs: 003C1788
%.3d, xrefs: 003C1723

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 1e4926e2656652f1cb98c508a099eef2f1bb90f9f79cb86252bc2b93969fb40f
Instruction ID: 3ab87b8bc4bf0bad6147adde92efe8abb26de9fce3cc69a8ea83d0814b26665a
Opcode Fuzzy Hash: 1e4926e2656652f1cb98c508a099eef2f1bb90f9f79cb86252bc2b93969fb40f
Instruction Fuzzy Hash: 3FD01272804118FACB1397909888EB9737CA70A301F141466B402E2441E275DF54FB65

Function 003D717D Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef7489f0fa2e5dae851703bc664a6f3c5d8a332fad276a7639b796ff1772721b
Instruction ID: e0d038456f55e4adba918c94efba236ec1659c1c69b0f60756ef0eaee690d421
Opcode Fuzzy Hash: ef7489f0fa2e5dae851703bc664a6f3c5d8a332fad276a7639b796ff1772721b
Instruction Fuzzy Hash: 37C16E76A04216EFCB16CFA4D884AAEBBB5FF48304B158599F805EB351E730DD41DB90

Function 003FE02A Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 003FE0BE
CharLowerBuffW.USER32(?,?), ref: 003FE101

Part of subcall function 003FD7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 003FD7C5

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 003FE301
_memmove.LIBCMT ref: 003FE314

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: fbfa6569ccaea1815a615b98257e0602b82a43e32d942aa4681b750f27209734
Instruction ID: 4bef92181c4051c5f4c2257565d5257dc61d56be9567736b73fe98498103e0b7
Opcode Fuzzy Hash: fbfa6569ccaea1815a615b98257e0602b82a43e32d942aa4681b750f27209734
Instruction Fuzzy Hash: 97C18B756083059FC706EF28C480A2ABBE4FF89714F04896EF9999B361D730E946CB81

Function 003F8093 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 003F80C3
CoUninitialize.COMBASE ref: 003F80CE

Part of subcall function 003DD56C: CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 003DD5D4

VariantInit.OLEAUT32(?), ref: 003F80D9
VariantClear.OLEAUT32(?), ref: 003F83AA

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 6d3d0855695a75464bc7b72f07d3f7f0172b984b9bbe707d567f4fea2bf4fde3
Instruction ID: db6ba6325ea42c345cc8b14b4d26fc834924f315e0bf1e421a7e634b9a53f90c
Opcode Fuzzy Hash: 6d3d0855695a75464bc7b72f07d3f7f0172b984b9bbe707d567f4fea2bf4fde3
Instruction Fuzzy Hash: 60A16C396047059FCB16EF54C881B2AB7E4BF89714F08495AFA9A9B3A1CB30FD05CB41

Function 003D7530 Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.COMBASE(?,00000000), ref: 003D76EA
CoTaskMemFree.COMBASE(00000000), ref: 003D7702
CLSIDFromProgID.COMBASE(?,?), ref: 003D7727
_memcmp.LIBCMT ref: 003D7748

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: a8f39dfb6a6b1f08dccfcd21c3cad85a7e32ae896622fa3b8368bb4d102e19e1
Instruction ID: 6d12082dc78f72a1dab63486a2a465b8ceb9095911ab0e1cc6e70a1bd8a05490
Opcode Fuzzy Hash: a8f39dfb6a6b1f08dccfcd21c3cad85a7e32ae896622fa3b8368bb4d102e19e1
Instruction Fuzzy Hash: BB813E76A00109EFCB01DFA4D984EEEB7B9FF89315F204559F505AB250EB71AE06CB60

Function 003D687D Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 003D688E
SysAllocString.OLEAUT32(00000000), ref: 003D6937
VariantCopy.OLEAUT32 ref: 003D6966
VariantClear.OLEAUT32(?), ref: 003D698D

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 63ebf3773496673efc4a813238bcdc92e6c4fb73bff1c6bc4459449716d7ddb7
Instruction ID: 6a27228eebcf530b4f5a890beb240418d0e52ea4617c7585a55fd615217c6371
Opcode Fuzzy Hash: 63ebf3773496673efc4a813238bcdc92e6c4fb73bff1c6bc4459449716d7ddb7
Instruction Fuzzy Hash: 0851B6B67003419ADB26AF65E893A3EB3E9AF45310F20D81FE5E6DB791DB70D8448701

Function 004097F4 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00E0EB28,?), ref: 00409863
ScreenToClient.USER32(00000002,00000002), ref: 00409896
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00409903

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 01d0bcfb89943546ff1b5a521ddba0611767da7aaaab89969626d9020bfea9d4
Instruction ID: 38d21ce4ef6d32c3dbc451ae18519d26c35c28010b6734e894440d62bbe5c2da
Opcode Fuzzy Hash: 01d0bcfb89943546ff1b5a521ddba0611767da7aaaab89969626d9020bfea9d4
Instruction Fuzzy Hash: 83513B75A00208AFCF14DF64C980AAE7BB5EF45360F10816AF865AB3A1D735AD41CB94

Function 003D9A80 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 003D9AD2
__itow.LIBCMT ref: 003D9B03

Part of subcall function 003D9D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 003D9DBE

SendMessageW.USER32(?,0000110A,00000001,?), ref: 003D9B6C
__itow.LIBCMT ref: 003D9BC3

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: b84e354f21b4d0a3da8bb77797575b356927d6129e0bbc5053ac464b13ed9c56
Instruction ID: aa842d03add061c4abf06c95f475bc5b2cf0105a415c2ba2987ce0d9e328397f
Opcode Fuzzy Hash: b84e354f21b4d0a3da8bb77797575b356927d6129e0bbc5053ac464b13ed9c56
Instruction Fuzzy Hash: DC415375A00308ABDF22EF54D845BEE7BBAEF45714F1100ABF905AB391DB709944CB91

Function 003EB7F4 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 003EB89E
GetLastError.KERNEL32(?,00000000), ref: 003EB8C4
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 003EB8E9
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 003EB915

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: a5bf1301347ad6a2144973e61050380e579fd729b9556a7a6e28ce44fcee7008
Instruction ID: df39687d4e84423f2ce96d994438de943bda45a5e7ebb4c77ce653285b9de6ef
Opcode Fuzzy Hash: a5bf1301347ad6a2144973e61050380e579fd729b9556a7a6e28ce44fcee7008
Instruction Fuzzy Hash: FC411A39600651DFCB12EF15C584A6ABBE1AF89314F098099ED4AAF762CB30FD01DB91

Function 00408851 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 004088DE

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 85e892cc238c44bbff02ef9e9899365bd51a87c7295b92e4b13dbf9474bd868a
Instruction ID: a5aa240e3f23b21d082cd3fc5ae3ce7f94168abe341b1e3d8ab7aa43fc2c3a2b
Opcode Fuzzy Hash: 85e892cc238c44bbff02ef9e9899365bd51a87c7295b92e4b13dbf9474bd868a
Instruction Fuzzy Hash: B531C274600108AFEF20BA24CE45FBA7760EB05310F54453BF991F63E1CA38E9419B5E

Function 0040AB37 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0040AB60
GetWindowRect.USER32(?,?), ref: 0040ABD6
PtInRect.USER32(?,?,0040C014), ref: 0040ABE6
MessageBeep.USER32(00000000), ref: 0040AC57

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 1766527f77b71c3995a6077f2c6f1b783bf2d53962bc9a4401f8ffd1e0456910
Instruction ID: ae064b20ce42b2b8e91a6e21fab3c7496991765a796da7a7fd89aa89fd64a953
Opcode Fuzzy Hash: 1766527f77b71c3995a6077f2c6f1b783bf2d53962bc9a4401f8ffd1e0456910
Instruction Fuzzy Hash: 6541A234604218DFDF11DF58D884B997BF5FB49304F1980BAE914AB3A1D734E861CB5A

Function 003B61C5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 003B61FB
__isleadbyte_l.LIBCMT ref: 003B6229
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 003B6257
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 003B628D

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 3d56cd1dc2d8ff23afc413d3f0f6d2bae58328a866d93d6448db76b291ad269e
Instruction ID: 06b98708a157fe9e3b1e107d644ae71a17ea79d300cbc75dfd88f54baa660beb
Opcode Fuzzy Hash: 3d56cd1dc2d8ff23afc413d3f0f6d2bae58328a866d93d6448db76b291ad269e
Instruction Fuzzy Hash: DC31D431600246AFEF228F64CC46BFA7BB9FF42314F164428E9149B992D734D950DB50

Function 00404EEE Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00404F02

Part of subcall function 003E3641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 003E365B
Part of subcall function 003E3641: GetCurrentThreadId.KERNEL32 ref: 003E3662
Part of subcall function 003E3641: AttachThreadInput.USER32(00000000,?,003E5005), ref: 003E3669

GetCaretPos.USER32(?), ref: 00404F13
ClientToScreen.USER32(00000000,?), ref: 00404F4E
GetForegroundWindow.USER32 ref: 00404F54

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 7155d2709f7a3abfab9035ec1c3f534402596ac8c7468c966f0c99d40f5e5e40
Instruction ID: 11e7aa836e069fd14a617dcf39815098f77e36751bc7301cda3c49f9883fa678
Opcode Fuzzy Hash: 7155d2709f7a3abfab9035ec1c3f534402596ac8c7468c966f0c99d40f5e5e40
Instruction Fuzzy Hash: A53130B1D00208AFCB11EFB5C985AEFB7F9EF98304F10406AE415E7241DA759E058BA1

Function 003D8656 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 003D810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 003D8121
Part of subcall function 003D810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 003D812B
Part of subcall function 003D810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 003D813A
Part of subcall function 003D810A: RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 003D8141
Part of subcall function 003D810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 003D8157

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 003D86A3
_memcmp.LIBCMT ref: 003D86C6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 003D86FC
HeapFree.KERNEL32(00000000), ref: 003D8703

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocateErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 2182266621-0
Opcode ID: 46773da8bf7ae76b4c1ed3f7c573396a5209ae98d28727b433ce36d3ac924eea
Instruction ID: 30bb500970b85bc865c5d5c1ef46950df8a3df7d6656808cfb406f482e8beb37
Opcode Fuzzy Hash: 46773da8bf7ae76b4c1ed3f7c573396a5209ae98d28727b433ce36d3ac924eea
Instruction Fuzzy Hash: D6217F72D00108EFDB11DFA4D949BEEB7B8EF44314F15406AE544AB240EB30EE05CB50

Function 003A098C Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 003A09AE

Part of subcall function 00385A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,003E7896,?,?,00000000), ref: 00385A2C
Part of subcall function 00385A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,003E7896,?,?,00000000,?,?), ref: 00385A50

_fprintf.LIBCMT ref: 003A09E5
OutputDebugStringW.KERNEL32(?), ref: 003D5DBB

Part of subcall function 003A4AAA: _flsall.LIBCMT ref: 003A4AC3

__setmode.LIBCMT ref: 003A0A1A

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: ab6daa74390d39174dfd54b0828fcd24afe7d14d674381b6c17458a963e98083
Instruction ID: 30f9d4c9bf47ed6d1154fc88a52c7f98290d51b07e4c86fd3506bc7a5a540461
Opcode Fuzzy Hash: ab6daa74390d39174dfd54b0828fcd24afe7d14d674381b6c17458a963e98083
Instruction Fuzzy Hash: B5116A329042046FDB0BB3B4AC479FE776CDF87320F24016AF1056B192EFB5584297A5

Function 003F1767 Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 003F17A3

Part of subcall function 003F182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 003F184C
Part of subcall function 003F182D: InternetCloseHandle.WININET(00000000), ref: 003F18E9

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 2b921cff3c01421660e8d9a31603a47e618c820ee14697b0dbb2c966730878f1
Instruction ID: e8b9a501a7f68d00f8306ce548974038094f4349c897c018380ee952f5c7e427
Opcode Fuzzy Hash: 2b921cff3c01421660e8d9a31603a47e618c820ee14697b0dbb2c966730878f1
Instruction Fuzzy Hash: 1F21B035200609FBEB239F60ED00BBBBBA9FF48750F14402AFA05A6950D775981597A0

Function 003E3A2A Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0040FAC0), ref: 003E3A64
GetLastError.KERNEL32 ref: 003E3A73
CreateDirectoryW.KERNEL32(?,00000000), ref: 003E3A82
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0040FAC0), ref: 003E3ADF

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: ac96bcaf0fdb42f53730976652e6dddee5383c56a4016d834ee9769937b20393
Instruction ID: 5c41299d5cab2a29c24e25cb1dbf27ec53870ba9f0d554f533a65d9b5746a236
Opcode Fuzzy Hash: ac96bcaf0fdb42f53730976652e6dddee5383c56a4016d834ee9769937b20393
Instruction Fuzzy Hash: 942191345083519FC311EF29C8898AAB7E8AE55364F104A7DF499D72E1D731DA8ACB82

Function 003B50E2 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 003B5101

Part of subcall function 003A571C: __FF_MSGBANNER.LIBCMT ref: 003A5733
Part of subcall function 003A571C: __NMSG_WRITE.LIBCMT ref: 003A573A
Part of subcall function 003A571C: RtlAllocateHeap.NTDLL(00DF0000,00000000,00000001), ref: 003A575F

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 4533634472d1d6330e02f3f76dc666e8e4a0d52507a70f43c2bfdc70e0300c26
Instruction ID: 6720532e899383185840b5efc7f7e04abe17f67c30a04b3878ef79a16e502745
Opcode Fuzzy Hash: 4533634472d1d6330e02f3f76dc666e8e4a0d52507a70f43c2bfdc70e0300c26
Instruction Fuzzy Hash: 7611C672904A11AECF372F78BC4579E3798EF06365B214539FB04AEA51DE71894087A4

Function 003D85B1 Relevance: 6.1, APIs: 4, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 003D85E2
OpenProcessToken.ADVAPI32(00000000), ref: 003D85E9
CloseHandle.KERNEL32(00000004), ref: 003D8603
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 003D8632

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Process$CloseCreateCurrentHandleLogonOpenTokenWith
String ID:
API String ID: 2621361867-0
Opcode ID: 14c0275217c1980aeba3fa89973112e2ff1b719af8e4f40f074c0e51d692a131
Instruction ID: 5de382ad3ea7e8a1480ecec3321f7ab6783304ff5b6810d2cc26fd0c10d13611
Opcode Fuzzy Hash: 14c0275217c1980aeba3fa89973112e2ff1b719af8e4f40f074c0e51d692a131
Instruction Fuzzy Hash: 71115C72500209ABDF129FA4ED49BDE7BA9EF09714F054075FE04A2160C772AD64DB61

Function 003F6369 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00385A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,003E7896,?,?,00000000), ref: 00385A2C
Part of subcall function 00385A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,003E7896,?,?,00000000,?,?), ref: 00385A50

gethostbyname.WS2_32(?), ref: 003F6399
WSAGetLastError.WS2_32(00000000), ref: 003F63A4
_memmove.LIBCMT ref: 003F63D1
inet_ntoa.WS2_32(?), ref: 003F63DC

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: fceafe1b6ae317223140909717dc69988710112a896474672eca3072bc281b8e
Instruction ID: 698220271bf691ba71d0c35ea679751b205a0bce391e7889cc26313aff2f9c1b
Opcode Fuzzy Hash: fceafe1b6ae317223140909717dc69988710112a896474672eca3072bc281b8e
Instruction Fuzzy Hash: 00116036500209AFCB06FBA4DD86DFEB7B8AF48310B144075F506BB261DB31AE04DB61

Function 003D8B41 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 003D8B61
SendMessageW.USER32(?,000000C9,?,00000000), ref: 003D8B73
SendMessageW.USER32(?,000000C9,?,00000000), ref: 003D8B89
SendMessageW.USER32(?,000000C9,?,00000000), ref: 003D8BA4

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: cc74a9975d1ce84f747bc8c15182d66332580b773f34c69c2790f1331fc83e72
Instruction ID: 7446b2781bc72927a5ee98bcf9dcd1792e429686bc75ca2611a443d975970dc4
Opcode Fuzzy Hash: cc74a9975d1ce84f747bc8c15182d66332580b773f34c69c2790f1331fc83e72
Instruction Fuzzy Hash: C5115E7A900218FFDB11DFA5CC84F9DBB78FB48710F2040A6E900B7250DA716E11DB94

Function 003DD831 Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 003DD84D
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 003DD864
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 003DD879
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 003DD897

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: bebe1ad6871d03428d6a96ddb50fe34074a125a2cda0c7631ad493574d322a17
Instruction ID: 885711b1e1875844d829405a7ba1e3c24b7c14c06e0c9d88578a0b80b1383877
Opcode Fuzzy Hash: bebe1ad6871d03428d6a96ddb50fe34074a125a2cda0c7631ad493574d322a17
Instruction Fuzzy Hash: D4115E76605304DBE3228F54ED48F92BBBCEB00B00F10857AA916D6A50D7B0E949ABA1

Function 003B6FB7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 003B6FDB

Part of subcall function 003B76C2: __fltout2.LIBCMT ref: 003B76EB

__cftog_l.LIBCMT ref: 003B7001
__cftoe_l.LIBCMT ref: 003B7033

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 03ecf5f172ffa915c45fd282e4de1bfeae6715d7de4baaca2cce3cb932d7e5c9
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: BF014E7244814EBBCF176E84CC01CED3F66FB58358F598416FB1858831D236CAB1AB81

Function 0040B2C5 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0040B2E4
ScreenToClient.USER32(?,?), ref: 0040B2FC
ScreenToClient.USER32(?,?), ref: 0040B320
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040B33B

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 71df57698f55998457efe93c057e895ebe2d9c8ec66baf7e460c5b6d5a82704c
Instruction ID: 41ea416d90c039f51346b1dadc1963ad2d61a2eb27017f8786ee4644aaf1a221
Opcode Fuzzy Hash: 71df57698f55998457efe93c057e895ebe2d9c8ec66baf7e460c5b6d5a82704c
Instruction Fuzzy Hash: 2A117775D00209EFDB11CF99C544AEEBBF9FF08310F104166E914E3620D735AA558F94

Function 0040B635 Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040B644
_memset.LIBCMT ref: 0040B653
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00446F20,00446F64), ref: 0040B682
CloseHandle.KERNEL32 ref: 0040B694

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: c2f8b7d332fe30f5af33aa1817d8cd947097ac7d07fadcadd1c6fc6a38e9048d
Instruction ID: 3aa26559361365a95e74a742d63ec6c314128fdcca27ea6ad70fc14e2f6090e2
Opcode Fuzzy Hash: c2f8b7d332fe30f5af33aa1817d8cd947097ac7d07fadcadd1c6fc6a38e9048d
Instruction Fuzzy Hash: DEF05EB65403007AF2102B65BC06FBB7A9CEB0B795F014031BE48E9592D7765C0487AE

Function 003E6BDA Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 003E6BE6

Part of subcall function 003E76C4: _memset.LIBCMT ref: 003E76F9

_memmove.LIBCMT ref: 003E6C09
_memset.LIBCMT ref: 003E6C16
RtlLeaveCriticalSection.NTDLL(?), ref: 003E6C26

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 8e8fc66266f3cf49cd2021fe183d5367d547f8eef570e68619b6375041530ae1
Instruction ID: b869ebab894716f3c2a20a332f315db44d29b58b87d5e8b33e1acc4824bb7caf
Opcode Fuzzy Hash: 8e8fc66266f3cf49cd2021fe183d5367d547f8eef570e68619b6375041530ae1
Instruction Fuzzy Hash: 78F0543A100110ABCF026F55DC85E4ABB29EF45320F0480B5FE086E267C732E811DBB4

Function 00382218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00382231
SetTextColor.GDI32(?,000000FF), ref: 0038223B
SetBkMode.GDI32(?,00000001), ref: 00382250
GetStockObject.GDI32(00000005), ref: 00382258
GetWindowDC.USER32(?,00000000), ref: 003BBE83
GetPixel.GDI32(00000000,00000000,00000000), ref: 003BBE90
GetPixel.GDI32(00000000,?,00000000), ref: 003BBEA9
GetPixel.GDI32(00000000,00000000,?), ref: 003BBEC2
GetPixel.GDI32(00000000,?,?), ref: 003BBEE2
ReleaseDC.USER32(?,00000000), ref: 003BBEED

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 3634b41587a1a858e0a89e02c0ee0865ecb32e064462ff86a9ec3024a1fa20a8
Instruction ID: 2398a265dcc1a02bb1d75d63b3ca7ee651b1f2b90ba22d4e8b5b88168d93e3e0
Opcode Fuzzy Hash: 3634b41587a1a858e0a89e02c0ee0865ecb32e064462ff86a9ec3024a1fa20a8
Instruction Fuzzy Hash: 5FE03932104244AADB625FA4FD0D7D87B10EB45336F008376FA69684E187B14994DB12

Function 003D8712 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 003D871B
OpenThreadToken.ADVAPI32(00000000,?,?,?,003D82E6), ref: 003D8722
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,003D82E6), ref: 003D872F
OpenProcessToken.ADVAPI32(00000000,?,?,?,003D82E6), ref: 003D8736

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: d556f52b1ebd8f937e03f6db746326de0dfa8f936af4c1ad0d0bf445bebceff5
Instruction ID: 2e921d48a8888481badb250d3ff96c2be0083714e3a658478bb542eda5c5a2f7
Opcode Fuzzy Hash: d556f52b1ebd8f937e03f6db746326de0dfa8f936af4c1ad0d0bf445bebceff5
Instruction Fuzzy Hash: CCE086376112119BD7305FF46E0CB563BACEF50791F158838B685E9040DA349449C754

Function 00386240 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 317COMMON

Download Yara Rule

Strings

%A, xrefs: 0038624E

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID:
String ID: %A
API String ID: 0-219755901
Opcode ID: 819178f90d1fcbd58dc061ba2c976fb3a2cadd5b7dca884e8f3725e489a39702
Instruction ID: 5628b8daf04fbfe9310895bf722caa89c764dde94ace3e6f0b98e24bf555a00f
Opcode Fuzzy Hash: 819178f90d1fcbd58dc061ba2c976fb3a2cadd5b7dca884e8f3725e489a39702
Instruction Fuzzy Hash: CBB1A0759003099BCF16FF94C8869FEB7B9FF44310F6040A6E912AB191EB749E85CB91

Function 003EAFAC Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 0039FC86: _wcscpy.LIBCMT ref: 0039FCA9

Part of subcall function 00389837: __itow.LIBCMT ref: 00389862
Part of subcall function 00389837: __swprintf.LIBCMT ref: 003898AC

__wcsnicmp.LIBCMT ref: 003EB02D
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 003EB0F6

Strings

LPT, xrefs: 003EB027

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: da03d0b3ab7fc80fdd7083477a9bad434a98cd7b90bd6264eb7d661bc2d8effd
Instruction ID: d40f49c048fa883a0e10d0f8c667e2cee112e4f5406c2da99c878b3c829202e4
Opcode Fuzzy Hash: da03d0b3ab7fc80fdd7083477a9bad434a98cd7b90bd6264eb7d661bc2d8effd
Instruction Fuzzy Hash: A1619271A00229AFCB16DF95C891EAFF7B4EF08310F15416AF916AB391D730AE44CB50

Function 00392957 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00392968
GlobalMemoryStatusEx.KERNEL32(?), ref: 00392981

Strings

@, xrefs: 00392975

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 90c59390e37f193c1d24dc958bfe33507cb2eb64adfcf3f69c9e6f8f1e6dc967
Instruction ID: dba573bac99c6c34fe4e413edc3e7812fbe419b9b7c70112c7149f0e6b026c8e
Opcode Fuzzy Hash: 90c59390e37f193c1d24dc958bfe33507cb2eb64adfcf3f69c9e6f8f1e6dc967
Instruction Fuzzy Hash: 695188724087449BD720EF20DC86BAFBBE8FF85344F81889DF2D9450A1DB309569CB66

Function 003E9734 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00384F0B: __fread_nolock.LIBCMT ref: 00384F29

_wcscmp.LIBCMT ref: 003E9824
_wcscmp.LIBCMT ref: 003E9837

Strings

FILE, xrefs: 003E9770

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 97d20fb8a55bc0442b5e2bdd7df50c2be452e502cdd872e1af14cfb658f03649
Instruction ID: 61f77b453cb0153f3b09c0647b48b8b6095e2daa2d2679af203f64a15c5207e6
Opcode Fuzzy Hash: 97d20fb8a55bc0442b5e2bdd7df50c2be452e502cdd872e1af14cfb658f03649
Instruction Fuzzy Hash: 0D41D971A0035ABADF22AAA5CC45FEFB7BDDF86710F01016AF904AB1D0D77199048B61

Function 003C0574 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 003C057F

Strings

0-, xrefs: 0038A151, 0038A159
DdD, xrefs: 0038A317

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: ClearVariant
String ID: 0-$DdD
API String ID: 1473721057-1955278431
Opcode ID: 00c10cb7b3af6e4aaa7164cf531e5dd28734e121c605a20d2bf4a12a515b9020
Instruction ID: 1797a557d1aca6fc5b940151d182833d3bd544bda609ba47d591ffebca1c2b00
Opcode Fuzzy Hash: 00c10cb7b3af6e4aaa7164cf531e5dd28734e121c605a20d2bf4a12a515b9020
Instruction Fuzzy Hash: F5511478604741CFEB65EF18C484A1ABBF1BB9A354F55889EE9858B321D331EC81CF42

Function 003F258E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003F259E
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 003F25D4

Strings

|, xrefs: 003F25A5

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: aaf9928d6025179906eb40b358256268a8fc00e0a36416d9f505e217a6faa2b3
Instruction ID: 8e00f818b9b9f369f554aa448ff17202d3f45d65a8a9f6bead2a4b03ddd0bc05
Opcode Fuzzy Hash: aaf9928d6025179906eb40b358256268a8fc00e0a36416d9f505e217a6faa2b3
Instruction Fuzzy Hash: D8310C71804219EBCF12EFA5CC85DEEBFB9FF08310F1000A9F955AA162DB319A55DB60

Function 00407A71 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00407B61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00407B76

Strings

', xrefs: 00407ACA

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: e262542a87e5cd342038415eb25f19feb49afd0500ee67be687515f595ea9eb8
Instruction ID: 7c865caf7a68d53fe5e42abbe9ba0aa7dab26450883cfaec29918132b9de235f
Opcode Fuzzy Hash: e262542a87e5cd342038415eb25f19feb49afd0500ee67be687515f595ea9eb8
Instruction Fuzzy Hash: 3A412774E0520A9FDB14CF64C880BEABBB5FB09304F10417AE904AB381D774B952CFA5

Function 00406A63 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00406B17
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00406B53

Strings

static, xrefs: 00406AB3

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 9fde2f7b1ea5b94dd2616840f5640a89ec9405563a19f6776b9646a98f128285
Instruction ID: 53df837f90cca8f9726e9dd265b27e09a553ff970e96e6cc22d9ca8dc915cd5b
Opcode Fuzzy Hash: 9fde2f7b1ea5b94dd2616840f5640a89ec9405563a19f6776b9646a98f128285
Instruction Fuzzy Hash: DA31A171200604AEDB119F64CC40BFB73B9FF48764F11852AF9A6E7190DB35AC51DB68

Function 003E28A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003E2911
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 003E294C

Strings

0, xrefs: 003E290A

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: dff697ba7970f592eb4af7073fc3ab73197af6b3fea2789892a84fde15d320f4
Instruction ID: c46bc288d52a0b8c510f747dbfaa0cfa031c2d4e16fdca04a30c6ef90bd3db4c
Opcode Fuzzy Hash: dff697ba7970f592eb4af7073fc3ab73197af6b3fea2789892a84fde15d320f4
Instruction Fuzzy Hash: 2331E3716003999BEF2ACF5ACC45BAFBBBCEF05350F151229F885A61E2DB709950CB11

Function 004066D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00406761
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0040676C

Strings

Combobox, xrefs: 0040672E

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 4ad867fe587234e448830a386ae612d590179006497ea1b5bc3cde9ceccfbdb7
Instruction ID: 3d4646402fcc77a7b334f94272dd359fab6388b7d9ac002a04c635c16828fe1e
Opcode Fuzzy Hash: 4ad867fe587234e448830a386ae612d590179006497ea1b5bc3cde9ceccfbdb7
Instruction Fuzzy Hash: 2811B675200209AFEF119F54CC80EBB376AEB88368F11013AF919AB2D0D679DC6187A4

Function 00406C07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00381D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00381D73
Part of subcall function 00381D35: GetStockObject.GDI32(00000011), ref: 00381D87
Part of subcall function 00381D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00381D91

GetWindowRect.USER32(00000000,?), ref: 00406C71
GetSysColor.USER32(00000012), ref: 00406C8B

Strings

static, xrefs: 00406C4E

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 710dc327d3fae4fc8aeee2ebcde35d57456ee9b89f6948ec31d0f61700eec543
Instruction ID: be3ee2465f9a362985b5accedc7e9afcd3dd6385a721ce66ad9f76e6845dfe19
Opcode Fuzzy Hash: 710dc327d3fae4fc8aeee2ebcde35d57456ee9b89f6948ec31d0f61700eec543
Instruction Fuzzy Hash: 16215C72514209AFDF14DFB8CC45AFA7BA8FB08304F014529FD56E2290D639E861DB64

Function 00406920 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 004069A2
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 004069B1

Strings

edit, xrefs: 00406986

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 872c748a7405e68a9be8d070729ab4c4b5e640a63dbb6cb3712b059a963c4a8e
Instruction ID: 3b12df41d12f69f48f8ce4b77bd92908f88a4c8e2f2e5bcac52365291a124a35
Opcode Fuzzy Hash: 872c748a7405e68a9be8d070729ab4c4b5e640a63dbb6cb3712b059a963c4a8e
Instruction Fuzzy Hash: 6F119DB1100204ABEF108F649C40EAB3669EB05378F514735F9A2A76E0C639DC659B68

Function 003E29AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003E2A22
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 003E2A41

Strings

0, xrefs: 003E2A18

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 2d8f0dc8525d5b528d3044a77b16b9e0dc9746781c1e7ceeb727ad6fbf7eeae6
Instruction ID: 5afbfdb3e5f6b0986730fcc41dfdf0dacac7f832253f53dafd4c46e5bece8166
Opcode Fuzzy Hash: 2d8f0dc8525d5b528d3044a77b16b9e0dc9746781c1e7ceeb727ad6fbf7eeae6
Instruction Fuzzy Hash: B311D0329011A4AFDF32EB99DC44BAB73BDAB46304F064231E855E72D1DB70AD0AC795

Function 003F21D6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 003F222C
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 003F2255

Strings

<local>, xrefs: 003F221D

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: ecdfd913bda1fde2c69a4d92564a46d3c36dab9a790fc4b3feb39bc865bc006e
Instruction ID: dada83efbec5541f5c81a8fde2fe79e48ff31d83c8fe46aaf64e30b1c8b4a601
Opcode Fuzzy Hash: ecdfd913bda1fde2c69a4d92564a46d3c36dab9a790fc4b3feb39bc865bc006e
Instruction Fuzzy Hash: 01110E70541229FEEB268F518C99EBBFBACFF0A351F108A2AFA0496440D3705885D6F1

Function 003D8E05 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00387DE1: _memmove.LIBCMT ref: 00387E22

Part of subcall function 003DAA99: GetClassNameW.USER32(?,?,000000FF), ref: 003DAABC

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 003D8E73

Strings

ComboBox, xrefs: 003D8E12
ListBox, xrefs: 003D8E3D

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 28aec8ad65d78232fb8c004354deaa76219e939b64adb76fe2997ff09b940de2
Instruction ID: a922e4a320937c3323521afa71d95977e7b0802c423b464fcbc34a6602f92ce5
Opcode Fuzzy Hash: 28aec8ad65d78232fb8c004354deaa76219e939b64adb76fe2997ff09b940de2
Instruction Fuzzy Hash: 1601F5B2605218ABCF16FBA0DC419FE7369AF05320B500A5AF8615B3D1DE31980CC750

Function 003D8CFD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00387DE1: _memmove.LIBCMT ref: 00387E22

Part of subcall function 003DAA99: GetClassNameW.USER32(?,?,000000FF), ref: 003DAABC

SendMessageW.USER32(?,00000180,00000000,?), ref: 003D8D6B

Strings

ComboBox, xrefs: 003D8D0A
ListBox, xrefs: 003D8D35

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 5c6128ebd62ec900be96fca5198120464c53f25817f8f8a8c1d6ea87132c8407
Instruction ID: f6d797e68e7fb6eec8686312f5f8483bf24294bd5b0adcb595b65f4c52af084c
Opcode Fuzzy Hash: 5c6128ebd62ec900be96fca5198120464c53f25817f8f8a8c1d6ea87132c8407
Instruction Fuzzy Hash: F101D8B2A41108ABCF16FBA0D952AFE73A99F15300F600056B802672D1DE259E0CD371

Function 003D8D82 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00387DE1: _memmove.LIBCMT ref: 00387E22

Part of subcall function 003DAA99: GetClassNameW.USER32(?,?,000000FF), ref: 003DAABC

SendMessageW.USER32(?,00000182,?,00000000), ref: 003D8DEE

Strings

ComboBox, xrefs: 003D8D8F
ListBox, xrefs: 003D8DBA

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 56d8c7867e30533fb7e518313a116f194b4b798cf4d9f81ea587ef22c91abc40
Instruction ID: 0e02299c39c3329bfa3cacaaebfcfd21a6e7ea5e9813ad970cb292bee545356b
Opcode Fuzzy Hash: 56d8c7867e30533fb7e518313a116f194b4b798cf4d9f81ea587ef22c91abc40
Instruction Fuzzy Hash: 3901F7B3A45208A7CF27F7A4D952AFE73AD8F15300F600016B841A73D1DE259E0CD271

Function 003A6B71 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 003A6B93
__calloc_crt.LIBCMT ref: 003A6BAC

Strings

@BD, xrefs: 003A6BC3

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: __calloc_crt
String ID: @BD
API String ID: 3494438863-1009122524
Opcode ID: 3828d36674ac0ffe6f05a610ff5f7c8dcb4edd49a540aa0324cc97e78a49dd86
Instruction ID: f02918efc2f16935b779aae2a59a1bcfc64215fb08bcc95cf090465cc54afdc9
Opcode Fuzzy Hash: 3828d36674ac0ffe6f05a610ff5f7c8dcb4edd49a540aa0324cc97e78a49dd86
Instruction Fuzzy Hash: E8F09C75205A118BFB65CF56BC53B5627D4F707734F540477E500CF592EBB488414AE8

Function 003E4F28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 003E4F46
_wcscmp.LIBCMT ref: 003E4F58

Strings

#32770, xrefs: 003E4F52

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: f39c2fe3b9b89fe2f0dff127ec3f47e992152df49a453175247c6e8c4f4b19bb
Instruction ID: cdb3f3263fc055478d01c967a076dfd15032cfa8c91ab91ce3ffdc6ba17449aa
Opcode Fuzzy Hash: f39c2fe3b9b89fe2f0dff127ec3f47e992152df49a453175247c6e8c4f4b19bb
Instruction Fuzzy Hash: 52E09B3290032826D7209B59AC45BA7F7ACDB56B61F010167FD04D7051D5709A4587D5

Function 003BB2C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 003BB314: _memset.LIBCMT ref: 003BB321

Part of subcall function 003A0940: InitializeCriticalSectionAndSpinCount.KERNEL32(00444158,00000000,00444144,003BB2F0,?,?,?,0038100A), ref: 003A0945

IsDebuggerPresent.KERNEL32(?,?,?,0038100A), ref: 003BB2F4
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0038100A), ref: 003BB303

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 003BB2FE

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: da03fcbb5640183cfde486ededce96d8a5cf5f702060902d844715928aa15b4d
Instruction ID: 6f831776d0378d61bf1b728559cd744bb01c8a848816b0007ef5e7e870dbbcb1
Opcode Fuzzy Hash: da03fcbb5640183cfde486ededce96d8a5cf5f702060902d844715928aa15b4d
Instruction Fuzzy Hash: F0E06D782007108FD7669F28E604382BAE4AF00318F418A7DE49AC7A51EBF5E408CBA1

Function 00405964 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0040596E
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00405981

Part of subcall function 003E5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 003E52BC

Strings

Shell_TrayWnd, xrefs: 00405967

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 0a203f9c6e884d7e76fdeed1199e7700481111e9ea776924f5138be0bbe6e8ec
Instruction ID: 5f1689d1c8796213e80a30a0d690ec2058b6daf2fcbb4def3102e76401f31ddc
Opcode Fuzzy Hash: 0a203f9c6e884d7e76fdeed1199e7700481111e9ea776924f5138be0bbe6e8ec
Instruction Fuzzy Hash: 0ED0C931784311B6E678AB709D0BF966A15AB04B55F100839B359AA5D1C9F49804C658

Function 00405998 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 004059AE
PostMessageW.USER32(00000000), ref: 004059B5

Part of subcall function 003E5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 003E52BC

Strings

Shell_TrayWnd, xrefs: 004059A7

Memory Dump Source

Source File: 00000000.00000002.2289322872.0000000000381000.00000040.00000001.01000000.00000003.sdmp, Offset: 00380000, based on PE: true

Associated: 00000000.00000002.2289303174.0000000000380000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000434000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000043E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289322872.0000000000492000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289550466.0000000000498000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289580234.0000000000499000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_380000_uEuTtkxAqq.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: df97515b02fdd11afebdeacf354bb49ff79cd8a4bf0ea76f67c30d2678382e40
Instruction ID: d3bec808b25526f2009d185a76ba79417b70bce867a95e88ce756d65a9a553da
Opcode Fuzzy Hash: df97515b02fdd11afebdeacf354bb49ff79cd8a4bf0ea76f67c30d2678382e40
Instruction Fuzzy Hash: 41D0C9317843117AE678AB709D0BF966615AB04B55F100839B355AA5D1C9F4A804C658

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report uEuTtkxAqq.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\autFB2C.tmp

C:\Users\user\AppData\Local\Temp\biopsies

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

Windows Analysis Report
uEuTtkxAqq.exe

Function 00383B3A Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Function 00383633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
timewindowregistryCOMMON

Function 003849A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00384E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 003E9155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 0038708B Relevance: 19.5, APIs: 6, Strings: 5, Instructions: 201
registryCOMMON

Function 00383A46 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 71
windowregistryCOMMON

Function 00383766 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Function 0038301C Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 73
registrywindowclipboardCOMMON

Function 00383041 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 54
registrywindowclipboardCOMMON

Function 00FFEB20 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00387285 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 65
COMMON

Function 003839D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 0038686A Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 260
COMMON

Function 00FFE8D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 152
fileCOMMON

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre