Edit tour

Windows Analysis Report
ZeAX5i7cGB.exe

Overview

General Information

Sample name:	ZeAX5i7cGB.exe renamed because original name is a hash value
Original sample name:	272138ac60ea58d4b95bb5fad2e9574d73847e063b7a22a7be32b59b2b347445.exe
Analysis ID:	1588720
MD5:	65ed14721b82072f5e937200cdf0778f
SHA1:	d6fff1b262210ef4393f8631d7df528daf78723a
SHA256:	272138ac60ea58d4b95bb5fad2e9574d73847e063b7a22a7be32b59b2b347445
Tags:	exeRedLineStealeruser-adrian__luca
Infos:

Detection

AgentTesla, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected PureLog Stealer

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Suspicious Outbound SMTP Connections

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

ZeAX5i7cGB.exe (PID: 5308 cmdline: "C:\Users\user\Desktop\ZeAX5i7cGB.exe" MD5: 65ED14721B82072F5E937200CDF0778F)

RegSvcs.exe (PID: 1656 cmdline: "C:\Users\user\Desktop\ZeAX5i7cGB.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

Ycdwx.exe (PID: 3652 cmdline: "C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

conhost.exe (PID: 4336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Ycdwx.exe (PID: 6696 cmdline: "C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

conhost.exe (PID: 6976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Host": "mail.elec-qatar.com", "Username": "mohammed.abrar@elec-qatar.com", "Password": "MHabrar2019@#"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.3365612518.0000000005340000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000002.00000002.3365612518.0000000005340000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000002.00000002.3365885108.00000000053C0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000002.00000002.3365885108.00000000053C0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000002.00000002.3363975882.0000000002D46000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2128762297.0000000003120000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 FD 88 44 24 2B 88 44 24 2F B0 FD 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
00000002.00000002.3365170902.0000000003CC1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000002.00000002.3365170902.0000000003CC1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000002.00000002.3363975882.0000000002D14000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3363975882.0000000002D14000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.3362305005.0000000000400000.00000040.80000000.00040000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 FD 88 44 24 2B 88 44 24 2F B0 FD 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
00000002.00000002.3363655727.00000000029BE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000002.00000002.3363655727.00000000029BE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 1656	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 1656	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
decrypted.memstr	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
decrypted.memstr	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 12 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.RegSvcs.exe.3d04d90.3.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.3d04d90.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.53c0000.8.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.53c0000.8.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 FD 88 44 24 2B 88 44 24 2F B0 FD 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
2.2.RegSvcs.exe.5340000.7.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.5340000.7.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.5340000.7.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.5340000.7.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.29fec46.1.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.29fec46.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.29fec46.1.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.29fec46.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.3d04d90.3.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.3d04d90.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.29ffb2e.2.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.29ffb2e.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.ZeAX5i7cGB.exe.3120000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 FD 88 44 24 2B 88 44 24 2F B0 FD 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
2.2.RegSvcs.exe.3cc5570.4.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.3cc5570.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.400000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x1300:$s3: 83 EC 38 53 B0 FD 88 44 24 2B 88 44 24 2F B0 FD 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x2018a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1fdd0:$s5: delete[] 0x1f288:$s6: constructor or from DllMain.
2.2.RegSvcs.exe.53c0000.8.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.53c0000.8.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.5340ee8.6.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.5340ee8.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.5340ee8.6.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.5340ee8.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.3cc6458.5.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.3cc6458.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.3cc5570.4.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.3cc5570.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.3cc6458.5.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.3cc6458.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.RegSvcs.exe.29ffb2e.2.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.29ffb2e.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 30 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 1656, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ycdwx

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 50.87.139.143, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 1656, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49705

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://mail.elec-qatar.com

Avira URL Cloud: Label: malware

Found malware configuration

Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "mail.elec-qatar.com", "Username": "mohammed.abrar@elec-qatar.com", "Password": "MHabrar2019@#"}

Multi AV Scanner detection for submitted file

Source: ZeAX5i7cGB.exe	Virustotal: Detection: 72%			Perma Link
Source: ZeAX5i7cGB.exe	ReversingLabs: Detection: 87%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for sample

Source: ZeAX5i7cGB.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: /log.tmp
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: <br>[
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: yyyy-MM-dd HH:mm:ss
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: ]<br>
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: <br>
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Time:
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: MM/dd/yyyy HH:mm:ss
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: <br>User Name:
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: <br>Computer Name:
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: <br>OSFullName:
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: <br>CPU:
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: <br>RAM:
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: <br>
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: IP Address:
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: <br>
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: <hr>
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: New
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: MM/dd/yyyy HH:mm:ss
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: IP Address:
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: true
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: https://api.ipify.org
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: false
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: false
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: false
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: false
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: false
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: false
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: true
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: false
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: mail.elec-qatar.com
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: mohammed.abrar@elec-qatar.com
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: MHabrar2019@#
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: davidsurly1@gmail.com
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: true
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: false
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: appdata
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Ycdwx
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Ycdwx.exe
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Ycdwx
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Type
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Software\Microsoft\Windows\CurrentVersion\Run
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: <br>
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: <hr>
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: <br>
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: <b>[
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: ]</b> (
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: )<br>
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: {BACK}
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: {ALT+TAB}
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: {ALT+F4}
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: {TAB}
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: {ESC}
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: {Win}
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: {CAPSLOCK}
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: {KEYUP}
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: {KEYDOWN}
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: {KEYLEFT}
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: {KEYRIGHT}
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: {DEL}
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: {END}
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: {HOME}
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: {Insert}
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: {NumLock}
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: {PageDown}
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: {PageUp}
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: {ENTER}
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: {F1}
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: {F2}
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: {F3}
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: {F4}
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: {F5}
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: {F6}
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: {F7}
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: {F8}
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: {F9}
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: {F10}
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: {F11}
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: {F12}
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: control
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: {CTRL}
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: &
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: <
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: >
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: "
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: <br><hr>Copied Text: <br>
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: <hr>
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: logins
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: IE/Edge
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Windows Secure Note
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: 3CCD5499-87A8-4B10-A215-608888DD3B55
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Windows Web Password Credential
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: 154E23D0-C644-4E6F-8CE6-5069272F999F
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Windows Credential Picker Protector
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Web Credentials
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Windows Credentials
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Windows Domain Certificate Credential
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: 3E0E35BE-1B77-43E7-B873-AED901B6275B
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Windows Domain Password Credential
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Windows Extended Credential
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: 00000000-0000-0000-0000-000000000000
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: SchemaId
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: pResourceElement
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: pIdentityElement
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: pPackageSid
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: pAuthenticatorElement
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: IE/Edge
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: UC Browser
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: UCBrowser\
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Login Data
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: journal
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: wow_logins
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Safari for Windows
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: \Common Files\Apple\Apple Application Support\plutil.exe
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: \Apple Computer\Preferences\keychain.plist
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: <array>
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: <dict>
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: <string>
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: </string>
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: <string>
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: </string>
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: <data>
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: </data>
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: -convert xml1 -s -o "
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: \fixed_keychain.xml"
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: \Microsoft\Credentials\
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: \Microsoft\Credentials\
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: \Microsoft\Credentials\
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: \Microsoft\Credentials\
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: \Microsoft\Protect\
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: credential
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: QQ Browser
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Tencent\QQBrowser\User Data
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: \Default\EncryptedStorage
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Profile
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: \EncryptedStorage
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: entries
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: category
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Password
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: str3
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: str2
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: blob0
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: password_value
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: IncrediMail
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: PopPassword
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: SmtpPassword
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Software\IncrediMail\Identities\
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: \Accounts_New
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: PopPassword
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: SmtpPassword
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: SmtpServer
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: EmailAddress
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Eudora
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Software\Qualcomm\Eudora\CommandLine\
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: current
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Settings
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: SavePasswordText
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Settings
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: ReturnAddress
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Falkon Browser
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: \falkon\profiles\
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: profiles.ini
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: startProfile=([A-z0-9\/\.\"]+)
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: profiles.ini
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: \browsedata.db
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: autofill
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: ClawsMail
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: \Claws-mail
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: \clawsrc
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: \clawsrc
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: passkey0
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: master_passphrase_salt=(.+)
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: master_passphrase_pbkdf2_rounds=(.+)
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: \accountrc
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: smtp_server
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: address
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: account
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: \passwordstorerc
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: {(.),(.)}(.*)
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Flock Browser
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: APPDATA
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: \Flock\Browser\
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: signons3.txt
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: DynDns
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: ALLUSERSPROFILE
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Dyn\Updater\config.dyndns
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: username=
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: password=
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: https://account.dyn.com/
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: t6KzXhCh
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: ALLUSERSPROFILE
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Dyn\Updater\daemon.cfg
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: global
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: accounts
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: account.
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: username
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: account.
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: password
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Psi/Psi+
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: name
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: password
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Psi/Psi+
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: APPDATA
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: \Psi\profiles
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: APPDATA
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: \Psi+\profiles
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: \accounts.xml
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: \accounts.xml
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: OpenVPN
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Software\OpenVPN-GUI\configs
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Software\OpenVPN-GUI\configs
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Software\OpenVPN-GUI\configs\
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: username
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: auth-data
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: entropy
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: USERPROFILE
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: \OpenVPN\config\
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: remote
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: remote
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: NordVPN
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: NordVPN
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: NordVpn.exe*
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: user.config
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: //setting[@name='Username']/value
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: //setting[@name='Password']/value
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: NordVPN
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Private Internet Access
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: %ProgramW6432%
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Private Internet Access\data
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: ProgramFiles(x86)
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: \Private Internet Access\data
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: \account.json
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: ."username":"(.?)"
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: ."password":"(.?)"
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Private Internet Access
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: privateinternetaccess.com
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: FileZilla
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: APPDATA
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: \FileZilla\recentservers.xml
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: APPDATA
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: \FileZilla\recentservers.xml
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: <Server>
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: <Host>
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: <Host>
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: </Host>
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: <Port>
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: </Port>
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: <User>
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: <User>
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: </User>
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: <Pass encoding="base64">
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: <Pass encoding="base64">
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: </Pass>
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: <Pass>
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: <Pass encoding="base64">
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: </Pass>
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: CoreFTP
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: SOFTWARE\FTPWare\COREFTP\Sites
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: User
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Host
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Port
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: hdfzpysvpzimorhk
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: WinSCP
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: HostName
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: UserName
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Password
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: PublicKeyFile
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: PortNumber
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: [PRIVATE KEY LOCATION: "{0}"]
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: WinSCP
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: ABCDEF
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Flash FXP
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: port
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: user
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: pass
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: quick.dat
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Sites.dat
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: \FlashFXP\
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: \FlashFXP\
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: yA36zA48dEhfrvghGRg57h5UlDv3
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: FTP Navigator
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: SystemDrive
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: \FTP Navigator\Ftplist.txt
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Server
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Password
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: No Password
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: User
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: SmartFTP
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: APPDATA
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: SmartFTP\Client 2.0\Favorites\Quick Connect
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: WS_FTP
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: appdata
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Ipswitch\WS_FTP\Sites\ws_ftp.ini
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: HOST
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: PWD=
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: PWD=
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: FtpCommander
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: SystemDrive
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: \Program Files (x86)\FTP Commander Deluxe\Ftplist.txt
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: SystemDrive
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: \Program Files (x86)\FTP Commander\Ftplist.txt
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: SystemDrive
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: \cftp\Ftplist.txt
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: \VirtualStore\Program Files (x86)\FTP Commander\Ftplist.txt
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: \VirtualStore\Program Files (x86)\FTP Commander Deluxe\Ftplist.txt
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: ;Password=
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: ;User=
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: ;Server=
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: ;Port=
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: ;Port=
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: ;Password=
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: ;User=
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: ;Anonymous=
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: FTPGetter
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: \FTPGetter\servers.xml
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: <server>
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: <server_ip>
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: <server_ip>
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: </server_ip>
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: <server_port>
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: </server_port>
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: <server_user_name>
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: <server_user_name>
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: </server_user_name>
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: <server_user_password>
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: <server_user_password>
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: </server_user_password>
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: FTPGetter
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: The Bat!
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: appdata
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: \The Bat!
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: \Account.CFN
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: \Account.CFN
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: +-0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Becky!
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: HKEY_CURRENT_USER\Software\RimArts\B2\Settings
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: DataDir
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Folder.lst
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: \Mailbox.ini
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Account
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: PassWd
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Account
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: SMTPServer
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Account
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: MailAddress
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Becky!
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Outlook
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Email
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: IMAP Password
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: POP3 Password
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: HTTP Password
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: SMTP Password
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Email
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Email
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Email
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: IMAP Password
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: POP3 Password
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: HTTP Password
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: SMTP Password
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Server
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Windows Mail App
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: COMPlus_legacyCorruptedStateExceptionsPolicy
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Software\Microsoft\ActiveSync\Partners
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Email
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Server
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: SchemaId
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: pResourceElement
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: pIdentityElement
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: pPackageSid
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: pAuthenticatorElement
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: syncpassword
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: mailoutgoing
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: FoxMail
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: HKEY_CURRENT_USER\Software\Aerofox\FoxmailPreview
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Executable
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: HKEY_CURRENT_USER\Software\Aerofox\Foxmail\V3.1
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: FoxmailPath
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: \Storage\
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: \Storage\
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: \mail
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: \mail
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: \VirtualStore\Program Files\Foxmail\mail
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: \VirtualStore\Program Files\Foxmail\mail
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: \VirtualStore\Program Files (x86)\Foxmail\mail
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: \VirtualStore\Program Files (x86)\Foxmail\mail
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: \Accounts\Account.rec0
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: \Accounts\Account.rec0
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: \Account.stg
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: \Account.stg
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: POP3Host
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: SMTPHost
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: IncomingServer
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Account
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: MailAddress
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Password
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: POP3Password
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Opera Mail
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: \Opera Mail\Opera Mail\wand.dat
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: \Opera Mail\Opera Mail\wand.dat
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: opera:
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: abcdefghijklmnopqrstuvwxyz1234567890_-.~!@#$%^&*()[{]}\\|';:,<>/?+=
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: PocoMail
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: appdata
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: \Pocomail\accounts.ini
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Email
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: POPPass
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: SMTPPass
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: SMTP
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: eM Client
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: eM Client\accounts.dat
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: eM Client
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Accounts
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: "Username":"
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: "Secret":"
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: 72905C47-F4FD-4CF7-A489-4E8121A155BD
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: "ProviderName":"
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: o6806642kbM7c5
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Mailbird
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: SenderIdentities
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Accounts
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: \Mailbird\Store\Store.db
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Server_Host
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Accounts
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Email
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Username
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: EncryptedPassword
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Mailbird
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: RealVNC 4.x
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: SOFTWARE\Wow6432Node\RealVNC\WinVNC4
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Password
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: RealVNC 3.x
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: SOFTWARE\RealVNC\vncserver
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Password
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: RealVNC 4.x
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: SOFTWARE\RealVNC\WinVNC4
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Password
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: RealVNC 3.x
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Software\ORL\WinVNC3
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Password
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: TightVNC
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Software\TightVNC\Server
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Password
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: TightVNC
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Software\TightVNC\Server
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: PasswordViewOnly
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: TightVNC ControlPassword
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Software\TightVNC\Server
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: ControlPassword
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: TigerVNC
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Software\TigerVNC\Server
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: Password
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: UltraVNC
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: ProgramFiles(x86)
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: passwd
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: UltraVNC
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: ProgramFiles(x86)
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: passwd2
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: UltraVNC
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: ProgramFiles
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: passwd
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: UltraVNC
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: ProgramFiles
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: passwd2
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: UltraVNC
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: ProgramFiles
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: passwd
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: UltraVNC
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: ProgramFiles
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: passwd2
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: UltraVNC
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: ProgramFiles(x86)
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: passwd
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: UltraVNC
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: ProgramFiles(x86)
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: passwd2
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: JDownloader 2.0
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: JDownloader 2.0\cfg
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: org.jdownloader.settings.AccountSettings.accounts.ejs
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: JDownloader 2.0\cfg
Source: 2.2.RegSvcs.exe.29ffb2e.2.unpack	String decryptor: jd.controlling.authentication.AuthenticationControllerSettings.list.ejs

Source: ZeAX5i7cGB.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49704 version: TLS 1.2

Source:	Binary string: _.pdb source: RegSvcs.exe, 00000002.00000002.3365612518.0000000005340000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3365170902.0000000003CC1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3363655727.00000000029BE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb, source: Ycdwx.exe, 00000003.00000000.2246241979.0000000000702000.00000002.00000001.01000000.00000007.sdmp, Ycdwx.exe.2.dr
Source:	Binary string: wntdll.pdbUGP source: ZeAX5i7cGB.exe, 00000000.00000003.2126301769.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, ZeAX5i7cGB.exe, 00000000.00000003.2126589458.0000000003630000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: ZeAX5i7cGB.exe, 00000000.00000003.2126301769.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, ZeAX5i7cGB.exe, 00000000.00000003.2126589458.0000000003630000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb source: RegSvcs.exe, 00000002.00000002.3366076080.0000000005633000.00000004.00000020.00020000.00000000.sdmp, Ycdwx.exe, 00000003.00000000.2246241979.0000000000702000.00000002.00000001.01000000.00000007.sdmp, Ycdwx.exe.2.dr

Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Code function: 0_2_00FC445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00FC445A
Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Code function: 0_2_00FCC6D1 FindFirstFileW,FindClose,	0_2_00FCC6D1
Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Code function: 0_2_00FCC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00FCC75C
Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Code function: 0_2_00FCEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00FCEF95
Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Code function: 0_2_00FCF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00FCF0F2
Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Code function: 0_2_00FCF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00FCF3F3
Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Code function: 0_2_00FC37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00FC37EF
Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Code function: 0_2_00FC3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00FC3B12
Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Code function: 0_2_00FCBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00FCBCBC

Source: global traffic

TCP traffic: 192.168.2.5:49705 -> 50.87.139.143:587

Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View	IP Address: 50.87.139.143 50.87.139.143

Source: Joe Sandbox View

ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic

TCP traffic: 192.168.2.5:49705 -> 50.87.139.143:587

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe

Code function: 0_2_00FD22EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00FD22EE

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: mail.elec-qatar.com

Source: RegSvcs.exe, 00000002.00000002.3366076080.0000000005633000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3363975882.0000000002D4E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: RegSvcs.exe, 00000002.00000002.3366076080.00000000055E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: RegSvcs.exe, 00000002.00000002.3366076080.0000000005633000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3363975882.0000000002D4E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: RegSvcs.exe, 00000002.00000002.3363975882.0000000002D46000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.elec-qatar.com
Source: RegSvcs.exe, 00000002.00000002.3366076080.0000000005633000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3363975882.0000000002D4E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: RegSvcs.exe, 00000002.00000002.3366076080.0000000005633000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3363975882.0000000002D4E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: RegSvcs.exe, 00000002.00000002.3363975882.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000002.00000002.3363975882.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: RegSvcs.exe, 00000002.00000002.3363975882.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: RegSvcs.exe, 00000002.00000002.3363975882.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t
Source: RegSvcs.exe, 00000002.00000002.3366076080.0000000005633000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3363975882.0000000002D4E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Source: unknown

HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49704 version: TLS 1.2

Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe

Code function: 0_2_00FD4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00FD4164

Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe

Code function: 0_2_00FD4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00FD4164

Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe

Code function: 0_2_00FD3F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00FD3F66

Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe

Code function: 0_2_00FC001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00FC001C

Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe

Code function: 0_2_00FECABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00FECABC

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.ZeAX5i7cGB.exe.3120000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 2.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000000.00000002.2128762297.0000000003120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000002.00000002.3362305005.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00F63B3A
Source: ZeAX5i7cGB.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: ZeAX5i7cGB.exe, 00000000.00000000.2116277198.0000000001014000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_aa04f8a9-1
Source: ZeAX5i7cGB.exe, 00000000.00000000.2116277198.0000000001014000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_64c61803-6
Source: ZeAX5i7cGB.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_31d72ad3-f
Source: ZeAX5i7cGB.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_a8124c4a-9

Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe

Code function: 0_2_00FCA1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_00FCA1EF

Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe

Code function: 0_2_00FB8310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00FB8310

Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe

Code function: 0_2_00FC51BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00FC51BD

Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Code function: 0_2_00F8D975	0_2_00F8D975
Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Code function: 0_2_00F6FCE0	0_2_00F6FCE0
Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Code function: 0_2_00F821C5	0_2_00F821C5
Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Code function: 0_2_00F962D2	0_2_00F962D2
Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Code function: 0_2_00FE03DA	0_2_00FE03DA
Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Code function: 0_2_00F9242E	0_2_00F9242E
Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Code function: 0_2_00F825FA	0_2_00F825FA
Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Code function: 0_2_00F766E1	0_2_00F766E1
Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Code function: 0_2_00F6E6A0	0_2_00F6E6A0
Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Code function: 0_2_00FBE616	0_2_00FBE616
Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Code function: 0_2_00F9878F	0_2_00F9878F
Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Code function: 0_2_00FC8889	0_2_00FC8889
Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Code function: 0_2_00FE0857	0_2_00FE0857
Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Code function: 0_2_00F96844	0_2_00F96844
Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Code function: 0_2_00F78808	0_2_00F78808
Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Code function: 0_2_00F8CB21	0_2_00F8CB21
Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Code function: 0_2_00F96DB6	0_2_00F96DB6
Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Code function: 0_2_00F76F9E	0_2_00F76F9E
Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Code function: 0_2_00F73030	0_2_00F73030
Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Code function: 0_2_00F8F1D9	0_2_00F8F1D9
Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Code function: 0_2_00F83187	0_2_00F83187
Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Code function: 0_2_00F61287	0_2_00F61287
Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Code function: 0_2_00F81484	0_2_00F81484
Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Code function: 0_2_00F75520	0_2_00F75520
Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Code function: 0_2_00F87696	0_2_00F87696
Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Code function: 0_2_00F75760	0_2_00F75760
Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Code function: 0_2_00F81978	0_2_00F81978
Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Code function: 0_2_00F99AB5	0_2_00F99AB5
Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Code function: 0_2_00FE7DDB	0_2_00FE7DDB
Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Code function: 0_2_00F8BDA6	0_2_00F8BDA6
Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Code function: 0_2_00F81D90	0_2_00F81D90
Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Code function: 0_2_00F73FE0	0_2_00F73FE0
Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Code function: 0_2_00F6DF00	0_2_00F6DF00
Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Code function: 0_2_00A558A8	0_2_00A558A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00408C60	2_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0040DC11	2_2_0040DC11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00407C3F	2_2_00407C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00418CCC	2_2_00418CCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00406CA0	2_2_00406CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_004028B0	2_2_004028B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0041A4BE	2_2_0041A4BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00418244	2_2_00418244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00401650	2_2_00401650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00402F20	2_2_00402F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_004193C4	2_2_004193C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00418788	2_2_00418788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00402F89	2_2_00402F89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00402B90	2_2_00402B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_004073A0	2_2_004073A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02ADD3A0	2_2_02ADD3A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02ADDFB8	2_2_02ADDFB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02AD1298	2_2_02AD1298
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02ADD6E8	2_2_02ADD6E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02AD0FC0	2_2_02AD0FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02AD1030	2_2_02AD1030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_062B6E88	2_2_062B6E88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_062BA2A0	2_2_062BA2A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_062BC920	2_2_062BC920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_062B001F	2_2_062B001F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_062B0040	2_2_062B0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_067B1400	2_2_067B1400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_067BC258	2_2_067BC258
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_067B68B0	2_2_067B68B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_067B9EC8	2_2_067B9EC8

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0040E1D8 appears 44 times
Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Code function: String function: 00F67DE1 appears 35 times
Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Code function: String function: 00F80AE3 appears 70 times
Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Code function: String function: 00F88900 appears 42 times

Source: ZeAX5i7cGB.exe, 00000000.00000003.2125291921.0000000003703000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs ZeAX5i7cGB.exe
Source: ZeAX5i7cGB.exe, 00000000.00000003.2125461365.00000000038AD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs ZeAX5i7cGB.exe
Source: ZeAX5i7cGB.exe, 00000000.00000002.2128762297.0000000003120000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilename43d1e201-3b42-4ac8-8e2b-270e79cd58bc.exe4 vs ZeAX5i7cGB.exe

Source: ZeAX5i7cGB.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.ZeAX5i7cGB.exe.3120000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 2.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000000.00000002.2128762297.0000000003120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000002.00000002.3362305005.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/6@2/2

Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe

Code function: 0_2_00FCA06A GetLastError,FormatMessageW,

0_2_00FCA06A

Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Code function: 0_2_00FB81CB AdjustTokenPrivileges,CloseHandle,		0_2_00FB81CB
Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Code function: 0_2_00FB87E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00FB87E1

Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe

Code function: 0_2_00FCB3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00FCB3FB

Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe

Code function: 0_2_00FDEE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00FDEE0D

Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe

Code function: 0_2_00FD83BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_00FD83BB

Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe

Code function: 0_2_00F64E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00F64E89

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File created: C:\Users\user\AppData\Roaming\Ycdwx

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6976:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4336:120:WilError_03

Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe

File created: C:\Users\user\AppData\Local\Temp\aut961A.tmp

Jump to behavior

Source: ZeAX5i7cGB.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: ZeAX5i7cGB.exe	Virustotal: Detection: 72%
Source: ZeAX5i7cGB.exe	ReversingLabs: Detection: 87%

Source: unknown	Process created: C:\Users\user\Desktop\ZeAX5i7cGB.exe "C:\Users\user\Desktop\ZeAX5i7cGB.exe"
Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\ZeAX5i7cGB.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe "C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe"
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe "C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe"
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\ZeAX5i7cGB.exe"	Jump to behavior

Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: ZeAX5i7cGB.exe

Static file information: File size 1191424 > 1048576

Source: ZeAX5i7cGB.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: ZeAX5i7cGB.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: ZeAX5i7cGB.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: ZeAX5i7cGB.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: ZeAX5i7cGB.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: ZeAX5i7cGB.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: ZeAX5i7cGB.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: _.pdb source: RegSvcs.exe, 00000002.00000002.3365612518.0000000005340000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3365170902.0000000003CC1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3363655727.00000000029BE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb, source: Ycdwx.exe, 00000003.00000000.2246241979.0000000000702000.00000002.00000001.01000000.00000007.sdmp, Ycdwx.exe.2.dr
Source:	Binary string: wntdll.pdbUGP source: ZeAX5i7cGB.exe, 00000000.00000003.2126301769.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, ZeAX5i7cGB.exe, 00000000.00000003.2126589458.0000000003630000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: ZeAX5i7cGB.exe, 00000000.00000003.2126301769.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, ZeAX5i7cGB.exe, 00000000.00000003.2126589458.0000000003630000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb source: RegSvcs.exe, 00000002.00000002.3366076080.0000000005633000.00000004.00000020.00020000.00000000.sdmp, Ycdwx.exe, 00000003.00000000.2246241979.0000000000702000.00000002.00000001.01000000.00000007.sdmp, Ycdwx.exe.2.dr

Source: ZeAX5i7cGB.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: ZeAX5i7cGB.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: ZeAX5i7cGB.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: ZeAX5i7cGB.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: ZeAX5i7cGB.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe

Code function: 0_2_00F64B37 LoadLibraryA,GetProcAddress,

0_2_00F64B37

Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Code function: 0_2_00F88945 push ecx; ret	0_2_00F88958
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0041C40C push cs; iretd	2_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00423149 push eax; ret	2_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0041C50E push cs; iretd	2_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_004231C8 push eax; ret	2_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0040E21D push ecx; ret	2_2_0040E230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0041C6BE push ebx; ret	2_2_0041C6BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_02AD434F pushad ; iretd	2_2_02AD4355
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_062BEFE0 push eax; iretd	2_2_062BEFE9

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File created: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Ycdwx			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Ycdwx			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Code function: 0_2_00F648D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00F648D7
Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Code function: 0_2_00FE5376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00FE5376

Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe

Code function: 0_2_00F83187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00F83187

Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe

API/Special instruction interceptor: Address: A554CC

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: ZeAX5i7cGB.exe, 00000000.00000002.2127870763.0000000000B30000.00000004.00000020.00020000.00000000.sdmp, ZeAX5i7cGB.exe, 00000000.00000003.2117101029.0000000000B30000.00000004.00000020.00020000.00000000.sdmp, ZeAX5i7cGB.exe, 00000000.00000003.2116974758.0000000000B30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCMON.EXE
Source: ZeAX5i7cGB.exe, 00000000.00000002.2127870763.0000000000B30000.00000004.00000020.00020000.00000000.sdmp, ZeAX5i7cGB.exe, 00000000.00000003.2117101029.0000000000B30000.00000004.00000020.00020000.00000000.sdmp, ZeAX5i7cGB.exe, 00000000.00000003.2116974758.0000000000B30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCMON.EXEF

Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Memory allocated: 27E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Memory allocated: 29D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Memory allocated: 49D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Memory allocated: 1AB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Memory allocated: 3310000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Memory allocated: 3160000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 2_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,

2_2_004019F0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 2194			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 390			Jump to behavior

Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-106073

Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe

API coverage: 5.7 %

Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe TID: 768	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe TID: 1628	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Code function: 0_2_00FC445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00FC445A
Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Code function: 0_2_00FCC6D1 FindFirstFileW,FindClose,	0_2_00FCC6D1
Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Code function: 0_2_00FCC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00FCC75C
Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Code function: 0_2_00FCEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00FCEF95
Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Code function: 0_2_00FCF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00FCF0F2
Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Code function: 0_2_00FCF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00FCF3F3
Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Code function: 0_2_00FC37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00FC37EF
Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Code function: 0_2_00FC3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00FC3B12
Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Code function: 0_2_00FCBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00FCBCBC

Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe

Code function: 0_2_00F649A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F649A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98721	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: RegSvcs.exe, 00000002.00000002.3366076080.00000000055E2000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllD

Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	API call chain: ExitProcess graph end node	graph_0-104428
Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	API call chain: ExitProcess graph end node	graph_0-104354
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe

Code function: 0_2_00FD3F09 BlockInput,

0_2_00FD3F09

Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe

Code function: 0_2_00F63B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00F63B3A

Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe

Code function: 0_2_00F95A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00F95A7C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

2_2_004019F0

Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe

Code function: 0_2_00F64B37 LoadLibraryA,GetProcAddress,

0_2_00F64B37

Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Code function: 0_2_00A54138 mov eax, dword ptr fs:[00000030h]	0_2_00A54138
Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Code function: 0_2_00A55798 mov eax, dword ptr fs:[00000030h]	0_2_00A55798
Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Code function: 0_2_00A55738 mov eax, dword ptr fs:[00000030h]	0_2_00A55738

Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe

Code function: 0_2_00FB80A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_00FB80A9

Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Code function: 0_2_00F8A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00F8A155
Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Code function: 0_2_00F8A124 SetUnhandledExceptionFilter,	0_2_00F8A124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_0040CE09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_0040E61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00416F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_004123F1 SetUnhandledExceptionFilter,	2_2_004123F1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: A0C008

Jump to behavior

Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe

Code function: 0_2_00FB87B1 LogonUserW,

0_2_00FB87B1

Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe

Code function: 0_2_00F63B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00F63B3A

Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe

Code function: 0_2_00F648D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00F648D7

Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe

Code function: 0_2_00FC4C7F mouse_event,

0_2_00FC4C7F

Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\ZeAX5i7cGB.exe"

Jump to behavior

Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe

Code function: 0_2_00FB7CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00FB7CAF

Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe

Code function: 0_2_00FB874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00FB874B

Source: ZeAX5i7cGB.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: ZeAX5i7cGB.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe

Code function: 0_2_00F8862B cpuid

0_2_00F8862B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: GetLocaleInfoA,

2_2_00417A20

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Queries volume information: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Queries volume information: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe

Code function: 0_2_00F94E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00F94E87

Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe

Code function: 0_2_00FA1E06 GetUserNameW,

0_2_00FA1E06

Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe

Code function: 0_2_00F93F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00F93F3A

Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe

Code function: 0_2_00F649A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F649A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: ZeAX5i7cGB.exe, 00000000.00000002.2127870763.0000000000B30000.00000004.00000020.00020000.00000000.sdmp, ZeAX5i7cGB.exe, 00000000.00000003.2117101029.0000000000B30000.00000004.00000020.00020000.00000000.sdmp, ZeAX5i7cGB.exe, 00000000.00000003.2116974758.0000000000B30000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: procmon.exe

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 00000002.00000002.3363975882.0000000002D46000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3363975882.0000000002D14000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 1656, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 2.2.RegSvcs.exe.3d04d90.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.53c0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5340000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5340000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.29fec46.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.29fec46.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3d04d90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.29ffb2e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3cc5570.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.53c0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5340ee8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5340ee8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3cc6458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3cc5570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3cc6458.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.29ffb2e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3365612518.0000000005340000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3365885108.00000000053C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3365170902.0000000003CC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3363655727.00000000029BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: 2.2.RegSvcs.exe.3d04d90.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.53c0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5340000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5340000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.29fec46.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.29fec46.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3d04d90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.29ffb2e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3cc5570.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.53c0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5340ee8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5340ee8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3cc6458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3cc5570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3cc6458.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.29ffb2e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3365612518.0000000005340000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3365885108.00000000053C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3365170902.0000000003CC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3363655727.00000000029BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: ZeAX5i7cGB.exe	Binary or memory string: WIN_81
Source: ZeAX5i7cGB.exe	Binary or memory string: WIN_XP
Source: ZeAX5i7cGB.exe	Binary or memory string: WIN_XPe
Source: ZeAX5i7cGB.exe	Binary or memory string: WIN_VISTA
Source: ZeAX5i7cGB.exe	Binary or memory string: WIN_7
Source: ZeAX5i7cGB.exe	Binary or memory string: WIN_8
Source: ZeAX5i7cGB.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 00000002.00000002.3363975882.0000000002D14000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 1656, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 00000002.00000002.3363975882.0000000002D46000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3363975882.0000000002D14000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 1656, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 2.2.RegSvcs.exe.3d04d90.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.53c0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5340000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5340000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.29fec46.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.29fec46.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3d04d90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.29ffb2e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3cc5570.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.53c0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5340ee8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5340ee8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3cc6458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3cc5570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3cc6458.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.29ffb2e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3365612518.0000000005340000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3365885108.00000000053C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3365170902.0000000003CC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3363655727.00000000029BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: 2.2.RegSvcs.exe.3d04d90.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.53c0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5340000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5340000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.29fec46.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.29fec46.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3d04d90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.29ffb2e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3cc5570.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.53c0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5340ee8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.5340ee8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3cc6458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3cc5570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3cc6458.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.29ffb2e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3365612518.0000000005340000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3365885108.00000000053C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3365170902.0000000003CC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3363655727.00000000029BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Code function: 0_2_00FD6283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00FD6283
Source: C:\Users\user\Desktop\ZeAX5i7cGB.exe	Code function: 0_2_00FD6747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00FD6747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Registry Run Keys / Startup Folder	2 Valid Accounts	2 Obfuscated Files or Information	1 Credentials in Registry	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	148 System Information Discovery	Distributed Component Object Model	21 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 Masquerading	LSA Secrets	361 Security Software Discovery	SSH	3 Clipboard Data	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Registry Run Keys / Startup Folder	2 Valid Accounts	Cached Domain Credentials	141 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	141 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	212 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Hidden Files and Directories	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
ZeAX5i7cGB.exe	72%	Virustotal		Browse
ZeAX5i7cGB.exe	88%	ReversingLabs	Win32.Trojan.AutoItinject
ZeAX5i7cGB.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://mail.elec-qatar.com	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ipify.org	104.26.13.205	true	false		high
mail.elec-qatar.com	50.87.139.143	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://mail.elec-qatar.com	RegSvcs.exe, 00000002.00000002.3363975882.0000000002D46000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	RegSvcs.exe, 00000002.00000002.3366076080.0000000005633000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3363975882.0000000002D4E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ipify.org	RegSvcs.exe, 00000002.00000002.3363975882.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS0	RegSvcs.exe, 00000002.00000002.3366076080.0000000005633000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3363975882.0000000002D4E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0	RegSvcs.exe, 00000002.00000002.3366076080.0000000005633000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3363975882.0000000002D4E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ipify.org/t	RegSvcs.exe, 00000002.00000002.3363975882.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000002.00000002.3363975882.0000000002CC1000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.26.13.205	api.ipify.org	United States		13335	CLOUDFLARENETUS	false
50.87.139.143	mail.elec-qatar.com	United States		46606	UNIFIEDLAYER-AS-1US	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588720
Start date and time:	2025-01-11 04:39:59 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ZeAX5i7cGB.exe renamed because original name is a hash value
Original Sample Name:	272138ac60ea58d4b95bb5fad2e9574d73847e063b7a22a7be32b59b2b347445.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/6@2/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 96% Number of executed functions: 52 Number of non-executed functions: 272
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 52.149.20.212
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Ycdwx.exe, PID 3652 because it is empty
Execution Graph export aborted for target Ycdwx.exe, PID 6696 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
04:41:03	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Ycdwx C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe
04:41:12	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Ycdwx C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe
22:41:02	API Interceptor	13x Sleep call for process: RegSvcs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.26.13.205	Yoranis Setup.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	BiXS3FRoLe.exe	Get hash	malicious	TrojanRansom	Browse	api.ipify.org/
	lEUy79aLAW.exe	Get hash	malicious	TrojanRansom	Browse	api.ipify.org/
	Simple1.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	2b7cu0KwZl.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	Prismifyr-Install.exe	Get hash	malicious	Node Stealer	Browse	api.ipify.org/
50.87.139.143	RFQ.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	231210-01-AgentTesla-2eba02.exe	Get hash	malicious	AgentTesla	Browse
	SecuriteInfo.com.Heur.18737.25106.exe	Get hash	malicious	AgentTesla	Browse
	SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe	Get hash	malicious	AgentTesla	Browse
	NEW ORDER 98540-0.exe	Get hash	malicious	AgentTesla	Browse
	Documents of shipment 3-2024.exe	Get hash	malicious	AgentTesla	Browse
	SHIPPING DOC.exe	Get hash	malicious	AgentTesla	Browse
	Order 19A20060.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	Proforma Invoice.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ipify.org	jKqPSehspS.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	A6AHI7Uk18.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	Wru9ycO2MJ.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	iNFGd6bDZX.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	MyzWeEOlqb.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	5hD3Yjf7xD.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	ukBQ4ch2nE.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	ru52XOQ1p7.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	xJZHVgxQul.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	jG8N6WDJOx.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
mail.elec-qatar.com	RFQ.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	50.87.139.143
	231210-01-AgentTesla-2eba02.exe	Get hash	malicious	AgentTesla	Browse	50.87.139.143
	SecuriteInfo.com.Heur.18737.25106.exe	Get hash	malicious	AgentTesla	Browse	50.87.139.143
	SecuriteInfo.com.Win32.PWSX-gen.23449.29887.exe	Get hash	malicious	AgentTesla	Browse	50.87.139.143
	NEW ORDER 98540-0.exe	Get hash	malicious	AgentTesla	Browse	50.87.139.143
	Documents of shipment 3-2024.exe	Get hash	malicious	AgentTesla	Browse	50.87.139.143
	SHIPPING DOC.exe	Get hash	malicious	AgentTesla	Browse	50.87.139.143
	Order 19A20060.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	50.87.139.143
	Proforma Invoice.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	50.87.139.143
	SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	50.87.139.143

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	jKqPSehspS.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	BalphRTkPS.exe	Get hash	malicious	FormBook	Browse	104.21.32.1
	A6AHI7Uk18.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	Wru9ycO2MJ.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	iNFGd6bDZX.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	n2pGr8w21V.exe	Get hash	malicious	FormBook	Browse	104.18.73.116
	tNXl4XhgmV.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	MyzWeEOlqb.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	02Eh1ah35H.exe	Get hash	malicious	FormBook, GuLoader	Browse	172.67.167.146
	5hD3Yjf7xD.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
UNIFIEDLAYER-AS-1US	iNFGd6bDZX.exe	Get hash	malicious	AgentTesla	Browse	192.254.225.136
	RHOqJ5BrHW.exe	Get hash	malicious	AgentTesla	Browse	162.241.62.63
	ru52XOQ1p7.exe	Get hash	malicious	AgentTesla	Browse	192.254.186.165
	28uMwHvbTD.exe	Get hash	malicious	AgentTesla	Browse	162.241.62.63
	https://atpscan.global.hornetsecurity.com/?d=W3rdHn1Og9hhUJnVJzqWF36wMmxswAZldvtx3E21ybg&f=v8m9AqGfgV2Ri7cjqmfsuyl2V2Mu_lVW0BRsqcFw4upagWAQ1C-MqANvN6gf4zNV&i=&k=xREg&m=b_ORYMkPffImCXbCPli-aiR7Ga6rGe55sar2xtigCL4MrowDPSzt7ABKETTGxzegakAfoZ57KD02aVix8V8TVmZ2VcxzjeybXYrPiS2SB73LCKYktj5jv2aw6VcPRslz&n=s4crRkyHC4bab6S3yrgn1E3n-VmdqgfSqNiaCJyPrf6hnyL_SE4PHEo5SUcwwsFGV6rnB35iQFM5FLsE91obvZ0HTAEiqHnB8ROLzY5JVgg&r=oMs_cp4DXIjeQhcPWsPLyR3_oxBVUN4Iok_tSVE4DNNtzqeot7ZzvdXkh4vatwpC&s=bd82eb507a358fd35f72f18b86e67f3bfc1ce64bbeab0c01d700897b1b678efb&u=https%3A%2F%2Fe.trustifi.com%2F%23%2Ffff2af%2F32054d%2F67960f%2Fee6fed%2F5d1d11%2F46c760%2Ff79190%2Fc5ec40%2Fe8666a%2Fef542d%2F85972d%2F627493%2F9a11d6%2F1f4096%2F1d247f%2F818e78%2Fc53383%2Fd59aa0%2Fedfa57%2F7914c7%2Fc38cf6%2Ff74f56%2Ff45915%2F39dbbd%2Ff48710%2F1ddf22%2F37d5f2%2F9de9f7%2F96109e%2F882355%2F854b66%2F9d606d%2F2d0447%2Fad3b01%2F637d1c%2F3c0f2b%2F606f48%2Fa6d904%2F8fefe3%2F00a4bb%2F6520c6%2F9b795c%2Fb7de1a%2Fb5dde6%2F3f5692%2F997c7d%2Fc00925%2F782cce%2F511459%2Fab5aa8%2F91722a%2Feec933%2F3f4f91%2F894088%2F43adfa%2Fb78195%2F0407d0%2F56f022%2Fddf20e%2F946567%2Faa271a%2F507b7a%2Faccd06%2F50d63c%2F485c4b%2F07ced8%2Fd0ec21%2F260ce6%2Fb5edbb%2F79a81e%2F1fd160%2Ff4da41%2F7073e0%2F8a5e9a%2Fdac829%2F521e52%2Fa1a847%2F13ea63%2Fabb5a3%2Fe1901e%2Fd876f6%2F7b0bf4%2Fbd19df%2F89bdcd%2F1874d8%2F0fb7f3%2F72f438%2Fa098c5%2F4e2214%2F4b6e54%2F0c4a8f	Get hash	malicious	HTMLPhisher	Browse	162.241.149.91
	https://atpscan.global.hornetsecurity.com/?d=W3rdHn1Og9hhUJnVJzqWF36wMmxswAZldvtx3E21ybg&f=v8m9AqGfgV2Ri7cjqmfsuyl2V2Mu_lVW0BRsqcFw4upagWAQ1C-MqANvN6gf4zNV&i=&k=xREg&m=b_ORYMkPffImCXbCPli-aiR7Ga6rGe55sar2xtigCL4MrowDPSzt7ABKETTGxzegakAfoZ57KD02aVix8V8TVmZ2VcxzjeybXYrPiS2SB73LCKYktj5jv2aw6VcPRslz&n=s4crRkyHC4bab6S3yrgn1E3n-VmdqgfSqNiaCJyPrf6hnyL_SE4PHEo5SUcwwsFGV6rnB35iQFM5FLsE91obvZ0HTAEiqHnB8ROLzY5JVgg&r=oMs_cp4DXIjeQhcPWsPLyR3_oxBVUN4Iok_tSVE4DNNtzqeot7ZzvdXkh4vatwpC&s=bd82eb507a358fd35f72f18b86e67f3bfc1ce64bbeab0c01d700897b1b678efb&u=https%3A%2F%2Fe.trustifi.com%2F%23%2Ffff2af%2F32054d%2F67960f%2Fee6fed%2F5d1d11%2F46c760%2Ff79190%2Fc5ec40%2Fe8666a%2Fef542d%2F85972d%2F627493%2F9a11d6%2F1f4096%2F1d247f%2F818e78%2Fc53383%2Fd59aa0%2Fedfa57%2F7914c7%2Fc38cf6%2Ff74f56%2Ff45915%2F39dbbd%2Ff48710%2F1ddf22%2F37d5f2%2F9de9f7%2F96109e%2F882355%2F854b66%2F9d606d%2F2d0447%2Fad3b01%2F637d1c%2F3c0f2b%2F606f48%2Fa6d904%2F8fefe3%2F00a4bb%2F6520c6%2F9b795c%2Fb7de1a%2Fb5dde6%2F3f5692%2F997c7d%2Fc00925%2F782cce%2F511459%2Fab5aa8%2F91722a%2Feec933%2F3f4f91%2F894088%2F43adfa%2Fb78195%2F0407d0%2F56f022%2Fddf20e%2F946567%2Faa271a%2F507b7a%2Faccd06%2F50d63c%2F485c4b%2F07ced8%2Fd0ec21%2F260ce6%2Fb5edbb%2F79a81e%2F1fd160%2Ff4da41%2F7073e0%2F8a5e9a%2Fdac829%2F521e52%2Fa1a847%2F13ea63%2Fabb5a3%2Fe1901e%2Fd876f6%2F7b0bf4%2Fbd19df%2F89bdcd%2F1874d8%2F0fb7f3%2F72f438%2Fa098c5%2F4e2214%2F4b6e54%2F0c4a8f	Get hash	malicious	HTMLPhisher	Browse	162.241.149.91
	Bontrageroutdoors_Project_Update_202557516.pdf	Get hash	malicious	Unknown	Browse	108.179.241.236
	e4Iw3lwFJ5.exe	Get hash	malicious	AgentTesla	Browse	162.241.62.63
	https://probashkontho.com/work/Organization/privacy/index_.html	Get hash	malicious	Unknown	Browse	192.185.57.31
	Y8Q1voljvb.exe	Get hash	malicious	AgentTesla	Browse	192.254.186.165

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	jKqPSehspS.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	A6AHI7Uk18.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	Wru9ycO2MJ.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	iNFGd6bDZX.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	MyzWeEOlqb.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	5hD3Yjf7xD.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	AJ5zYYsisA.exe	Get hash	malicious	Unknown	Browse	104.26.13.205
	AJ5zYYsisA.exe	Get hash	malicious	Unknown	Browse	104.26.13.205
	4NG0guPiKA.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.26.13.205
	n0nsAzvYNd.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.26.13.205

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe	2XnMqJW0u1.exe	Get hash	malicious	XWorm	Browse
	B8FnDUj8hy.exe	Get hash	malicious	AgentTesla	Browse
	yjOJ1YK5M3.exe	Get hash	malicious	AsyncRAT	Browse
	PO.exe	Get hash	malicious	DarkCloud	Browse
	Statement 2024-11-29 (K07234).exe	Get hash	malicious	AgentTesla	Browse
	PO54782322024.exe	Get hash	malicious	AgentTesla	Browse
	m30zZYga23.exe	Get hash	malicious	AgentTesla	Browse
	RFQ.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	AWB#150332.exe	Get hash	malicious	AgentTesla	Browse
	SOA_9828392091.exe	Get hash	malicious	AgentTesla	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Ycdwx.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	142
Entropy (8bit):	5.090621108356562
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
MD5:	8C0458BB9EA02D50565175E38D577E35
SHA1:	F0B50702CD6470F3C17D637908F83212FDBDB2F2
SHA-256:	C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
SHA-512:	804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Temp\aut961A.tmp

Download File

Process:	C:\Users\user\Desktop\ZeAX5i7cGB.exe
File Type:	data
Category:	dropped
Size (bytes):	265028
Entropy (8bit):	7.976521046227301
Encrypted:	false
SSDEEP:	6144:zs0RoBfmpZsdm/EH+15zFzEfirPN7gczyqUrKl2ABheBeqgivKk9:zhR0mPA/H4UirdG3a2AriRv/
MD5:	AC74178DA42F21166D5322C06278A6A8
SHA1:	0DBC59D533C37D5D4A6FAC2AF1F5F3558FB50B63
SHA-256:	3CE4CDCD803C78E801CF7130176CD4F03670B56137D49061C629D5BD00B7706C
SHA-512:	1D02E1B12947A0A865C4151F9C92C12777B2CB050853519ABDD64466F1D3F63602BB972310F64894CB371A0DDDC7656BA4274DC98F7DC1C8EC2E97EB57399FE2
Malicious:	false
Reputation:	low
Preview:	EA06.....Z4...Z.U..t-..e0.U..J-.....fS...nh@..N..4.........h.\|}..Z...i..E4.K.u..zm;.Y...4.o-.....f+u.Je.{l..:..'fUS......$..,.=M.....3}.....bT>..'...3}.....S..]...f..\|...2.{..-`..fW ..;)P.....t...."#V.Fh.\..9..a.WB.N'3..R..Qh.....{...`...3.'".j.T.8..fSP.L...&..h.......V.j7V.F..r.....i..r@.W.4..T.......3...}..MV.Z.l....M...5..e....}....[1..+z.....4wh.......L+.K..c$.J.T<m\|.h.Q.Y@....'\|......O.....4Y..Z5t.4.L..~..R.......i...j.i...K.P.3(.h.s..U..P....7..C.A......S.lq..5C.)..z....U..)Q-.e...3X..'...c....S1...(?hU....N...M..H.R.;Ok....@......._.].h"......i><-..g.Nf[..N=K..;H.3......\..uF..S.......b....L...y.....!T..7...V~.J='........S.?.Cit...r..j.]eRa..(......k...tR.T..4.O;...X.(./.g.RhW.\....\.......{3>.v....T....3?.H.Vn.....X..o...f....P.Kk..>..../w.^~S...4U.]....E)uY}.5....n.:.>..3..%..@..(.....3.s.V.......5j%V........2.G.L.{.....nn.......8W(4...u.uZ%....d....S..F..h...>.W.a...N!p......n.(.?. .U..M..C....>.v...na.........z/..\|._.?

C:\Users\user\AppData\Local\Temp\tilths

Download File

Process:	C:\Users\user\Desktop\ZeAX5i7cGB.exe
File Type:	data
Category:	dropped
Size (bytes):	266752
Entropy (8bit):	7.882874452746509
Encrypted:	false
SSDEEP:	6144:IDtfYcKYZ6z+V6FoZRqk4axjJmCb/ATtOs0jzr2Z88FCW:WJ18z5FoZRKaVJt1jzrc8nW
MD5:	ABB56729299D1690A0D9A2E798A2779F
SHA1:	143ED040B7B7B4DE7964EFF6FA41ECB351239287
SHA-256:	3EFE9E79494E6CDE83562D2C463082504A23CA54BC4EF445B9329093B0D18266
SHA-512:	6584ECB54F141F6E7737E319CCFAA12A155E921392EFB76EF811AD52EE78031EDA9C83C1AB8A457066D9F7EFE5E1894505EBBC37A768E394DB27E0599CD024E3
Malicious:	false
Reputation:	low
Preview:	th.XWVFUAFKB..20.TVFUEFK.C920XTVFUEFKBC920XTVFUEFKBC920XTVFU.FKBM&.>X._.t.G..bmZY+t&4:"4/cZS^6;"f7 f97-.[^x...u()/'m4?:\|TVFUEFKS...).(j$.8g3.G..'i7.;M..=.C.&x'.+.7.<q.\ND%.8gf/5.2.L.{/(k$.8.+ Q.A.VFUEFKBC920XTVFU...&C920..VF.DBK6.9b0XTVFUEF.B`891QTV.TEF=@C920X{.FUEVKBC.30XT.FUUFKBA925XTVFUEFNBC920XTV&QEFOBC..2XVVF.EF[BC)20XTFFUUFKBC92 XTVFUEFKBC9.%ZT.FUEF+@C..1XTVFUEFKBC920XTVFUEFKBC92..UVZUEFKBC920XTVFUEFKBC920XTVFU.KIB.920XTVFUEFKB.82.YTVFUEFKBC920XTVFUEFKBC920Xz"#-1FKB[.30XDVFU.GKBG920XTVFUEFKBC9.0X4x41$2BC._0XT.GUE(KBC.30XTVFUEFKBC92pXT.h1$2BC9..XTVfWEF]BC982XTVFUEFKBC920.TV.{759!C92..UVF5GFK.B92.ZTVFUEFKBC920X.VF.EFKBC920XTVFUEFKBC920XTVFUEFKBC920XTVFUEFKBC920XTVFUEFKBC920XTVFUEFKBC920XTVFUEFKBC920XTVFUEFKBC920XTVFUEFKBC920XTVFUEFKBC920XTVFUEFKBC920XTVFUEFKBC920XTVFUEFKBC920XTVFUEFKBC920XTVFUEFKBC920XTVFUEFKBC920XTVFUEFKBC920XTVFUEFKBC920XTVFUEFKBC920XTVFUEFKBC920XTVFUEFKBC920XTVFUEFKBC920XTVFUEFKBC920XTVFUEFKBC920XTVFUEFKBC920XTVFUEFKBC920XTVFUEFKBC920XTVFUEFKBC920XTVFUEFKB

C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	modified
Size (bytes):	45984
Entropy (8bit):	6.16795797263964
Encrypted:	false
SSDEEP:	768:4BbSoy+SdIBf0k2dsjYg6Iq8S1GYqWH8BR:noOIBf0ddsjY/ZGyc7
MD5:	9D352BC46709F0CB5EC974633A0C3C94
SHA1:	1969771B2F022F9A86D77AC4D4D239BECDF08D07
SHA-256:	2C1EEB7097023C784C2BD040A2005A5070ED6F3A4ABF13929377A9E39FAB1390
SHA-512:	13C714244EC56BEEB202279E4109D59C2A43C3CF29F90A374A751C04FD472B45228CA5A0178F41109ED863DBD34E0879E4A21F5E38AE3D89559C57E6BE990A9B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 2XnMqJW0u1.exe, Detection: malicious, Browse Filename: B8FnDUj8hy.exe, Detection: malicious, Browse Filename: yjOJ1YK5M3.exe, Detection: malicious, Browse Filename: PO.exe, Detection: malicious, Browse Filename: Statement 2024-11-29 (K07234).exe, Detection: malicious, Browse Filename: PO54782322024.exe, Detection: malicious, Browse Filename: m30zZYga23.exe, Detection: malicious, Browse Filename: RFQ.exe, Detection: malicious, Browse Filename: AWB#150332.exe, Detection: malicious, Browse Filename: SOA_9828392091.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<.]..............0..d..........V.... ........@.. ..............................s.....`.....................................O.......8............r...A.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........\|...P...........................................r...p(....2.(....(....z..r...p(....(....(......}......{.....s..........0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t........0..(....... ....s$........o%....X..(....-...o&....0...........('......&.........................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...

\Device\ConDrv

Download File

Process:	C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1141
Entropy (8bit):	4.442398121585593
Encrypted:	false
SSDEEP:	24:zKLXkhDObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0hDQntKKH1MqJC
MD5:	6FB4D27A716A8851BC0505666E7C7A10
SHA1:	AD2A232C6E709223532C4D1AB892303273D8C814
SHA-256:	1DC36F296CE49BDF1D560B527DB06E1E9791C10263459A67EACE706C6DDCDEAE
SHA-512:	3192095C68C6B7AD94212B7BCA0563F2058BCE00C0C439B90F0E96EA2F029A37C2F2B69487591B494C1BA54697FE891E214582E392127CB8C90AB682E0D81ADB
Malicious:	false
Preview:	Microsoft (R) .NET Framework Services Installation Utility Version 4.8.4084.0..Copyright (C) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output... /c

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.171154248149895
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	ZeAX5i7cGB.exe
File size:	1'191'424 bytes
MD5:	65ed14721b82072f5e937200cdf0778f
SHA1:	d6fff1b262210ef4393f8631d7df528daf78723a
SHA256:	272138ac60ea58d4b95bb5fad2e9574d73847e063b7a22a7be32b59b2b347445
SHA512:	3ca5f9e3cc8bf355a29d1ff7398c395e96817fd030c02ad6056c169477e80c070868bee0c0f367a676a2ec432eb85fa292a437edf708f0153c006fe0118f0eb7
SSDEEP:	24576:Fu6J33O0c+JY5UZ+XC0kGso6Fa05cIDt0+iuzKQH+C4TuJtiWY:Hu0c++OCvkGs9Fa05cAt0ru+QH+C4TQE
TLSH:	D345CF2273DDC360CB669273BF69B7056EBB3C214630B95B2F980D7DA950172262C763
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x427dcd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x674E46B9 [Mon Dec 2 23:46:01 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007FD7B93B594Ah
jmp 00007FD7B93A8714h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007FD7B93A889Ah
cmp edi, eax
jc 00007FD7B93A8BFEh
bt dword ptr [004C31FCh], 01h
jnc 00007FD7B93A8899h
rep movsb
jmp 00007FD7B93A8BACh
cmp ecx, 00000080h
jc 00007FD7B93A8A64h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007FD7B93A88A0h
bt dword ptr [004BE324h], 01h
jc 00007FD7B93A8D70h
bt dword ptr [004C31FCh], 00000000h
jnc 00007FD7B93A8A3Dh
test edi, 00000003h
jne 00007FD7B93A8A4Eh
test esi, 00000003h
jne 00007FD7B93A8A2Dh
bt edi, 02h
jnc 00007FD7B93A889Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007FD7B93A88A3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007FD7B93A88F5h
bt esi, 03h
jnc 00007FD7B93A8948h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x5a4ac	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x122000	0x711c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dcc4	0x8de00	d28a820a1d9ff26cda02d12b888ba4b4	False	0.5728679102422908	data	6.676118058520316	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	79b14b254506b0dbc8cd0ad67fb70ad9	False	0.33535526761517614	OpenPGP Public Key	5.76010872795207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	9f9d6f746f1a415a63de45f8b7983d33	False	0.1017530487804878	data	1.198745897703538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x5a4ac	0x5a600	29794f1bf5ee6455868e5f5d8c5d9357	False	0.9270644234094052	data	7.892805365588579	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x122000	0x711c	0x7200	6fcae3cbbf6bfbabf5ec5bbe7cf612c3	False	0.7650767543859649	data	6.779031650454199	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc75a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc76d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc77f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc7920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc7c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc7d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc8bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc9480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc99e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xcbf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xcd038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xcd4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xcd4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcda84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xce110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xce5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xceb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcf1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcf660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcf7b8	0x51771	data			1.0003326530428762
RT_GROUP_ICON	0x120f2c	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x120fa4	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x120fb8	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x120fcc	0x14	data	English	Great Britain	1.25
RT_VERSION	0x120fe0	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x1210bc	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 04:41:01.436131001 CET	49704	443	192.168.2.5	104.26.13.205
Jan 11, 2025 04:41:01.436181068 CET	443	49704	104.26.13.205	192.168.2.5
Jan 11, 2025 04:41:01.436259985 CET	49704	443	192.168.2.5	104.26.13.205
Jan 11, 2025 04:41:01.444504023 CET	49704	443	192.168.2.5	104.26.13.205
Jan 11, 2025 04:41:01.444528103 CET	443	49704	104.26.13.205	192.168.2.5
Jan 11, 2025 04:41:01.920619965 CET	443	49704	104.26.13.205	192.168.2.5
Jan 11, 2025 04:41:01.920742035 CET	49704	443	192.168.2.5	104.26.13.205
Jan 11, 2025 04:41:01.994530916 CET	49704	443	192.168.2.5	104.26.13.205
Jan 11, 2025 04:41:01.994558096 CET	443	49704	104.26.13.205	192.168.2.5
Jan 11, 2025 04:41:01.995007038 CET	443	49704	104.26.13.205	192.168.2.5
Jan 11, 2025 04:41:02.040565968 CET	49704	443	192.168.2.5	104.26.13.205
Jan 11, 2025 04:41:02.263829947 CET	49704	443	192.168.2.5	104.26.13.205
Jan 11, 2025 04:41:02.307336092 CET	443	49704	104.26.13.205	192.168.2.5
Jan 11, 2025 04:41:02.377796888 CET	443	49704	104.26.13.205	192.168.2.5
Jan 11, 2025 04:41:02.377897978 CET	443	49704	104.26.13.205	192.168.2.5
Jan 11, 2025 04:41:02.377954006 CET	49704	443	192.168.2.5	104.26.13.205
Jan 11, 2025 04:41:02.383796930 CET	49704	443	192.168.2.5	104.26.13.205
Jan 11, 2025 04:41:03.058828115 CET	49705	587	192.168.2.5	50.87.139.143
Jan 11, 2025 04:41:03.063751936 CET	587	49705	50.87.139.143	192.168.2.5
Jan 11, 2025 04:41:03.063827038 CET	49705	587	192.168.2.5	50.87.139.143
Jan 11, 2025 04:41:03.673557043 CET	587	49705	50.87.139.143	192.168.2.5
Jan 11, 2025 04:41:03.677273989 CET	49705	587	192.168.2.5	50.87.139.143
Jan 11, 2025 04:41:03.682101965 CET	587	49705	50.87.139.143	192.168.2.5
Jan 11, 2025 04:41:03.825246096 CET	587	49705	50.87.139.143	192.168.2.5
Jan 11, 2025 04:41:03.825417995 CET	49705	587	192.168.2.5	50.87.139.143
Jan 11, 2025 04:41:03.830303907 CET	587	49705	50.87.139.143	192.168.2.5
Jan 11, 2025 04:41:03.974929094 CET	587	49705	50.87.139.143	192.168.2.5
Jan 11, 2025 04:41:03.975514889 CET	49705	587	192.168.2.5	50.87.139.143
Jan 11, 2025 04:41:03.980433941 CET	587	49705	50.87.139.143	192.168.2.5
Jan 11, 2025 04:41:04.131824970 CET	587	49705	50.87.139.143	192.168.2.5
Jan 11, 2025 04:41:04.131854057 CET	587	49705	50.87.139.143	192.168.2.5
Jan 11, 2025 04:41:04.131866932 CET	587	49705	50.87.139.143	192.168.2.5
Jan 11, 2025 04:41:04.131880999 CET	587	49705	50.87.139.143	192.168.2.5
Jan 11, 2025 04:41:04.132044077 CET	49705	587	192.168.2.5	50.87.139.143
Jan 11, 2025 04:41:04.220688105 CET	587	49705	50.87.139.143	192.168.2.5
Jan 11, 2025 04:41:04.267016888 CET	49705	587	192.168.2.5	50.87.139.143
Jan 11, 2025 04:41:04.271995068 CET	587	49705	50.87.139.143	192.168.2.5
Jan 11, 2025 04:41:04.415226936 CET	587	49705	50.87.139.143	192.168.2.5
Jan 11, 2025 04:41:04.428324938 CET	49705	587	192.168.2.5	50.87.139.143
Jan 11, 2025 04:41:04.433444977 CET	587	49705	50.87.139.143	192.168.2.5
Jan 11, 2025 04:41:04.433522940 CET	49705	587	192.168.2.5	50.87.139.143

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 04:41:01.404560089 CET	55863	53	192.168.2.5	1.1.1.1
Jan 11, 2025 04:41:01.411473989 CET	53	55863	1.1.1.1	192.168.2.5
Jan 11, 2025 04:41:03.022514105 CET	63631	53	192.168.2.5	1.1.1.1
Jan 11, 2025 04:41:03.058108091 CET	53	63631	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 11, 2025 04:41:01.404560089 CET	192.168.2.5	1.1.1.1	0x9b7d	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Jan 11, 2025 04:41:03.022514105 CET	192.168.2.5	1.1.1.1	0x7332	Standard query (0)	mail.elec-qatar.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 11, 2025 04:41:01.411473989 CET	1.1.1.1	192.168.2.5	0x9b7d	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false
Jan 11, 2025 04:41:01.411473989 CET	1.1.1.1	192.168.2.5	0x9b7d	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Jan 11, 2025 04:41:01.411473989 CET	1.1.1.1	192.168.2.5	0x9b7d	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Jan 11, 2025 04:41:03.058108091 CET	1.1.1.1	192.168.2.5	0x7332	No error (0)	mail.elec-qatar.com	50.87.139.143	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	104.26.13.205	443	1656	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 03:41:02 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2025-01-11 03:41:02 UTC	424	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 03:41:02 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 9001e3897a1f426b-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1580&min_rtt=1570&rtt_var=609&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2820&recv_bytes=769&delivery_rate=1765417&cwnd=232&unsent_bytes=0&cid=410bc464656fb120&ts=473&x=0"
2025-01-11 03:41:02 UTC	12	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 38 39 Data Ascii: 8.46.123.189

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jan 11, 2025 04:41:03.673557043 CET	587	49705	50.87.139.143	192.168.2.5	220-box2248.bluehost.com ESMTP Exim 4.96.2 #2 Fri, 10 Jan 2025 20:41:03 -0700 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Jan 11, 2025 04:41:03.677273989 CET	49705	587	192.168.2.5	50.87.139.143	EHLO 888683
Jan 11, 2025 04:41:03.825246096 CET	587	49705	50.87.139.143	192.168.2.5	250-box2248.bluehost.com Hello 888683 [8.46.123.189] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Jan 11, 2025 04:41:03.825417995 CET	49705	587	192.168.2.5	50.87.139.143	STARTTLS
Jan 11, 2025 04:41:03.974929094 CET	587	49705	50.87.139.143	192.168.2.5	220 TLS go ahead

Target ID:	0
Start time:	22:40:59
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\ZeAX5i7cGB.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ZeAX5i7cGB.exe"
Imagebase:	0xf60000
File size:	1'191'424 bytes
MD5 hash:	65ED14721B82072F5E937200CDF0778F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000000.00000002.2128762297.0000000003120000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	22:40:59
Start date:	10/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ZeAX5i7cGB.exe"
Imagebase:	0x8f0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000002.00000002.3365612518.0000000005340000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000002.3365612518.0000000005340000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000002.00000002.3365885108.00000000053C0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000002.3365885108.00000000053C0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3363975882.0000000002D46000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000002.00000002.3365170902.0000000003CC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000002.3365170902.0000000003CC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3363975882.0000000002D14000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3363975882.0000000002D14000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000002.00000002.3362305005.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000002.00000002.3363655727.00000000029BE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000002.3363655727.00000000029BE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	22:41:12
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe"
Imagebase:	0x700000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	22:41:12
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	22:41:20
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe"
Imagebase:	0xfb0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	22:41:20
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.6%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	7.9%
Total number of Nodes:	2000
Total number of Limit Nodes:	29

Executed Functions

Function 00F63B3A Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00F63B68
IsDebuggerPresent.KERNEL32 ref: 00F63B7A
GetFullPathNameW.KERNEL32(00007FFF,?,?,010252F8,010252E0,?,?), ref: 00F63BEB

Part of subcall function 00F67BCC: _memmove.LIBCMT ref: 00F67C06

Part of subcall function 00F7092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00F63C14,010252F8,?,?,?), ref: 00F7096E

SetCurrentDirectoryW.KERNEL32(?), ref: 00F63C6F
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,01017770,00000010), ref: 00F9D281
SetCurrentDirectoryW.KERNEL32(?,010252F8,?,?,?), ref: 00F9D2B9
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,01014260,010252F8,?,?,?), ref: 00F9D33F
ShellExecuteW.SHELL32(00000000,?,?), ref: 00F9D346

Part of subcall function 00F63A46: GetSysColorBrush.USER32(0000000F), ref: 00F63A50
Part of subcall function 00F63A46: LoadCursorW.USER32(00000000,00007F00), ref: 00F63A5F
Part of subcall function 00F63A46: LoadIconW.USER32(00000063), ref: 00F63A76
Part of subcall function 00F63A46: LoadIconW.USER32(000000A4), ref: 00F63A88
Part of subcall function 00F63A46: LoadIconW.USER32(000000A2), ref: 00F63A9A
Part of subcall function 00F63A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00F63AC0
Part of subcall function 00F63A46: RegisterClassExW.USER32(?), ref: 00F63B16

Part of subcall function 00F639D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00F63A03
Part of subcall function 00F639D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00F63A24
Part of subcall function 00F639D5: ShowWindow.USER32(00000000,?,?), ref: 00F63A38
Part of subcall function 00F639D5: ShowWindow.USER32(00000000,?,?), ref: 00F63A41

Part of subcall function 00F6434A: _memset.LIBCMT ref: 00F64370
Part of subcall function 00F6434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00F64415

Strings

This is a third-party compiled AutoIt script., xrefs: 00F9D279
runas, xrefs: 00F9D33A

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 529118366-3287110873
Opcode ID: 6675fa2c2a7fe20ccb78a88f072f03bacedcd6bfcdc7d63aec1e90183c916c2e
Instruction ID: 540fdd5109b8bf768ab03204365d4e7a39975f864301f2c84a6faa75a6acfcc1
Opcode Fuzzy Hash: 6675fa2c2a7fe20ccb78a88f072f03bacedcd6bfcdc7d63aec1e90183c916c2e
Instruction Fuzzy Hash: 9E511431D08248AEDF21EFB4DC46EFD7B78AF47710F204069F491A6192CA795609FB21

Function 00F649A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00F649CD

Part of subcall function 00F67BCC: _memmove.LIBCMT ref: 00F67C06

GetCurrentProcess.KERNEL32(?,00FEFAEC,00000000,00000000,?), ref: 00F64A9A
IsWow64Process.KERNEL32(00000000), ref: 00F64AA1
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00F64AE7
FreeLibrary.KERNEL32(00000000), ref: 00F64AF2
GetSystemInfo.KERNEL32(00000000), ref: 00F64B23
GetSystemInfo.KERNEL32(00000000), ref: 00F64B2F

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 58b780f5fce3675906bf00c8136124c2a3bd872e4efef2b0676125b8c0853ad0
Instruction ID: 69372cebb4a2c637207004869adb057323dbd6ce84834307f2736b36e7fbd8d0
Opcode Fuzzy Hash: 58b780f5fce3675906bf00c8136124c2a3bd872e4efef2b0676125b8c0853ad0
Instruction Fuzzy Hash: F791F8319897C4DECB31EBB885502AAFFF5AF29310B54496DD0CB93A42D224F508E75A

Function 00F64E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00F64D8E,?,?,00000000,00000000), ref: 00F64E99
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00F64D8E,?,?,00000000,00000000), ref: 00F64EB0
LoadResource.KERNEL32(?,00000000,?,?,00F64D8E,?,?,00000000,00000000,?,?,?,?,?,?,00F64E2F), ref: 00F9D937
SizeofResource.KERNEL32(?,00000000,?,?,00F64D8E,?,?,00000000,00000000,?,?,?,?,?,?,00F64E2F), ref: 00F9D94C
LockResource.KERNEL32(00F64D8E,?,?,00F64D8E,?,?,00000000,00000000,?,?,?,?,?,?,00F64E2F,00000000), ref: 00F9D95F

Strings

SCRIPT, xrefs: 00F64EA6

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 255a3bde5cc42d3e4fe2d3b368ef8baf2a9e608416f03954ba45e6d05414b198
Instruction ID: 6fa84fa75547b9b012e7a5c030510d654d7cb9103e2de0d1f3b13f07645ab4e8
Opcode Fuzzy Hash: 255a3bde5cc42d3e4fe2d3b368ef8baf2a9e608416f03954ba45e6d05414b198
Instruction Fuzzy Hash: 6811A0B1600345BFD7209BA5EC88F277BBAFBC5B11F20426CF515CA250DB72EC04A660

Function 00F6FCE0 Relevance: 5.5, APIs: 3, Instructions: 1040COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: BuffCharUpper
String ID:
API String ID: 3964851224-0
Opcode ID: 95a8f92115ccc24bd6e7e8b8133b88e3d54698a910ecdff21159accbfd5e64ea
Instruction ID: 9c11ad4b1d79d11a3026d7211772e63cae9bf82b930ae44798df4b21bca5b330
Opcode Fuzzy Hash: 95a8f92115ccc24bd6e7e8b8133b88e3d54698a910ecdff21159accbfd5e64ea
Instruction Fuzzy Hash: E5926C71A08341CFD720DF14C480B2AB7E5BF89314F14896DE89A9B352DBB5EC45EB92

Function 00FC445A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00F9E398), ref: 00FC446A
FindFirstFileW.KERNELBASE(?,?), ref: 00FC447B
FindClose.KERNEL32(00000000), ref: 00FC448B

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 4c65dd9d1b6f59c706a7f7add8228fb7d8d65f2a3dd13594d3499af2a697c193
Instruction ID: 52db511b10c17b08b6454d43b1cd29921b214bec790848c666bd74ee44491e26
Opcode Fuzzy Hash: 4c65dd9d1b6f59c706a7f7add8228fb7d8d65f2a3dd13594d3499af2a697c193
Instruction Fuzzy Hash: C7E0D8338105456B4214AB38EC4E9E9775D9E05335F204719FD35C50D0E7746D04B595

Function 00F709D0 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F70A5B
timeGetTime.WINMM ref: 00F70D16
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F70E53
Sleep.KERNEL32(0000000A), ref: 00F70E61
LockWindowUpdate.USER32(00000000,?,?), ref: 00F70EFA
DestroyWindow.USER32 ref: 00F70F06
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00F70F20
Sleep.KERNEL32(0000000A,?,?), ref: 00FA4E83
TranslateMessage.USER32(?), ref: 00FA5C60
DispatchMessageW.USER32(?), ref: 00FA5C6E
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00FA5C82

Strings

@GUI_WINHANDLE, xrefs: 00FA4F8F
@GUI_CTRLHANDLE, xrefs: 00FA4FE4
@TRAY_ID, xrefs: 00FA578F
@GUI_CTRLID, xrefs: 00FA4F3A
@COM_EVENTOBJ, xrefs: 00FA54F0

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 4212290369-3242690629
Opcode ID: b061dd61e20f284233ef8acfabfda96e4d3d9c02049bc6d36e4c262e5a4322b7
Instruction ID: e6227a2cefe757d73bca9bcdfd5427d63141e91a3a863029b426dd470e29afdd
Opcode Fuzzy Hash: b061dd61e20f284233ef8acfabfda96e4d3d9c02049bc6d36e4c262e5a4322b7
Instruction Fuzzy Hash: 7EB2F3B0A08741DFD724DF24C884BAAB7E5FF85714F14891EF48997291CB79E848EB42

Function 00FC9155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00FC8F5F: __time64.LIBCMT ref: 00FC8F69

Part of subcall function 00F64EE5: _fseek.LIBCMT ref: 00F64EFD

__wsplitpath.LIBCMT ref: 00FC9234

Part of subcall function 00F840FB: __wsplitpath_helper.LIBCMT ref: 00F8413B

_wcscpy.LIBCMT ref: 00FC9247
_wcscat.LIBCMT ref: 00FC925A
__wsplitpath.LIBCMT ref: 00FC927F
_wcscat.LIBCMT ref: 00FC9295
_wcscat.LIBCMT ref: 00FC92A8

Part of subcall function 00FC8FA5: _memmove.LIBCMT ref: 00FC8FDE
Part of subcall function 00FC8FA5: _memmove.LIBCMT ref: 00FC8FED

_wcscmp.LIBCMT ref: 00FC91EF

Part of subcall function 00FC9734: _wcscmp.LIBCMT ref: 00FC9824
Part of subcall function 00FC9734: _wcscmp.LIBCMT ref: 00FC9837

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00FC9452
_wcsncpy.LIBCMT ref: 00FC94C5
DeleteFileW.KERNEL32(?,?), ref: 00FC94FB
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00FC9511
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00FC9522
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00FC9534

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 3e95d86492c2f76daa834287b38e0895de41b2c10deb91e0a9e8ec6b3b65f81c
Instruction ID: b8f1a5fc580e4a2822d9a47fdb7211f4e01ffc48b616d28eb5c74cc375d2f1b9
Opcode Fuzzy Hash: 3e95d86492c2f76daa834287b38e0895de41b2c10deb91e0a9e8ec6b3b65f81c
Instruction Fuzzy Hash: 88C15CB1D0421AAADF21EF94CD86EDEB7BCEF45310F0044AAF609E7141DB749A449F61

Function 00F63015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00F63074
RegisterClassExW.USER32(00000030), ref: 00F6309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F630AF
InitCommonControlsEx.COMCTL32(?), ref: 00F630CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00F630DC
LoadIconW.USER32(000000A9), ref: 00F630F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00F63101

Strings

+, xrefs: 00F6305D
AutoIt v3 GUI, xrefs: 00F63090
0, xrefs: 00F63056
TaskbarCreated, xrefs: 00F630A4

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 2ad4e259c5212cf04693cd44128f1bf4032e6ce1a0bc55003875a49a86ef7361
Instruction ID: 99043e7411071ab74c06fef83f1ab876b448db40ce47067d50d68ca5e8dfd706
Opcode Fuzzy Hash: 2ad4e259c5212cf04693cd44128f1bf4032e6ce1a0bc55003875a49a86ef7361
Instruction Fuzzy Hash: BF3129B18413899FDB60CFA4D889ADDBBF0FB09310F24452EE580EA291D3BA0589DF55

Function 00F63041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00F63074
RegisterClassExW.USER32(00000030), ref: 00F6309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F630AF
InitCommonControlsEx.COMCTL32(?), ref: 00F630CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00F630DC
LoadIconW.USER32(000000A9), ref: 00F630F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00F63101

Strings

+, xrefs: 00F6305D
AutoIt v3 GUI, xrefs: 00F63090
0, xrefs: 00F63056
TaskbarCreated, xrefs: 00F630A4

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 703e632900f88f526311fe3da9b17047adfbd5360be55fc21b0c5847d602cb24
Instruction ID: 8267f081177f45eff8c5314ab16de1207b5d76d395ffdf29dbf2905e21b4411e
Opcode Fuzzy Hash: 703e632900f88f526311fe3da9b17047adfbd5360be55fc21b0c5847d602cb24
Instruction Fuzzy Hash: A421F7B1D11248AFDB20DFA4EC88BDDBBF4FB08710F10812AF650AA290D7F645489F95

Function 00F6708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F64706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,010252F8,?,00F637AE,?), ref: 00F64724

Part of subcall function 00F8050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00F67165), ref: 00F8052D

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00F671A8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00F9E8C8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00F9E909
RegCloseKey.ADVAPI32(?), ref: 00F9E947
_wcscat.LIBCMT ref: 00F9E9A0

Strings

Include, xrefs: 00F9E8BF, 00F9E900
\, xrefs: 00F9E9C3
\Include\, xrefs: 00F67165
Software\AutoIt v3\AutoIt, xrefs: 00F6719E

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 11732c507b7658b1040ef9af1643907aa3ed41848cefa29366ef2b7975070682
Instruction ID: 1b734f32dad52139934b9e7833139abb0865ec80697170e4f90bffbaa2f8692e
Opcode Fuzzy Hash: 11732c507b7658b1040ef9af1643907aa3ed41848cefa29366ef2b7975070682
Instruction Fuzzy Hash: 7571A1715083419ED720EF25EC819AFBBE8FF85310F50052EF885871A1DB7A994CDB52

Function 00F63A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00F63A50
LoadCursorW.USER32(00000000,00007F00), ref: 00F63A5F
LoadIconW.USER32(00000063), ref: 00F63A76
LoadIconW.USER32(000000A4), ref: 00F63A88
LoadIconW.USER32(000000A2), ref: 00F63A9A
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00F63AC0
RegisterClassExW.USER32(?), ref: 00F63B16

Part of subcall function 00F63041: GetSysColorBrush.USER32(0000000F), ref: 00F63074
Part of subcall function 00F63041: RegisterClassExW.USER32(00000030), ref: 00F6309E
Part of subcall function 00F63041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F630AF
Part of subcall function 00F63041: InitCommonControlsEx.COMCTL32(?), ref: 00F630CC
Part of subcall function 00F63041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00F630DC
Part of subcall function 00F63041: LoadIconW.USER32(000000A9), ref: 00F630F2
Part of subcall function 00F63041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00F63101

Strings

#, xrefs: 00F63AFB
AutoIt v3, xrefs: 00F63B05
0, xrefs: 00F63AF4

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 48e43e30d9ac769af044bf3a98d577a2b4de92ad23a51077f8e8b7a416e9395d
Instruction ID: a795621e8de0905089ce2b166ff7f25d98272dbdc99e21fdbe498e321d4b0028
Opcode Fuzzy Hash: 48e43e30d9ac769af044bf3a98d577a2b4de92ad23a51077f8e8b7a416e9395d
Instruction Fuzzy Hash: 42215171D00308AFEB30DFA4EC45BAD7BB1FB0A711F20411AF540AA2D5D3BA55589F98

Function 00F63633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00F636D2
KillTimer.USER32(?,00000001), ref: 00F636FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00F6371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F6372A
CreatePopupMenu.USER32 ref: 00F6373E
PostQuitMessage.USER32(00000000), ref: 00F6374D

Strings

TaskbarCreated, xrefs: 00F63725

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: c087a502e4d3b6de7e4914cf3cbed86259ecd1a1d921ca99f6519ccd146a3ee7
Instruction ID: f5e415cd9662edf214373df343c024122cacf5e52d64dc07f465dccea219ff54
Opcode Fuzzy Hash: c087a502e4d3b6de7e4914cf3cbed86259ecd1a1d921ca99f6519ccd146a3ee7
Instruction Fuzzy Hash: 1A417BB3A04149BBDF306F28DC49FB93765FB01320F240125F542D62E5CABA9E48B765

Function 00F63766 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/AutoIt3OutputDebug, xrefs: 00F63892
/AutoIt3ExecuteScript, xrefs: 00F638BC
/ErrorStdOut, xrefs: 00F6387D
/AutoIt3ExecuteLine, xrefs: 00F638A7
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 00F637AE
CMDLINERAW, xrefs: 00F637FB
CMDLINE, xrefs: 00F63822

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
API String ID: 1825951767-3513169116
Opcode ID: 7fc3b0cc12e34b78bbbdf6b7729cc3d1c1c8e5efee2f83704ecd2d4e50af9e7f
Instruction ID: ae6e14426f810bce00c4e4e116be9712ced42fb11377074dcbabd5cb44c0bde1
Opcode Fuzzy Hash: 7fc3b0cc12e34b78bbbdf6b7729cc3d1c1c8e5efee2f83704ecd2d4e50af9e7f
Instruction Fuzzy Hash: 40A17D72D0022DAADF14EBA0DC95AEEB778FF25310F500529F415B7181DF78AA08EB60

Function 00A54888 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00A54959
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00A54B7F

Memory Dump Source

Source File: 00000000.00000002.2127804313.0000000000A52000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A52000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a52000_ZeAX5i7cGB.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: ed516440ab75e0c1ded8a7b1870b24392b753ad5cf7d4aa929dd61e32643855c
Instruction ID: 89e65e86caebeb56a69bfc7facfa3f43987d30aa60daca4432fea54ff327ee3c
Opcode Fuzzy Hash: ed516440ab75e0c1ded8a7b1870b24392b753ad5cf7d4aa929dd61e32643855c
Instruction Fuzzy Hash: D8A12974E00209EBDB14CFA4C899BEEB7B5FF48309F208159EA15BB280D7759A84CF54

Function 00F89AE6 Relevance: 10.5, APIs: 7, Instructions: 45
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__init_pointers.LIBCMT ref: 00F89AE6

Part of subcall function 00F83187: EncodePointer.KERNEL32(00000000), ref: 00F8318A
Part of subcall function 00F83187: __initp_misc_winsig.LIBCMT ref: 00F831A5
Part of subcall function 00F83187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00F89EA0
Part of subcall function 00F83187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00F89EB4
Part of subcall function 00F83187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00F89EC7
Part of subcall function 00F83187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00F89EDA
Part of subcall function 00F83187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00F89EED
Part of subcall function 00F83187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00F89F00
Part of subcall function 00F83187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00F89F13
Part of subcall function 00F83187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00F89F26
Part of subcall function 00F83187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00F89F39
Part of subcall function 00F83187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00F89F4C
Part of subcall function 00F83187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00F89F5F
Part of subcall function 00F83187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00F89F72
Part of subcall function 00F83187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00F89F85
Part of subcall function 00F83187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00F89F98
Part of subcall function 00F83187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00F89FAB
Part of subcall function 00F83187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00F89FBE

__mtinitlocks.LIBCMT ref: 00F89AEB
__mtterm.LIBCMT ref: 00F89AF4

Part of subcall function 00F89B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00F89AF9,00F87CD0,0101A0B8,00000014), ref: 00F89C56
Part of subcall function 00F89B5C: _free.LIBCMT ref: 00F89C5D
Part of subcall function 00F89B5C: DeleteCriticalSection.KERNEL32(0101EC00,?,?,00F89AF9,00F87CD0,0101A0B8,00000014), ref: 00F89C7F

__calloc_crt.LIBCMT ref: 00F89B19
__initptd.LIBCMT ref: 00F89B3B
GetCurrentThreadId.KERNEL32 ref: 00F89B42

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: bfbcb9045137e25bef48846493411608a9750ae4924f70c6db7b8a8c6a192a39
Instruction ID: 4198221d6dea5e839c69b5fbd1736a8a5e44da1f509e6b2459cccad396812985
Opcode Fuzzy Hash: bfbcb9045137e25bef48846493411608a9750ae4924f70c6db7b8a8c6a192a39
Instruction Fuzzy Hash: 6BF0F032A0D7111AE6387674BC036EA36909F42730F280A1DF4A0D60C2FFEC890173A4

Function 00F639D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00F63A03
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00F63A24
ShowWindow.USER32(00000000,?,?), ref: 00F63A38
ShowWindow.USER32(00000000,?,?), ref: 00F63A41

Strings

edit, xrefs: 00F63A1E
AutoIt v3, xrefs: 00F639FB, 00F63A00, 00F63A01

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: c0f5cdc1827c88073f0b03329ed3317d7633e23fe834efd9321b14fadad6eaa9
Instruction ID: 9be44e37f4c45a8037a1c167b9fbb3f98302880c6d72e1d8bf1af2d9afd79d1a
Opcode Fuzzy Hash: c0f5cdc1827c88073f0b03329ed3317d7633e23fe834efd9321b14fadad6eaa9
Instruction Fuzzy Hash: E2F05E705002947EEA305B236C4CEBB3E7DD7CBF60F20002EF940A61A4C27A0848DBB4

Function 00A54678 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 135
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00A54568: Sleep.KERNELBASE(000001F4), ref: 00A54579

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00A54772

Strings

920XTVFUEFKBC, xrefs: 00A547D5, 00A547D8

Memory Dump Source

Source File: 00000000.00000002.2127804313.0000000000A52000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A52000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a52000_ZeAX5i7cGB.jbxd

Similarity

API ID: CreateFileSleep
String ID: 920XTVFUEFKBC
API String ID: 2694422964-1299527702
Opcode ID: 7272ba572cf1e65cc459029f075973c90e64722f9818aeb22f4ea7787fafc81e
Instruction ID: 78de45583d1ae3998546f80231674827aa2f8c9270ce73013dc171049384c7c5
Opcode Fuzzy Hash: 7272ba572cf1e65cc459029f075973c90e64722f9818aeb22f4ea7787fafc81e
Instruction Fuzzy Hash: 47517071D04249EBEF10DBE4D905BEEBBB4AF59305F104199EA08BB2C0D7791B48CB65

Function 00F6407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00F9D3D7

Part of subcall function 00F67BCC: _memmove.LIBCMT ref: 00F67C06

_memset.LIBCMT ref: 00F640FC
_wcscpy.LIBCMT ref: 00F64150
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00F64160

Strings

Line: , xrefs: 00F9D400

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: 201c7010ef8dd5c38bb38076f66ca816afc3622fc2a252b79aea4df09dbcb65a
Instruction ID: ebc4e6ed3bac6f8ea322f15e46fa6bc94c78b87f7817847a09105884cbea6c1b
Opcode Fuzzy Hash: 201c7010ef8dd5c38bb38076f66ca816afc3622fc2a252b79aea4df09dbcb65a
Instruction Fuzzy Hash: E8319E72408304ABD731FF60DC46FEB77E8AF85314F20491EF58596091EB78A648EB96

Function 00F8541D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F8547B
_memcpy_s.LIBCMT ref: 00F854ED
__read_nolock.LIBCMT ref: 00F8554B
__filbuf.LIBCMT ref: 00F8556E
_memset.LIBCMT ref: 00F855B2

Part of subcall function 00F88B28: __getptd_noexit.LIBCMT ref: 00F88B28

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction ID: 37cfa763e1181f3756c58f4626396fbc813a117a9674f531c6e556fd0f81dc7e
Opcode Fuzzy Hash: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction Fuzzy Hash: 3051C971E00B05DBDF24EFA9DC506EE77A2AF40B35F288729F8259A2D0D7749D50AB40

Function 00F6686A Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00F64DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,010252F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00F64E0F

_free.LIBCMT ref: 00F9E263
_free.LIBCMT ref: 00F9E2AA

Part of subcall function 00F66A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00F66BAD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00F9E039
Bad directive syntax error, xrefs: 00F9E292

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: 6683efb6ba64e5530fa7f25013dccea6df8bf58135ed7cb0faf9aad05c45d9e9
Instruction ID: 46d5489d3b458b40177c7001903bfd5481074248331c688474160b5f4b0c3918
Opcode Fuzzy Hash: 6683efb6ba64e5530fa7f25013dccea6df8bf58135ed7cb0faf9aad05c45d9e9
Instruction Fuzzy Hash: DC918D71D04219AFDF04EFA4CC819EDB7B8FF18314F14442AF816AB2A1DB79A945EB50

Function 00F635B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00F635A1,SwapMouseButtons,00000004,?), ref: 00F635D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00F635A1,SwapMouseButtons,00000004,?,?,?,?,00F62754), ref: 00F635F5
RegCloseKey.KERNELBASE(00000000,?,?,00F635A1,SwapMouseButtons,00000004,?,?,?,?,00F62754), ref: 00F63617

Strings

Control Panel\Mouse, xrefs: 00F635D2

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 20d6fa1d37e4c79284203e80a55ab1c0912927aaa92b4e1ef5582aecda95b440
Instruction ID: 0dbd506240f202d7fbdd1caf4e7cce948743a394de1605321bb7ca42b8acf614
Opcode Fuzzy Hash: 20d6fa1d37e4c79284203e80a55ab1c0912927aaa92b4e1ef5582aecda95b440
Instruction Fuzzy Hash: 70115A71910218BFDB20CF64DC80EAEBBB8EF44750F004469F905DB210D2729F44A760

Function 00A53568 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00A53D95
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00A53DB9
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00A53DDB

Memory Dump Source

Source File: 00000000.00000002.2127804313.0000000000A52000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A52000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a52000_ZeAX5i7cGB.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: fc310a6135c3389c0587bc6629e9838c2c50d5be0bfc8bfa2df8a04cac11b1e3
Instruction ID: d982588b8f3d177d89c6773ece75875cb3bc3de88a398753549d6b546ea5ab71
Opcode Fuzzy Hash: fc310a6135c3389c0587bc6629e9838c2c50d5be0bfc8bfa2df8a04cac11b1e3
Instruction Fuzzy Hash: 99621C30A14618DBEB24CBA4C841BDEB372FF58301F1091A9D60DEB390E7799E85CB59

Function 00FC955B Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00F64EE5: _fseek.LIBCMT ref: 00F64EFD

Part of subcall function 00FC9734: _wcscmp.LIBCMT ref: 00FC9824
Part of subcall function 00FC9734: _wcscmp.LIBCMT ref: 00FC9837

_free.LIBCMT ref: 00FC96A2
_free.LIBCMT ref: 00FC96A9
_free.LIBCMT ref: 00FC9714

Part of subcall function 00F82D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00F89A24), ref: 00F82D69
Part of subcall function 00F82D55: GetLastError.KERNEL32(00000000,?,00F89A24), ref: 00F82D7B

_free.LIBCMT ref: 00FC971C

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction ID: b9fd0f5dba69a9da68580abe53b262a02df5b784dae55be7c76092abdc2297cd
Opcode Fuzzy Hash: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction Fuzzy Hash: FF514CB1D04259AFDF24AF64CC85BAEBBB9EF48300F10449EF609A3251DB755A80DF58

Function 00F8470A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F847A0
__flush.LIBCMT ref: 00F847C0
__write.LIBCMT ref: 00F847F3
__flsbuf.LIBCMT ref: 00F84821

Part of subcall function 00F88B28: __getptd_noexit.LIBCMT ref: 00F88B28

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction ID: 6676847cd519ed5128f3f054c7bda685a615494b94dc27dbcba939994caf640f
Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction Fuzzy Hash: 9841B375E007479BDB18AF69CC809EE77A6EF41364B24853DE815C7680EB74FD41AB40

Function 00F67285 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F9EA39
GetOpenFileNameW.COMDLG32(?), ref: 00F9EA83

Part of subcall function 00F64750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F64743,?,?,00F637AE,?), ref: 00F64770

Part of subcall function 00F80791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00F807B0

Strings

X, xrefs: 00F9EA51

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 40872e173f8d9b1fafbe2ee3ea778db85655b01bcabc4780aec54a3a9fdf14b9
Instruction ID: 61bd3071ffdf73042dd9eba2d41dac5dccbe5f4f2c49568c4e9f8c40956244b8
Opcode Fuzzy Hash: 40872e173f8d9b1fafbe2ee3ea778db85655b01bcabc4780aec54a3a9fdf14b9
Instruction Fuzzy Hash: A621D831A002589BDF51EF94CC45BEE7BF8AF49314F00801AE548E7241DBBC5949EFA1

Function 00FC8D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00FC8DAC
__fread_nolock.LIBCMT ref: 00FC8DC1

Strings

EA06, xrefs: 00FC8DF3

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: fb585f3e2e4651c29f4c1d2b90fe615dd35e6006829e1efa8f1bfd9a6c968370
Instruction ID: fc7bb742e3f4566ed735c73709e2907bb7661b872b9cf44f8105d8bcd64abefb
Opcode Fuzzy Hash: fb585f3e2e4651c29f4c1d2b90fe615dd35e6006829e1efa8f1bfd9a6c968370
Instruction Fuzzy Hash: 9901D672C042186EDB18DAA8CC16EEA7BF89B11711F00419EF552D6181E878A6089760

Function 00FC98E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00FC98F8
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00FC990F

Strings

aut, xrefs: 00FC9909

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 0801c12151550e1eae95e4528cdfcdc08db4084aa860ea4b1f2d18f28798da8f
Instruction ID: 0a1b2dbe0e9039549f232e5bc3f2165f232efa4c960526080e547bf4f97c5321
Opcode Fuzzy Hash: 0801c12151550e1eae95e4528cdfcdc08db4084aa860ea4b1f2d18f28798da8f
Instruction Fuzzy Hash: B9D05E7954030DABDB509BA4EC8EF9A773CE704700F0042B1BF94990A1EAB096989B91

Function 00FDCADD Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04626581017b159a95f415b42adaefc7d144c90bd9b538ee4f6006dd963e41b4
Instruction ID: 302ebf08723207bca5cad4a984d4a3f02c474bc8acfe3c53c557d60a690483fe
Opcode Fuzzy Hash: 04626581017b159a95f415b42adaefc7d144c90bd9b538ee4f6006dd963e41b4
Instruction Fuzzy Hash: C1F14E71A083019FC714DF28C880A6ABBE6FF88314F54892EF8999B351D774E945DF92

Function 00F6F76F Relevance: 4.7, APIs: 3, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 00F80162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00F80193
Part of subcall function 00F80162: MapVirtualKeyW.USER32(00000010,00000000), ref: 00F8019B
Part of subcall function 00F80162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00F801A6
Part of subcall function 00F80162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00F801B1
Part of subcall function 00F80162: MapVirtualKeyW.USER32(00000011,00000000), ref: 00F801B9
Part of subcall function 00F80162: MapVirtualKeyW.USER32(00000012,00000000), ref: 00F801C1

Part of subcall function 00F760F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00F6F930), ref: 00F76154

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00F6F9CD
OleInitialize.OLE32(00000000), ref: 00F6FA4A
CloseHandle.KERNEL32(00000000), ref: 00FA45C8

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 4ab28ecd69d108d0f301acb61218f281b65f168bb05778bb74c2852e0e0d837c
Instruction ID: aaac6838919390fecbc3de17067a1c282b2db3b667e905c19a70c4d1ddc688d2
Opcode Fuzzy Hash: 4ab28ecd69d108d0f301acb61218f281b65f168bb05778bb74c2852e0e0d837c
Instruction Fuzzy Hash: C681C0B0A01640CFC3B4DF39FC556E9BBE5FB5831A7B0812AD098CB259EB7A45049F19

Function 00F6434A Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F64370
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00F64415
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00F64432

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: d5d8a96ddabb2df8c723e3fb29125a143d01991b891aceaeba789e29b4a7e48d
Instruction ID: f612bbb1be36096142ae6a0ca7fecfe8df3122ebcbbefd5ab0f15e3c5b47aeb4
Opcode Fuzzy Hash: d5d8a96ddabb2df8c723e3fb29125a143d01991b891aceaeba789e29b4a7e48d
Instruction Fuzzy Hash: 0E31B1709043018FC731EF24D88569BBBF8FB4A319F10092EF5CA86281D775B948DB56

Function 00F8571C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00F85733

Part of subcall function 00F8A16B: __NMSG_WRITE.LIBCMT ref: 00F8A192
Part of subcall function 00F8A16B: __NMSG_WRITE.LIBCMT ref: 00F8A19C

__NMSG_WRITE.LIBCMT ref: 00F8573A

Part of subcall function 00F8A1C8: GetModuleFileNameW.KERNEL32(00000000,010233BA,00000104,?,00000001,00000000), ref: 00F8A25A
Part of subcall function 00F8A1C8: ___crtMessageBoxW.LIBCMT ref: 00F8A308

Part of subcall function 00F8309F: ___crtCorExitProcess.LIBCMT ref: 00F830A5
Part of subcall function 00F8309F: ExitProcess.KERNEL32 ref: 00F830AE

Part of subcall function 00F88B28: __getptd_noexit.LIBCMT ref: 00F88B28

RtlAllocateHeap.NTDLL(00A10000,00000000,00000001,00000000,?,?,?,00F80DD3,?), ref: 00F8575F

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: a6d2679e422af7a791473ae6ba8225406777ae983bbaf51396788622647f16d4
Instruction ID: 2ff908f70117c009994688737366e19a14ec196e1a8db5375a2ff340ec1457bd
Opcode Fuzzy Hash: a6d2679e422af7a791473ae6ba8225406777ae983bbaf51396788622647f16d4
Instruction Fuzzy Hash: 4301F532700B0ADBE6253B34EC86BEE77489B82B71F604426F5059A1C1DF7C8C017760

Function 00FC98A2 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00FC9548,?,?,?,?,?,00000004), ref: 00FC98BB
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00FC9548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00FC98D1
CloseHandle.KERNEL32(00000000,?,00FC9548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00FC98D8

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 2007830b81814273105d2aee5706d60a6a22e515b078f7416ffcdd024b28a242
Instruction ID: 746d2ee9ab25e03934a92b9050d0dab57c2c644f76a40fe3c7912c693fec87ea
Opcode Fuzzy Hash: 2007830b81814273105d2aee5706d60a6a22e515b078f7416ffcdd024b28a242
Instruction Fuzzy Hash: 21E0863214021CBBD7211B54EC4AFCA7B19AB06771F108120FB146D0E087B11515A798

Function 00FC8D0D Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00FC8D1B

Part of subcall function 00F82D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00F89A24), ref: 00F82D69
Part of subcall function 00F82D55: GetLastError.KERNEL32(00000000,?,00F89A24), ref: 00F82D7B

_free.LIBCMT ref: 00FC8D2C
_free.LIBCMT ref: 00FC8D3E

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction ID: be8f945e11dd4dd112e498499f27beb35fd1b5d4158a0781c08625bf0f3b60ab
Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction Fuzzy Hash: DEE012B2A01A0246CB64B578AF41FD367EC4F983A2714091DB80ED7186CE68FC43A324

Function 00F6A9C3 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 00F9FC01

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: d14f30717c50dadeaecba8426d28294c28609ae47b707cfbbdb38d5ef4b00ef3
Instruction ID: b3e345d7ac834286c8e0e9d475309646c8b50ab1dd43556dc4d698ec6b1f245f
Opcode Fuzzy Hash: d14f30717c50dadeaecba8426d28294c28609ae47b707cfbbdb38d5ef4b00ef3
Instruction Fuzzy Hash: BF225871908201DFDB24DF14C890B6AB7E1BF85314F14896DE89A9B362DB35EC45EF82

Function 00F64C70 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F64CBA

Strings

EA06, xrefs: 00F9D8CC

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: d1735b6dddc4e51503a32362550396db12d980d282d0f4ced3cd9af406ea4138
Instruction ID: d9fb62987d52d5bdc19ebe8ee22ca43993676397244de8c0985b01cea8947d63
Opcode Fuzzy Hash: d1735b6dddc4e51503a32362550396db12d980d282d0f4ced3cd9af406ea4138
Instruction Fuzzy Hash: 49414A22E041585BDF22BB64CC617BF7FB29B46310F684475ED82EB282D624BD44B7A1

Function 00F67A51 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F67AAB
_memmove.LIBCMT ref: 00F67B16

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 40fbce4a1fea4cfe3bf1a015a5a2827c9472d34ae18aa590b79f6fb0e3b65f37
Instruction ID: 51ec83a8476c30a6869ff50fbba194d7d1cfd4c3adb08251e6837ea439f3f320
Opcode Fuzzy Hash: 40fbce4a1fea4cfe3bf1a015a5a2827c9472d34ae18aa590b79f6fb0e3b65f37
Instruction Fuzzy Hash: BF31C8B2604606AFC704EF68C8D1E69F3A9FF483247558629E519CB3A1EF34ED50DB90

Function 00F647D0 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00F64834

Part of subcall function 00F8336C: __lock.LIBCMT ref: 00F83372
Part of subcall function 00F8336C: DecodePointer.KERNEL32(00000001,?,00F64849,00FB7C74), ref: 00F8337E
Part of subcall function 00F8336C: EncodePointer.KERNEL32(?,?,00F64849,00FB7C74), ref: 00F83389

Part of subcall function 00F648FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00F64915
Part of subcall function 00F648FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00F6492A

Part of subcall function 00F63B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00F63B68
Part of subcall function 00F63B3A: IsDebuggerPresent.KERNEL32 ref: 00F63B7A
Part of subcall function 00F63B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,010252F8,010252E0,?,?), ref: 00F63BEB
Part of subcall function 00F63B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00F63C6F

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00F64874

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 6978b7263db0cf134f521e66bfb4cbf92672e6e0b756f096f1286c0680237986
Instruction ID: 431897c67ed2c875263c2fa2a770a27ace5f07dbe6e6aa7e73e516c2338899e1
Opcode Fuzzy Hash: 6978b7263db0cf134f521e66bfb4cbf92672e6e0b756f096f1286c0680237986
Instruction Fuzzy Hash: A711CD718083419BD720EF38DC4594AFFE8EF8A750F20451EF480872A1DBBA9648DB82

Function 00F80DB6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00F8571C: __FF_MSGBANNER.LIBCMT ref: 00F85733
Part of subcall function 00F8571C: __NMSG_WRITE.LIBCMT ref: 00F8573A
Part of subcall function 00F8571C: RtlAllocateHeap.NTDLL(00A10000,00000000,00000001,00000000,?,?,?,00F80DD3,?), ref: 00F8575F

std::exception::exception.LIBCMT ref: 00F80DEC
__CxxThrowException@8.LIBCMT ref: 00F80E01

Part of subcall function 00F8859B: RaiseException.KERNEL32(?,?,?,01019E78,00000000,?,?,?,?,00F80E06,?,01019E78,?,00000001), ref: 00F885F0

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 68e38576d9c1d1c4da44858615c5a1f6865bc0cade5faf55a97f0f8a97f0a398
Instruction ID: d2cdb696f04c6fe1782b6141717b01f5d8ceb4e8017f7cb3d589f3356822974e
Opcode Fuzzy Hash: 68e38576d9c1d1c4da44858615c5a1f6865bc0cade5faf55a97f0f8a97f0a398
Instruction Fuzzy Hash: A8F0A43290021E66CB10BAA4EC159EF7BAC9F01361F504429FD0496252DF749A45B3D1

Function 00F855FD Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F8562C
__lock_file.LIBCMT ref: 00F8564D

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: add2842a71459ea06e308586f7c52b8d23e7682f6e52e34aa1c719edcffea70f
Instruction ID: 21d46408dc3599c574c1b0a78a0926746b7b861e14612e074dcd6d8fd41363ef
Opcode Fuzzy Hash: add2842a71459ea06e308586f7c52b8d23e7682f6e52e34aa1c719edcffea70f
Instruction Fuzzy Hash: 8A01F772C00608EBCF12BF648C024DE7B61AF91B61F804115F8241B151EB398A12FF91

Function 00F853A6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00F88B28: __getptd_noexit.LIBCMT ref: 00F88B28

__lock_file.LIBCMT ref: 00F853EB

Part of subcall function 00F86C11: __lock.LIBCMT ref: 00F86C34

__fclose_nolock.LIBCMT ref: 00F853F6

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: dbd241f85698d517934aa7875007d6435ca81eaf3dbf78925151bd9d8b7d72cb
Instruction ID: 5ccb2796ddc123e0a2bc72df0641e29a55a7dbe494c2646666c6e5435cf20f82
Opcode Fuzzy Hash: dbd241f85698d517934aa7875007d6435ca81eaf3dbf78925151bd9d8b7d72cb
Instruction Fuzzy Hash: 38F09032901A049BDB21BBA59C027ED76A16F41BB5F608208E464AB1C1CBBC8A42BB51

Function 00A53565 Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00A53D95
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00A53DB9
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00A53DDB

Memory Dump Source

Source File: 00000000.00000002.2127804313.0000000000A52000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A52000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a52000_ZeAX5i7cGB.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: c7490eb0849e98549b11c4fe0459da6d53c4872c769bbd933b9fbf1e0076ab14
Instruction ID: fc42d9d242fa4add8e5b22c1f1d0339b0dfcc0dd073dd639d4c9bf8b5ef95556
Opcode Fuzzy Hash: c7490eb0849e98549b11c4fe0459da6d53c4872c769bbd933b9fbf1e0076ab14
Instruction Fuzzy Hash: FD12EE20E24658C6EB24DF64D8507DEB232FF68301F1090E9910DEB7A5E77A4F85CB5A

Function 00F80C08 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00F80CB7

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: e681cf0d45a626d19e615b7da772b48558723f66e2a45f83329ac3abf2394c77
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 9E310A71A001059FC798EF08C494AA9F7A5FF4A310BA48795E40ACB351DB31EDC5EBC0

Function 00F9FCAC Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00F9FCB7

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: c90f4577c8898e00fbaf6bf2c0b69e8a2bda72eec36fdc35223db7bc1bec48c5
Instruction ID: 16e6adac37d891fdf9073096b87fee9d76c286b336409f43093b8e6ef3fccddf
Opcode Fuzzy Hash: c90f4577c8898e00fbaf6bf2c0b69e8a2bda72eec36fdc35223db7bc1bec48c5
Instruction Fuzzy Hash: 6B4107749083518FDB14DF14C454B1ABBE0BF45318F0988ACE89A9B362C736EC49EF52

Function 00F67B53 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F67BB3

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 5265c999e6be0233acbf58096fe377cf776eda66a6dd257057687f239e338677
Instruction ID: 5760a714d769046cc4d9ff08c79ddeb220bdaa5f43905327faa9c7ed9ec6df9e
Opcode Fuzzy Hash: 5265c999e6be0233acbf58096fe377cf776eda66a6dd257057687f239e338677
Instruction Fuzzy Hash: B7213372A04B09EBEF249F21E8417AA7BB4FB54354F20842EF8C6C9094EB358090F745

Function 00F64DDD Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F64BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00F64BEF

Part of subcall function 00F8525B: __wfsopen.LIBCMT ref: 00F85266

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,010252F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00F64E0F

Part of subcall function 00F64B6A: FreeLibrary.KERNEL32(00000000), ref: 00F64BA4

Part of subcall function 00F64C70: _memmove.LIBCMT ref: 00F64CBA

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: c042ad3894119be06094197559ca1556ae0fcc038c93664b5c9a80e245ef29dc
Instruction ID: 6956fba66b6474ddb8e3ef06a38631f30c59566b8b0740ede98b2574eb811d99
Opcode Fuzzy Hash: c042ad3894119be06094197559ca1556ae0fcc038c93664b5c9a80e245ef29dc
Instruction Fuzzy Hash: F911E332600206ABCF11FF70CC16FAD77A8AF94B10F108829F541AB181DE7AAA04BB51

Function 00F9FD85 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00F9FD91

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: ef49cd0ab55a861362a4b885af95a80ed00b98af74067d21ed1623fa8204971d
Instruction ID: dfa1c5cb2177a9f9bbba44b43e9bd7a31510b90c8f51ef33f6a957f378948821
Opcode Fuzzy Hash: ef49cd0ab55a861362a4b885af95a80ed00b98af74067d21ed1623fa8204971d
Instruction Fuzzy Hash: 4A21F3B4908341DFDB14DF64C844B5ABBE1BF88314F058968F88A97762D735E809EF92

Function 00F84863 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00F848A6

Part of subcall function 00F88B28: __getptd_noexit.LIBCMT ref: 00F88B28

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 9db6ce3fdc75b4c1832a7f7ff656d18f015617aecd20b0c13da98ea00d70827d
Instruction ID: bc24b80dc622d8a3506ef0e2fc27bf36188cc965a12c8bd186f38dd795d7204c
Opcode Fuzzy Hash: 9db6ce3fdc75b4c1832a7f7ff656d18f015617aecd20b0c13da98ea00d70827d
Instruction Fuzzy Hash: ECF0AF3190160AABDF11BFA48C0A7EE3AA1AF01366F558418F4249A192CB7C9952FF51

Function 00F64E4A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,010252F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00F64E7E

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 389db7317c6b37adc14d822d19ddf03405f0ab71c730b4f1822437f85bbdc1dd
Instruction ID: 675a0bd0dec3cadc3ee822a8ba1eafa2e1c8249186c3f174316bcbc8190043e2
Opcode Fuzzy Hash: 389db7317c6b37adc14d822d19ddf03405f0ab71c730b4f1822437f85bbdc1dd
Instruction Fuzzy Hash: EAF01571901B11CFCB34AF64E894812BBE1BF243393208A3EE1D682620C733A844FB40

Function 00F80791 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00F807B0

Part of subcall function 00F67BCC: _memmove.LIBCMT ref: 00F67C06

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: b07f8461bf6b1a0e4f83261106a10ac1504f0500bb2326b87456fa07e665e885
Instruction ID: d888c586527d5800d8b6d56697feb5f53192a0958815d64796be4a5e5979b13e
Opcode Fuzzy Hash: b07f8461bf6b1a0e4f83261106a10ac1504f0500bb2326b87456fa07e665e885
Instruction Fuzzy Hash: B6E0CD3690422857C720E6589C05FFA77EDDFC87A0F0441B5FD0CD7248D9649C9096D0

Function 00FC8E9F Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00FC8EC1

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction ID: a15444569117135ded545bec3a98b89f7f738628d13b9484181d080b097a23d6
Opcode Fuzzy Hash: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction Fuzzy Hash: 16E092B0504B005BDB388A24D801BE373E1AB05314F04081DF2AA83241EB627842D759

Function 00F8525B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00F85266

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 1df90fbf29b9b0b20436c987d747ec8927e93939c1f21599c52da11563c90ade
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: F6B0927644020C77CE012A82EC02A893B199B42B64F408020FB0C18162AA77A664AA89

Function 00A54568 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 00A54579

Memory Dump Source

Source File: 00000000.00000002.2127804313.0000000000A52000.00000040.00000020.00020000.00000000.sdmp, Offset: 00A52000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a52000_ZeAX5i7cGB.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 91eb9a5e3b251a3e3b1f0f5284dc885c5c1fb1bfb9b33a080777426fe0889df3
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 70E0E67494420DDFDB00DFB4D54969D7BB4FF04302F100161FD05D2280D6309E50DA62

Non-executed Functions

Function 00FECABC Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 632windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00F62612: GetWindowLongW.USER32(?,000000EB), ref: 00F62623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00FECB37
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00FECB95
GetWindowLongW.USER32(?,000000F0), ref: 00FECBD6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00FECC00
SendMessageW.USER32 ref: 00FECC29
_wcsncpy.LIBCMT ref: 00FECC95
GetKeyState.USER32(00000011), ref: 00FECCB6
GetKeyState.USER32(00000009), ref: 00FECCC3
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00FECCD9
GetKeyState.USER32(00000010), ref: 00FECCE3
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00FECD0C
SendMessageW.USER32 ref: 00FECD33
SendMessageW.USER32(?,00001030,?,00FEB348), ref: 00FECE37
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00FECE4D
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00FECE60
SetCapture.USER32(?), ref: 00FECE69
ClientToScreen.USER32(?,?), ref: 00FECECE
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00FECEDB
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00FECEF5
ReleaseCapture.USER32 ref: 00FECF00
GetCursorPos.USER32(?), ref: 00FECF3A
ScreenToClient.USER32(?,?), ref: 00FECF47
SendMessageW.USER32(?,00001012,00000000,?), ref: 00FECFA3
SendMessageW.USER32 ref: 00FECFD1
SendMessageW.USER32(?,00001111,00000000,?), ref: 00FED00E
SendMessageW.USER32 ref: 00FED03D
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00FED05E
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00FED06D
GetCursorPos.USER32(?), ref: 00FED08D
ScreenToClient.USER32(?,?), ref: 00FED09A
GetParent.USER32(?), ref: 00FED0BA
SendMessageW.USER32(?,00001012,00000000,?), ref: 00FED123
SendMessageW.USER32 ref: 00FED154
ClientToScreen.USER32(?,?), ref: 00FED1B2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00FED1E2
SendMessageW.USER32(?,00001111,00000000,?), ref: 00FED20C
SendMessageW.USER32 ref: 00FED22F
ClientToScreen.USER32(?,?), ref: 00FED281
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00FED2B5

Part of subcall function 00F625DB: GetWindowLongW.USER32(?,000000EB), ref: 00F625EC

GetWindowLongW.USER32(?,000000F0), ref: 00FED351

Strings

@GUI_DRAGID, xrefs: 00FECE9C
F, xrefs: 00FED235

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 3977979337-4164748364
Opcode ID: 9a695bd2729ba7fd9b1a08f0ad9893cd394d7985cee5740c76815d43f491aee9
Instruction ID: 6e47fc8a06c01088f18ec71aaf1c804736f4c77bb73a834b34fd95e376d6c2af
Opcode Fuzzy Hash: 9a695bd2729ba7fd9b1a08f0ad9893cd394d7985cee5740c76815d43f491aee9
Instruction Fuzzy Hash: 2242BE346042C0AFD724CF2ACC85BAABBE5FF89320F140519F695DB2A0C771D945EB92

Function 00F76F9E Relevance: 48.8, APIs: 19, Strings: 6, Instructions: 5018COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F771C3
_memset.LIBCMT ref: 00F77539
_memmove.LIBCMT ref: 00F776AC

Strings

Q\E, xrefs: 00F77FCB
DEFINE, xrefs: 00FB2103
\b(?=\w), xrefs: 00FB3769
\b(?<=\w), xrefs: 00FB3773
[:<:]], xrefs: 00F77479
[:>:]], xrefs: 00F77492

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: _memmove$_memset
String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-1798697756
Opcode ID: 72b30a8847636631621288936281cf404454f8873082ee1ead52c7cc06223e1e
Instruction ID: 86ec24079a787ef26c2454e9f22f0a4fbd7319319bd8f1f0a4baf3acd59433b0
Opcode Fuzzy Hash: 72b30a8847636631621288936281cf404454f8873082ee1ead52c7cc06223e1e
Instruction Fuzzy Hash: 0293B375E40215DBDB24DF99C881BEDB7B1FF48320F24816AE949AB281E7749D81EF40

Function 00F648D7 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 00F648DF
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F9D665
IsIconic.USER32(?), ref: 00F9D66E
ShowWindow.USER32(?,00000009), ref: 00F9D67B
SetForegroundWindow.USER32(?), ref: 00F9D685
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00F9D69B
GetCurrentThreadId.KERNEL32 ref: 00F9D6A2
GetWindowThreadProcessId.USER32(?,00000000), ref: 00F9D6AE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00F9D6BF
AttachThreadInput.USER32(?,00000000,00000001), ref: 00F9D6C7
AttachThreadInput.USER32(00000000,?,00000001), ref: 00F9D6CF
SetForegroundWindow.USER32(?), ref: 00F9D6D2
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F9D6E7
keybd_event.USER32(00000012,00000000), ref: 00F9D6F2
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F9D6FC
keybd_event.USER32(00000012,00000000), ref: 00F9D701
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F9D70A
keybd_event.USER32(00000012,00000000), ref: 00F9D70F
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F9D719
keybd_event.USER32(00000012,00000000), ref: 00F9D71E
SetForegroundWindow.USER32(?), ref: 00F9D721
AttachThreadInput.USER32(?,?,00000000), ref: 00F9D748

Strings

Shell_TrayWnd, xrefs: 00F9D660

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 9335987c88ae100493d72fbf94da0bf7dcbe8d10115a1b3c5ddf8e1e2de6c334
Instruction ID: c72d12188103902e03062b5fcab0ed50331af52f3511769a2a20560a0a1d3552
Opcode Fuzzy Hash: 9335987c88ae100493d72fbf94da0bf7dcbe8d10115a1b3c5ddf8e1e2de6c334
Instruction Fuzzy Hash: 6B317271A4035CBBFF206BA19C89F7F7E6CEB44B60F204025FA04EA1D1C6B15900BAA1

Function 00FB8310 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00FB87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00FB882B
Part of subcall function 00FB87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00FB8858
Part of subcall function 00FB87E1: GetLastError.KERNEL32 ref: 00FB8865

_memset.LIBCMT ref: 00FB8353
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00FB83A5
CloseHandle.KERNEL32(?), ref: 00FB83B6
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00FB83CD
GetProcessWindowStation.USER32 ref: 00FB83E6
SetProcessWindowStation.USER32(00000000), ref: 00FB83F0
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00FB840A

Part of subcall function 00FB81CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00FB8309), ref: 00FB81E0
Part of subcall function 00FB81CB: CloseHandle.KERNEL32(?,?,00FB8309), ref: 00FB81F2

Strings

default, xrefs: 00FB8405
, xrefs: 00FB8362
winsta0, xrefs: 00FB83C8

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: ffdce192610b7395ab220f88e50a1db0f5ed49f07ace4b8fe6aed56550ad6ea4
Instruction ID: 523b4027cac8d616e4dc27764374379d494293c554c3d693733a48fdddd2c14a
Opcode Fuzzy Hash: ffdce192610b7395ab220f88e50a1db0f5ed49f07ace4b8fe6aed56550ad6ea4
Instruction Fuzzy Hash: D8816971C00249AFDF219FA5CC85AEE7BBCEF443A4F184169F910A6161DB358E16EF20

Function 00FCC75C Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00FCC78D
FindClose.KERNEL32(00000000), ref: 00FCC7E1
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00FCC806
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00FCC81D
FileTimeToSystemTime.KERNEL32(?,?), ref: 00FCC844
__swprintf.LIBCMT ref: 00FCC890
__swprintf.LIBCMT ref: 00FCC8D3

Part of subcall function 00F67DE1: _memmove.LIBCMT ref: 00F67E22

__swprintf.LIBCMT ref: 00FCC927

Part of subcall function 00F83698: __woutput_l.LIBCMT ref: 00F836F1

__swprintf.LIBCMT ref: 00FCC975

Part of subcall function 00F83698: __flsbuf.LIBCMT ref: 00F83713
Part of subcall function 00F83698: __flsbuf.LIBCMT ref: 00F8372B

__swprintf.LIBCMT ref: 00FCC9C4
__swprintf.LIBCMT ref: 00FCCA13
__swprintf.LIBCMT ref: 00FCCA62

Strings

%02d, xrefs: 00FCC91B, 00FCC925, 00FCC973, 00FCC9C2, 00FCCA11, 00FCCA60
%4d%02d%02d%02d%02d%02d, xrefs: 00FCC88A
%4d, xrefs: 00FCC8CD

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 4a1e527e5b943681be6d9e3eaca22f233fae1af42a98fb2e47ec75494820a908
Instruction ID: 7095d50d05e87b88bb1dba8412ca2065c90dd056e5b41d732a40060ddbbd0f9b
Opcode Fuzzy Hash: 4a1e527e5b943681be6d9e3eaca22f233fae1af42a98fb2e47ec75494820a908
Instruction Fuzzy Hash: 6FA11AB2408345ABC700EFA4CD96EAFB7ECEF94704F40091DF59586191EA79DA08DB62

Function 00FCEF95 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00FCEFB6
_wcscmp.LIBCMT ref: 00FCEFCB
_wcscmp.LIBCMT ref: 00FCEFE2
GetFileAttributesW.KERNEL32(?), ref: 00FCEFF4
SetFileAttributesW.KERNEL32(?,?), ref: 00FCF00E
FindNextFileW.KERNEL32(00000000,?), ref: 00FCF026
FindClose.KERNEL32(00000000), ref: 00FCF031
FindFirstFileW.KERNEL32(*.*,?), ref: 00FCF04D
_wcscmp.LIBCMT ref: 00FCF074
_wcscmp.LIBCMT ref: 00FCF08B
SetCurrentDirectoryW.KERNEL32(?), ref: 00FCF09D
SetCurrentDirectoryW.KERNEL32(01018920), ref: 00FCF0BB
FindNextFileW.KERNEL32(00000000,00000010), ref: 00FCF0C5
FindClose.KERNEL32(00000000), ref: 00FCF0D2
FindClose.KERNEL32(00000000), ref: 00FCF0E4

Strings

*.*, xrefs: 00FCF048

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: ed52662a84042494f030c0572e2a6e010ebc25ae9d2a6e8178a820806adb6034
Instruction ID: 09dd293ab8f1ac14593f774f43d47b2ed54c3dbd50dc902ae2a80b2d2dc49f16
Opcode Fuzzy Hash: ed52662a84042494f030c0572e2a6e010ebc25ae9d2a6e8178a820806adb6034
Instruction Fuzzy Hash: 2331073294024E7ACB149BA0DC4AFDEB7AE9F44720F14417AE800D60A1DB74DA48EB51

Function 00FE0857 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FE0953
RegCreateKeyExW.ADVAPI32(?,?,00000000,00FEF910,00000000,?,00000000,?,?), ref: 00FE09C1
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00FE0A09
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00FE0A92
RegCloseKey.ADVAPI32(?), ref: 00FE0DB2
RegCloseKey.ADVAPI32(00000000), ref: 00FE0DBF

Strings

REG_QWORD, xrefs: 00FE0D00
REG_DWORD, xrefs: 00FE0C83
REG_EXPAND_SZ, xrefs: 00FE0A2F
REG_SZ, xrefs: 00FE0AD0
REG_BINARY, xrefs: 00FE0D4D
REG_MULTI_SZ, xrefs: 00FE0B7A

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: d86972b7461a3f8856cd35919bd874d8870a782563e265562c87989b36fb90f4
Instruction ID: 51926ea151aef8b92bcfd904932a1b69f65417fc270a4e99e0c60f7761e6e770
Opcode Fuzzy Hash: d86972b7461a3f8856cd35919bd874d8870a782563e265562c87989b36fb90f4
Instruction Fuzzy Hash: 45027B756046419FCB14EF25C881E2AB7E5FF89324F04886DF8899B362CB74ED45EB81

Function 00FCF0F2 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00FCF113
_wcscmp.LIBCMT ref: 00FCF128
_wcscmp.LIBCMT ref: 00FCF13F

Part of subcall function 00FC4385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00FC43A0

FindNextFileW.KERNEL32(00000000,?), ref: 00FCF16E
FindClose.KERNEL32(00000000), ref: 00FCF179
FindFirstFileW.KERNEL32(*.*,?), ref: 00FCF195
_wcscmp.LIBCMT ref: 00FCF1BC
_wcscmp.LIBCMT ref: 00FCF1D3
SetCurrentDirectoryW.KERNEL32(?), ref: 00FCF1E5
SetCurrentDirectoryW.KERNEL32(01018920), ref: 00FCF203
FindNextFileW.KERNEL32(00000000,00000010), ref: 00FCF20D
FindClose.KERNEL32(00000000), ref: 00FCF21A
FindClose.KERNEL32(00000000), ref: 00FCF22C

Strings

*.*, xrefs: 00FCF190

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: a06a2d845bbc0adb286db559476056051d4b8d0dd74543bc719b2512abd7f975
Instruction ID: e4a8234ea819368521effd12128932e91b46c9df4b5986d1d5c919a3806d2307
Opcode Fuzzy Hash: a06a2d845bbc0adb286db559476056051d4b8d0dd74543bc719b2512abd7f975
Instruction Fuzzy Hash: 7631D53690025F7ACB10AB64EC5AFDEB7AE9F45370F14417AE800E60A0D734DF49EA54

Function 00FCA1EF Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00FCA20F
__swprintf.LIBCMT ref: 00FCA231
CreateDirectoryW.KERNEL32(?,00000000), ref: 00FCA26E
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00FCA293
_memset.LIBCMT ref: 00FCA2B2
_wcsncpy.LIBCMT ref: 00FCA2EE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00FCA323
CloseHandle.KERNEL32(00000000), ref: 00FCA32E
RemoveDirectoryW.KERNEL32(?), ref: 00FCA337
CloseHandle.KERNEL32(00000000), ref: 00FCA341

Strings

:, xrefs: 00FCA252
\??\%s, xrefs: 00FCA22B
\, xrefs: 00FCA247

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: bd0128006f19ea664be2118f4375cc8d603dbea8afd882c4eb930ab3d9ca25a2
Instruction ID: fede9f1c7231a72be88a3224612b494c2aca7ab483ca8a5cdc4f1ed92685bc9f
Opcode Fuzzy Hash: bd0128006f19ea664be2118f4375cc8d603dbea8afd882c4eb930ab3d9ca25a2
Instruction Fuzzy Hash: 7D31C37290015EABDB21DFA0DC89FEB37BCEF88714F1040BAF608D6160E775A6449B25

Function 00FB7CAF Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB8202: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00FB821E
Part of subcall function 00FB8202: GetLastError.KERNEL32(?,00FB7CE2,?,?,?), ref: 00FB8228
Part of subcall function 00FB8202: GetProcessHeap.KERNEL32(00000008,?,?,00FB7CE2,?,?,?), ref: 00FB8237
Part of subcall function 00FB8202: HeapAlloc.KERNEL32(00000000,?,00FB7CE2,?,?,?), ref: 00FB823E
Part of subcall function 00FB8202: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00FB8255

Part of subcall function 00FB829F: GetProcessHeap.KERNEL32(00000008,00FB7CF8,00000000,00000000,?,00FB7CF8,?), ref: 00FB82AB
Part of subcall function 00FB829F: HeapAlloc.KERNEL32(00000000,?,00FB7CF8,?), ref: 00FB82B2
Part of subcall function 00FB829F: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00FB7CF8,?), ref: 00FB82C3

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00FB7D13
_memset.LIBCMT ref: 00FB7D28
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00FB7D47
GetLengthSid.ADVAPI32(?), ref: 00FB7D58
GetAce.ADVAPI32(?,00000000,?), ref: 00FB7D95
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00FB7DB1
GetLengthSid.ADVAPI32(?), ref: 00FB7DCE
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00FB7DDD
HeapAlloc.KERNEL32(00000000), ref: 00FB7DE4
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00FB7E05
CopySid.ADVAPI32(00000000), ref: 00FB7E0C
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00FB7E3D
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00FB7E63
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00FB7E77

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 38abed0559d2b6879fa04c12376764018a6cdddd1cf7f711671313c8b1acea95
Instruction ID: a295caa797c97e9a0e9373f9ebc0fc8046e3fb00635bfbf6f0ed9e7fd125893b
Opcode Fuzzy Hash: 38abed0559d2b6879fa04c12376764018a6cdddd1cf7f711671313c8b1acea95
Instruction Fuzzy Hash: 93613B71904209AFDF00EFA5DC85AEEBB79FF44310F048169E915AA291DB35DA05EF60

Function 00F766E1 Relevance: 19.6, Strings: 15, Instructions: 889COMMON

Download Yara Rule

Strings

LIMIT_RECURSION=, xrefs: 00FB11FC
CR), xrefs: 00FB1287
UTF), xrefs: 00FB10FA
UTF16), xrefs: 00FB10CF
LIMIT_MATCH=, xrefs: 00FB1170
NO_AUTO_POSSESS), xrefs: 00FB112E
ANY), xrefs: 00FB12DE
UCP), xrefs: 00FB110D
BSR_ANYCRLF), xrefs: 00FB131E
LF), xrefs: 00FB12A4
CRLF), xrefs: 00FB12C1
BSR_UNICODE), xrefs: 00FB1338
-es, xrefs: 00FB1349
ANYCRLF), xrefs: 00FB12FB
NO_START_OPT), xrefs: 00FB114F

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID:
String ID: -es$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
API String ID: 0-1236126243
Opcode ID: 617230e08d8a0fd1d15127f991bd47679fe762356f0514a16fc84488ae271043
Instruction ID: 28e04363733e36f3219d3236f4c1a624f8a4c63ddd70cb94e0726a775875dbca
Opcode Fuzzy Hash: 617230e08d8a0fd1d15127f991bd47679fe762356f0514a16fc84488ae271043
Instruction Fuzzy Hash: 25727F75E00619CBDB25CF59C8907EEB7B5FF44320F54816AE849EB280EB349A41EF91

Function 00FC001C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00FC0097
SetKeyboardState.USER32(?), ref: 00FC0102
GetAsyncKeyState.USER32(000000A0), ref: 00FC0122
GetKeyState.USER32(000000A0), ref: 00FC0139
GetAsyncKeyState.USER32(000000A1), ref: 00FC0168
GetKeyState.USER32(000000A1), ref: 00FC0179
GetAsyncKeyState.USER32(00000011), ref: 00FC01A5
GetKeyState.USER32(00000011), ref: 00FC01B3
GetAsyncKeyState.USER32(00000012), ref: 00FC01DC
GetKeyState.USER32(00000012), ref: 00FC01EA
GetAsyncKeyState.USER32(0000005B), ref: 00FC0213
GetKeyState.USER32(0000005B), ref: 00FC0221

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: b28d26f15c7007a42e8688a8ad47a6c5f3585c4ce0c67912810498e52b521832
Instruction ID: fd2f02a34495472d86592098f6a15f077fac6f27e12d8533412e9001ccf5e08f
Opcode Fuzzy Hash: b28d26f15c7007a42e8688a8ad47a6c5f3585c4ce0c67912810498e52b521832
Instruction Fuzzy Hash: D6513C20D043CA99FB34DBA08A16FEAFFB49F01390F08459E95C1561C3DE649B8DE761

Function 00FE03DA Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FE0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FDFDAD,?,?), ref: 00FE0E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FE04AC

Part of subcall function 00F69837: __itow.LIBCMT ref: 00F69862
Part of subcall function 00F69837: __swprintf.LIBCMT ref: 00F698AC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00FE054B
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00FE05E3
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00FE0822
RegCloseKey.ADVAPI32(00000000), ref: 00FE082F

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 90905e87664b33f2c8411ce611e34368bd6837c72b3bfc1753f08913c8be5a25
Instruction ID: a657388b93570f71b1199e45137a22cd69c4caf6c397b5093b6f1830843b9399
Opcode Fuzzy Hash: 90905e87664b33f2c8411ce611e34368bd6837c72b3bfc1753f08913c8be5a25
Instruction Fuzzy Hash: 41E17E31604244AFCB14DF25CC91E2ABBE8EF89314F04856DF849DB262DA74ED45DF92

Function 00FD83BB Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00F69837: __itow.LIBCMT ref: 00F69862
Part of subcall function 00F69837: __swprintf.LIBCMT ref: 00F698AC

CoInitialize.OLE32 ref: 00FD8403
CoUninitialize.OLE32 ref: 00FD840E
CoCreateInstance.OLE32(?,00000000,00000017,00FF2BEC,?), ref: 00FD846E
IIDFromString.OLE32(?,?), ref: 00FD84E1
VariantInit.OLEAUT32(?), ref: 00FD857B
VariantClear.OLEAUT32(?), ref: 00FD85DC

Strings

Failed to create object, xrefs: 00FD8479, 00FD852F
Invalid parameter, xrefs: 00FD84FA
NULL Pointer assignment, xrefs: 00FD84B3

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 8375490115abc8232515e476ee21115ff02b2dc87dd84d0aece43daf6566f97a
Instruction ID: 99a7a699b2745c8108c74fec60c866ca13807c7ed1262b56582f2ed6ef041069
Opcode Fuzzy Hash: 8375490115abc8232515e476ee21115ff02b2dc87dd84d0aece43daf6566f97a
Instruction Fuzzy Hash: A361CD716083129FC700DF14D888F6AB7E9AF457A4F08441EF9819B391CB74ED49EB92

Function 00FD4164 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00FD418B
EmptyClipboard.USER32 ref: 00FD4191
GlobalAlloc.KERNEL32(00000002,?), ref: 00FD41A6
CloseClipboard.USER32 ref: 00FD4245

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 154945c0883a07523e5cc44a034a92840af19d5c52b7c864a33cabc898c18dab
Instruction ID: 720114ca092a261108942d2c5ee4067cc8845d12bb5583f37082a178e687aa2c
Opcode Fuzzy Hash: 154945c0883a07523e5cc44a034a92840af19d5c52b7c864a33cabc898c18dab
Instruction Fuzzy Hash: 9021E0756002149FDB11AF20EC49B6E7BA9FF45321F18802AF946DB3A1CB78BD00EB45

Function 00FC37EF Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F64750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F64743,?,?,00F637AE,?), ref: 00F64770

Part of subcall function 00FC4A31: GetFileAttributesW.KERNEL32(?,00FC370B), ref: 00FC4A32

FindFirstFileW.KERNEL32(?,?), ref: 00FC38A3
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00FC394B
MoveFileW.KERNEL32(?,?), ref: 00FC395E
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00FC397B
FindNextFileW.KERNEL32(00000000,00000010), ref: 00FC399D
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00FC39B9

Strings

\*.*, xrefs: 00FC384E, 00FC3857, 00FC386C

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 272ada67b0ae673b5ad322dec8efe12ff0beac4042288b7d298b1e52e896c61e
Instruction ID: cf9732f8bc595ee3231f326ff47550d336f7f93d7aebe87004423767f9d398ec
Opcode Fuzzy Hash: 272ada67b0ae673b5ad322dec8efe12ff0beac4042288b7d298b1e52e896c61e
Instruction Fuzzy Hash: 08519E3180414EAACF05FBA0DE92EEDB779AF10354F60406DE442B6191EB356F0DEB61

Function 00FCF3F3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00F67DE1: _memmove.LIBCMT ref: 00F67E22

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00FCF440
Sleep.KERNEL32(0000000A), ref: 00FCF470
_wcscmp.LIBCMT ref: 00FCF484
_wcscmp.LIBCMT ref: 00FCF49F
FindNextFileW.KERNEL32(?,?), ref: 00FCF53D
FindClose.KERNEL32(00000000), ref: 00FCF553

Strings

*.*, xrefs: 00FCF425

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: d5019a777864b2a55d4036c1c1005a37ab354759f5701c1eb32592abaec56ddb
Instruction ID: f4c593017b34f85e7b9063c4e661ce55627f574c9ae1a36061d6ff9fee98ee9a
Opcode Fuzzy Hash: d5019a777864b2a55d4036c1c1005a37ab354759f5701c1eb32592abaec56ddb
Instruction Fuzzy Hash: A1417B71C0020AABCF14EF64DD46BEEBBB5FF04320F14446AE815A6190DB349A48EB50

Function 00F75760 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F758A5
_memmove.LIBCMT ref: 00F758F5
_memmove.LIBCMT ref: 00F7595B

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 77284da69e8aebfbc6d41e734d72ef375a3617682d4d2c14c5f8e11a28cb2c76
Instruction ID: d8b5a974aeaacde01665b5e6100f92dec6c7e754970beed2bd225ef166ea9f11
Opcode Fuzzy Hash: 77284da69e8aebfbc6d41e734d72ef375a3617682d4d2c14c5f8e11a28cb2c76
Instruction Fuzzy Hash: 3912BC70A00609DFDF14DFA5C981AEEB7F5FF48310F10852AE44AE7250EB3AA915EB51

Function 00FC3B12 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F64750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F64743,?,?,00F637AE,?), ref: 00F64770

Part of subcall function 00FC4A31: GetFileAttributesW.KERNEL32(?,00FC370B), ref: 00FC4A32

FindFirstFileW.KERNEL32(?,?), ref: 00FC3B89
DeleteFileW.KERNEL32(?,?,?,?), ref: 00FC3BD9
FindNextFileW.KERNEL32(00000000,00000010), ref: 00FC3BEA
FindClose.KERNEL32(00000000), ref: 00FC3C01
FindClose.KERNEL32(00000000), ref: 00FC3C0A

Strings

\*.*, xrefs: 00FC3B5B

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: ece500014c63408c7439b230ecf654cd9ed4cb5c745de915a85c83fe70b9cd31
Instruction ID: 90c27a1573c9d2dec9bf1bbb50489fe1bc85fed5edf3fb5f5e5a1cd324db2b2c
Opcode Fuzzy Hash: ece500014c63408c7439b230ecf654cd9ed4cb5c745de915a85c83fe70b9cd31
Instruction Fuzzy Hash: F8317A314083859BC200FB24DD92DAFB7E8AE91314F408E2DF4D596191EB25EA0CEB63

Function 00FC51BD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00FB882B
Part of subcall function 00FB87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00FB8858
Part of subcall function 00FB87E1: GetLastError.KERNEL32 ref: 00FB8865

ExitWindowsEx.USER32(?,00000000), ref: 00FC51F9

Strings

SeShutdownPrivilege, xrefs: 00FC51C9
, xrefs: 00FC51E7
@, xrefs: 00FC51EC

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 54476756f9445eeda4ab4d9189b049fd9a2e3f51ae6a32a25e384a492da52c84
Instruction ID: fbb8ab92c0aeff1c3a58be987d748313a0382f800e9e6947e5e24ec1d33e1a7d
Opcode Fuzzy Hash: 54476756f9445eeda4ab4d9189b049fd9a2e3f51ae6a32a25e384a492da52c84
Instruction Fuzzy Hash: 67017B32B916172BF72822689D8BFFB72DCEB44B60F24042CF903E60D2DA503C80B590

Function 00FD6283 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00FD62DC
WSAGetLastError.WSOCK32(00000000), ref: 00FD62EB
bind.WSOCK32(00000000,?,00000010), ref: 00FD6307
listen.WSOCK32(00000000,00000005), ref: 00FD6316
WSAGetLastError.WSOCK32(00000000), ref: 00FD6330
closesocket.WSOCK32(00000000,00000000), ref: 00FD6344

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 2776750eef2df96a5a1857e4df649747aebf5328687867c85bb83bcf705071a1
Instruction ID: 5bfc66bf6be785a273b05eb26b80dfecfe8168f7b1790d754f83b22a8a624912
Opcode Fuzzy Hash: 2776750eef2df96a5a1857e4df649747aebf5328687867c85bb83bcf705071a1
Instruction Fuzzy Hash: 9221AD716002049FCB10EF64CC85B6EB7BAEF48724F18816AE816EB3D1CB74AD05EB51

Function 00F75520 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00F80DB6: std::exception::exception.LIBCMT ref: 00F80DEC
Part of subcall function 00F80DB6: __CxxThrowException@8.LIBCMT ref: 00F80E01

_memmove.LIBCMT ref: 00FB0258
_memmove.LIBCMT ref: 00FB036D
_memmove.LIBCMT ref: 00FB0414

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: 56f3cce3c59c18a7d1837721a41b82c1bfe3ef3d3573d03845919fd6840bf9cd
Instruction ID: 0c9035d53d45184ef5f91d2ff6a1efce01ba52b68c82c5292f39d9e2953148e7
Opcode Fuzzy Hash: 56f3cce3c59c18a7d1837721a41b82c1bfe3ef3d3573d03845919fd6840bf9cd
Instruction Fuzzy Hash: CF02EFB1E00209DBCF04DF65D981AAEBBF5EF44310F548069E80ADB255EF39D914EB91

Function 00F61287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00F62612: GetWindowLongW.USER32(?,000000EB), ref: 00F62623

DefDlgProcW.USER32(?,?,?,?,?), ref: 00F619FA
GetSysColor.USER32(0000000F), ref: 00F61A4E
SetBkColor.GDI32(?,00000000), ref: 00F61A61

Part of subcall function 00F61290: DefDlgProcW.USER32(?,00000020,?), ref: 00F612D8

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 5caa756e787915896a4272ea6a7e9b041595a9e8b3e10a00d6b1b640023d3adb
Instruction ID: 4dcb173bd2586ada156c5e39da2faee8e43a707716f9394e3c1967486968293f
Opcode Fuzzy Hash: 5caa756e787915896a4272ea6a7e9b041595a9e8b3e10a00d6b1b640023d3adb
Instruction Fuzzy Hash: 03A16A72512589BEFB38AE699D48FBF355CFB42366B2C0119F402D6182CA2D8D01F3B5

Function 00FCBCBC Relevance: 7.6, APIs: 5, Instructions: 143fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00FCBCE6
_wcscmp.LIBCMT ref: 00FCBD16
_wcscmp.LIBCMT ref: 00FCBD2B
FindNextFileW.KERNEL32(00000000,?), ref: 00FCBD3C
FindClose.KERNEL32(00000000,00000001,00000000), ref: 00FCBD6C

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: 9a48dd8dd1e222f710213beaa3d64cb76953985a7a1dc9ddde4311e2b9e72e38
Instruction ID: 19c5d9a6a75bae5874ee82f9525b6d70120b57ace56431d08ce94caf3b3001cd
Opcode Fuzzy Hash: 9a48dd8dd1e222f710213beaa3d64cb76953985a7a1dc9ddde4311e2b9e72e38
Instruction Fuzzy Hash: 4951AC79A047029FC714DF68C992E9AB3E8EF49320F04461DE9568B3A1DB34ED04EB91

Function 00FD6747 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD7D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00FD7DB6

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00FD679E
WSAGetLastError.WSOCK32(00000000), ref: 00FD67C7
bind.WSOCK32(00000000,?,00000010), ref: 00FD6800
WSAGetLastError.WSOCK32(00000000), ref: 00FD680D
closesocket.WSOCK32(00000000,00000000), ref: 00FD6821

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: d807b996a391617d07e92bbd8f51d8f5879530b248dbff52048243d22f5ab25d
Instruction ID: c764c8c9247de3975e3eab69a6b513fd7ac90720408cfd6fe6c593188440aa2f
Opcode Fuzzy Hash: d807b996a391617d07e92bbd8f51d8f5879530b248dbff52048243d22f5ab25d
Instruction Fuzzy Hash: 24411575A00214AFDB10BF648C82F7E77E9DF08754F48815CF905AB3C2CA789D00AB91

Function 00FE5376 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00FE53C5
IsWindowEnabled.USER32 ref: 00FE53D3
GetForegroundWindow.USER32(?,?,00000001), ref: 00FE53E0
IsIconic.USER32 ref: 00FE53EE
IsZoomed.USER32 ref: 00FE53FC

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 3bb9dd2eff2f30ad7fe3e91d7491e0be4e60b0daf7f49e4d48b53283bae9c166
Instruction ID: 94e77e1d985fd537dfba0f8fa1b61e4fb6b546c17c0a47e8351f8e803e9b3bee
Opcode Fuzzy Hash: 3bb9dd2eff2f30ad7fe3e91d7491e0be4e60b0daf7f49e4d48b53283bae9c166
Instruction Fuzzy Hash: 16110431700A946FDB206F27DC84A6E7B9EFF44BA5B444438F845D7241CBB4DC01AAA0

Function 00FB80A9 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00FB80C0
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00FB80CA
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00FB80D9
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00FB80E0
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00FB80F6

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: c9cc3152272c5ad85fff026791bd42ac38b052c071fbf8f00c031c4843c3583e
Instruction ID: 43bdb8a8d6b043682635f5006ea327e2daa1ec9a97e280c2e2c7643a93f9ef40
Opcode Fuzzy Hash: c9cc3152272c5ad85fff026791bd42ac38b052c071fbf8f00c031c4843c3583e
Instruction Fuzzy Hash: CAF06831241248AFD7104F65DCCDEA73BACEF857A5B000025F545C6150CB619D46EE60

Function 00F64B37 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00F64AD0), ref: 00F64B45
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00F64B57

Strings

GetNativeSystemInfo, xrefs: 00F64B51
kernel32.dll, xrefs: 00F64B40

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 6f8ad40b895cffcbc8186f7136666c02f44eac057198c77cb66d51767cff99d8
Instruction ID: 3ff6288327a982d663e3f4d6d71d4a2c919915f15cfe60be31143f3be45e800c
Opcode Fuzzy Hash: 6f8ad40b895cffcbc8186f7136666c02f44eac057198c77cb66d51767cff99d8
Instruction Fuzzy Hash: 06D0C230E0071BCFC7209F32D858B0272D4AF81350B10C83E9481CA150D674E484E614

Function 00F73030 Relevance: 6.6, APIs: 4, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: ccbdc8137f339876441099abc59106265a675f92052ec469fc3a08e5cfd47781
Instruction ID: 30609682a3607d519ee611bc90d640bd9c2186be3dcb54120dfc68b923eedbea
Opcode Fuzzy Hash: ccbdc8137f339876441099abc59106265a675f92052ec469fc3a08e5cfd47781
Instruction Fuzzy Hash: F422AFB1608300AFC724DF24C891BAEB7E4EF85714F04891DF49A97291DB75E904EB93

Function 00FDEE0D Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00FDEE3D
Process32FirstW.KERNEL32(00000000,?), ref: 00FDEE4B

Part of subcall function 00F67DE1: _memmove.LIBCMT ref: 00F67E22

Process32NextW.KERNEL32(00000000,?), ref: 00FDEF0B
CloseHandle.KERNEL32(00000000,?,?,?), ref: 00FDEF1A

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 7c5b4c77665b52e2d2ff6338e6dd118e3107e8b90badbb0f0e5ea939f255a476
Instruction ID: 3cfad35ad0774ce2cdcbd02ce54f6c3c729f64a9db62ba00e87afeadfa4054f9
Opcode Fuzzy Hash: 7c5b4c77665b52e2d2ff6338e6dd118e3107e8b90badbb0f0e5ea939f255a476
Instruction Fuzzy Hash: 3351BE71508305AFD320EF20CC81E6BB7E8EF94750F44482DF495972A1EB74E908DB92

Function 00FBE616 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00FBE628

Strings

|, xrefs: 00FBE658
(, xrefs: 00FBE66E

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 3142b15b3090c485b71d8d78dbd67f49f1e52d10be52059f2e4a22c2022b9dde
Instruction ID: f6d57b272b225bebd987a52d34212ad86cd8cccf154d02b83f10ee2eb8927bec
Opcode Fuzzy Hash: 3142b15b3090c485b71d8d78dbd67f49f1e52d10be52059f2e4a22c2022b9dde
Instruction Fuzzy Hash: B3321575A007059FD728DF19C481AAAB7F1FF48320B15C56EE89ADB3A1DB70A941DB40

Function 00FD22EE Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00FD180A,00000000), ref: 00FD23E1
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00FD2418

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 5721799ebf3f9fa48599ca63d181d1948f8be211246c338c018ea3d3ba67a5b9
Instruction ID: 09073363afd9a474c89ac318c03ee4ad5621e0e88385c90f05aaad9a0bf23be6
Opcode Fuzzy Hash: 5721799ebf3f9fa48599ca63d181d1948f8be211246c338c018ea3d3ba67a5b9
Instruction Fuzzy Hash: 3C41F772904209BFEB50DE95DC81FBB77AEEB50324F14402BFA01A6341DA759E41B690

Function 00FCB3FB Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00FCB40B
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00FCB465
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00FCB4B2

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: de0d60bf067f089800338fed7f00cd91d0ee2eed392f844c0707f9c62ae78a6f
Instruction ID: a7a5b826755623f571eafb84d29f8b0be70c79559f27e623670125c20d750d0c
Opcode Fuzzy Hash: de0d60bf067f089800338fed7f00cd91d0ee2eed392f844c0707f9c62ae78a6f
Instruction Fuzzy Hash: BC215C75A00508EFCB00EFA5DC81EEDBBB8FF49314F1480AAE905AB351CB359919DB51

Function 00FB87E1 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00F80DB6: std::exception::exception.LIBCMT ref: 00F80DEC
Part of subcall function 00F80DB6: __CxxThrowException@8.LIBCMT ref: 00F80E01

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00FB882B
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00FB8858
GetLastError.KERNEL32 ref: 00FB8865

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 2ff916d8594094bf3472155d6cf7f21cd589316a58dc52fbee787870950b7639
Instruction ID: d4b481109408d804a21c749fdaad470f1cc7269749f891efd3c085d5a7c3f9b9
Opcode Fuzzy Hash: 2ff916d8594094bf3472155d6cf7f21cd589316a58dc52fbee787870950b7639
Instruction Fuzzy Hash: AA119DB2804204AFE718EFA4DC85DABB7ADEB44310B60852EF45587211EE30EC05DB60

Function 00FB874B Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00FB8774
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00FB878B
FreeSid.ADVAPI32(?), ref: 00FB879B

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 265d16e9b530394c5b0c397475a62fcd810e36aedf87e1a4e203c86aa5fbd386
Instruction ID: 26ada9af785cb08f6b889ab296a41cfc666e5ebdd384bae9019da47d5c7366bd
Opcode Fuzzy Hash: 265d16e9b530394c5b0c397475a62fcd810e36aedf87e1a4e203c86aa5fbd386
Instruction Fuzzy Hash: 10F04975A1130CBFDF00DFF4DC89AAEBBBCEF08311F1044A9AA01E6181E6716A089B50

Function 00FC4C7F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 00FC4CB3

Strings

DOWN, xrefs: 00FC4C98

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: mouse_event
String ID: DOWN
API String ID: 2434400541-711622031
Opcode ID: 10c468c0ca6c47c38b47dbcef3d54fa58aa7635a9a41f3dd4d1bc046baa333f1
Instruction ID: 08d11afbbf81c81c884c6f51eccf879dd65ff24261246ec68fcdf4d37c5713a7
Opcode Fuzzy Hash: 10c468c0ca6c47c38b47dbcef3d54fa58aa7635a9a41f3dd4d1bc046baa333f1
Instruction Fuzzy Hash: 28E0867219D7223CF9442519BD13FF7234C8B22731720014AF850D94E1DE583D8235BC

Function 00FCC6D1 Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00FCC6FB
FindClose.KERNEL32(00000000), ref: 00FCC72B

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 734dd73711b65066abbdc81e59edb1c9d1e0985947281b2577dacd60d09f6953
Instruction ID: f5aee152a457b0266415acded0045bd686c80ef2459dcd5d5fef79f80e477886
Opcode Fuzzy Hash: 734dd73711b65066abbdc81e59edb1c9d1e0985947281b2577dacd60d09f6953
Instruction Fuzzy Hash: A2118E726042049FDB10EF29CC85A2AF7E9EF85324F04851DF9A9CB290DB74AC05DF81

Function 00FCA06A Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00FD9468,?,00FEFB84,?), ref: 00FCA097
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00FD9468,?,00FEFB84,?), ref: 00FCA0A9

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 730622bc0af1e5c795614699753a120994f9803e7ce8c3b4f9b378bcaeb20360
Instruction ID: 8008192eb7774dd86bf8351ddee5624264892d14648b99da71cb451ce8002144
Opcode Fuzzy Hash: 730622bc0af1e5c795614699753a120994f9803e7ce8c3b4f9b378bcaeb20360
Instruction Fuzzy Hash: CEF0A73654522EBBDB21AFA4CC89FEA776CFF08361F004169F909D7181D730A944DBA1

Function 00FB81CB Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00FB8309), ref: 00FB81E0
CloseHandle.KERNEL32(?,?,00FB8309), ref: 00FB81F2

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 3a2b3a359bad5395b69f90995e8cd368fbb33d725510983c2d98665dcb8e07da
Instruction ID: 69408130d04a04dadc4daf182db4f44c6b030942b2d4422938661938606881f0
Opcode Fuzzy Hash: 3a2b3a359bad5395b69f90995e8cd368fbb33d725510983c2d98665dcb8e07da
Instruction Fuzzy Hash: 37E08C32001611AFE7212B20EC08DB37BEEEF00320710882DF8A684470CB22AC95EB10

Function 00F8A155 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00F88D57,?,?,?,00000001), ref: 00F8A15A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00F8A163

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: e1e424527fe294bf58993d0f3adb69629a8b5108bba17c53306d9f08c63e0131
Instruction ID: ea93c70c0d5995f0cad53e68cceeb9a7bbc6a47ad8b29831b838b4327625bd66
Opcode Fuzzy Hash: e1e424527fe294bf58993d0f3adb69629a8b5108bba17c53306d9f08c63e0131
Instruction Fuzzy Hash: 41B0923105424CAFCA002B91EC49B883F68EB44AA2F404020F60D88474CB625554AA91

Function 00F6E6A0 Relevance: 2.4, Strings: 1, Instructions: 1102COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00FA3E62

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 0aa700a40d9d7cdb37afdb8785a48d78d2d9ea14825bb650652260d929ef5e46
Instruction ID: 7c4bbcc6da34f63cc5830251345e9490084f82606988fcc526ba6fd28d309cab
Opcode Fuzzy Hash: 0aa700a40d9d7cdb37afdb8785a48d78d2d9ea14825bb650652260d929ef5e46
Instruction Fuzzy Hash: 48A29E7AE00215CFCB24CF98C480AAEB7B2FF59324F248059E855AB341D775ED46EB90

Function 00F8F1D9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c2ad69c5bb21c585423ab2a96f66e229a9fd5772d8362836de2907ec5519710
Instruction ID: 2a52168b04e4eb745af653bfc3e94e01f4cf2a14b56dfb6d13a567d0dcd4a69f
Opcode Fuzzy Hash: 1c2ad69c5bb21c585423ab2a96f66e229a9fd5772d8362836de2907ec5519710
Instruction Fuzzy Hash: 6032F621D29F454DD723A634DC72336A24DAFB73D4F15D737E81AB59A9EB28C483A200

Function 00F9242E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecdedd649629bccec2d3448b39a2bf2558d3ec9074e7a9ace37925d20803e522
Instruction ID: d4a95deb2d3f17f2b250850b4e900695803c4e15f3e4bedda655371228996e25
Opcode Fuzzy Hash: ecdedd649629bccec2d3448b39a2bf2558d3ec9074e7a9ace37925d20803e522
Instruction Fuzzy Hash: 6AB1F160D2AF454DD72397398871336B65CAFBB2C5F52D71BFC2A70D22EB228583A141

Function 00FC8889 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00FC889B

Part of subcall function 00F8520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00FC8F6E,00000000,?,?,?,?,00FC911F,00000000,?), ref: 00F85213
Part of subcall function 00F8520A: __aulldiv.LIBCMT ref: 00F85233

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: 88c2c8ffdd3b52b73d02b4621601e1a5aba624d4c258a61006553c41533cdd4f
Instruction ID: 36f85898e4c57eea3fdba89840809571c50f2de96ce2ccea12306ebf15e675ae
Opcode Fuzzy Hash: 88c2c8ffdd3b52b73d02b4621601e1a5aba624d4c258a61006553c41533cdd4f
Instruction Fuzzy Hash: 3821B432A355218BC729CF25D441B52B3E1EFA5321F688E6CD4F5CB2C0CA39B905DB54

Function 00FB87B1 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00FB8389), ref: 00FB87D1

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 9c85d6578cd1bdd33f1b67365867ae4bc1656697d7764954665494b697128e72
Instruction ID: 7391776a51f09323181cb5a69d38d24164bd75897e0a2f4c04b1841ffc5cca8d
Opcode Fuzzy Hash: 9c85d6578cd1bdd33f1b67365867ae4bc1656697d7764954665494b697128e72
Instruction Fuzzy Hash: FAD05E3226050EABEF018EA4DC01EAE3B69EB04B01F408111FE15C50A1C775D835AB60

Function 00F8A124 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00F8A12A

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 8ad0afc299c20166fef98dabd9a19f45a63aeedf8aa78721750f758c07e9a43e
Instruction ID: 99a35fbfdbbbc54432f9fc16fc11a5b48b001e8d42552d7defeff3dc5d13647f
Opcode Fuzzy Hash: 8ad0afc299c20166fef98dabd9a19f45a63aeedf8aa78721750f758c07e9a43e
Instruction Fuzzy Hash: 4CA0223000020CFFCF002F82FC08888BFACEB002E0B008030F80C88032CB33A820AAC0

Function 00F78808 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 234a74d94bef03caa4ebc0d66d8d99b36f2af0750bfc0c0e9b874abb2313a082
Instruction ID: 21b20399950e26b6952e4ec16dd393ccf12c5a54ddbbabf7e97fb2aa4c1d5de7
Opcode Fuzzy Hash: 234a74d94bef03caa4ebc0d66d8d99b36f2af0750bfc0c0e9b874abb2313a082
Instruction Fuzzy Hash: 66224731D481469BDF388A19C4987BC77B1BB417A4F28C02BD54ACB592DB789C82FB43

Function 00F821C5 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: d2481929ae5b53d8ae4dd880d72633d1a81d73d0e4caf7d4be561b7f22d89722
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: E7C1C6336050930ADF6DA73984341BEFAA16EA27B131A476DD4B3CF1D5EE20D925E720

Function 00F825FA Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 8cc5e9d8408bb76da8ba25c7ad0c8eacede3a3c8dd5f05b05bc688e1e14f00cb
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: B0C193336051930ADF6D663AC4341BEBAA16EA27B131A076DD4B3DB1D4EE20D925F720

Function 00F81978 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 74cbaef21aa79415181c2c5368e0a237d64b385852725e9f555b349e9407a012
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 40C1833370519309DF2D5639C4742BEBAA96EA27B131A476DD4B3CB1C4EE20C966E720

Function 00FD7806 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00FD785B
DeleteObject.GDI32(00000000), ref: 00FD786D
DestroyWindow.USER32 ref: 00FD787B
GetDesktopWindow.USER32 ref: 00FD7895
GetWindowRect.USER32(00000000), ref: 00FD789C
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00FD79DD
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00FD79ED
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FD7A35
GetClientRect.USER32(00000000,?), ref: 00FD7A41
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00FD7A7B
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FD7A9D
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FD7AB0
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FD7ABB
GlobalLock.KERNEL32(00000000), ref: 00FD7AC4
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FD7AD3
GlobalUnlock.KERNEL32(00000000), ref: 00FD7ADC
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FD7AE3
GlobalFree.KERNEL32(00000000), ref: 00FD7AEE
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FD7B00
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00FF2CAC,00000000), ref: 00FD7B16
GlobalFree.KERNEL32(00000000), ref: 00FD7B26
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00FD7B4C
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00FD7B6B
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FD7B8D
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FD7D7A

Strings

DISPLAY, xrefs: 00FD7BDD
, xrefs: 00FD7D00
static, xrefs: 00FD7A75, 00FD7BCC
AutoIt v3, xrefs: 00FD7A2D

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 4328c6bdd97cc9e2e81a6d3ccd286d5d98c67fdf06ca2dac7691c84f2878c025
Instruction ID: 96329db7a35f1bd7d0ff0dc964d19624ca311699a2d777c0e622cff1871ebc40
Opcode Fuzzy Hash: 4328c6bdd97cc9e2e81a6d3ccd286d5d98c67fdf06ca2dac7691c84f2878c025
Instruction Fuzzy Hash: 30029B71900219EFDB14DFA4CC89EAE7BBAEF49310F148159F905AB3A0D774AD05EB60

Function 00FE356B Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,00FEF910), ref: 00FE3627
IsWindowVisible.USER32(?), ref: 00FE364B

Strings

SETCURRENTSELECTION, xrefs: 00FE37B6
ISVISIBLE, xrefs: 00FE3637
CHECK, xrefs: 00FE386D
GETSELECTED, xrefs: 00FE38A3
GETCURRENTSELECTION, xrefs: 00FE37E3
TABRIGHT, xrefs: 00FE369D
GETCURRENTCOL, xrefs: 00FE3928
UNCHECK, xrefs: 00FE3883
SELECTSTRING, xrefs: 00FE3806
DELSTRING, xrefs: 00FE3749
GETLINE, xrefs: 00FE399B
TABLEFT, xrefs: 00FE3687
ISENABLED, xrefs: 00FE366B
SHOWDROPDOWN, xrefs: 00FE36E0
ADDSTRING, xrefs: 00FE3716
GETLINECOUNT, xrefs: 00FE38C6
CURRENTTAB, xrefs: 00FE36BD
HIDEDROPDOWN, xrefs: 00FE3700
SENDCOMMANDID, xrefs: 00FE39DA
ISCHECKED, xrefs: 00FE3839
EDITPASTE, xrefs: 00FE395F
GETCURRENTLINE, xrefs: 00FE38ED
FINDSTRING, xrefs: 00FE3776

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 881d935c1ae2c01d89eb42522fec4430b997abeeb0190362cbcc9692725c623d
Instruction ID: 11184f208777778c1eb7655b464d53532471158e5d7effa8c7e9449e7fa7b0fa
Opcode Fuzzy Hash: 881d935c1ae2c01d89eb42522fec4430b997abeeb0190362cbcc9692725c623d
Instruction Fuzzy Hash: A7D1C3752083419BCA04FF11C85AAAE77E6AF94354F454458F8825B3A3CF39EE4AEB41

Function 00FEA5DA Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00FEA630
GetSysColorBrush.USER32(0000000F), ref: 00FEA661
GetSysColor.USER32(0000000F), ref: 00FEA66D
SetBkColor.GDI32(?,000000FF), ref: 00FEA687
SelectObject.GDI32(?,00000000), ref: 00FEA696
InflateRect.USER32(?,000000FF,000000FF), ref: 00FEA6C1
GetSysColor.USER32(00000010), ref: 00FEA6C9
CreateSolidBrush.GDI32(00000000), ref: 00FEA6D0
FrameRect.USER32(?,?,00000000), ref: 00FEA6DF
DeleteObject.GDI32(00000000), ref: 00FEA6E6
InflateRect.USER32(?,000000FE,000000FE), ref: 00FEA731
FillRect.USER32(?,?,00000000), ref: 00FEA763
GetWindowLongW.USER32(?,000000F0), ref: 00FEA78E

Part of subcall function 00FEA8CA: GetSysColor.USER32(00000012), ref: 00FEA903
Part of subcall function 00FEA8CA: SetTextColor.GDI32(?,?), ref: 00FEA907
Part of subcall function 00FEA8CA: GetSysColorBrush.USER32(0000000F), ref: 00FEA91D
Part of subcall function 00FEA8CA: GetSysColor.USER32(0000000F), ref: 00FEA928
Part of subcall function 00FEA8CA: GetSysColor.USER32(00000011), ref: 00FEA945
Part of subcall function 00FEA8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00FEA953
Part of subcall function 00FEA8CA: SelectObject.GDI32(?,00000000), ref: 00FEA964
Part of subcall function 00FEA8CA: SetBkColor.GDI32(?,00000000), ref: 00FEA96D
Part of subcall function 00FEA8CA: SelectObject.GDI32(?,?), ref: 00FEA97A
Part of subcall function 00FEA8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 00FEA999
Part of subcall function 00FEA8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00FEA9B0
Part of subcall function 00FEA8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 00FEA9C5
Part of subcall function 00FEA8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00FEA9ED

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: b186b6ec772a0f0311ee1d6e2f94ef01ac12d1a92420ddfe2741172d11382b56
Instruction ID: 021487adda421e7feb351f7bfdca554d54c0f5402b6e65021f6982fb76d73fc3
Opcode Fuzzy Hash: b186b6ec772a0f0311ee1d6e2f94ef01ac12d1a92420ddfe2741172d11382b56
Instruction Fuzzy Hash: 9F919072408349EFD7109F64DC48A5B7BB9FF89331F140A29F562DA1A0D734E948EB52

Function 00F62C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00F62CA2
DeleteObject.GDI32(00000000), ref: 00F62CE8
DeleteObject.GDI32(00000000), ref: 00F62CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 00F62CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00F62D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 00F9C43B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00F9C474
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00F9C89D

Part of subcall function 00F61B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00F62036,?,00000000,?,?,?,?,00F616CB,00000000,?), ref: 00F61B9A

SendMessageW.USER32(?,00001053), ref: 00F9C8DA
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00F9C8F1
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00F9C907
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00F9C912

Strings

0, xrefs: 00F9C731

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: ede82d616a2d8531d11ef8e1d6ec8dedde06a9d3dc6b1836d2253a29c904fd68
Instruction ID: 77dd2634718fec17d01dada4797fe64c76ff1d4a21c668bb0d2b611cc872e23c
Opcode Fuzzy Hash: ede82d616a2d8531d11ef8e1d6ec8dedde06a9d3dc6b1836d2253a29c904fd68
Instruction Fuzzy Hash: 9A129F30A00641EFEF55CF24C884BA9BBE1FF44320F584569F999CB262C731E846EB91

Function 00FD74AB Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00FD74DE
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00FD759D
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00FD75DB
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00FD75ED
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00FD7633
GetClientRect.USER32(00000000,?), ref: 00FD763F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00FD7683
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00FD7692
GetStockObject.GDI32(00000011), ref: 00FD76A2
SelectObject.GDI32(00000000,00000000), ref: 00FD76A6
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00FD76B6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00FD76BF
DeleteDC.GDI32(00000000), ref: 00FD76C8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00FD76F4
SendMessageW.USER32(00000030,00000000,00000001), ref: 00FD770B
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00FD7746
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00FD775A
SendMessageW.USER32(00000404,00000001,00000000), ref: 00FD776B
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00FD779B
GetStockObject.GDI32(00000011), ref: 00FD77A6
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00FD77B1
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00FD77BB

Strings

DISPLAY, xrefs: 00FD7688
msctls_progress32, xrefs: 00FD773C
static, xrefs: 00FD767D, 00FD7795
AutoIt v3, xrefs: 00FD762B

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 806b9fa90fe9c9742ab6b529b16217f44c1f8131f3a617ff02998b4669325722
Instruction ID: ea4f2853ba616cd46e2d0224b1451a1bb982a5c9e27d6c27b59f5761dcb08bb7
Opcode Fuzzy Hash: 806b9fa90fe9c9742ab6b529b16217f44c1f8131f3a617ff02998b4669325722
Instruction Fuzzy Hash: 0DA1B271A00219BFEB20DFA4DC4AFAE7BB9EB45710F148115FA14AB2E0D774AD04DB64

Function 00FCAD10 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00FCAD1E
GetDriveTypeW.KERNEL32(?,00FEFAC0,?,\\.\,00FEF910), ref: 00FCADFB
SetErrorMode.KERNEL32(00000000,00FEFAC0,?,\\.\,00FEF910), ref: 00FCAF59

Strings

MMC, xrefs: 00FCAF1A
Removable, xrefs: 00FCAE4D
Fibre, xrefs: 00FCAEE9
\\.\, xrefs: 00FCAD70
RAID, xrefs: 00FCAEF7
USB, xrefs: 00FCAEF0
ATAPI, xrefs: 00FCAECD
SATA, xrefs: 00FCAF0C
Virtual, xrefs: 00FCAF21
Fixed, xrefs: 00FCAE43
Network, xrefs: 00FCAE39
SSA, xrefs: 00FCAEE2
PhysicalDrive, xrefs: 00FCADA7
SSD, xrefs: 00FCAE86
ATA, xrefs: 00FCAED4
SCSI, xrefs: 00FCAEC6
1394, xrefs: 00FCAEDB
SAS, xrefs: 00FCAF05
FileBackedVirtual, xrefs: 00FCAF28
iSCSI, xrefs: 00FCAEFE
CDROM, xrefs: 00FCAE2F
RAMDisk, xrefs: 00FCAE25
Unknown, xrefs: 00FCAE1B, 00FCAEBF

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: d431a24fc40c6b981b6f9542d7cb2f0c3d7404085e613de2993705bbf993fa4f
Instruction ID: 7708c122250d7a6ebbd92cff0428cc916c1dc8a718c354419f0070f1c35c019a
Opcode Fuzzy Hash: d431a24fc40c6b981b6f9542d7cb2f0c3d7404085e613de2993705bbf993fa4f
Instruction Fuzzy Hash: 5C51C6B1A4420E9B8B00DB11CF83FBD7360EB48718760855EE447AB155C679BE01FB53

Function 00F668DC Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00F66931
__wcsnicmp.LIBCMT ref: 00F66949
__wcsnicmp.LIBCMT ref: 00F66961
__wcsnicmp.LIBCMT ref: 00F66979
__wcsnicmp.LIBCMT ref: 00F66991
__wcsnicmp.LIBCMT ref: 00F669A9
__wcsnicmp.LIBCMT ref: 00F669C1
__wcsnicmp.LIBCMT ref: 00F669D5
__wcsnicmp.LIBCMT ref: 00F66A16
__wcsnicmp.LIBCMT ref: 00F66A2A
__wcsnicmp.LIBCMT ref: 00F66A3E
__wcsnicmp.LIBCMT ref: 00F66A52

Strings

#OnAutoItStartRegister, xrefs: 00F66973
#comments-start, xrefs: 00F669BB, 00F66A10
Cannot parse #include, xrefs: 00F9E3F0
#ce, xrefs: 00F66A4C
#include, xrefs: 00F669A3
#requireadmin, xrefs: 00F6695B
#notrayicon, xrefs: 00F66943
#cs, xrefs: 00F669CF, 00F66A24
#comments-end, xrefs: 00F66A38
#include-once, xrefs: 00F6698B
Unterminated group of comments, xrefs: 00F9E403
#pragma compile, xrefs: 00F6692B
Bad directive syntax error, xrefs: 00F9E31A

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 3623827a9d528e106acb5c8c7d73a33a45a503af93fa5cf8576362822a79b480
Instruction ID: 221c4bf77953ad1b28bc1ca3c9bb1b0a95b04bc1de96f6ba59f994fa5f87eab0
Opcode Fuzzy Hash: 3623827a9d528e106acb5c8c7d73a33a45a503af93fa5cf8576362822a79b480
Instruction Fuzzy Hash: AA81E4B1A40205ABDF20FF61DC42FBF3B68AF15710F044029FD05EA196EB69DA45F6A1

Function 00FE9A1C Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 455windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00FE9AD2
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00FE9B8B
SendMessageW.USER32(?,00001102,00000002,?), ref: 00FE9BA7

Strings

0, xrefs: 00FE9BE4

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: 4f38e9e0569986e8fe3dbb68d4ee9df2467fbfa27714acd6cd4a7055fb15d56a
Instruction ID: 0c61d5a46f1a3d1a846a418ae34ac54d5831db053cb553580f9e2b25e390ac78
Opcode Fuzzy Hash: 4f38e9e0569986e8fe3dbb68d4ee9df2467fbfa27714acd6cd4a7055fb15d56a
Instruction Fuzzy Hash: CB020230508381AFD725CF16CC89BAABBE5FF48320F04852DF995D62A1C7B5D944EB62

Function 00FEA8CA Relevance: 39.2, APIs: 26, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00FEA903
SetTextColor.GDI32(?,?), ref: 00FEA907
GetSysColorBrush.USER32(0000000F), ref: 00FEA91D
GetSysColor.USER32(0000000F), ref: 00FEA928
CreateSolidBrush.GDI32(?), ref: 00FEA92D
GetSysColor.USER32(00000011), ref: 00FEA945
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00FEA953
SelectObject.GDI32(?,00000000), ref: 00FEA964
SetBkColor.GDI32(?,00000000), ref: 00FEA96D
SelectObject.GDI32(?,?), ref: 00FEA97A
InflateRect.USER32(?,000000FF,000000FF), ref: 00FEA999
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00FEA9B0
GetWindowLongW.USER32(00000000,000000F0), ref: 00FEA9C5
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00FEA9ED
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00FEAA14
InflateRect.USER32(?,000000FD,000000FD), ref: 00FEAA32
DrawFocusRect.USER32(?,?), ref: 00FEAA3D
GetSysColor.USER32(00000011), ref: 00FEAA4B
SetTextColor.GDI32(?,00000000), ref: 00FEAA53
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00FEAA67
SelectObject.GDI32(?,00FEA5FA), ref: 00FEAA7E
DeleteObject.GDI32(?), ref: 00FEAA89
SelectObject.GDI32(?,?), ref: 00FEAA8F
DeleteObject.GDI32(?), ref: 00FEAA94
SetTextColor.GDI32(?,?), ref: 00FEAA9A
SetBkColor.GDI32(?,?), ref: 00FEAAA4

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: b346e526adfaac35dc6d8e70d3078d34dc8b405decfbf6c50fdede8cbfbd79e7
Instruction ID: bf0429bf8e7055796d11a17f32439498e469e35878e255f3a1ed293c9cda058d
Opcode Fuzzy Hash: b346e526adfaac35dc6d8e70d3078d34dc8b405decfbf6c50fdede8cbfbd79e7
Instruction Fuzzy Hash: 3C514B7190024CEFDB109FA5DC88EAE7BB9EF48320F114225F911AB2A1D7759A44EF90

Function 00FE89D5 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00FE8AC1
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00FE8AD2
CharNextW.USER32(0000014E), ref: 00FE8B01
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00FE8B42
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00FE8B58
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00FE8B69
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00FE8B86
SetWindowTextW.USER32(?,0000014E), ref: 00FE8BD8
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00FE8BEE
SendMessageW.USER32(?,00001002,00000000,?), ref: 00FE8C1F
_memset.LIBCMT ref: 00FE8C44
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00FE8C8D
_memset.LIBCMT ref: 00FE8CEC
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00FE8D16
SendMessageW.USER32(?,00001074,?,00000001), ref: 00FE8D6E
SendMessageW.USER32(?,0000133D,?,?), ref: 00FE8E1B
InvalidateRect.USER32(?,00000000,00000001), ref: 00FE8E3D
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00FE8E87
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00FE8EB4
DrawMenuBar.USER32(?), ref: 00FE8EC3
SetWindowTextW.USER32(?,0000014E), ref: 00FE8EEB

Strings

0, xrefs: 00FE8E55

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 332ec610e18670d5a6b4797d75a587925e9edd27da2e01c1446853217038aac5
Instruction ID: 08a6b09bb71d0cf2317e64cfd0f5a3cd7912946571e76755905b52b5fd065ad7
Opcode Fuzzy Hash: 332ec610e18670d5a6b4797d75a587925e9edd27da2e01c1446853217038aac5
Instruction Fuzzy Hash: 0AE1A271900288AFDF20EF55CC84EEE7B79FF05760F108166F919AA190DB749A85EF60

Function 00FE488F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00FE49CA
GetDesktopWindow.USER32 ref: 00FE49DF
GetWindowRect.USER32(00000000), ref: 00FE49E6
GetWindowLongW.USER32(?,000000F0), ref: 00FE4A48
DestroyWindow.USER32(?), ref: 00FE4A74
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00FE4A9D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00FE4ABB
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00FE4AE1
SendMessageW.USER32(?,00000421,?,?), ref: 00FE4AF6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00FE4B09
IsWindowVisible.USER32(?), ref: 00FE4B29
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00FE4B44
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00FE4B58
GetWindowRect.USER32(?,?), ref: 00FE4B70
MonitorFromPoint.USER32(?,?,00000002), ref: 00FE4B96
GetMonitorInfoW.USER32(00000000,?), ref: 00FE4BB0
CopyRect.USER32(?,?), ref: 00FE4BC7
SendMessageW.USER32(?,00000412,00000000), ref: 00FE4C32

Strings

0, xrefs: 00FE4975
(, xrefs: 00FE4BA3
tooltips_class32, xrefs: 00FE4A96

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 51f595e5daeb4d4d9b41b84bee982b2095fd141fe37b7616da21ee386e833b9f
Instruction ID: e5d23ceea629196fb68e052933bf8f0fa014859fa72f1887774cc4f9a17ad44c
Opcode Fuzzy Hash: 51f595e5daeb4d4d9b41b84bee982b2095fd141fe37b7616da21ee386e833b9f
Instruction Fuzzy Hash: D8B1BD71608380AFDB04DF65C888B6ABBE4FF88714F00892DF5999B2A1D774EC05DB55

Function 00FC449A Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00FC44AC
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00FC44D2
_wcscpy.LIBCMT ref: 00FC4500
_wcscmp.LIBCMT ref: 00FC450B
_wcscat.LIBCMT ref: 00FC4521
_wcsstr.LIBCMT ref: 00FC452C
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00FC4548
_wcscat.LIBCMT ref: 00FC4591
_wcscat.LIBCMT ref: 00FC4598
_wcsncpy.LIBCMT ref: 00FC45C3

Strings

04090000, xrefs: 00FC457E
%u.%u.%u.%u, xrefs: 00FC4626
DefaultLangCodepage, xrefs: 00FC45AB
\VarFileInfo\Translation, xrefs: 00FC4540
StringFileInfo\, xrefs: 00FC451B

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 7142e91a14729902c6abeeef5a9d7f38682d091d757ca3e3d40aa770de7991f4
Instruction ID: d71f5e967a0f520b66f584f27d33dfaaaa1581ca33b8c0d9aeb942ec5bf8a261
Opcode Fuzzy Hash: 7142e91a14729902c6abeeef5a9d7f38682d091d757ca3e3d40aa770de7991f4
Instruction Fuzzy Hash: 5941EA32A002057BDB10BA75CC57FFF776CDF45710F04446AF905E6182EA39AA05B7A5

Function 00F627D9 Relevance: 35.3, APIs: 18, Strings: 2, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00F628BC
GetSystemMetrics.USER32(00000007), ref: 00F628C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00F628EF
GetSystemMetrics.USER32(00000008), ref: 00F628F7
GetSystemMetrics.USER32(00000004), ref: 00F6291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00F62939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00F62949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00F6297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00F62990
GetClientRect.USER32(00000000,000000FF), ref: 00F629AE
GetStockObject.GDI32(00000011), ref: 00F629CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 00F629D5

Part of subcall function 00F62344: GetCursorPos.USER32(?), ref: 00F62357
Part of subcall function 00F62344: ScreenToClient.USER32(010257B0,?), ref: 00F62374
Part of subcall function 00F62344: GetAsyncKeyState.USER32(00000001), ref: 00F62399
Part of subcall function 00F62344: GetAsyncKeyState.USER32(00000002), ref: 00F623A7

SetTimer.USER32(00000000,00000000,00000028,00F61256), ref: 00F629FC

Strings

0000006689857cffffffb97400000066898d7effffffba2e00000066895580b85300000066894582b96800000066894d84ba6500000066895586b86c0000006689, xrefs: 00F9C189
AutoIt v3 GUI, xrefs: 00F62974

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: 0000006689857cffffffb97400000066898d7effffffba2e00000066895580b85300000066894582b96800000066894d84ba6500000066895586b86c0000006689$AutoIt v3 GUI
API String ID: 1458621304-380698221
Opcode ID: d3e21eb1c05ac8cd9dcab3ae6d3ab6e69ab5f99de6387dcc6bd05861c8cd9a26
Instruction ID: feb7e52122cd0f9ec267e8109ba5bf6f91e894a8fb6e92ca1eb65f53ad859f40
Opcode Fuzzy Hash: d3e21eb1c05ac8cd9dcab3ae6d3ab6e69ab5f99de6387dcc6bd05861c8cd9a26
Instruction Fuzzy Hash: 8CB16E71A0064ADFDB24DFA8DC85BED7BB4FB48310F104129FA15EB290DB789941EB54

Function 00FE3DE2 Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00FE3E6F
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00FE3F2F

Strings

SELECT, xrefs: 00FE3FC9
GETSELECTED, xrefs: 00FE405D
DESELECT, xrefs: 00FE401D
GETSELECTEDCOUNT, xrefs: 00FE3F12
VIEWCHANGE, xrefs: 00FE40EE
SELECTALL, xrefs: 00FE3F96
FINDITEM, xrefs: 00FE40A2
GETITEMCOUNT, xrefs: 00FE3EA1
SELECTINVERT, xrefs: 00FE3FFF
SELECTCLEAR, xrefs: 00FE3FAE
ISSELECTED, xrefs: 00FE3F3A
GETSUBITEMCOUNT, xrefs: 00FE3EBA
GETTEXT, xrefs: 00FE3ED8

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: 090cb805a8059f57355c3a946c0f0a6d925ddabfc950d59ce7beab709f3e6797
Instruction ID: b1221d73d5c96ea36b5baf67bad0a8c57621802730c0663b8f6fb6b73d8c395a
Opcode Fuzzy Hash: 090cb805a8059f57355c3a946c0f0a6d925ddabfc950d59ce7beab709f3e6797
Instruction Fuzzy Hash: F4A190316043819BCB14FF25CC56A6AB3E5FF84314F54486CB9A69B2D2CB78ED09EB41

Function 00FBA439 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00FBA47A
__swprintf.LIBCMT ref: 00FBA51B
_wcscmp.LIBCMT ref: 00FBA52E
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00FBA583
_wcscmp.LIBCMT ref: 00FBA5BF
GetClassNameW.USER32(?,?,00000400), ref: 00FBA5F6
GetDlgCtrlID.USER32(?), ref: 00FBA648
GetWindowRect.USER32(?,?), ref: 00FBA67E
GetParent.USER32(?), ref: 00FBA69C
ScreenToClient.USER32(00000000), ref: 00FBA6A3
GetClassNameW.USER32(?,?,00000100), ref: 00FBA71D
_wcscmp.LIBCMT ref: 00FBA731
GetWindowTextW.USER32(?,?,00000400), ref: 00FBA757
_wcscmp.LIBCMT ref: 00FBA76B

Part of subcall function 00F8362C: _iswctype.LIBCMT ref: 00F83634

Strings

%s%u, xrefs: 00FBA515

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: d60d821a6f7e36697873545cce07eaa3b41f418f7595c940a62c673215340301
Instruction ID: 99750c8677c03bc309599e717252d1c3e897e252e559d7202d6d4b51f464e69d
Opcode Fuzzy Hash: d60d821a6f7e36697873545cce07eaa3b41f418f7595c940a62c673215340301
Instruction Fuzzy Hash: 4DA1F171604206AFC714DF25C884FEAB7E8FF44320F148529F999C61A0EB34EA55EF92

Function 00FBAED4 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 00FBAF18
_wcscmp.LIBCMT ref: 00FBAF29
GetWindowTextW.USER32(00000001,?,00000400), ref: 00FBAF51
CharUpperBuffW.USER32(?,00000000), ref: 00FBAF6E
_wcscmp.LIBCMT ref: 00FBAF8C
_wcsstr.LIBCMT ref: 00FBAF9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00FBAFD5
_wcscmp.LIBCMT ref: 00FBAFE5
GetWindowTextW.USER32(00000002,?,00000400), ref: 00FBB00C
GetClassNameW.USER32(00000018,?,00000400), ref: 00FBB055
_wcscmp.LIBCMT ref: 00FBB065
GetClassNameW.USER32(00000010,?,00000400), ref: 00FBB08D
GetWindowRect.USER32(00000004,?), ref: 00FBB0F6

Strings

@, xrefs: 00FBAEF9
ThumbnailClass, xrefs: 00FBAFE0, 00FBB060

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: aeac094001670d388bd78c0fb6a1f2fe6cd0bd5ae64072178816f821833a0da7
Instruction ID: 403ff4dbc70053a3d50250f37f10b4d1ab23c7ec657b1f07754c5311911fbaae
Opcode Fuzzy Hash: aeac094001670d388bd78c0fb6a1f2fe6cd0bd5ae64072178816f821833a0da7
Instruction Fuzzy Hash: BF81BF715082099FDB00EF16C885BFA77E8EF44764F04846AFD858A0A2DB74DE49EF61

Function 00FBABD4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00FBAC33

Strings

LAST, xrefs: 00FBABF8
CLASSNAME=, xrefs: 00FBAC70
ALL, xrefs: 00FBACC7
HANDLE=, xrefs: 00FBAC2C
ACTIVE, xrefs: 00FBAC0E
[LAST, xrefs: 00FBACE0
[ACTIVE, xrefs: 00FBAC20
[HANDLE:, xrefs: 00FBAC3F
[CLASS:, xrefs: 00FBAC83
[ALL, xrefs: 00FBACD9
REGEXP=, xrefs: 00FBAC48
[REGEXPTITLE:, xrefs: 00FBAC5B

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: bd29c10f4f3b9929e764f352048464fe070e9bad12dfe04c4498d4334f01e770
Instruction ID: 2db60d3962a4570e13f8e393e1a5160d5b6992e564e00ff9940b64c54afbc933
Opcode Fuzzy Hash: bd29c10f4f3b9929e764f352048464fe070e9bad12dfe04c4498d4334f01e770
Instruction Fuzzy Hash: 1A31A572984309A6DB14FA92DD03EEE7774AF10760FA0051DF481750D9EF69AF04FA52

Function 00FD4FFD Relevance: 25.6, APIs: 17, Instructions: 110COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 00FD5013
LoadCursorW.USER32(00000000,00007F00), ref: 00FD501E
LoadCursorW.USER32(00000000,00007F03), ref: 00FD5029
LoadCursorW.USER32(00000000,00007F8B), ref: 00FD5034
LoadCursorW.USER32(00000000,00007F01), ref: 00FD503F
LoadCursorW.USER32(00000000,00007F81), ref: 00FD504A
LoadCursorW.USER32(00000000,00007F88), ref: 00FD5055
LoadCursorW.USER32(00000000,00007F80), ref: 00FD5060
LoadCursorW.USER32(00000000,00007F86), ref: 00FD506B
LoadCursorW.USER32(00000000,00007F83), ref: 00FD5076
LoadCursorW.USER32(00000000,00007F85), ref: 00FD5081
LoadCursorW.USER32(00000000,00007F82), ref: 00FD508C
LoadCursorW.USER32(00000000,00007F84), ref: 00FD5097
LoadCursorW.USER32(00000000,00007F04), ref: 00FD50A2
LoadCursorW.USER32(00000000,00007F02), ref: 00FD50AD
LoadCursorW.USER32(00000000,00007F89), ref: 00FD50B8
GetCursorInfo.USER32(?), ref: 00FD50C8

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: 045d510fe897766d54b711fe57c3ad7d6af9b4792c27b369d3a369396f3ecbaa
Instruction ID: c6fa28e7b2024aaee075346e31a21ada49999ef195c99ad25bca91624ed610c2
Opcode Fuzzy Hash: 045d510fe897766d54b711fe57c3ad7d6af9b4792c27b369d3a369396f3ecbaa
Instruction Fuzzy Hash: F93114B1D0831E6ADF109FB68C8995EBFE9FF04750F54452BA50CE7280DA78A5009F91

Function 00FEA1B9 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FEA259
DestroyWindow.USER32(?,?), ref: 00FEA2D3

Part of subcall function 00F67BCC: _memmove.LIBCMT ref: 00F67C06

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00FEA34D
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00FEA36F
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00FEA382
DestroyWindow.USER32(00000000), ref: 00FEA3A4
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00F60000,00000000), ref: 00FEA3DB
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00FEA3F4
GetDesktopWindow.USER32 ref: 00FEA40D
GetWindowRect.USER32(00000000), ref: 00FEA414
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00FEA42C
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00FEA444

Part of subcall function 00F625DB: GetWindowLongW.USER32(?,000000EB), ref: 00F625EC

Strings

0, xrefs: 00FEA26F
tooltips_class32, xrefs: 00FEA346, 00FEA3D4

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: a2f58af44aedb80b1b101b88fb0b5c23a2f17e60946bdd7369d6c9b4a328d3d2
Instruction ID: 3628663150f486b80fe9a611a2b4f8cf92d3af44f2a5c85fbddef3a69cdec483
Opcode Fuzzy Hash: a2f58af44aedb80b1b101b88fb0b5c23a2f17e60946bdd7369d6c9b4a328d3d2
Instruction Fuzzy Hash: C871CC71540284AFD721CF28CC48FAA7BE6FB88314F04452CF985DB2A0C7B5E906EB56

Function 00FEC5FE Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F62612: GetWindowLongW.USER32(?,000000EB), ref: 00F62623

DragQueryPoint.SHELL32(?,?), ref: 00FEC627

Part of subcall function 00FEAB37: ClientToScreen.USER32(?,?), ref: 00FEAB60
Part of subcall function 00FEAB37: GetWindowRect.USER32(?,?), ref: 00FEABD6
Part of subcall function 00FEAB37: PtInRect.USER32(?,?,00FEC014), ref: 00FEABE6

SendMessageW.USER32(?,000000B0,?,?), ref: 00FEC690
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00FEC69B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00FEC6BE
_wcscat.LIBCMT ref: 00FEC6EE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00FEC705
SendMessageW.USER32(?,000000B0,?,?), ref: 00FEC71E
SendMessageW.USER32(?,000000B1,?,?), ref: 00FEC735
SendMessageW.USER32(?,000000B1,?,?), ref: 00FEC757
DragFinish.SHELL32(?), ref: 00FEC75E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00FEC851

Strings

@GUI_DRAGID, xrefs: 00FEC7C9
@GUI_DROPID, xrefs: 00FEC77E
@GUI_DRAGFILE, xrefs: 00FEC800

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: 61281b441b80cbe81fc90d6941019418dd5b5be50450491cd059f8e519d683ab
Instruction ID: c48e6f659a685f5de295a323091a77a2af9e13d0c0768248ee6d788db019becc
Opcode Fuzzy Hash: 61281b441b80cbe81fc90d6941019418dd5b5be50450491cd059f8e519d683ab
Instruction Fuzzy Hash: A1616871108384AFC701EF65CC85DAFBBE8FF89750F00092EF595961A1DB74AA09DB92

Function 00FE4392 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00FE4424
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00FE446F

Strings

CHECK, xrefs: 00FE448F
SELECT, xrefs: 00FE4620
GETSELECTED, xrefs: 00FE457F
EXISTS, xrefs: 00FE44D8
GETITEMCOUNT, xrefs: 00FE4551
ISCHECKED, xrefs: 00FE45F2
UNCHECK, xrefs: 00FE464B
GETTOTALCOUNT, xrefs: 00FE4456
EXPAND, xrefs: 00FE4521
COLLAPSE, xrefs: 00FE44B5
GETTEXT, xrefs: 00FE45C2

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: e7fc49646f2288dc7f365975b1e3c4657b6292f3f0af155903f08f28905cc9f6
Instruction ID: 91e6ef196c06d4c159472c893183933c8466141b391d80f235cc7b50134f46e8
Opcode Fuzzy Hash: e7fc49646f2288dc7f365975b1e3c4657b6292f3f0af155903f08f28905cc9f6
Instruction Fuzzy Hash: 40917B756083019FCB04EF21C851AAEB7E5AF95354F44885CF8965B3A2CB78ED09EB81

Function 00FEB7FE Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00FEB8B4
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00FE91C2), ref: 00FEB910
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00FEB949
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00FEB98C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00FEB9C3
FreeLibrary.KERNEL32(?), ref: 00FEB9CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00FEB9DF
DestroyIcon.USER32(?,?,?,?,?,00FE91C2), ref: 00FEB9EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00FEBA0B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00FEBA17

Part of subcall function 00F82EFD: __wcsicmp_l.LIBCMT ref: 00F82F86

Strings

.icl, xrefs: 00FEB82A
.exe, xrefs: 00FEB84A
.dll, xrefs: 00FEB86D

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: ad89ff4c7eae825b5f0c2008286eb28770df386bf80e081afdf81d7c70dbc7d8
Instruction ID: 020910abb654dc81b1d0f8f86fe386a9caa701d3920ae1f31d9fafc7f804d56f
Opcode Fuzzy Hash: ad89ff4c7eae825b5f0c2008286eb28770df386bf80e081afdf81d7c70dbc7d8
Instruction Fuzzy Hash: 4361D071900259BAEB14DF65CC85FBF77ACFB08720F104119F915DA1D1DB78AA80EBA0

Function 00FCDC1A Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00FCDCDC
SystemTimeToFileTime.KERNEL32(?,?), ref: 00FCDCEC
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00FCDCF8
__wsplitpath.LIBCMT ref: 00FCDD56
_wcscat.LIBCMT ref: 00FCDD6E
_wcscat.LIBCMT ref: 00FCDD80
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00FCDD95
SetCurrentDirectoryW.KERNEL32(?), ref: 00FCDDA9
SetCurrentDirectoryW.KERNEL32(?), ref: 00FCDDDB
SetCurrentDirectoryW.KERNEL32(?), ref: 00FCDDFC
_wcscpy.LIBCMT ref: 00FCDE08
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00FCDE47

Strings

*.*, xrefs: 00FCDE02

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: ce21a98e1a46f2faad942cfc631a8a1bab3dee001e24d1d68c6e1e206063e64f
Instruction ID: 0a397330c32a80c5db0453f701757ec1e9222c6e6dc01582675c3b84555cb50d
Opcode Fuzzy Hash: ce21a98e1a46f2faad942cfc631a8a1bab3dee001e24d1d68c6e1e206063e64f
Instruction Fuzzy Hash: 97619D725082469FCB10EF20C945EAEB3E8FF89324F04482DF98987251DB75EA05DB92

Function 00FC9C38 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 00FC9C7F

Part of subcall function 00F67DE1: _memmove.LIBCMT ref: 00F67E22

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00FC9CA0
__swprintf.LIBCMT ref: 00FC9CF9
__swprintf.LIBCMT ref: 00FC9D12
_wprintf.LIBCMT ref: 00FC9DB9
_wprintf.LIBCMT ref: 00FC9DD7

Strings

^ ERROR , xrefs: 00FC9D4E
Error: , xrefs: 00FC9D81
Incorrect parameters to object property !, xrefs: 00FC9D5B
"%s" (%d) : ==> %s:, xrefs: 00FC9DD2
"%s" (%d) : ==> %s:%s%s, xrefs: 00FC9DB4
Line %d (File "%s"):, xrefs: 00FC9CF3, 00FC9D0C

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-3080491070
Opcode ID: 59ede9b40b1ddf8f7592d95be1ea177cb6a5075fe5e360228dcfcda2f1d78fad
Instruction ID: b8c71de2db0c422471ee1d7fd0f9a96aedb5b74f6753dc509f7fc68a21057737
Opcode Fuzzy Hash: 59ede9b40b1ddf8f7592d95be1ea177cb6a5075fe5e360228dcfcda2f1d78fad
Instruction Fuzzy Hash: 3451A53290020AAACF14FBE0DD46EEEB778AF14304F204069F54572061EB796F59EF61

Function 00FCA352 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00F69837: __itow.LIBCMT ref: 00F69862
Part of subcall function 00F69837: __swprintf.LIBCMT ref: 00F698AC

CharLowerBuffW.USER32(?,?), ref: 00FCA3CB
GetDriveTypeW.KERNEL32 ref: 00FCA418
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FCA460
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FCA497
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FCA4C5

Part of subcall function 00F67BCC: _memmove.LIBCMT ref: 00F67C06

Strings

open, xrefs: 00FCA3F2
type cdaudio alias cd wait, xrefs: 00FCA443
set cd door , xrefs: 00FCA466
open , xrefs: 00FCA427
close cd wait, xrefs: 00FCA4B0
wait, xrefs: 00FCA482
close, xrefs: 00FCA3D1
closed, xrefs: 00FCA3DF, 00FCA3E8

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: e0f74d591cfa236cde9d115fd3c06eaac83f8562a0a79e0b0e39e90c69c61afb
Instruction ID: 77f62146e526ddf277acf144ebf4004b3be16a9e9a429b43010374eb4d9a7bfe
Opcode Fuzzy Hash: e0f74d591cfa236cde9d115fd3c06eaac83f8562a0a79e0b0e39e90c69c61afb
Instruction Fuzzy Hash: 0D514A715083059FC704EF20CD8296AB3E8EF98718F44896DF89657261DB75EE09DB42

Function 00FBF8AA Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,00F9E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 00FBF8DF
LoadStringW.USER32(00000000,?,00F9E029,00000001), ref: 00FBF8E8

Part of subcall function 00F67DE1: _memmove.LIBCMT ref: 00F67E22

GetModuleHandleW.KERNEL32(00000000,01025310,?,00000FFF,?,?,00F9E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 00FBF90A
LoadStringW.USER32(00000000,?,00F9E029,00000001), ref: 00FBF90D
__swprintf.LIBCMT ref: 00FBF95D
__swprintf.LIBCMT ref: 00FBF96E
_wprintf.LIBCMT ref: 00FBFA17
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00FBFA2E

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00FBFA12
Error: , xrefs: 00FBF9E5
Line %d:, xrefs: 00FBF968
Line %d (File "%s"):, xrefs: 00FBF957
^ ERROR, xrefs: 00FBF9C3

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: f70040965c6b1db6dd22c28623e570dab8f21b453a10ae8b21040fd7c742ec61
Instruction ID: 77780a0d798412e466f2b22355211176c755695fe233215325eec5623831111a
Opcode Fuzzy Hash: f70040965c6b1db6dd22c28623e570dab8f21b453a10ae8b21040fd7c742ec61
Instruction Fuzzy Hash: D6414C7280020DAACF15FBE1DD86EEEB778AF14704F500065F505B60A6EA396F09EF61

Function 00FEBA33 Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00FE9207,?,?), ref: 00FEBA56
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00FE9207,?,?,00000000,?), ref: 00FEBA6D
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00FE9207,?,?,00000000,?), ref: 00FEBA78
CloseHandle.KERNEL32(00000000,?,?,?,?,00FE9207,?,?,00000000,?), ref: 00FEBA85
GlobalLock.KERNEL32(00000000), ref: 00FEBA8E
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00FE9207,?,?,00000000,?), ref: 00FEBA9D
GlobalUnlock.KERNEL32(00000000), ref: 00FEBAA6
CloseHandle.KERNEL32(00000000,?,?,?,?,00FE9207,?,?,00000000,?), ref: 00FEBAAD
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00FE9207,?,?,00000000,?), ref: 00FEBABE
OleLoadPicture.OLEAUT32(?,00000000,00000000,00FF2CAC,?), ref: 00FEBAD7
GlobalFree.KERNEL32(00000000), ref: 00FEBAE7
GetObjectW.GDI32(00000000,00000018,?), ref: 00FEBB0B
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 00FEBB36
DeleteObject.GDI32(00000000), ref: 00FEBB5E
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00FEBB74

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 9c9738094fce88b9f97f17eb4cdba3dc859d39e44fa05f808d6f791cab3ea10a
Instruction ID: 0363ba1dc5c8278dbd37169ba2f2549402d07c184132c552f09e6bc6a431261b
Opcode Fuzzy Hash: 9c9738094fce88b9f97f17eb4cdba3dc859d39e44fa05f808d6f791cab3ea10a
Instruction Fuzzy Hash: 58411C75901248EFDB119F65DC88EAB7BB9FF89B21F104068F906DB260D7349E05EB60

Function 00FCD899 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 00FCDA10
_wcscat.LIBCMT ref: 00FCDA28
_wcscat.LIBCMT ref: 00FCDA3A
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00FCDA4F
SetCurrentDirectoryW.KERNEL32(?), ref: 00FCDA63
GetFileAttributesW.KERNEL32(?), ref: 00FCDA7B
SetFileAttributesW.KERNEL32(?,00000000), ref: 00FCDA95
SetCurrentDirectoryW.KERNEL32(?), ref: 00FCDAA7

Strings

*.*, xrefs: 00FCDAE6

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 8c0094f8b6d27d67d2d7c53b63ab48e99a33fb2e7f8c4e652f9f3032c589a261
Instruction ID: e3b388a2e86f675e097936ed28c24eed11bd907f5fbce81cdee8ab5cbc36f289
Opcode Fuzzy Hash: 8c0094f8b6d27d67d2d7c53b63ab48e99a33fb2e7f8c4e652f9f3032c589a261
Instruction Fuzzy Hash: 328193769042429FCB24EF64C946F6EB7E8AF89314F14483EF489CB251D734D944EB51

Function 00FEC1AC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F62612: GetWindowLongW.USER32(?,000000EB), ref: 00F62623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00FEC1FC
GetFocus.USER32 ref: 00FEC20C
GetDlgCtrlID.USER32(00000000), ref: 00FEC217
_memset.LIBCMT ref: 00FEC342
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00FEC36D
GetMenuItemCount.USER32(?), ref: 00FEC38D
GetMenuItemID.USER32(?,00000000), ref: 00FEC3A0
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00FEC3D4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00FEC41C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00FEC454
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00FEC489

Strings

0, xrefs: 00FEC33A

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 5a98993c8a085560dfecfed0cd3eb6729ea808ad1755f6d9b5603698cb346ef8
Instruction ID: b45d58a921ea2fb8d985eb1bbff8fdd20f36f9d5072fbf885bde5c1080fa8175
Opcode Fuzzy Hash: 5a98993c8a085560dfecfed0cd3eb6729ea808ad1755f6d9b5603698cb346ef8
Instruction Fuzzy Hash: 7F8190716083819FD710DF15CC94ABBBBE4FB88724F10492EF99597291C770D906EB92

Function 00FD731A Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00FD738F
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00FD739B
CreateCompatibleDC.GDI32(?), ref: 00FD73A7
SelectObject.GDI32(00000000,?), ref: 00FD73B4
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00FD7408
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00FD7444
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00FD7468
SelectObject.GDI32(00000006,?), ref: 00FD7470
DeleteObject.GDI32(?), ref: 00FD7479
DeleteDC.GDI32(00000006), ref: 00FD7480
ReleaseDC.USER32(00000000,?), ref: 00FD748B

Strings

(, xrefs: 00FD7410

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 4147128e5b224ce3490da3964c457605106c63f94d3f993b008693d7a9a10317
Instruction ID: c4050b66677ba6044ad80ccc6d660de09b3817168dbf7c76948472f89751d515
Opcode Fuzzy Hash: 4147128e5b224ce3490da3964c457605106c63f94d3f993b008693d7a9a10317
Instruction Fuzzy Hash: 66514B71904349EFCB15DFA8CC84EAEBBB9EF48310F14852EF95A9B310D731A9449B50

Function 00F66A8C Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00F80957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00F66B0C,?,00008000), ref: 00F80973

Part of subcall function 00F64750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F64743,?,?,00F637AE,?), ref: 00F64770

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00F66BAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00F66CFA

Part of subcall function 00F6586D: _wcscpy.LIBCMT ref: 00F658A5

Part of subcall function 00F8363D: _iswctype.LIBCMT ref: 00F83645

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00F9E496
EA06, xrefs: 00F9E452
AU3!, xrefs: 00F66B61
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00F9E421
Error opening the file, xrefs: 00F9E43D, 00F9E4B8
Unterminated string, xrefs: 00F9E7E4
Bad directive syntax error, xrefs: 00F9E79D

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: f72877c600215acf81f565deef97c16a5d839bab6a100dc5b65b43af4144c555
Instruction ID: 8694eb8ef1d3d046bffd008ee5cf285fd271ae03788aa9c350c59de2c3cef51b
Opcode Fuzzy Hash: f72877c600215acf81f565deef97c16a5d839bab6a100dc5b65b43af4144c555
Instruction Fuzzy Hash: A602AC315083419FCB24EF24CC91AAFBBE5AF94314F14491DF496972A2DB38DA49EB42

Function 00FC2D36 Relevance: 19.7, APIs: 13, Instructions: 214windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FC2D50
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00FC2DDD
GetMenuItemCount.USER32(01025890), ref: 00FC2E66
DeleteMenu.USER32(01025890,00000005,00000000,000000F5,?,?), ref: 00FC2EF6
DeleteMenu.USER32(01025890,00000004,00000000), ref: 00FC2EFE
DeleteMenu.USER32(01025890,00000006,00000000), ref: 00FC2F06
DeleteMenu.USER32(01025890,00000003,00000000), ref: 00FC2F0E
GetMenuItemCount.USER32(01025890), ref: 00FC2F16
SetMenuItemInfoW.USER32(01025890,00000004,00000000,00000030), ref: 00FC2F4C
GetCursorPos.USER32(?), ref: 00FC2F56
SetForegroundWindow.USER32(00000000), ref: 00FC2F5F
TrackPopupMenuEx.USER32(01025890,00000000,?,00000000,00000000,00000000), ref: 00FC2F72
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00FC2F7E

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: d6543cb81522074d2d4e2a1701ef6e7bd41b3181f05d2628dcceacf9c15ee6e5
Instruction ID: 7b1af1ddf329a76cd4ba69382d6685cf20c1d70eb2e3ec5a84da74de309138f2
Opcode Fuzzy Hash: d6543cb81522074d2d4e2a1701ef6e7bd41b3181f05d2628dcceacf9c15ee6e5
Instruction Fuzzy Hash: 5371E371A0020BBAEB619F54DD86FAABF64FF05324F14021EF615AA1E1C7B16C14FB91

Function 00FB77DC Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00F67BCC: _memmove.LIBCMT ref: 00F67C06

_memset.LIBCMT ref: 00FB786B
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00FB78A0
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00FB78BC
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00FB78D8
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00FB7902
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00FB792A
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00FB7935
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00FB793A

Strings

\IPC$, xrefs: 00FB7882
\CLSID, xrefs: 00FB7822
SOFTWARE\Classes\, xrefs: 00FB780C

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: dad5fce9d261575ca738fc7e3645aec1913af2785e7fb21b243a881cacd2f8b7
Instruction ID: c3e060450b022088ee0fe0b50c96eac408c8c6413c4f7b1fd5c77e3f17c5c981
Opcode Fuzzy Hash: dad5fce9d261575ca738fc7e3645aec1913af2785e7fb21b243a881cacd2f8b7
Instruction Fuzzy Hash: A5411572C1422DABCB11EBA4DC85DEEB7B8BF44714F004129E905A7261EA359E08EF90

Function 00FE0E1A Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FDFDAD,?,?), ref: 00FE0E31

Strings

HKLM, xrefs: 00FE0EAF
HKEY_CURRENT_CONFIG, xrefs: 00FE0EEE
HKEY_CURRENT_USER, xrefs: 00FE0F10
HKEY_USERS, xrefs: 00FE0F32
HKCR, xrefs: 00FE0ED9
HKEY_CLASSES_ROOT, xrefs: 00FE0EC4
HKCC, xrefs: 00FE0EFF
HKEY_LOCAL_MACHINE, xrefs: 00FE0E9A
HKCU, xrefs: 00FE0F21
HKU, xrefs: 00FE0F43

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 24112fd9016e32051bcf2ed4a0b7e012cfcd1b24f9ba4c3c30885a96b3e1c6d7
Instruction ID: 1c38047a8f5a51a349242fe0a08cd324fb9b72d260a170af0eadf4282a333bd3
Opcode Fuzzy Hash: 24112fd9016e32051bcf2ed4a0b7e012cfcd1b24f9ba4c3c30885a96b3e1c6d7
Instruction Fuzzy Hash: 4A41583650028A8BCF14FE11DC62AEE3764FF11318F540454FC951B296DF7899A9EBA0

Function 00FBF7A1 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00F9E2A0,00000010,?,Bad directive syntax error,00FEF910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 00FBF7C2
LoadStringW.USER32(00000000,?,00F9E2A0,00000010), ref: 00FBF7C9

Part of subcall function 00F67DE1: _memmove.LIBCMT ref: 00F67E22

_wprintf.LIBCMT ref: 00FBF7FC
__swprintf.LIBCMT ref: 00FBF81E
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00FBF88D

Strings

., xrefs: 00FBF873
Line %d:, xrefs: 00FBF818
%s (%d) : ==> %s.: %s %s, xrefs: 00FBF7F7
Line %d (File "%s"):, xrefs: 00FBF833
Error: , xrefs: 00FBF85B

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: 850038117cb3ef151d4d0b85ec55b1f231cbdd68f4c354830b1eba5d4d4228c3
Instruction ID: 797d2df06e61fa4ce92f6ba8df4e08b7dc7d2f6e2ee7008fd6af0bbfe64f789f
Opcode Fuzzy Hash: 850038117cb3ef151d4d0b85ec55b1f231cbdd68f4c354830b1eba5d4d4228c3
Instruction Fuzzy Hash: 6E21713290021EFBCF12FF91CC4AEEE7779BF18704F04446AF515660A2EA799618EB51

Function 00FC52C7 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00F67BCC: _memmove.LIBCMT ref: 00F67C06

Part of subcall function 00F67924: _memmove.LIBCMT ref: 00F679AD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00FC5330
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00FC5346
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FC5357
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00FC5369
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00FC537A

Strings

close PlayMe, xrefs: 00FC5341, 00FC536E
open , xrefs: 00FC52DF
status PlayMe mode, xrefs: 00FC532B
play PlayMe wait, xrefs: 00FC5364
alias PlayMe, xrefs: 00FC5309
play PlayMe, xrefs: 00FC5375

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: fd39866f584b50f81f52a42d72de090e6ad52b455046f4850360bb2de43f972e
Instruction ID: 2c0b636142114d3b306d6185ee3789a1d64fbdc97405502acb297fdccce187a6
Opcode Fuzzy Hash: fd39866f584b50f81f52a42d72de090e6ad52b455046f4850360bb2de43f972e
Instruction Fuzzy Hash: 9611E220A5026E79D720B662CD4AEFF7BBCEBD5F84F00042EB441A6095EAA45E44D9A0

Function 00FC46B7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00FC46D2
gethostname.WSOCK32(?,00000100), ref: 00FC46EC
gethostbyname.WSOCK32(?), ref: 00FC46F9
_wcscpy.LIBCMT ref: 00FC4721
_memmove.LIBCMT ref: 00FC4734
inet_ntoa.WSOCK32(?), ref: 00FC473F
_strcat.LIBCMT ref: 00FC474D
_wcscpy.LIBCMT ref: 00FC4764
WSACleanup.WSOCK32 ref: 00FC4772
_wcscpy.LIBCMT ref: 00FC4780

Strings

0.0.0.0, xrefs: 00FC471B

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: dbc932ac0b62a99b5b902de0d51d1f715c5c8577bd2954d8a6db519919cca88c
Instruction ID: 6ac8a9eab9c9d41937f9aaf3b7a3c57cc2947e71651458a801dc844342d0aa20
Opcode Fuzzy Hash: dbc932ac0b62a99b5b902de0d51d1f715c5c8577bd2954d8a6db519919cca88c
Instruction Fuzzy Hash: DB11D532900119ABCB24BB309D86FDE77BCEF01721F0441BAF845D6051EF78AA85AB51

Function 00FC4F75 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00FC4F7A

Part of subcall function 00F8049F: timeGetTime.WINMM(?,75A8B400,00F70E7B), ref: 00F804A3

Sleep.KERNEL32(0000000A), ref: 00FC4FA6
EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00FC4FCA
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00FC4FEC
SetActiveWindow.USER32 ref: 00FC500B
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00FC5019
SendMessageW.USER32(00000010,00000000,00000000), ref: 00FC5038
Sleep.KERNEL32(000000FA), ref: 00FC5043
IsWindow.USER32 ref: 00FC504F
EndDialog.USER32(00000000), ref: 00FC5060

Strings

BUTTON, xrefs: 00FC4FDE

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: f59440df655a3d019c66d9d1b0b96db34543d8c1b23cbffe0ef63f25822a6428
Instruction ID: 9b6840a01cebf1b2d71ca98767c44578d32a82f3ad2b2086caf4e0f1ec7a6c2d
Opcode Fuzzy Hash: f59440df655a3d019c66d9d1b0b96db34543d8c1b23cbffe0ef63f25822a6428
Instruction Fuzzy Hash: 4621F37064064AAFE7305F20EECAF263B69EB46755F14102CF845C61A9CB3B9E44F761

Function 00FCD58D Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00F69837: __itow.LIBCMT ref: 00F69862
Part of subcall function 00F69837: __swprintf.LIBCMT ref: 00F698AC

CoInitialize.OLE32(00000000), ref: 00FCD5EA
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00FCD67D
SHGetDesktopFolder.SHELL32(?), ref: 00FCD691
CoCreateInstance.OLE32(00FF2D7C,00000000,00000001,01018C1C,?), ref: 00FCD6DD
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00FCD74C
CoTaskMemFree.OLE32(?,?), ref: 00FCD7A4
_memset.LIBCMT ref: 00FCD7E1
SHBrowseForFolderW.SHELL32(?), ref: 00FCD81D
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00FCD840
CoTaskMemFree.OLE32(00000000), ref: 00FCD847
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00FCD87E
CoUninitialize.OLE32(00000001,00000000), ref: 00FCD880

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 11976bea91e703ce7c43d49c82975df19e52a2a47031b54d34dba0a97a4b34cc
Instruction ID: a61b4c2fdb90eec6829d795bd20d02cc3bd02bd2041d3a59916f99aac043118d
Opcode Fuzzy Hash: 11976bea91e703ce7c43d49c82975df19e52a2a47031b54d34dba0a97a4b34cc
Instruction Fuzzy Hash: 9FB10A75A00109AFDB04DFA4CD85EAEBBB9FF48314B148069F809EB261DB34EE45DB50

Function 00FBC267 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00FBC283
GetWindowRect.USER32(00000000,?), ref: 00FBC295
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00FBC2F3
GetDlgItem.USER32(?,00000002), ref: 00FBC2FE
GetWindowRect.USER32(00000000,?), ref: 00FBC310
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00FBC364
GetDlgItem.USER32(?,000003E9), ref: 00FBC372
GetWindowRect.USER32(00000000,?), ref: 00FBC383
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00FBC3C6
GetDlgItem.USER32(?,000003EA), ref: 00FBC3D4
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00FBC3F1
InvalidateRect.USER32(?,00000000,00000001), ref: 00FBC3FE

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 97ded801c87dd4ea02b5d3bec214c8842dc1eeae4b27ffb306edc3e5bf27c591
Instruction ID: be62ad77cac4605fe89eb75f9e03c97da10c860c3f971a686c2ebdcd01edd696
Opcode Fuzzy Hash: 97ded801c87dd4ea02b5d3bec214c8842dc1eeae4b27ffb306edc3e5bf27c591
Instruction Fuzzy Hash: D0514071F00209AFDB18CFA9DD99AAEBBBAFB88710F14812DF515D7290D7709D049B50

Function 00F6201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00F61B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00F62036,?,00000000,?,?,?,?,00F616CB,00000000,?), ref: 00F61B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00F620D3
KillTimer.USER32(-00000001,?,?,?,?,00F616CB,00000000,?,?,00F61AE2,?,?), ref: 00F6216E
DestroyAcceleratorTable.USER32(00000000), ref: 00F9BCA6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00F616CB,00000000,?,?,00F61AE2,?,?), ref: 00F9BCD7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00F616CB,00000000,?,?,00F61AE2,?,?), ref: 00F9BCEE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00F616CB,00000000,?,?,00F61AE2,?,?), ref: 00F9BD0A
DeleteObject.GDI32(00000000), ref: 00F9BD1C

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: f5f9a8f35253a7567b9c9976454a862933f138c53be0aa7f28da5fa9df583efe
Instruction ID: a3d47f2d5b13dd7c83610ae5bbb3a8fdb633787b962ea3ef57ad43111320f472
Opcode Fuzzy Hash: f5f9a8f35253a7567b9c9976454a862933f138c53be0aa7f28da5fa9df583efe
Instruction Fuzzy Hash: CA61C031905A40EFDB359F14ED88B69B7F1FF40322F208429E5829B964C7B9A891FF44

Function 00F621A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 00F625DB: GetWindowLongW.USER32(?,000000EB), ref: 00F625EC

GetSysColor.USER32(0000000F), ref: 00F621D3

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: f92fadcf10581399a75791eb8f5be17dd2caf9646a0c6ffd7c21b35b93ae3af4
Instruction ID: eeff85dea65c4e39c9fae2861ce931c1b1a5eadda80a743be698d775e9084336
Opcode Fuzzy Hash: f92fadcf10581399a75791eb8f5be17dd2caf9646a0c6ffd7c21b35b93ae3af4
Instruction Fuzzy Hash: 4441C131400948DBEF215F28EC98BB93B66EB46331F188265FE658E1E1C7758D42FB21

Function 00FCA8A7 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00FEF910), ref: 00FCA90B
GetDriveTypeW.KERNEL32(00000061,010189A0,00000061), ref: 00FCA9D5
_wcscpy.LIBCMT ref: 00FCA9FF

Strings

ramdisk, xrefs: 00FCA97F
removable, xrefs: 00FCA93D
network, xrefs: 00FCA969
cdrom, xrefs: 00FCA927
fixed, xrefs: 00FCA953
unknown, xrefs: 00FCA996
all, xrefs: 00FCA911

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 1ea6bd46d6a95995fc21c1db3d852ef7065b635154f646787f8ac0beeff57d0e
Instruction ID: 9fceca6eada4095cd7cc0f77773899bbcc2f172054dbcb8c8479c01a4aedb2fa
Opcode Fuzzy Hash: 1ea6bd46d6a95995fc21c1db3d852ef7065b635154f646787f8ac0beeff57d0e
Instruction Fuzzy Hash: A651AC315083069BC204EF24CE93FAEB7A5FF84718F54481DF496572A2DB79A909EB43

Function 00F69837 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00F69862
__swprintf.LIBCMT ref: 00F698AC
__i64tow.LIBCMT ref: 00F9F5E6

Strings

True, xrefs: 00F9F5A7
False, xrefs: 00F9F5AE
0x%p, xrefs: 00F9F5C8
%.15g, xrefs: 00F698A6

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: aea3b1852071c939a924f2bf09a657b23fc0ec51f77535111becb153fb80f2b7
Instruction ID: 2a206c11aea2a30c305e7654caffd76d23ee0cfb01cf357581428feaaef5a307
Opcode Fuzzy Hash: aea3b1852071c939a924f2bf09a657b23fc0ec51f77535111becb153fb80f2b7
Instruction Fuzzy Hash: CC41F772904205AFEF24EF34DC42E7A73E8EF05310F64446EE549D7251EA759946BB10

Function 00FE7152 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FE716A
CreateMenu.USER32 ref: 00FE7185
SetMenu.USER32(?,00000000), ref: 00FE7194
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FE7221
IsMenu.USER32(?), ref: 00FE7237
CreatePopupMenu.USER32 ref: 00FE7241
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00FE726E
DrawMenuBar.USER32 ref: 00FE7276

Strings

F, xrefs: 00FE7262
0, xrefs: 00FE7160

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 8eae537bd004cd72ab9c7286076d7a3a98ac60b0086659e601936d0d39f7ebb7
Instruction ID: 0d97edb778f61290666747a74f7e26dfb09b8c981c10c2a176ed3b280dea49f8
Opcode Fuzzy Hash: 8eae537bd004cd72ab9c7286076d7a3a98ac60b0086659e601936d0d39f7ebb7
Instruction Fuzzy Hash: 9C417775A01349EFDB20EF65E884EAABBB5FF48310F144028FA45AB350D731A914EF90

Function 00FE74BB Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00FE755E
CreateCompatibleDC.GDI32(00000000), ref: 00FE7565
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00FE7578
SelectObject.GDI32(00000000,00000000), ref: 00FE7580
GetPixel.GDI32(00000000,00000000,00000000), ref: 00FE758B
DeleteDC.GDI32(00000000), ref: 00FE7594
GetWindowLongW.USER32(?,000000EC), ref: 00FE759E
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00FE75B2
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00FE75BE

Strings

static, xrefs: 00FE74F6

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 1687e47156aa8189da4ecb5bc0807a6b1ca7bbca6049296da1ccf38759512fc3
Instruction ID: 7b94dc1f9990ec5faada50cc0e7b1cb7cebf3090683df9d3d8093ee7171e1e68
Opcode Fuzzy Hash: 1687e47156aa8189da4ecb5bc0807a6b1ca7bbca6049296da1ccf38759512fc3
Instruction Fuzzy Hash: 3D318D32504398BBDF21AF65DC48FEB3B69FF09720F150225FA15A60A0C735D815EBA4

Function 00F86E03 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F86E3E

Part of subcall function 00F88B28: __getptd_noexit.LIBCMT ref: 00F88B28

__gmtime64_s.LIBCMT ref: 00F86ED7
__gmtime64_s.LIBCMT ref: 00F86F0D
__gmtime64_s.LIBCMT ref: 00F86F2A
__allrem.LIBCMT ref: 00F86F80
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F86F9C
__allrem.LIBCMT ref: 00F86FB3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F86FD1
__allrem.LIBCMT ref: 00F86FE8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F87006
__invoke_watson.LIBCMT ref: 00F87077

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction ID: 74af2bf6a109c239e4efc38c091b390bfb2d473a7a9e3785347e71f93584c384
Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction Fuzzy Hash: 0A710776E00716ABEB14FF68DC41BDAB7A8AF04774F144229F514D7281E774ED40AB90

Function 00FC2527 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FC2542
GetMenuItemInfoW.USER32(01025890,000000FF,00000000,00000030), ref: 00FC25A3
SetMenuItemInfoW.USER32(01025890,00000004,00000000,00000030), ref: 00FC25D9
Sleep.KERNEL32(000001F4), ref: 00FC25EB
GetMenuItemCount.USER32(?), ref: 00FC262F
GetMenuItemID.USER32(?,00000000), ref: 00FC264B
GetMenuItemID.USER32(?,-00000001), ref: 00FC2675
GetMenuItemID.USER32(?,?), ref: 00FC26BA
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00FC2700
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FC2714
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FC2735

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 46f53e8397087937748cd55b3ae5f3072f013129e250bcabbe922a02cfb7416c
Instruction ID: 7a4538a7bd727fbcb355c227884079e81e159cb94e6573db370fab9964efde1a
Opcode Fuzzy Hash: 46f53e8397087937748cd55b3ae5f3072f013129e250bcabbe922a02cfb7416c
Instruction Fuzzy Hash: AA618F7190024AAFDB61CF64CE89FBE7BB8EB45314F14046DE841A7291D735AD09FB21

Function 00FE6F23 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00FE6FA5
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00FE6FA8
GetWindowLongW.USER32(?,000000F0), ref: 00FE6FCC
_memset.LIBCMT ref: 00FE6FDD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00FE6FEF
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00FE7067

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: c46176a1097d29382977b6e558b068def821a303f5d30ebf7e4a4957b8a495f6
Instruction ID: e3adc80e3f0c7d67ae5ccd408ff878924e45b24881bef8d38b7624ef89300e5f
Opcode Fuzzy Hash: c46176a1097d29382977b6e558b068def821a303f5d30ebf7e4a4957b8a495f6
Instruction Fuzzy Hash: 2C617A75900288AFDB21DFA4CC81EEE77B8EB08710F100159FA14EB2A1D775AE41EB90

Function 00FB6B98 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00FB6BBF
SafeArrayAllocData.OLEAUT32(?), ref: 00FB6C18
VariantInit.OLEAUT32(?), ref: 00FB6C2A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00FB6C4A
VariantCopy.OLEAUT32(?,?), ref: 00FB6C9D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00FB6CB1
VariantClear.OLEAUT32(?), ref: 00FB6CC6
SafeArrayDestroyData.OLEAUT32(?), ref: 00FB6CD3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00FB6CDC
VariantClear.OLEAUT32(?), ref: 00FB6CEE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00FB6CF9

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 6cf483c1a461ed34ae3039f6a715db8fb2b3a7d13ac7b3c2f39391cc8aa008d8
Instruction ID: 5fdee7ae0855bbbd0c6c6d2f0a32807b9a5f05c0a3790c5c2e44729620c20d29
Opcode Fuzzy Hash: 6cf483c1a461ed34ae3039f6a715db8fb2b3a7d13ac7b3c2f39391cc8aa008d8
Instruction Fuzzy Hash: 4D413071A001199FDB00DF65DC84DEEBBB9EF48351F008069E955EB2A1CB35A949DF90

Function 00FD5732 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00FD5793
inet_addr.WSOCK32(?,?,?), ref: 00FD57D8
gethostbyname.WSOCK32(?), ref: 00FD57E4
IcmpCreateFile.IPHLPAPI ref: 00FD57F2
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00FD5862
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00FD5878
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00FD58ED
WSACleanup.WSOCK32 ref: 00FD58F3

Strings

Ping, xrefs: 00FD5816

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: e44c82d57cfd1d7bc7ebed95d56ec93ca844351d24ffce13da52da91b50ba669
Instruction ID: 887d1113956eac7a51e386c9a8949915c9c8e0893b6a900505cd86b19dda28f1
Opcode Fuzzy Hash: e44c82d57cfd1d7bc7ebed95d56ec93ca844351d24ffce13da52da91b50ba669
Instruction Fuzzy Hash: 12518071A046009FDB20AF25DC85B2A7BE5EF44B20F08452AF956DB3A1DB74E904FB41

Function 00FCB4C3 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00FCB4D0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00FCB546
GetLastError.KERNEL32 ref: 00FCB550
SetErrorMode.KERNEL32(00000000,READY), ref: 00FCB5BD

Strings

READY, xrefs: 00FCB596
NOTREADY, xrefs: 00FCB57C
INVALID, xrefs: 00FCB58F
READONLY, xrefs: 00FCB588
UNKNOWN, xrefs: 00FCB575

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 57c6b28f380299a3b75082d6114f2435ba47de2c5c1d9882e060432d1399a197
Instruction ID: 0741fadcf972ec2abec3b1bf456d3b5e096fe44947f4e0c97fa4a7368f776ded
Opcode Fuzzy Hash: 57c6b28f380299a3b75082d6114f2435ba47de2c5c1d9882e060432d1399a197
Instruction Fuzzy Hash: 50319E39E0020A9FCB00EB68CD87FA977B4FF44314F18842EE501DB295DB799A06EB41

Function 00FB8F8F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F67DE1: _memmove.LIBCMT ref: 00F67E22

Part of subcall function 00FBAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00FBAABC

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00FB9014
GetDlgCtrlID.USER32 ref: 00FB901F
GetParent.USER32 ref: 00FB903B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00FB903E
GetDlgCtrlID.USER32(?), ref: 00FB9047
GetParent.USER32(?), ref: 00FB9063
SendMessageW.USER32(00000000,?,?,00000111), ref: 00FB9066

Strings

ComboBox, xrefs: 00FB8F9C
ListBox, xrefs: 00FB8FD1

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 97ee517fba25162f098d4e6dae0c64ef8a26441203cc2696dccfa37d0267a0d3
Instruction ID: 5fc3d9d5a187483f76015652b3b33995531b56dcb4d805e454fedf4f9bbc6c7a
Opcode Fuzzy Hash: 97ee517fba25162f098d4e6dae0c64ef8a26441203cc2696dccfa37d0267a0d3
Instruction Fuzzy Hash: 0E21F870A00148BBDF04ABA1CC85EFEBB78EF45310F104119F961972A1DB795819EF20

Function 00FB907A Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F67DE1: _memmove.LIBCMT ref: 00F67E22

Part of subcall function 00FBAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00FBAABC

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00FB90FD
GetDlgCtrlID.USER32 ref: 00FB9108
GetParent.USER32 ref: 00FB9124
SendMessageW.USER32(00000000,?,00000111,?), ref: 00FB9127
GetDlgCtrlID.USER32(?), ref: 00FB9130
GetParent.USER32(?), ref: 00FB914C
SendMessageW.USER32(00000000,?,?,00000111), ref: 00FB914F

Strings

ComboBox, xrefs: 00FB9087
ListBox, xrefs: 00FB90BC

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 5665ed77f1289f64a7a3b5a3cb06418ff2a67a530d472a4ab9d7ffc854df5e95
Instruction ID: 4d88a4f050ff097342e12896fe8c4eef10b87558685cf0beb0b185f31b9a4560
Opcode Fuzzy Hash: 5665ed77f1289f64a7a3b5a3cb06418ff2a67a530d472a4ab9d7ffc854df5e95
Instruction Fuzzy Hash: 1B21B675A40148BBDF01ABA5CC85EFEBB78EF44310F104019B951972A1DB795519FE20

Function 00FB9163 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00FB916F
GetClassNameW.USER32(00000000,?,00000100), ref: 00FB9184
_wcscmp.LIBCMT ref: 00FB9196
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00FB9211

Strings

largeicons, xrefs: 00FB91A5
smallicons, xrefs: 00FB91D9
details, xrefs: 00FB91BF
list, xrefs: 00FB91F3
SHELLDLL_DefView, xrefs: 00FB9190

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 16c1f47f654e506fd8113dc86f352c4c0c34e3bd3cc9818e498e233bf4f0b717
Instruction ID: 0a69a49f15df177203689ffbab8198b15073425c84a9c217e574d4a94e7a24d2
Opcode Fuzzy Hash: 16c1f47f654e506fd8113dc86f352c4c0c34e3bd3cc9818e498e233bf4f0b717
Instruction Fuzzy Hash: 67112C3BA8C307BAFA113626DC06DE7379D9B15730B200026FB00E80A5FEF569557E54

Function 00FD88AB Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00FD88D7
CoInitialize.OLE32(00000000), ref: 00FD8904
CoUninitialize.OLE32 ref: 00FD890E
GetRunningObjectTable.OLE32(00000000,?), ref: 00FD8A0E
SetErrorMode.KERNEL32(00000001,00000029), ref: 00FD8B3B
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00FF2C0C), ref: 00FD8B6F
CoGetObject.OLE32(?,00000000,00FF2C0C,?), ref: 00FD8B92
SetErrorMode.KERNEL32(00000000), ref: 00FD8BA5
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00FD8C25
VariantClear.OLEAUT32(?), ref: 00FD8C35

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 0b23b84c6f1e1ba253e9abe86c454c303b65309e7e0f7cc276ce934f40a450b9
Instruction ID: af8ed66a066c5274a27024a3f584ac2f9bc9bf186fa7694ffc20639e6e6dba7d
Opcode Fuzzy Hash: 0b23b84c6f1e1ba253e9abe86c454c303b65309e7e0f7cc276ce934f40a450b9
Instruction Fuzzy Hash: B5C125B1608305AFC700EF64C88492AB7EAFF89798F04491EF5899B351DB71ED06DB52

Function 00FC7990 Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00FC7A6C

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: 09523e8643dc748ece51db2d18aa33d2a78b8a0e58eff7cd7e4518e798a36fe4
Instruction ID: 6d4530701c9af1c8dc6743c0b6a5064b29d1eeca667289fcd6f097317bbd2905
Opcode Fuzzy Hash: 09523e8643dc748ece51db2d18aa33d2a78b8a0e58eff7cd7e4518e798a36fe4
Instruction Fuzzy Hash: 86B15E7190821B9FDB00EFA4C986FBEB7B4EF49321F244429E511E7291D738A945EF90

Function 00FC11CE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00FC11F0
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00FC0268,?,00000001), ref: 00FC1204
GetWindowThreadProcessId.USER32(00000000), ref: 00FC120B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00FC0268,?,00000001), ref: 00FC121A
GetWindowThreadProcessId.USER32(?,00000000), ref: 00FC122C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00FC0268,?,00000001), ref: 00FC1245
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00FC0268,?,00000001), ref: 00FC1257
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00FC0268,?,00000001), ref: 00FC129C
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00FC0268,?,00000001), ref: 00FC12B1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00FC0268,?,00000001), ref: 00FC12BC

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 2fb95611cc7bbff4461c3917516736574ad246072329be2842ce963848d4c470
Instruction ID: dc57428bf6626ec2fe733eeca367d28649edbf659b9e12e5c10a863a9cb65b35
Opcode Fuzzy Hash: 2fb95611cc7bbff4461c3917516736574ad246072329be2842ce963848d4c470
Instruction Fuzzy Hash: D131E179A00209FBDF309F50DE89FA937A9FB56321F208119FC01CA196D37A9D40AB50

Function 00F6FA5D Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00F6FAA6
OleUninitialize.OLE32(?,00000000), ref: 00F6FB45
UnregisterHotKey.USER32(?), ref: 00F6FC9C
DestroyWindow.USER32(?), ref: 00FA45D6
FreeLibrary.KERNEL32(?), ref: 00FA463B
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00FA4668

Strings

close all, xrefs: 00F6FAA1

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 84c1c87e8ebb90fa5317f61d2dfd7e031954c4e5d227670568d9732d846cb7a7
Instruction ID: 3845ac251ded4b41f5d689b7c4538658c2b1942e7e55bae0c00aac3d9295d540
Opcode Fuzzy Hash: 84c1c87e8ebb90fa5317f61d2dfd7e031954c4e5d227670568d9732d846cb7a7
Instruction Fuzzy Hash: D6A1AD71B01212CFCB28EF14C995B69F364BF46710F5442ADE80AAB261CB74ED1AEF50

Function 00FBA068 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00FBA439), ref: 00FBA377

Strings

CLASSNN, xrefs: 00FBA119
NAME, xrefs: 00FBA1A9
INSTANCE, xrefs: 00FBA285
TEXT, xrefs: 00FBA2AE
REGEXPCLASS, xrefs: 00FBA13C
CLASS, xrefs: 00FBA0F6

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 46170947069854272a0319015d636e7e9976cbaa11ba05168df9c52f6b52eec1
Instruction ID: e0687267744018f07a64bf6236b91557b5d19dbd2ca99ded00e178a4c9c81f4e
Opcode Fuzzy Hash: 46170947069854272a0319015d636e7e9976cbaa11ba05168df9c52f6b52eec1
Instruction Fuzzy Hash: E891B531A00606ABCB08EFA5C882BEEFBB5BF04310F548119D859A7251DF356999FF91

Function 00F62E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00F62EAE

Part of subcall function 00F61DB3: GetClientRect.USER32(?,?), ref: 00F61DDC
Part of subcall function 00F61DB3: GetWindowRect.USER32(?,?), ref: 00F61E1D
Part of subcall function 00F61DB3: ScreenToClient.USER32(?,?), ref: 00F61E45

GetDC.USER32 ref: 00F9CD32
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00F9CD45
SelectObject.GDI32(00000000,00000000), ref: 00F9CD53
SelectObject.GDI32(00000000,00000000), ref: 00F9CD68
ReleaseDC.USER32(?,00000000), ref: 00F9CD70
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00F9CDFB

Strings

U, xrefs: 00F9CCD0

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 39274a4bd5f3823f8d1a70f7d2d1c2af59480a4b1c0513226d12ae2c4812cdbb
Instruction ID: f742c348420d2c9bcd3d37f961f36589671247ba4ef4b412ded0a20365585e45
Opcode Fuzzy Hash: 39274a4bd5f3823f8d1a70f7d2d1c2af59480a4b1c0513226d12ae2c4812cdbb
Instruction Fuzzy Hash: 3D71D231900209DFDF219F64CC80AEA7BB5FF59360F14427AED659A2A6C7318C41FBA0

Function 00FD1A15 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00FD1A50
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00FD1A7C
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00FD1ABE
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00FD1AD3
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00FD1AE0
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00FD1B10
InternetCloseHandle.WININET(00000000), ref: 00FD1B57

Part of subcall function 00FD2483: GetLastError.KERNEL32(?,?,00FD1817,00000000,00000000,00000001), ref: 00FD2498
Part of subcall function 00FD2483: SetEvent.KERNEL32(?,?,00FD1817,00000000,00000000,00000001), ref: 00FD24AD

Strings

, xrefs: 00FD1B01

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: 7201dec2eed9d50b1a6faa182e518df11c34160dd5f394665714dbdbd0201397
Instruction ID: e723d13e4c35e6d760e93bb361b5e77c403fb82b601754c635f4893798a8af70
Opcode Fuzzy Hash: 7201dec2eed9d50b1a6faa182e518df11c34160dd5f394665714dbdbd0201397
Instruction Fuzzy Hash: DE4171B1901219BFEB119F50CC85FBA7BADFF48354F084127F9059A251E7749E44ABA0

Function 00FD8C46 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00FEF910), ref: 00FD8D28
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00FEF910), ref: 00FD8D5C
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00FD8ED6
SysFreeString.OLEAUT32(?), ref: 00FD8F00

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 129971261c8709aaa18e4129c32466dd87ddc8d1c5df6c16e67214badd24fc4e
Instruction ID: 5e668272e2980e4daf2bb5aba616c4ff30c72cda2c3bf5ef7876ad63195910be
Opcode Fuzzy Hash: 129971261c8709aaa18e4129c32466dd87ddc8d1c5df6c16e67214badd24fc4e
Instruction Fuzzy Hash: FBF14A71A00209EFCB04DFA4C888EAEB7BAFF48354F148559F505AB251DB71AE46EF50

Function 00FDF694 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FDF6B5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00FDF848
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00FDF86C
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00FDF8AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00FDF8CE
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00FDFA4A
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00FDFA7C
CloseHandle.KERNEL32(?), ref: 00FDFAAB
CloseHandle.KERNEL32(?), ref: 00FDFB22

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: e0659c1d29aab968e602457427d269a4020b4484c0c3e323eb43773af65c291f
Instruction ID: e91568690412fdd74a5549932289fe8da8b97ba8a0db0283630234fb26b7a003
Opcode Fuzzy Hash: e0659c1d29aab968e602457427d269a4020b4484c0c3e323eb43773af65c291f
Instruction Fuzzy Hash: 9FE1A1316042419FC714EF24C891F6ABBE5EF85354F18856EF89A8B3A1CB34DC49EB52

Function 00FC4CC1 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00FC3697,?), ref: 00FC468B

Part of subcall function 00FC466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00FC3697,?), ref: 00FC46A4

Part of subcall function 00FC4A31: GetFileAttributesW.KERNEL32(?,00FC370B), ref: 00FC4A32

lstrcmpiW.KERNEL32(?,?), ref: 00FC4D40
_wcscmp.LIBCMT ref: 00FC4D5A
MoveFileW.KERNEL32(?,?), ref: 00FC4D75

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 9de2e8b479f3f7664c8f3ca4a9bdd92a3783bd2d669c9ac3b5d7fcda36606104
Instruction ID: 62a98a71590b14f2639e9770d6369db56738c541a1090cecb0094bd74f182659
Opcode Fuzzy Hash: 9de2e8b479f3f7664c8f3ca4a9bdd92a3783bd2d669c9ac3b5d7fcda36606104
Instruction Fuzzy Hash: C35132B25083859BC764EB60DD92EDBB3ECAF84750F00092EB589D3151EE34B688DB56

Function 00FE8645 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00FE86FF

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: c7c53cf4273f7ab3d75f85d1e521f2814256a5ba57abb806684ca8c88ef284ea
Instruction ID: 7080220857ef8ee4b09294efde66f97bc9826e94ab21c19e227411070f9e2b70
Opcode Fuzzy Hash: c7c53cf4273f7ab3d75f85d1e521f2814256a5ba57abb806684ca8c88ef284ea
Instruction Fuzzy Hash: FC5196319002C4BFEB20AB26CC85F9D7B65BB053A0F604215F959EA1E1CF75AE81FB50

Function 00F62B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00F9C2F7
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00F9C319
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00F9C331
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00F9C34F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00F9C370
DestroyIcon.USER32(00000000), ref: 00F9C37F
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00F9C39C
DestroyIcon.USER32(?), ref: 00F9C3AB

Part of subcall function 00FEA4AF: DeleteObject.GDI32(00000000), ref: 00FEA4E8

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 6711366eafef1305b35e61676cc146d6135092d0b7f05853d1a065c33be2608f
Instruction ID: b4cdc946d1061f544ee11cd27f4f0bb5a55fd2dbd78f5beec7344f74a12607af
Opcode Fuzzy Hash: 6711366eafef1305b35e61676cc146d6135092d0b7f05853d1a065c33be2608f
Instruction Fuzzy Hash: 57516D71A00609AFEF24DF64CC45FAA37B5FB54320F104528F946A7290DBB5AD50EB90

Function 00FB966E Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FBA82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00FBA84C
Part of subcall function 00FBA82C: GetCurrentThreadId.KERNEL32 ref: 00FBA853
Part of subcall function 00FBA82C: AttachThreadInput.USER32(00000000,?,00FB9683,?,00000001), ref: 00FBA85A

MapVirtualKeyW.USER32(00000025,00000000), ref: 00FB968E
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00FB96AB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00FB96AE
MapVirtualKeyW.USER32(00000025,00000000), ref: 00FB96B7
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00FB96D5
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00FB96D8
MapVirtualKeyW.USER32(00000025,00000000), ref: 00FB96E1
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00FB96F8
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00FB96FB

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 3dde571e1be60607c33548f170786504b55b7c3953ff6ac0532194300c8f9e7f
Instruction ID: 0a3b1ead2f87e1f81772223fa4e8b53b78509c2028d3b23c7742b8a546c7a352
Opcode Fuzzy Hash: 3dde571e1be60607c33548f170786504b55b7c3953ff6ac0532194300c8f9e7f
Instruction Fuzzy Hash: 7511CEB191061CBFF6106B619C89FAA3F2DEB4C750F100425F244AB0E1C9F25C10AAA4

Function 00FB8921 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00FB853C,00000B00,?,?), ref: 00FB892A
HeapAlloc.KERNEL32(00000000,?,00FB853C,00000B00,?,?), ref: 00FB8931
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00FB853C,00000B00,?,?), ref: 00FB8946
GetCurrentProcess.KERNEL32(?,00000000,?,00FB853C,00000B00,?,?), ref: 00FB894E
DuplicateHandle.KERNEL32(00000000,?,00FB853C,00000B00,?,?), ref: 00FB8951
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00FB853C,00000B00,?,?), ref: 00FB8961
GetCurrentProcess.KERNEL32(00FB853C,00000000,?,00FB853C,00000B00,?,?), ref: 00FB8969
DuplicateHandle.KERNEL32(00000000,?,00FB853C,00000B00,?,?), ref: 00FB896C
CreateThread.KERNEL32(00000000,00000000,00FB8992,00000000,00000000,00000000), ref: 00FB8986

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 52c2155d8510cf34d8098dd0c2a25c8509c9f7a4a22eea72cfc0f308231978f8
Instruction ID: b02a172475b03c1c4af278a01374a468e998d2fdf333848646707d1b83206c45
Opcode Fuzzy Hash: 52c2155d8510cf34d8098dd0c2a25c8509c9f7a4a22eea72cfc0f308231978f8
Instruction Fuzzy Hash: 6E01A8B524034CFFE610ABA5DC89F6B3BACEB89711F418421FA05DF1A1CA749804DA21

Function 00FD9B23 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00FD9B7B
NULL Pointer assignment, xrefs: 00FD9BA4, 00FD9EC8

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 792c8ff5a0ca5c2bbd076dc68deddec1e8ac75536400e1393d2b19e42439c2ed
Instruction ID: 4f0a643431b61bc41bf177bddd4a26b97871b6919e609739021946706c98cc18
Opcode Fuzzy Hash: 792c8ff5a0ca5c2bbd076dc68deddec1e8ac75536400e1393d2b19e42439c2ed
Instruction Fuzzy Hash: E7C19571E0421A9BDF10DF98D884BAEB7F6FB48314F18846AE905A7380E7B09D45DB60

Function 00FD9113 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FD9167
VariantInit.OLEAUT32(?), ref: 00FD9238
VariantInit.OLEAUT32(?), ref: 00FD9339
VariantClear.OLEAUT32(?), ref: 00FD9343
VariantClear.OLEAUT32(?), ref: 00FD93A0

Strings

Null Object assignment in FOR..IN loop, xrefs: 00FD91C8, 00FD92F6, 00FD93AE
Incorrect Object type in FOR..IN loop, xrefs: 00FD931C

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: 42a331975c392d98fc3626a53b1dfa3ea6280c2738bb7d05592c2510d5593c8a
Instruction ID: 319e639886050f2fb13e3ed17f2838211771af40b95bafbc48cd0d7e5b75d85d
Opcode Fuzzy Hash: 42a331975c392d98fc3626a53b1dfa3ea6280c2738bb7d05592c2510d5593c8a
Instruction Fuzzy Hash: A7919C71E04219ABDF24DFE5CC48FAEBBB9EF45720F14811AF515AB280D7B09905DBA0

Function 00FD975D Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00FB710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00FB7044,80070057,?,?,?,00FB7455), ref: 00FB7127
Part of subcall function 00FB710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00FB7044,80070057,?,?), ref: 00FB7142
Part of subcall function 00FB710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00FB7044,80070057,?,?), ref: 00FB7150
Part of subcall function 00FB710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00FB7044,80070057,?), ref: 00FB7160

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00FD9806
_memset.LIBCMT ref: 00FD9813
_memset.LIBCMT ref: 00FD9956
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00FD9982
CoTaskMemFree.OLE32(?), ref: 00FD998D

Strings

NULL Pointer assignment, xrefs: 00FD99DB

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 4f0bfe8e8f582ddc0c0e8332629e1e3dd42debe9d470651675bddba111b75083
Instruction ID: edaa451d27e05e1d7f2c1c19c913be80659ee3248a2f5ae57a5d03433228b4b6
Opcode Fuzzy Hash: 4f0bfe8e8f582ddc0c0e8332629e1e3dd42debe9d470651675bddba111b75083
Instruction Fuzzy Hash: 69914971D00229EBDB10DFA5DC81EDEBBB9EF08710F20415AF419A7281DB759A44EFA1

Function 00FE6D80 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00FE6E24
SendMessageW.USER32(?,00001036,00000000,?), ref: 00FE6E38
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00FE6E52
_wcscat.LIBCMT ref: 00FE6EAD
SendMessageW.USER32(?,00001057,00000000,?), ref: 00FE6EC4
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00FE6EF2

Strings

SysListView32, xrefs: 00FE6DF6

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 8ca7a4ce5d2b7293a9564ce0f103d9e32dd2d56fd6c1623a6696222961e88808
Instruction ID: 69122a4550c9ad330ef480ec4119fd6576d8a5572ac8ac4c136356cc72a29632
Opcode Fuzzy Hash: 8ca7a4ce5d2b7293a9564ce0f103d9e32dd2d56fd6c1623a6696222961e88808
Instruction Fuzzy Hash: 1341B271A0038CABDB21DF65CC85BEE77E8EF183A0F10042AF584E7191D6759D849B64

Function 00FDE933 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00FC3C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00FC3C7A
Part of subcall function 00FC3C55: Process32FirstW.KERNEL32(00000000,?), ref: 00FC3C88
Part of subcall function 00FC3C55: CloseHandle.KERNEL32(00000000), ref: 00FC3D52

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00FDE9A4
GetLastError.KERNEL32 ref: 00FDE9B7
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00FDE9E6
TerminateProcess.KERNEL32(00000000,00000000), ref: 00FDEA63
GetLastError.KERNEL32(00000000), ref: 00FDEA6E
CloseHandle.KERNEL32(00000000), ref: 00FDEAA3

Strings

SeDebugPrivilege, xrefs: 00FDE9C2

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: a002f3f0cd0a614e15d54ef76d020444887311eb3c6a125ceb24788ec9ee7700
Instruction ID: b4a35a5fc02975ad6ad56030b3feac844a80c7cab18810936fcf9d47879eed9a
Opcode Fuzzy Hash: a002f3f0cd0a614e15d54ef76d020444887311eb3c6a125ceb24788ec9ee7700
Instruction Fuzzy Hash: 8441AD716042059FDB24EF24CC95F6DB7A6AF40314F188419F9069F3D2CBB8AC08EB92

Function 00FC2F94 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00FC3033

Strings

blank, xrefs: 00FC2FB5
question, xrefs: 00FC2FEC
stop, xrefs: 00FC3004
info, xrefs: 00FC2FD4
warning, xrefs: 00FC301C

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 82d3cde7c21038e92ef790ae340801b7f437d410e753cdd8552dcd4822af0eed
Instruction ID: 4c556bb9eb9780f1762a2ae404d095f88530d9d77ee06e94acaafa21b653dd64
Opcode Fuzzy Hash: 82d3cde7c21038e92ef790ae340801b7f437d410e753cdd8552dcd4822af0eed
Instruction Fuzzy Hash: A8112E33B88347BED7149A55DC83EAB779CDF153B4B10806EF9006A181DB746F4076A4

Function 00FC42F8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00FC4312
LoadStringW.USER32(00000000), ref: 00FC4319
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00FC432F
LoadStringW.USER32(00000000), ref: 00FC4336
_wprintf.LIBCMT ref: 00FC435C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00FC437A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00FC4357

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 1ffd3f672f08f74b1a753d134eacaf0a5801acfd14207fe1115c84f878ee4fce
Instruction ID: f1e4a3fd2462e29c2eaf557275ec941799da8ebf64817647562ab129ba2784b6
Opcode Fuzzy Hash: 1ffd3f672f08f74b1a753d134eacaf0a5801acfd14207fe1115c84f878ee4fce
Instruction Fuzzy Hash: AC0167F290024CBFE711AB90DD89FE6776CD708700F4045A6BB45E6011E6755F895B70

Function 00FED43E Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F62612: GetWindowLongW.USER32(?,000000EB), ref: 00F62623

GetSystemMetrics.USER32(0000000F), ref: 00FED47C
GetSystemMetrics.USER32(0000000F), ref: 00FED49C
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00FED6D7
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00FED6F5
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00FED716
ShowWindow.USER32(00000003,00000000), ref: 00FED735
InvalidateRect.USER32(?,00000000,00000001), ref: 00FED75A
DefDlgProcW.USER32(?,00000005,?,?), ref: 00FED77D

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 7aeece943b5a74e481abaf9641d7f3becfa5205f26d0abec3dda599fb0d25e76
Instruction ID: 90064af77578a12d9198cecb82ce532bd7eb06c81acac51b862e424dfff381aa
Opcode Fuzzy Hash: 7aeece943b5a74e481abaf9641d7f3becfa5205f26d0abec3dda599fb0d25e76
Instruction Fuzzy Hash: 51B1BA35A00269EFDF14CF6AC9C57AD7BB1BF04710F088069EC48AF695D774A950EB90

Function 00F62A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00F9C1C7,00000004,00000000,00000000,00000000), ref: 00F62ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00F9C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00F62B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00F9C1C7,00000004,00000000,00000000,00000000), ref: 00F9C21A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00F9C1C7,00000004,00000000,00000000,00000000), ref: 00F9C286

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: bdb2a9a515198fcf3f8956619ec2d9fdba86ae85aac94fbe32f57d0631c35d45
Instruction ID: 5b8b1c2fc4f1dd986b6950130efdba2f380f0d5eab0f5baa81508753954eaeac
Opcode Fuzzy Hash: bdb2a9a515198fcf3f8956619ec2d9fdba86ae85aac94fbe32f57d0631c35d45
Instruction Fuzzy Hash: FC412A31E08FC09BDBB59B68DCCCB7B7B92AB85320F14891DE08786561C6B9A845F750

Function 00FC70C6 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00FC70DD

Part of subcall function 00F80DB6: std::exception::exception.LIBCMT ref: 00F80DEC
Part of subcall function 00F80DB6: __CxxThrowException@8.LIBCMT ref: 00F80E01

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00FC7114
EnterCriticalSection.KERNEL32(?), ref: 00FC7130
_memmove.LIBCMT ref: 00FC717E
_memmove.LIBCMT ref: 00FC719B
LeaveCriticalSection.KERNEL32(?), ref: 00FC71AA
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00FC71BF
InterlockedExchange.KERNEL32(?,000001F6), ref: 00FC71DE

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: b03d3f4a9f4938275966b3e60a91b4f2cf723c34ce1da08672fa441dc24ce74c
Instruction ID: 0fe295a43a033ed71d15238acd8e18c69c99b1cdff1b33341077d1b0bf7551f3
Opcode Fuzzy Hash: b03d3f4a9f4938275966b3e60a91b4f2cf723c34ce1da08672fa441dc24ce74c
Instruction Fuzzy Hash: CB315E32900205EBDB50EFA4DD85EABB7B8EF45710F1481A9F9049B256DB349A14EB60

Function 00FE61D3 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00FE61EB
GetDC.USER32(00000000), ref: 00FE61F3
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00FE61FE
ReleaseDC.USER32(00000000,00000000), ref: 00FE620A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00FE6246
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00FE6257
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00FE902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00FE6291
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00FE62B1

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 5d5856676a2817a2e66859848f3a85e2de2c7e4e05ef0779d3e4a50b473070aa
Instruction ID: 5e3c823a8677593a8033204d4bee2b898d92cd0fd69d3b64ac1107025269bc3c
Opcode Fuzzy Hash: 5d5856676a2817a2e66859848f3a85e2de2c7e4e05ef0779d3e4a50b473070aa
Instruction Fuzzy Hash: 2B316B72201258BFEF118F51CC8AFEA3BA9EF59765F044065FE08DE2A1C6759841DB60

Function 00FBBBAF Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00FBBBC4
_memcmp.LIBCMT ref: 00FBBBE6
_memcmp.LIBCMT ref: 00FBBBFE
_memcmp.LIBCMT ref: 00FBBC11
_memcmp.LIBCMT ref: 00FBBC2B
_memcmp.LIBCMT ref: 00FBBC3E
_memcmp.LIBCMT ref: 00FBBC56
_memcmp.LIBCMT ref: 00FBBC71

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 80acb14944081705a3e4ab242875e548b610543b93063e2b4dc524dab64a32a1
Instruction ID: 3f6096ccb6ffb795440c450837b7c0697e58b3e1943350d2718f44d2c66c1d70
Opcode Fuzzy Hash: 80acb14944081705a3e4ab242875e548b610543b93063e2b4dc524dab64a32a1
Instruction Fuzzy Hash: FA21AAB27016097BE605F7129D42FFF775DAE51368F044010FE0456747EB98DE11BAA1

Function 00FCEB23 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00F69837: __itow.LIBCMT ref: 00F69862
Part of subcall function 00F69837: __swprintf.LIBCMT ref: 00F698AC

Part of subcall function 00F7FC86: _wcscpy.LIBCMT ref: 00F7FCA9

_wcstok.LIBCMT ref: 00FCEC94
_wcscpy.LIBCMT ref: 00FCED23
_memset.LIBCMT ref: 00FCED56

Strings

X, xrefs: 00FCED93

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 38c0329c9fc5d78acf237b75add875515173ab819a49bc53a46ee4d0e04c90e1
Instruction ID: 1380d6bbc215c1cbf656da6beb73b3373a0e9c5b7ff749278534839238cceaea
Opcode Fuzzy Hash: 38c0329c9fc5d78acf237b75add875515173ab819a49bc53a46ee4d0e04c90e1
Instruction Fuzzy Hash: 91C18F315083419FC754EF24C982E5AB7E4FF85314F00492DF8999B2A2DB74ED49EB42

Function 00FD6B03 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00FD6C00
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00FD6C21
WSAGetLastError.WSOCK32(00000000), ref: 00FD6C34
htons.WSOCK32(?,?,?,00000000,?), ref: 00FD6CEA
inet_ntoa.WSOCK32(?), ref: 00FD6CA7

Part of subcall function 00FBA7E9: _strlen.LIBCMT ref: 00FBA7F3
Part of subcall function 00FBA7E9: _memmove.LIBCMT ref: 00FBA815

_strlen.LIBCMT ref: 00FD6D44
_memmove.LIBCMT ref: 00FD6DAD

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: f7f1a07ef94b2b7c985f1fb01ec11b8d172461895cda39ceebe9a5514a75a71c
Instruction ID: 0fd7c62477e0e44f3c5b06965954f5df08bd72a905eba56139fec1210a58e5cb
Opcode Fuzzy Hash: f7f1a07ef94b2b7c985f1fb01ec11b8d172461895cda39ceebe9a5514a75a71c
Instruction Fuzzy Hash: 4C810272608300ABC710EB24DC82F6EB7AAEF94724F144A1EF545DB292DA74ED05EB51

Function 00F61424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c80ad53f78e5a48db0d795e3b6eb54ebd6a9af8c0c4fccd1b38d5c21756d2105
Instruction ID: 5d6bbc12e7a9f77aaf6c0c67b29671e169be3cb5776ded7d47de7d288c226064
Opcode Fuzzy Hash: c80ad53f78e5a48db0d795e3b6eb54ebd6a9af8c0c4fccd1b38d5c21756d2105
Instruction Fuzzy Hash: 8E715F31900109EFDF14CF98CC85ABEBB75FF86324F288259F915AB251C734AA51EB61

Function 00FEB351 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00A26198), ref: 00FEB3EB
IsWindowEnabled.USER32(00A26198), ref: 00FEB3F7
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00FEB4DB
SendMessageW.USER32(00A26198,000000B0,?,?), ref: 00FEB512
IsDlgButtonChecked.USER32(?,?), ref: 00FEB54F
GetWindowLongW.USER32(00A26198,000000EC), ref: 00FEB571
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00FEB589

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 231c3d73edd342813bad79a5df4a1ec8f1db13d7869cdcf0ee7acb62ef85c284
Instruction ID: c24e3a89b4edb67135dea7bb55d0200694b4e253bd102d6e49781f0e3056570e
Opcode Fuzzy Hash: 231c3d73edd342813bad79a5df4a1ec8f1db13d7869cdcf0ee7acb62ef85c284
Instruction Fuzzy Hash: 2D718D34A00284AFDB21DF56CCD5FBB7BA9FF09320F144059E986972A2C776AD40EB50

Function 00FDF41E Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FDF448
_memset.LIBCMT ref: 00FDF511
ShellExecuteExW.SHELL32(?), ref: 00FDF556

Part of subcall function 00F69837: __itow.LIBCMT ref: 00F69862
Part of subcall function 00F69837: __swprintf.LIBCMT ref: 00F698AC

Part of subcall function 00F7FC86: _wcscpy.LIBCMT ref: 00F7FCA9

GetProcessId.KERNEL32(00000000), ref: 00FDF5CD
CloseHandle.KERNEL32(00000000), ref: 00FDF5FC

Strings

@, xrefs: 00FDF525

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 3be5f63f677ea42ab585a04678283312ba391766f4e63b028d95e0db0981e80e
Instruction ID: fa7a4ed70737ab200cd385beb80503f66d40054658c6865b6767935d5b13607e
Opcode Fuzzy Hash: 3be5f63f677ea42ab585a04678283312ba391766f4e63b028d95e0db0981e80e
Instruction Fuzzy Hash: B361C375A00619DFCB14EFA4C8819AEB7F5FF49310F18806AE856AB351CB34AD45EF80

Function 00FC0F4D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00FC0F8C
GetKeyboardState.USER32(?), ref: 00FC0FA1
SetKeyboardState.USER32(?), ref: 00FC1002
PostMessageW.USER32(?,00000101,00000010,?), ref: 00FC1030
PostMessageW.USER32(?,00000101,00000011,?), ref: 00FC104F
PostMessageW.USER32(?,00000101,00000012,?), ref: 00FC1095
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00FC10B8

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: d917f40d2c8bf23fec78f496e10be2c46265467785e53a538e9fab61d661eb73
Instruction ID: a766cc5db20dcaf20d046fed444245f5315c46512ccbbe456f333262b415abc3
Opcode Fuzzy Hash: d917f40d2c8bf23fec78f496e10be2c46265467785e53a538e9fab61d661eb73
Instruction Fuzzy Hash: 9F5102A0A447D67DFB3642348D16FBABEA96B07310F08858DE1D4858C3C798DCE9E750

Function 00FC0D66 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00FC0DA5
GetKeyboardState.USER32(?), ref: 00FC0DBA
SetKeyboardState.USER32(?), ref: 00FC0E1B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00FC0E47
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00FC0E64
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00FC0EA8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00FC0EC9

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 6e4cd8529b3cc7b6864c5ec431db11153f039da79cec9a7f56e76fb27044c3ad
Instruction ID: 93a2b2c18bf5a8f311d1d194138a627c56811f7f5079d47e9b1aa653072fd361
Opcode Fuzzy Hash: 6e4cd8529b3cc7b6864c5ec431db11153f039da79cec9a7f56e76fb27044c3ad
Instruction Fuzzy Hash: C95117A09447D7BDFB3243748D56FBA7E996B06310F08888CE1D54A4C3CB95AC99F760

Function 00FC55FD Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00FC560A
_wcsncpy.LIBCMT ref: 00FC563F
_wcsncpy.LIBCMT ref: 00FC5671
_wcsncpy.LIBCMT ref: 00FC56A4
_wcsncpy.LIBCMT ref: 00FC56E6
_wcsncpy.LIBCMT ref: 00FC5720
_wcsncpy.LIBCMT ref: 00FC574F

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 6bfd51e04f6b9d914ca41130135a6b3a244ff50249f3f0f489ac2d3b6b3e318e
Instruction ID: 04fa87f59d24ddf0238e3249424bc3ee0a8d640fe6f343c1375af32e0ef8cf02
Opcode Fuzzy Hash: 6bfd51e04f6b9d914ca41130135a6b3a244ff50249f3f0f489ac2d3b6b3e318e
Instruction Fuzzy Hash: C841A375C1161976CB11FBB48C86ACFB3B89F04710F508956E909E3221EB38B785E7A6

Function 00F62344 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00F62357
ScreenToClient.USER32(010257B0,?), ref: 00F62374
GetAsyncKeyState.USER32(00000001), ref: 00F62399
GetAsyncKeyState.USER32(00000002), ref: 00F623A7

Strings

-es, xrefs: 00F9BFF9

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID: -es
API String ID: 4210589936-508736453
Opcode ID: c8ce6eb02ed54f4ac48fa12040a095d7123f5c2525830a7139c1d234bb66c1f7
Instruction ID: 57d9ebb8aacaa69f244e7debb6ae1e1c0f1ccdb62d1c1b4a497d6b7500ecb2c1
Opcode Fuzzy Hash: c8ce6eb02ed54f4ac48fa12040a095d7123f5c2525830a7139c1d234bb66c1f7
Instruction Fuzzy Hash: F9418E35A04609FBDF258F68CC45AEDBB74BB05370F20435AF828962A0CB349954EF91

Function 00FC3671 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00FC3697,?), ref: 00FC468B

Part of subcall function 00FC466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00FC3697,?), ref: 00FC46A4

lstrcmpiW.KERNEL32(?,?), ref: 00FC36B7
_wcscmp.LIBCMT ref: 00FC36D3
MoveFileW.KERNEL32(?,?), ref: 00FC36EB
_wcscat.LIBCMT ref: 00FC3733
SHFileOperationW.SHELL32(?), ref: 00FC379F

Strings

\*.*, xrefs: 00FC372D

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: 88f9b541a5d264d3121c250b003b9c1a01403072dbe191d680a4f52ad8f1e883
Instruction ID: 2f2981383f5a67c22a89aa541e9ef21ea77bc55ad087895485638f3b95875c31
Opcode Fuzzy Hash: 88f9b541a5d264d3121c250b003b9c1a01403072dbe191d680a4f52ad8f1e883
Instruction Fuzzy Hash: 874182B1508345AEC751EF64C952FDFB7E8AF88390F00482EB499C7251EA38D689E752

Function 00FE7291 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FE72AA
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FE7351
IsMenu.USER32(?), ref: 00FE7369
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00FE73B1
DrawMenuBar.USER32 ref: 00FE73C4

Strings

0, xrefs: 00FE729E

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: b5f68f6d4eb7393615f19bdf0ff9cb3c58974d55cd0650e3b72484a1547d4a0f
Instruction ID: cf82c2b98dc90867e9a4db2a77f443e8af34b5fff4e2859e641ddcf97e68463a
Opcode Fuzzy Hash: b5f68f6d4eb7393615f19bdf0ff9cb3c58974d55cd0650e3b72484a1547d4a0f
Instruction Fuzzy Hash: EE413975A04389EFDB20EF51D884AAABBF4FB04320F14842AFD45AB250D771AD54EF61

Function 00FE0FA5 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00FE0FD4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00FE0FFE
FreeLibrary.KERNEL32(00000000), ref: 00FE10B5

Part of subcall function 00FE0FA5: RegCloseKey.ADVAPI32(?), ref: 00FE101B
Part of subcall function 00FE0FA5: FreeLibrary.KERNEL32(?), ref: 00FE106D
Part of subcall function 00FE0FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00FE1090

RegDeleteKeyW.ADVAPI32(?,?), ref: 00FE1058

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: cf4f0fd7ca6297fb9a09815ece4c7d47ee89c0d3eeac7039a812f3b2319223c5
Instruction ID: d93a997db372f83c611f0b456c5d5b8e95461194c7839e013da7a17c3250226c
Opcode Fuzzy Hash: cf4f0fd7ca6297fb9a09815ece4c7d47ee89c0d3eeac7039a812f3b2319223c5
Instruction Fuzzy Hash: CA31EE71D01149BFDB259F91DC89EFFB7BCEF08310F00016AE616A6151DA745E89AAA0

Function 00FE62CD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00FE62EC
GetWindowLongW.USER32(00A26198,000000F0), ref: 00FE631F
GetWindowLongW.USER32(00A26198,000000F0), ref: 00FE6354
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00FE6386
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00FE63B0
GetWindowLongW.USER32(00000000,000000F0), ref: 00FE63C1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00FE63DB

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 9d449162d25c3612f776c2a3bfb2dd0337518c3e7bd6e4e7f0e00d072bc3b58b
Instruction ID: 9ac514559b6d739968f6a6c9be154723fe58523e589a28f9c8893bd8a386f73e
Opcode Fuzzy Hash: 9d449162d25c3612f776c2a3bfb2dd0337518c3e7bd6e4e7f0e00d072bc3b58b
Instruction Fuzzy Hash: B5310731A402989FDB30CF1ADC84F5937E1FB59764F2901A4F951DF2B2CBB2A844AB51

Function 00FBDAEB Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FBDB2E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FBDB54
SysAllocString.OLEAUT32(00000000), ref: 00FBDB57
SysAllocString.OLEAUT32(?), ref: 00FBDB75
SysFreeString.OLEAUT32(?), ref: 00FBDB7E
StringFromGUID2.OLE32(?,?,00000028), ref: 00FBDBA3
SysAllocString.OLEAUT32(?), ref: 00FBDBB1

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 9634495920697e5123fe67512ca4590cc3b4332621669254863ed55894632844
Instruction ID: 0f5d97be0bec2203b542640d95b38ba567b0a09b8a63bf1ee5b7df7d12473a3f
Opcode Fuzzy Hash: 9634495920697e5123fe67512ca4590cc3b4332621669254863ed55894632844
Instruction Fuzzy Hash: 3821B536601219AFDF10DFA9DC84DFB73ACFB48360B018125F914DB290E7709D45AB61

Function 00FD6173 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00FD7D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00FD7DB6

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00FD61C6
WSAGetLastError.WSOCK32(00000000), ref: 00FD61D5
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00FD620E
connect.WSOCK32(00000000,?,00000010), ref: 00FD6217
WSAGetLastError.WSOCK32 ref: 00FD6221
closesocket.WSOCK32(00000000), ref: 00FD624A
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00FD6263

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: b131f2051952fcc2e874b1ac3aaf92afaae7d5d715271e11e84462e3fa4e1349
Instruction ID: a9ec85d82138411d90334a3bd49fb3a9685502e65b4b56e7273acd39dc8e5de1
Opcode Fuzzy Hash: b131f2051952fcc2e874b1ac3aaf92afaae7d5d715271e11e84462e3fa4e1349
Instruction Fuzzy Hash: 4C318471600118ABEF10AF64CC85BBD77AEEB45765F08402AFD05DB291DB74AD08ABA1

Function 00FBF65E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00FBF671
__wcsnicmp.LIBCMT ref: 00FBF692
__wcsnicmp.LIBCMT ref: 00FBF6AC

Strings

#OnAutoItStartRegister, xrefs: 00FBF6A6
#requireadmin, xrefs: 00FBF68C
#notrayicon, xrefs: 00FBF669

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 5d83b7902a83e54bdeecb94cdbbbdba4f79b0a87656544069b38a897294cfcdc
Instruction ID: 2d91a4aaa1130ecbf85fbca108037f63f5cc6f36ccca9e28dcaa35ab8987eed2
Opcode Fuzzy Hash: 5d83b7902a83e54bdeecb94cdbbbdba4f79b0a87656544069b38a897294cfcdc
Instruction Fuzzy Hash: 3B21987260411166C320FA36AC02FFB73D9EF55320F20403AF946C60A1EF549E4AF795

Function 00FBDBC4 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FBDC09
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FBDC2F
SysAllocString.OLEAUT32(00000000), ref: 00FBDC32
SysAllocString.OLEAUT32 ref: 00FBDC53
SysFreeString.OLEAUT32 ref: 00FBDC5C
StringFromGUID2.OLE32(?,?,00000028), ref: 00FBDC76
SysAllocString.OLEAUT32(?), ref: 00FBDC84

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 4411edc6e95a56760184b0975bcf57794d7d3bd6049eb95373c649c764a138dd
Instruction ID: 2264402a8520adc09f094d29a5dbfe141840ce8c99677b786132e864b41e280c
Opcode Fuzzy Hash: 4411edc6e95a56760184b0975bcf57794d7d3bd6049eb95373c649c764a138dd
Instruction Fuzzy Hash: BD218876604109AFDB10DFA9DC88DFB77ECEB08360B108125F914CB2A1EA74DD45EB65

Function 00FEB14B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00F62612: GetWindowLongW.USER32(?,000000EB), ref: 00F62623

GetWindowLongW.USER32(?,000000F0), ref: 00FEB192
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00FEB1B7
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00FEB1CF
GetSystemMetrics.USER32(00000004), ref: 00FEB1F8
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00FD0E90,00000000), ref: 00FEB216

Strings

0000006689857cffffffb97400000066898d7effffffba2e00000066895580b85300000066894582b96800000066894d84ba6500000066895586b86c0000006689, xrefs: 00FEB19B, 00FEB1E3

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID: 0000006689857cffffffb97400000066898d7effffffba2e00000066895580b85300000066894582b96800000066894d84ba6500000066895586b86c0000006689
API String ID: 2294984445-365026190
Opcode ID: f232b152d19e4a42969a1ffc3f0e844cc445ccdfb735c46e116f4c15ee122a9f
Instruction ID: 88e382391f245de844264d06bebd2936bc260baa43d2e2861a4129bf648f0733
Opcode Fuzzy Hash: f232b152d19e4a42969a1ffc3f0e844cc445ccdfb735c46e116f4c15ee122a9f
Instruction Fuzzy Hash: 522180719106A5AFCB209F39DC44A6B37A4FB05331F244729FA26D71E0D7349811AB90

Function 00FE75CD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F61D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00F61D73
Part of subcall function 00F61D35: GetStockObject.GDI32(00000011), ref: 00F61D87
Part of subcall function 00F61D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00F61D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00FE7632
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00FE763F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00FE764A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00FE7659
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00FE7665

Strings

Msctls_Progress32, xrefs: 00FE7603

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: e206fce1618b21d4e37477f239effb9e951ac71bb9bf97c6cbbb16a4210468f5
Instruction ID: 0c2385c7e8fac60e24fae058b4ba345f8201538e49ab2bfc4380dc09d1fc0442
Opcode Fuzzy Hash: e206fce1618b21d4e37477f239effb9e951ac71bb9bf97c6cbbb16a4210468f5
Instruction Fuzzy Hash: 7111D0B2110219BFEF109F65CC85EE77F6DFF087A8F014114FA04A6050CA729C21EBA4

Function 00F8406B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00F83F85), ref: 00F84085
GetProcAddress.KERNEL32(00000000), ref: 00F8408C
EncodePointer.KERNEL32(00000000), ref: 00F84097
DecodePointer.KERNEL32(00F83F85), ref: 00F840B2

Strings

RoUninitialize, xrefs: 00F84074
combase.dll, xrefs: 00F84080

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 74bb71d2cb89c291670823238c71f9ecf2e8a4ac8e7e94c9f00c307d51a5facc
Instruction ID: ed793dfcf4fb20d8fb3d6463e56683ac1eb9ce65b56c05924e083705b9264c18
Opcode Fuzzy Hash: 74bb71d2cb89c291670823238c71f9ecf2e8a4ac8e7e94c9f00c307d51a5facc
Instruction Fuzzy Hash: FBE09A706453499FEA70AF61EC49B553AB4BB08742F204025FA51D90A4CB7F9504AB15

Function 00FC64B8 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00FC660B
_memmove.LIBCMT ref: 00FC6546

Part of subcall function 00F69837: __itow.LIBCMT ref: 00F69862
Part of subcall function 00F69837: __swprintf.LIBCMT ref: 00F698AC

_memmove.LIBCMT ref: 00FC65B9
_memmove.LIBCMT ref: 00FC66A0
_memmove.LIBCMT ref: 00FC66B9
_memmove.LIBCMT ref: 00FC66D5

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 06c3e0da596de7e5ebd166ea91c544cb533233ce1895cc83c049d75c6dd0b7a7
Instruction ID: 07fb2884ef7fc78834e831f8c78767f0f0de13f452b7b61412fdc9c0a8482944
Opcode Fuzzy Hash: 06c3e0da596de7e5ebd166ea91c544cb533233ce1895cc83c049d75c6dd0b7a7
Instruction Fuzzy Hash: EE618A3190865A9BCF01FF60CD82FFE37A9AF05308F444919F855AB292DB79A905EB50

Function 00FE01E4 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F67DE1: _memmove.LIBCMT ref: 00F67E22

Part of subcall function 00FE0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FDFDAD,?,?), ref: 00FE0E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FE02BD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00FE02FD
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00FE0320
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00FE0349
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00FE038C
RegCloseKey.ADVAPI32(00000000), ref: 00FE0399

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: ba80bf8d8ea640208ea9d272c01d1c97ca0f8b900728768c6b55cde1f75a86ce
Instruction ID: cf38829e0910273689237eb64067e0130599521cd1be2ab1aac388bc117c6c3f
Opcode Fuzzy Hash: ba80bf8d8ea640208ea9d272c01d1c97ca0f8b900728768c6b55cde1f75a86ce
Instruction Fuzzy Hash: 9E516831508244AFC710EF64CC85EAABBE8FF84314F44491DF5858B2A2DB75E949EB52

Function 00FE5799 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00FE57FB
GetMenuItemCount.USER32(00000000), ref: 00FE5832
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00FE585A
GetMenuItemID.USER32(?,?), ref: 00FE58C9
GetSubMenu.USER32(?,?), ref: 00FE58D7
PostMessageW.USER32(?,00000111,?,00000000), ref: 00FE5928

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 963d1db922e6a27bd1336cf70b3e9e1da89eaabe738039d7b9a92e4ca41f7007
Instruction ID: f8e7042bcdbe34ccbf8a581ed57068cdf7cd5e7bb1bbbc0af35875f838997ae5
Opcode Fuzzy Hash: 963d1db922e6a27bd1336cf70b3e9e1da89eaabe738039d7b9a92e4ca41f7007
Instruction Fuzzy Hash: 33514B36E00659EFCF11EF65C885AAEB7B5EF48724F144069E801BB351CB74AE41EB90

Function 00FBEEEC Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00FBEF06
VariantClear.OLEAUT32(00000013), ref: 00FBEF78
VariantClear.OLEAUT32(00000000), ref: 00FBEFD3
_memmove.LIBCMT ref: 00FBEFFD
VariantClear.OLEAUT32(?), ref: 00FBF04A
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00FBF078

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 818437e6b300532a6084c5d441f44c61650bee65897464abaa00bcf7649d2e24
Instruction ID: 155e335a9652288e044a8a78a11e81214ad8ff77b97e88bf924d29b77e49c281
Opcode Fuzzy Hash: 818437e6b300532a6084c5d441f44c61650bee65897464abaa00bcf7649d2e24
Instruction Fuzzy Hash: 2B5178B5A00209EFCB10DF58C880AAAB7B8FF4C350B15856AED49DB355E334E915CFA0

Function 00FC220A Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FC2258
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FC22A3
IsMenu.USER32(00000000), ref: 00FC22C3
CreatePopupMenu.USER32 ref: 00FC22F7
GetMenuItemCount.USER32(000000FF), ref: 00FC2355
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00FC2386

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: d3b851233f7ca1ce61fefde70b487ea524f6da5fa449c41ab6fcd00f85ae262f
Instruction ID: e30a1342c63776e66ee85996973f6ec55962eb76ae8b672a6bfbed6c72df67a2
Opcode Fuzzy Hash: d3b851233f7ca1ce61fefde70b487ea524f6da5fa449c41ab6fcd00f85ae262f
Instruction Fuzzy Hash: 5351BE30A0038ADBDF61CF68CA8AFADBBF5EF45324F14412DE8159B290D3789904EB51

Function 00F61765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00F62612: GetWindowLongW.USER32(?,000000EB), ref: 00F62623

BeginPaint.USER32(?,?,?,?,?,?), ref: 00F6179A
GetWindowRect.USER32(?,?), ref: 00F617FE
ScreenToClient.USER32(?,?), ref: 00F6181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00F6182C
EndPaint.USER32(?,?), ref: 00F61876

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: ec9cd9e34f24e04ed30d824bff4668b5fcc43c405de3b10d9eed2ceac43689a3
Instruction ID: ae7b30b4932bcdca806f4117402e4604f3a3d59cb4ebbdf4363fba3c075d2f97
Opcode Fuzzy Hash: ec9cd9e34f24e04ed30d824bff4668b5fcc43c405de3b10d9eed2ceac43689a3
Instruction Fuzzy Hash: 1841CF31504300AFDB20DF24DC84FBA7BE8FB4A324F184668F9A48B2A1C7759805EB61

Function 00FEB69E Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(010257B0,00000000,00A26198,?,?,010257B0,?,00FEB5A8,?,?), ref: 00FEB712
EnableWindow.USER32(00000000,00000000), ref: 00FEB736
ShowWindow.USER32(010257B0,00000000,00A26198,?,?,010257B0,?,00FEB5A8,?,?), ref: 00FEB796
ShowWindow.USER32(00000000,00000004,?,00FEB5A8,?,?), ref: 00FEB7A8
EnableWindow.USER32(00000000,00000001), ref: 00FEB7CC
SendMessageW.USER32(?,0000130C,?,00000000), ref: 00FEB7EF

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 1570493404290b9a51e3cd46284557de683864786dd2adf91144dbbfb8a1b95e
Instruction ID: 9489a16b8b936718fbd4d3dea44b3bb028eb0ef19fd9b059bd6dcf1ccf6b4c2f
Opcode Fuzzy Hash: 1570493404290b9a51e3cd46284557de683864786dd2adf91144dbbfb8a1b95e
Instruction Fuzzy Hash: 4B418734A01284EFDB25CF25C4D9B967BE1FF45320F1841B9F9488FAA2C731A856EB51

Function 00FD709E Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00FD4E41,?,?,00000000,00000001), ref: 00FD70AC

Part of subcall function 00FD39A0: GetWindowRect.USER32(?,?), ref: 00FD39B3

GetDesktopWindow.USER32 ref: 00FD70D6
GetWindowRect.USER32(00000000), ref: 00FD70DD
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00FD710F

Part of subcall function 00FC5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00FC52BC

GetCursorPos.USER32(?), ref: 00FD713B
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00FD7199

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 630d5e5d5a24a049f11bb18b02f2fecb06435ebd85ad190c41032199668184b4
Instruction ID: c663ddf7fb33bf5c6ba8344134ac0c456643f00725b08c6d27dbefa5b0df62c8
Opcode Fuzzy Hash: 630d5e5d5a24a049f11bb18b02f2fecb06435ebd85ad190c41032199668184b4
Instruction Fuzzy Hash: 9E31E67250534AABD720EF14CC49F9BB7EAFF88314F04051AF5859B291D734EA09DB92

Function 00FB8879 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB80A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00FB80C0
Part of subcall function 00FB80A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00FB80CA
Part of subcall function 00FB80A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00FB80D9
Part of subcall function 00FB80A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00FB80E0
Part of subcall function 00FB80A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00FB80F6

GetLengthSid.ADVAPI32(?,00000000,00FB842F), ref: 00FB88CA
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00FB88D6
HeapAlloc.KERNEL32(00000000), ref: 00FB88DD
CopySid.ADVAPI32(00000000,00000000,?), ref: 00FB88F6
GetProcessHeap.KERNEL32(00000000,00000000,00FB842F), ref: 00FB890A
HeapFree.KERNEL32(00000000), ref: 00FB8911

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 18acb627421f097c504556f4d90ca78829986b6a93697722770efbbc09e637a7
Instruction ID: 137a24a7e39ead2bfa11b01e9f103ff4c1064eb002e604bdbdb6d689b0b4f96a
Opcode Fuzzy Hash: 18acb627421f097c504556f4d90ca78829986b6a93697722770efbbc09e637a7
Instruction Fuzzy Hash: 3C11AF32901209FFDF119FA5DC49BFE7B6CEB853A1F108028E84597151CB369A06EF60

Function 00FB85B1 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00FB85E2
OpenProcessToken.ADVAPI32(00000000), ref: 00FB85E9
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00FB85F8
CloseHandle.KERNEL32(00000004), ref: 00FB8603
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00FB8632
DestroyEnvironmentBlock.USERENV(00000000), ref: 00FB8646

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 7d192a2578dc9354b47ee013b68c4e8f2e5bddfd0ed321812209c331972cc2e7
Instruction ID: 01a815c53a62a3783b5c77589a800ad24725e7dc0cc040501da14f033b8ecaa3
Opcode Fuzzy Hash: 7d192a2578dc9354b47ee013b68c4e8f2e5bddfd0ed321812209c331972cc2e7
Instruction Fuzzy Hash: F5116A7250024DABDF118FA4DC48FDE7BA9EF48354F044024FE01A6160C7718E65EB60

Function 00FBB790 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00FBB7B5
GetDeviceCaps.GDI32(00000000,00000058), ref: 00FBB7C6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00FBB7CD
ReleaseDC.USER32(00000000,00000000), ref: 00FBB7D5
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00FBB7EC
MulDiv.KERNEL32(000009EC,?,?), ref: 00FBB7FE

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: c1ea3debee73c18c08b896bf0241273337ae4afb2918774ca3f8db73760c7b11
Instruction ID: 4724ae30e283655c37c90c61285ea2b19b78ddbcd948a402634c00bb279b7fb4
Opcode Fuzzy Hash: c1ea3debee73c18c08b896bf0241273337ae4afb2918774ca3f8db73760c7b11
Instruction Fuzzy Hash: DA018875E00349BBEB105BA69C85A5EBFB8EB48361F004075FA04EB291D6709D00DF51

Function 00F80162 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00F80193
MapVirtualKeyW.USER32(00000010,00000000), ref: 00F8019B
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00F801A6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00F801B1
MapVirtualKeyW.USER32(00000011,00000000), ref: 00F801B9
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F801C1

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 15b74b1b4fe4f7e41e6ad27789e9ab1f9c8cdfefaa08d4e24601faedb97b1f02
Instruction ID: 6b6b98f33abeb5c106c7d7b958ce25a675de3bd843a406afe56e0fa7f1ab5e81
Opcode Fuzzy Hash: 15b74b1b4fe4f7e41e6ad27789e9ab1f9c8cdfefaa08d4e24601faedb97b1f02
Instruction Fuzzy Hash: DB016CB09017597DE3008F5A8C85B52FFA8FF19354F00411BA15C4B941C7F5A868CBE5

Function 00FC53E9 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00FC53F9
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00FC540F
GetWindowThreadProcessId.USER32(?,?), ref: 00FC541E
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00FC542D
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00FC5437
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00FC543E

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: abc30061a31aab2d7d9c2445993720c664f8faf3bba5818ccd979022879e446a
Instruction ID: f0a83ad745c5200282c578ec6459b2856e2e9d49ff807f925e74e30608fbce82
Opcode Fuzzy Hash: abc30061a31aab2d7d9c2445993720c664f8faf3bba5818ccd979022879e446a
Instruction Fuzzy Hash: E4F0903224119CBBE7205BA2DC4EEEF7B7CEFC6B11F000169FA04D50A0D7A41A05A6B5

Function 00FC7230 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00FC7243
EnterCriticalSection.KERNEL32(?,?,00F70EE4,?,?), ref: 00FC7254
TerminateThread.KERNEL32(00000000,000001F6,?,00F70EE4,?,?), ref: 00FC7261
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00F70EE4,?,?), ref: 00FC726E

Part of subcall function 00FC6C35: CloseHandle.KERNEL32(00000000,?,00FC727B,?,00F70EE4,?,?), ref: 00FC6C3F

InterlockedExchange.KERNEL32(?,000001F6), ref: 00FC7281
LeaveCriticalSection.KERNEL32(?,?,00F70EE4,?,?), ref: 00FC7288

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 15b944f8fdb40cd15d364b3846e736b40cd88dac1fb7112a78c411562be47a1a
Instruction ID: 7fde1c24c1c03bc035f04751d73838406d47a0cae1ba61ca007a0a4355827821
Opcode Fuzzy Hash: 15b944f8fdb40cd15d364b3846e736b40cd88dac1fb7112a78c411562be47a1a
Instruction Fuzzy Hash: D0F0BE36841206EBD7112B24ED8DEEA7729EF45312B010135F203980A0CB7A1808EF50

Function 00FB8992 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00FB899D
UnloadUserProfile.USERENV(?,?), ref: 00FB89A9
CloseHandle.KERNEL32(?), ref: 00FB89B2
CloseHandle.KERNEL32(?), ref: 00FB89BA
GetProcessHeap.KERNEL32(00000000,?), ref: 00FB89C3
HeapFree.KERNEL32(00000000), ref: 00FB89CA

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: a50badaac7900717a49a4f84df06479854e5cebf292282424b8dd365d913863d
Instruction ID: d3c1ca235203e48b61118f9d7174927692239fa213c959d1931517d8e5491aeb
Opcode Fuzzy Hash: a50badaac7900717a49a4f84df06479854e5cebf292282424b8dd365d913863d
Instruction Fuzzy Hash: 4AE0C236004049FFDA011FE1EC4C90ABB69FB89322B108230F219890B0CB369468EB50

Function 00FD85ED Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00FD8613
CharUpperBuffW.USER32(?,?), ref: 00FD8722
VariantClear.OLEAUT32(?), ref: 00FD889A

Part of subcall function 00FC7562: VariantInit.OLEAUT32(00000000), ref: 00FC75A2
Part of subcall function 00FC7562: VariantCopy.OLEAUT32(00000000,?), ref: 00FC75AB
Part of subcall function 00FC7562: VariantClear.OLEAUT32(00000000), ref: 00FC75B7

Strings

Incorrect Parameter format, xrefs: 00FD864B, 00FD880D
AUTOIT.ERROR, xrefs: 00FD8728

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: e87abfad2b57ca38aee23440f94c61303fa5b47abaad9a0ff392b9542cba422a
Instruction ID: 6913119947831ab585460b3ead6e4656a536f903f0b02f29abc2683d943b3e86
Opcode Fuzzy Hash: e87abfad2b57ca38aee23440f94c61303fa5b47abaad9a0ff392b9542cba422a
Instruction Fuzzy Hash: 6D918F71A08301DFC710DF24C88095ABBE5EF89754F18896EF88A8B361DB35ED06EB51

Function 00FC2A96 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F7FC86: _wcscpy.LIBCMT ref: 00F7FCA9

_memset.LIBCMT ref: 00FC2B87
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00FC2BB6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00FC2C69
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00FC2C97

Strings

0, xrefs: 00FC2B73

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: d42655f005deef9ecba8a8f2b40b94db5d849e1fd851e8c191fe41a607ee5fbf
Instruction ID: b88398ca0de48e105f68bdd9e6de27ba85d751d1a5119d79dad5fd62a81f5243
Opcode Fuzzy Hash: d42655f005deef9ecba8a8f2b40b94db5d849e1fd851e8c191fe41a607ee5fbf
Instruction Fuzzy Hash: 6D51B071A083029AD7A4EE28DA86F6F77E4EF95330F040A2DF895D7190DB74CD04A752

Function 00FBD56C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00FBD5D4
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00FBD60A
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00FBD61B
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00FBD69D

Strings

DllGetClassObject, xrefs: 00FBD610

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 2e3555f98f69210011d6b4ace67417be8ddac697980ddfd9ba0588ae0ab600aa
Instruction ID: f2856941c8a67807dda38a87b6f9ef622b8d8b077c8b4c7c0ccdfe951b95e5ea
Opcode Fuzzy Hash: 2e3555f98f69210011d6b4ace67417be8ddac697980ddfd9ba0588ae0ab600aa
Instruction Fuzzy Hash: 0641CFB5600208EFDB04CF15C884ADA7BAAEF48310F1580A9ED099F205E7B5DA44EFA1

Function 00FC2753 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FC27C0
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00FC27DC
DeleteMenu.USER32(?,00000007,00000000), ref: 00FC2822
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,01025890,00000000), ref: 00FC286B

Strings

0, xrefs: 00FC27B5

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 3898fdb9a9716c2b961796a3765d266cce08133a7907f75b02c1c9c19b67c497
Instruction ID: e8b6f0506a95b878d11998f873f3e7dd0b6ab441d7eb210aedea015b226e4db3
Opcode Fuzzy Hash: 3898fdb9a9716c2b961796a3765d266cce08133a7907f75b02c1c9c19b67c497
Instruction Fuzzy Hash: 3841CE716043429FDB60EF24CD86F5ABBE4EF84324F044A2EF8A5972D1C734A804DB62

Function 00FC0AD6 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00FC0B27
SetKeyboardState.USER32(00000080,?,00000001), ref: 00FC0B43
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00FC0BA9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00FC0BFB

Strings

-es, xrefs: 00FC0B5D

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID: -es
API String ID: 432972143-508736453
Opcode ID: 398d9dac1bbf2b1710cb09836382010f7fd615393eca60ae6c86a0efecddac3a
Instruction ID: f3bc40479ce52bc91e042b4a00fbde1b403b3a973a612af04028bf024948467b
Opcode Fuzzy Hash: 398d9dac1bbf2b1710cb09836382010f7fd615393eca60ae6c86a0efecddac3a
Instruction Fuzzy Hash: 33314830D40609EAFB30CB258D06FF9BBA9AB85338F08426EE481911D1CB748D46B751

Function 00FC0C11 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 00FC0C66
SetKeyboardState.USER32(00000080,?,00008000), ref: 00FC0C82
PostMessageW.USER32(00000000,00000101,00000000), ref: 00FC0CE1
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 00FC0D33

Strings

-es, xrefs: 00FC0C9F

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID: -es
API String ID: 432972143-508736453
Opcode ID: f3af25a5ea999b66dbb5da46a599ce401fbda57a168f8251e58fd17180358160
Instruction ID: dd9964d377bbd1841d70ba17f5fb6582e1ea35eec345efec9278b592f508ed00
Opcode Fuzzy Hash: f3af25a5ea999b66dbb5da46a599ce401fbda57a168f8251e58fd17180358160
Instruction Fuzzy Hash: 25312630E00719EEFF34CA658D06FFEBB66AB45320F08432EE491621D1CB39994AA751

Function 00FDD7A5 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00FDD7C5

Part of subcall function 00F6784B: _memmove.LIBCMT ref: 00F67899

Strings

cdecl, xrefs: 00FDD81C
winapi, xrefs: 00FDD836
stdcall, xrefs: 00FDD847
none, xrefs: 00FDD8A0

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 1f11ef49973ff725e6a45477c9a74e3d181e1e6560ee444806a57f0ab28f47d8
Instruction ID: b22e6f83231d3290adde58110bd7beb11ce969fd09fd660c668c06df5624d6b2
Opcode Fuzzy Hash: 1f11ef49973ff725e6a45477c9a74e3d181e1e6560ee444806a57f0ab28f47d8
Instruction Fuzzy Hash: E031B071904219ABCF00EF54CC519EEB3B5FF14724B14862AE865A77D1DB35AD09EB80

Function 00FB8E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F67DE1: _memmove.LIBCMT ref: 00F67E22

Part of subcall function 00FBAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00FBAABC

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00FB8F14
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00FB8F27
SendMessageW.USER32(?,00000189,?,00000000), ref: 00FB8F57

Part of subcall function 00F67BCC: _memmove.LIBCMT ref: 00F67C06

Strings

ComboBox, xrefs: 00FB8E9E
ListBox, xrefs: 00FB8ED3

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: 532acaa79aa4c4eb02b07a6ed56e245cb397d9c64ae3581f1285b542da1b9dca
Instruction ID: 8ae2f7b4dc4d805caeebb338752af75a1e6489bfc9497edf3d03acdadfcdd5e8
Opcode Fuzzy Hash: 532acaa79aa4c4eb02b07a6ed56e245cb397d9c64ae3581f1285b542da1b9dca
Instruction Fuzzy Hash: C121D075A00108BADB14ABA1CC85DFFB76DDF85360F144529F821A71E1DE39490AFA20

Function 00FD182D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00FD184C
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00FD1872
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00FD18A2
InternetCloseHandle.WININET(00000000), ref: 00FD18E9

Part of subcall function 00FD2483: GetLastError.KERNEL32(?,?,00FD1817,00000000,00000000,00000001), ref: 00FD2498
Part of subcall function 00FD2483: SetEvent.KERNEL32(?,?,00FD1817,00000000,00000000,00000001), ref: 00FD24AD

Strings

, xrefs: 00FD1893

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 5674d412bc618197ab469afde0e7fb7858950161b6a4dcd0d6f347f650e40c6d
Instruction ID: b45880c0141cebf727ef512d002b73eb36c1d1ffd512c002f7eee51c7e2f4053
Opcode Fuzzy Hash: 5674d412bc618197ab469afde0e7fb7858950161b6a4dcd0d6f347f650e40c6d
Instruction Fuzzy Hash: 8421ACB250020CBFEB11DB60DC85EBF76AEFB88754F14412BF805A7240EA358D08B7A1

Function 00FE63E7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F61D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00F61D73
Part of subcall function 00F61D35: GetStockObject.GDI32(00000011), ref: 00F61D87
Part of subcall function 00F61D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00F61D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00FE6461
LoadLibraryW.KERNEL32(?), ref: 00FE6468
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00FE647D
DestroyWindow.USER32(?), ref: 00FE6485

Strings

SysAnimate32, xrefs: 00FE643C

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: d4ae4bf25b293e2324a1f4d1a8a008aa25de16949b5aad36b857ce424db58641
Instruction ID: cbebbfd2afc87a0aa98f47eeb6b7c2f476950c841bb10ffa7364353e3140e496
Opcode Fuzzy Hash: d4ae4bf25b293e2324a1f4d1a8a008aa25de16949b5aad36b857ce424db58641
Instruction Fuzzy Hash: 24218E7150028DAFEF108F66DC80EBA77ADEB693B8F104629F950D61D0D7359C41B760

Function 00FC6D9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00FC6DBC
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00FC6DEF
GetStdHandle.KERNEL32(0000000C), ref: 00FC6E01
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00FC6E3B

Strings

nul, xrefs: 00FC6E36

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: ea74738c24d404ec7549fb7cbf8f15e1e138923f9c0b47bf7a10c88ba3bee1ec
Instruction ID: d4a1acc2921025f6d4ceea6ee81669fc2397ad5cafc0ea5202bfd9b7a30791a7
Opcode Fuzzy Hash: ea74738c24d404ec7549fb7cbf8f15e1e138923f9c0b47bf7a10c88ba3bee1ec
Instruction Fuzzy Hash: 3221D175A0420BABCB209F29DD46F9A77A4EF44720F20462DFDA1DB2D0D7709815AB14

Function 00FC6E6A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00FC6E89
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00FC6EBB
GetStdHandle.KERNEL32(000000F6), ref: 00FC6ECC
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00FC6F06

Strings

nul, xrefs: 00FC6F01

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 3d95d2e240cd33342bbac27db045e2e8d17a1b86c344a85c28d557598ad53a17
Instruction ID: c058b78dcb32990d5b49ad93594e76625650b8f5c7ad6d1ce8765c59bfc8a089
Opcode Fuzzy Hash: 3d95d2e240cd33342bbac27db045e2e8d17a1b86c344a85c28d557598ad53a17
Instruction Fuzzy Hash: DD21B2759043069BDB209F69CD46F9A77E8AF45730F200A1EF9A0D72D0D7709851E714

Function 00FCAC40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00FCAC54
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00FCACA8
__swprintf.LIBCMT ref: 00FCACC1
SetErrorMode.KERNEL32(00000000,00000001,00000000,00FEF910), ref: 00FCACFF

Strings

%lu, xrefs: 00FCACBB

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 153e022489d75c936608ec3bee24a66279efc4448291fb836990c8367d0918aa
Instruction ID: eb279605e2b6a443ca8d29fd25c05039fd9441cad3c325c3fc92f2b2acc2ad3c
Opcode Fuzzy Hash: 153e022489d75c936608ec3bee24a66279efc4448291fb836990c8367d0918aa
Instruction Fuzzy Hash: 12216230A0010DAFCB10DF65CD85EEE77B8EF49714B004069F909DB252DA75EA45EB21

Function 00FC1AE8 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00FC1B19

Strings

KEYS, xrefs: 00FC1B30
EXISTS, xrefs: 00FC1B41
REMOVE, xrefs: 00FC1B1F
APPEND, xrefs: 00FC1B52

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 348ba62999213b4291ce057abfa76b39625cc7112ac168407ccf1479f1c86a4f
Instruction ID: 9aae68fef7099f32b8a245426871e777dcea2181d913da7eb935239d2bf53edb
Opcode Fuzzy Hash: 348ba62999213b4291ce057abfa76b39625cc7112ac168407ccf1479f1c86a4f
Instruction Fuzzy Hash: 96118E349002098FCF04EF54DD529EEB3B4FF66304B508459D85467296EB365D0AEF40

Function 00FDEB55 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00FDEC07
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00FDEC37
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00FDED6A
CloseHandle.KERNEL32(?), ref: 00FDEDEB

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 91cdeb5c2c095b61a29498f7a3fbade624968a878da83c1f7085262aa70c83ae
Instruction ID: 823f92a60b7aeb81f0111b93cc8ad915ff3bcdf2e7f75f355260ba4678568469
Opcode Fuzzy Hash: 91cdeb5c2c095b61a29498f7a3fbade624968a878da83c1f7085262aa70c83ae
Instruction Fuzzy Hash: 158181B16043009FD720EF28CC86F6AB7E5EF54760F04891EF9999B392DAB4AC41DB51

Function 00FE0037 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F67DE1: _memmove.LIBCMT ref: 00F67E22

Part of subcall function 00FE0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FDFDAD,?,?), ref: 00FE0E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FE00FD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00FE013C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00FE0183
RegCloseKey.ADVAPI32(?,?), ref: 00FE01AF
RegCloseKey.ADVAPI32(00000000), ref: 00FE01BC

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: be52ef7a8f26a715cad0629451392060668bc0def5c3e90e39df7dda187888dc
Instruction ID: d5dce8cd3ce2381423f0a06cb1b8ddffa535e507658310ef7759237ff8c3daa7
Opcode Fuzzy Hash: be52ef7a8f26a715cad0629451392060668bc0def5c3e90e39df7dda187888dc
Instruction Fuzzy Hash: FF518C71608244AFC714EF54CC81F6AB7E8FF84314F40482DF5858B2A2DB79E948EB52

Function 00FDD8C8 Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00F69837: __itow.LIBCMT ref: 00F69862
Part of subcall function 00F69837: __swprintf.LIBCMT ref: 00F698AC

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00FDD927
GetProcAddress.KERNEL32(00000000,?), ref: 00FDD9AA
GetProcAddress.KERNEL32(00000000,00000000), ref: 00FDD9C6
GetProcAddress.KERNEL32(00000000,?), ref: 00FDDA07
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00FDDA21

Part of subcall function 00F65A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00FC7896,?,?,00000000), ref: 00F65A2C
Part of subcall function 00F65A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00FC7896,?,?,00000000,?,?), ref: 00F65A50

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 02d89608bd9b38e305a161c003117d0ee352d27c647f718e9f56710ae48ff887
Instruction ID: da06acd135c02f383e6790ce8e9600b0ea5fbfaaafd6a0b7c5b05a5d3c1163b4
Opcode Fuzzy Hash: 02d89608bd9b38e305a161c003117d0ee352d27c647f718e9f56710ae48ff887
Instruction Fuzzy Hash: F3512835A04209DFCB00EFA8C8949ADB7B5FF59324B08806AE855AB312D739ED45DF51

Function 00FCE571 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00FCE61F
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00FCE648
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00FCE687

Part of subcall function 00F69837: __itow.LIBCMT ref: 00F69862
Part of subcall function 00F69837: __swprintf.LIBCMT ref: 00F698AC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00FCE6AC
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00FCE6B4

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 084e0f68d54e033f11941bdf2ca9c98574cf12423643b4098f874d01cdff5cb4
Instruction ID: cb3188a70951c3b910b36a1f0a8a933f341c7533dd5fda966cae480060528b28
Opcode Fuzzy Hash: 084e0f68d54e033f11941bdf2ca9c98574cf12423643b4098f874d01cdff5cb4
Instruction Fuzzy Hash: 89510B35A10105DFCB01EF64C981AAEBBF9EF09314F1480A9E909AB361CB35ED15EF50

Function 00FEA056 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea55b59d5367bedc9aac6493c40d5ac63b721cd88355cf41b8fcdc1b3e6d708c
Instruction ID: da64d83def4082c67b493e78e8365a07fb6861cde5c90f0b44a1fe4e716c906c
Opcode Fuzzy Hash: ea55b59d5367bedc9aac6493c40d5ac63b721cd88355cf41b8fcdc1b3e6d708c
Instruction Fuzzy Hash: 1041F336D04284AFC720DF29CC88FA9BBA5EB09320F154165F916A72E1C774BD41FE51

Function 00FB63AA Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FB63E7
TranslateAcceleratorW.USER32(?,?,?), ref: 00FB6433
TranslateMessage.USER32(?), ref: 00FB645C
DispatchMessageW.USER32(?), ref: 00FB6466
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FB6475

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: fcaedfbec0d675cb4189cc910d17151239f5e641c10edebcfad1926285f7ca89
Instruction ID: 064501ce0b73afaf8a0b34d9c9e890b6f797dd88e2e26b1cb158d38a7ff15a2f
Opcode Fuzzy Hash: fcaedfbec0d675cb4189cc910d17151239f5e641c10edebcfad1926285f7ca89
Instruction Fuzzy Hash: 7931A431900646EFDB34CEB1DC48BF67BA8AB05320F244175E465C6191E76D9889EF60

Function 00FB8A1F Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00FB8A30
PostMessageW.USER32(?,00000201,00000001), ref: 00FB8ADA
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00FB8AE2
PostMessageW.USER32(?,00000202,00000000), ref: 00FB8AF0
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00FB8AF8

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: a82f036230d17b80d0e119ed0c4eb24ccef457cefb4258217a9adf7d8bed2660
Instruction ID: 1fcfaa0bd8c7b5ebcf0476c96514d3392f19c16aaafd0f835154d2baedaca50a
Opcode Fuzzy Hash: a82f036230d17b80d0e119ed0c4eb24ccef457cefb4258217a9adf7d8bed2660
Instruction Fuzzy Hash: 6F31F171900219EBCF00CF68DD8CADE3BB9EB44325F108229F825EA1D0C7B49915EF90

Function 00FBB1EC Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00FBB204
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00FBB221
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00FBB259
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00FBB27F
_wcsstr.LIBCMT ref: 00FBB289

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: d6601247bea3d8cad1655508580af8bfa1ec4f584fc432937eef82ad3019ccdc
Instruction ID: ef14b67889abffa6cddb5bb85704f13624366e53da528da49f107b3c5d1ebcac
Opcode Fuzzy Hash: d6601247bea3d8cad1655508580af8bfa1ec4f584fc432937eef82ad3019ccdc
Instruction Fuzzy Hash: 4221F5326042457BEB266B7ADC49EBF7B98DF49720F004139F804DA1A1EFA5DC40BB60

Function 00FB9307 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00FB9320

Part of subcall function 00F67BCC: _memmove.LIBCMT ref: 00F67C06

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00FB9352
__itow.LIBCMT ref: 00FB936A
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00FB9392
__itow.LIBCMT ref: 00FB93A3

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: bcef309a85119e6001d7c9debfe016ff8b05880d3e4155b40d846d9cb77e6330
Instruction ID: 5305e5bb6ef286199ae043516bdb79b1fbda9f15d64d86627c63a591150e13a4
Opcode Fuzzy Hash: bcef309a85119e6001d7c9debfe016ff8b05880d3e4155b40d846d9cb77e6330
Instruction Fuzzy Hash: DF21C831B04208BBDB10AA669CC5EEE7BEDEF48720F084025FA45DB191D6B48D45AB91

Function 00FD5A4D Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00FD5A6E
GetForegroundWindow.USER32 ref: 00FD5A85
GetDC.USER32(00000000), ref: 00FD5AC1
GetPixel.GDI32(00000000,?,00000003), ref: 00FD5ACD
ReleaseDC.USER32(00000000,00000003), ref: 00FD5B08

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 7d8c7eec9754b7523e82e28d94664720d9dbe72154dc595058b4569653ce491d
Instruction ID: d30d2205062487173da1a92063c81e7ddb61fb7f2ee175f914d6288116a80540
Opcode Fuzzy Hash: 7d8c7eec9754b7523e82e28d94664720d9dbe72154dc595058b4569653ce491d
Instruction Fuzzy Hash: E121C675A00118AFDB00EF64DC84A5ABBF9EF88350F14C079F809DB351CA74AD05EB90

Function 00F612F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F6134D
SelectObject.GDI32(?,00000000), ref: 00F6135C
BeginPath.GDI32(?), ref: 00F61373
SelectObject.GDI32(?,00000000), ref: 00F6139C

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 3e5e95c0912f137601a4d935d37220106f2455ab0d681dfbdcb2ffa81de49fbd
Instruction ID: 2c7298978906326151d66c340398e57ebe8f3ce7e91d0447ee8480ca5a817ff9
Opcode Fuzzy Hash: 3e5e95c0912f137601a4d935d37220106f2455ab0d681dfbdcb2ffa81de49fbd
Instruction Fuzzy Hash: 6A214131C00208EFDB319F25DD467A97BA8FB04321F384216F851AA2A4D7F69995EF94

Function 00FBBC9E Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00FBBCB3
_memcmp.LIBCMT ref: 00FBBCD1
_memcmp.LIBCMT ref: 00FBBCE4
_memcmp.LIBCMT ref: 00FBBCFC
_memcmp.LIBCMT ref: 00FBBD14

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 811af26d3f37174bfe917ca6c1bae26d723bb05b85f78c83984bfc63fdc6addb
Instruction ID: bfab6f485b81997a382e1de7bdbf94eecec738934b7938c9dc1480ace803912d
Opcode Fuzzy Hash: 811af26d3f37174bfe917ca6c1bae26d723bb05b85f78c83984bfc63fdc6addb
Instruction Fuzzy Hash: BB01B5B27011097BD204FB129D42FFBB75CEE553A8F044021FE0596342EB94DE11BAE1

Function 00FC4A93 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00FC4ABA
__beginthreadex.LIBCMT ref: 00FC4AD8
MessageBoxW.USER32(?,?,?,?), ref: 00FC4AED
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00FC4B03
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00FC4B0A

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: f9660164e91818a2580cbc896ae3f364f906df3d246f3bb2917fb720c8bdfcba
Instruction ID: 266f8216fb3d6db56cf2b9d6d2267eda8422d892392ff443f30571d5c1c28711
Opcode Fuzzy Hash: f9660164e91818a2580cbc896ae3f364f906df3d246f3bb2917fb720c8bdfcba
Instruction Fuzzy Hash: 32110876904249BBC7219FA89C45FDB7FACEB86334F144269F814D3290D679DD089BA0

Function 00FB8202 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00FB821E
GetLastError.KERNEL32(?,00FB7CE2,?,?,?), ref: 00FB8228
GetProcessHeap.KERNEL32(00000008,?,?,00FB7CE2,?,?,?), ref: 00FB8237
HeapAlloc.KERNEL32(00000000,?,00FB7CE2,?,?,?), ref: 00FB823E
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00FB8255

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: d9cfcd5baf7d93e95b892b7fc733625d4ea93a6665ece24fd2dfcb54edc23260
Instruction ID: 53967e89cd562b347c209f9df9a47c1bda22538825e409786714822f941c065c
Opcode Fuzzy Hash: d9cfcd5baf7d93e95b892b7fc733625d4ea93a6665ece24fd2dfcb54edc23260
Instruction Fuzzy Hash: 15016271601249BFDB104FA6DC88DA77B6CEF867A47504429F809C6160DA318C05EA60

Function 00FB710A Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00FB7044,80070057,?,?,?,00FB7455), ref: 00FB7127
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00FB7044,80070057,?,?), ref: 00FB7142
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00FB7044,80070057,?,?), ref: 00FB7150
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00FB7044,80070057,?), ref: 00FB7160
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00FB7044,80070057,?,?), ref: 00FB716C

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 427094509afedd113b73471be9c3e9496f9b27745dc174008ba6752306e0252b
Instruction ID: bbe94fce01d34afd3b7c07b02ae7a2c8d9052e8b9613469cce607a1196da53d6
Opcode Fuzzy Hash: 427094509afedd113b73471be9c3e9496f9b27745dc174008ba6752306e0252b
Instruction Fuzzy Hash: 820184B2601308BFDB115F69DC84BAA7BADEF84761F144064FD04D6220D731DE40ABA0

Function 00FC5244 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00FC5260
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00FC526E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00FC5276
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00FC5280
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00FC52BC

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: d3291056a4e82f2f77c9259c5d5e3f3975172c05c1e67241dcfa732de6c868f8
Instruction ID: 9c41810a5605932f4340825f44b4f3aa7b728d22e8b7ab53ceb92fe3a068ddaf
Opcode Fuzzy Hash: d3291056a4e82f2f77c9259c5d5e3f3975172c05c1e67241dcfa732de6c868f8
Instruction Fuzzy Hash: 04012D31D01A1EDBDF00DFE4E98AAEDBBB8FB09B11F400159E941F6181CB346594A7A5

Function 00FB810A Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00FB8121
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00FB812B
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00FB813A
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00FB8141
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00FB8157

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: d201723e9600249d21cf9e9c0977670165eec146bee81c96522cd9b9cda8bd2b
Instruction ID: 22411515ed4ffd824c1b2f89675cb4fc5ee1dcaa60064d2ecddb9b571ed6ad38
Opcode Fuzzy Hash: d201723e9600249d21cf9e9c0977670165eec146bee81c96522cd9b9cda8bd2b
Instruction Fuzzy Hash: B9F06871601348AFD7110F65DCC8EA73BACFF857A4B000025F545D6150CB619D46EE60

Function 00FBC1E3 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00FBC1F7
GetWindowTextW.USER32(00000000,?,00000100), ref: 00FBC20E
MessageBeep.USER32(00000000), ref: 00FBC226
KillTimer.USER32(?,0000040A), ref: 00FBC242
EndDialog.USER32(?,00000001), ref: 00FBC25C

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: be4ad540a29bfc77f72e7b4f59e29eb4f0e92d30a5091bd2df8ba69d6a1f92df
Instruction ID: f3f22486638a23c777f2d57be17dce4252150d92442305b23ecc926c28443c0f
Opcode Fuzzy Hash: be4ad540a29bfc77f72e7b4f59e29eb4f0e92d30a5091bd2df8ba69d6a1f92df
Instruction Fuzzy Hash: 20018B3090470897EB206B55DD8EFD77778FF00706F000669F586954E1D7F46958AF90

Function 00F613B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00F613BF
StrokeAndFillPath.GDI32(?,?,00F9B888,00000000,?), ref: 00F613DB
SelectObject.GDI32(?,00000000), ref: 00F613EE
DeleteObject.GDI32 ref: 00F61401
StrokePath.GDI32(?), ref: 00F6141C

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: d5ebc77b595db5de5226c3b4ebe0c3f3c4cead42575d523c03a72f98bf23c088
Instruction ID: 0ee34aabffac07690bf3f8ffd15a3723da447fdae80a2a2e708e3539cf0f0311
Opcode Fuzzy Hash: d5ebc77b595db5de5226c3b4ebe0c3f3c4cead42575d523c03a72f98bf23c088
Instruction Fuzzy Hash: 15F01D30000248DBDB319F16EC4D7A83BA8BB01336F288225E569590F5C7BA4595EF14

Function 00FCC397 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00FCC432
CoCreateInstance.OLE32(00FF2D6C,00000000,00000001,00FF2BDC,?), ref: 00FCC44A

Part of subcall function 00F67DE1: _memmove.LIBCMT ref: 00F67E22

CoUninitialize.OLE32 ref: 00FCC6B7

Strings

.lnk, xrefs: 00FCC3C6, 00FCC3EE, 00FCC3F8

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 27c2d0d6a92ea3a5fa0e5d8855a6920fa49ceb16468f965e4e62514c84c68504
Instruction ID: b58400422859fecd641307bde77d8094c673d5f345b40f472464488a34d71c63
Opcode Fuzzy Hash: 27c2d0d6a92ea3a5fa0e5d8855a6920fa49ceb16468f965e4e62514c84c68504
Instruction Fuzzy Hash: B1A13AB1108205AFD700EF64CC91EABB7ECEF95354F00491CF1959B1A2DBB5EA09DB52

Function 00F72CFB Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00F80DB6: std::exception::exception.LIBCMT ref: 00F80DEC
Part of subcall function 00F80DB6: __CxxThrowException@8.LIBCMT ref: 00F80E01

Part of subcall function 00F67DE1: _memmove.LIBCMT ref: 00F67E22

Part of subcall function 00F67A51: _memmove.LIBCMT ref: 00F67AAB

__swprintf.LIBCMT ref: 00F72ECD

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00F72D66

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 81b14abb543dd39366de9eb41088143f1d05cc50b0c973f868aa4d0fb10402df
Instruction ID: 4b9739faf78eb489369f0fd1353a158120296d609dc4ecc78a5ac88c753b82b1
Opcode Fuzzy Hash: 81b14abb543dd39366de9eb41088143f1d05cc50b0c973f868aa4d0fb10402df
Instruction Fuzzy Hash: 4D915B725083019FC714FF24CC85CAEB7A8EF95750F04491EF4969B2A1EA78ED44EB62

Function 00FCB93B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00F64750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F64743,?,?,00F637AE,?), ref: 00F64770

CoInitialize.OLE32(00000000), ref: 00FCB9BB
CoCreateInstance.OLE32(00FF2D6C,00000000,00000001,00FF2BDC,?), ref: 00FCB9D4
CoUninitialize.OLE32 ref: 00FCB9F1

Part of subcall function 00F69837: __itow.LIBCMT ref: 00F69862
Part of subcall function 00F69837: __swprintf.LIBCMT ref: 00F698AC

Strings

.lnk, xrefs: 00FCB99D, 00FCB9AB

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 17d0369c065ed41006635f608786455179ec7b715898a38c9bbeb785729eca24
Instruction ID: 69f66bb40a232cc4210f48b0898dd40f7d451a5bb5bb99b5440a59f870797352
Opcode Fuzzy Hash: 17d0369c065ed41006635f608786455179ec7b715898a38c9bbeb785729eca24
Instruction Fuzzy Hash: 4CA144756042069FCB00DF24C985E6ABBE5FF89324F04898CF8999B3A1CB35ED45DB91

Function 00F8501D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00F850AD

Part of subcall function 00F900F0: __87except.LIBCMT ref: 00F9012B

Strings

pow, xrefs: 00F85085, 00F850A2

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: f168eef43cc3bda3dbdc14283209e0f73e2ba76d89d0d75bdaf43d60fb38dad2
Instruction ID: 84c7f32a2c7403accbcd9cc1682b3db94fe49821d16b0d0bcaf8edca01077a87
Opcode Fuzzy Hash: f168eef43cc3bda3dbdc14283209e0f73e2ba76d89d0d75bdaf43d60fb38dad2
Instruction Fuzzy Hash: B9514C61D0CA068BEF117724CD053BE7B949F41B20F208D59E4D5862A9EF398DD4FB86

Function 00F76192 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F76248
_memmove.LIBCMT ref: 00F762E4
_memset.LIBCMT ref: 00F76308

Strings

ERCP, xrefs: 00F761B3

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: 0eed5a1e93fa3562ce4c37f3fe10f68493f81a00602b609c8aeb27cac0aa2bb9
Instruction ID: 983e49c81836650541bfc2830751ee3066d87f51c1c6f9389a50442152a653d2
Opcode Fuzzy Hash: 0eed5a1e93fa3562ce4c37f3fe10f68493f81a00602b609c8aeb27cac0aa2bb9
Instruction Fuzzy Hash: D751B071900B05DBDB64DF65C881BEBB7F4EF08314F20856EE94AD7281EB34AA44DB41

Function 00FB97F5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FC14BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00FB9296,?,?,00000034,00000800,?,00000034), ref: 00FC14E6

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00FB983F

Part of subcall function 00FC1487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00FB92C5,?,?,00000800,?,00001073,00000000,?,?), ref: 00FC14B1

Part of subcall function 00FC13DE: GetWindowThreadProcessId.USER32(?,?), ref: 00FC1409
Part of subcall function 00FC13DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00FB925A,00000034,?,?,00001004,00000000,00000000), ref: 00FC1419
Part of subcall function 00FC13DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00FB925A,00000034,?,?,00001004,00000000,00000000), ref: 00FC142F

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00FB98AC
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00FB98F9

Strings

@, xrefs: 00FB9911

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 30a1fb8f8cd29b8b965eafd8834a9900556f0bbbf85acea87f926e046f115815
Instruction ID: d6316a923885de044a0ecb0c5b1426c7c47f64af15d9b1056350200cd7d1c769
Opcode Fuzzy Hash: 30a1fb8f8cd29b8b965eafd8834a9900556f0bbbf85acea87f926e046f115815
Instruction Fuzzy Hash: 8C416F7690011DAFDB14DFA4CD82EDEBBB8EB06300F004059FA45B7181DA706E49DBA0

Function 00FE7946 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00FEF910,00000000,?,?,?,?), ref: 00FE79DF
GetWindowLongW.USER32 ref: 00FE79FC
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00FE7A0C

Strings

SysTreeView32, xrefs: 00FE79B1

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: d1d44e35db7824122ce0629df6278a90e722e5b7311aa038b8169a25bc10f850
Instruction ID: 8c3749d30b07fcce801614a113547b075dd3d57445726ae5796a3825c5a9d018
Opcode Fuzzy Hash: d1d44e35db7824122ce0629df6278a90e722e5b7311aa038b8169a25bc10f850
Instruction Fuzzy Hash: 7A31FC3160424AABDB209E39CC41BEB77A9FF08334F244725F8B5A32E1D735E850AB50

Function 00FE73D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00FE7461
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00FE7475
SendMessageW.USER32(?,00001002,00000000,?), ref: 00FE7499

Strings

SysMonthCal32, xrefs: 00FE742C

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 9117716d0eaae83f71ffbd54cb2b251acc83ba9cf758482dc37e7027593521eb
Instruction ID: 8f9f8d3d1d5c0ae70ceb6d2b52a20c0e4c111e38a72c33c40aaed745c37751bf
Opcode Fuzzy Hash: 9117716d0eaae83f71ffbd54cb2b251acc83ba9cf758482dc37e7027593521eb
Instruction Fuzzy Hash: 4121D132500258ABDF21DE65CC82FEA3B79FF48724F110214FE556B1D0DA75AC90EBA0

Function 00FE7B93 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00FE7C4A
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00FE7C58
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00FE7C5F

Strings

msctls_updown32, xrefs: 00FE7BC4

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 5ad7f52f72119d66b1d72d7f45b84568a7a654722a22056bbafd4774bf0b8ed1
Instruction ID: d42d291753ce077f1b1b7728c975c8d3a3cd43a93467a6bda0f6ecd8673403e3
Opcode Fuzzy Hash: 5ad7f52f72119d66b1d72d7f45b84568a7a654722a22056bbafd4774bf0b8ed1
Instruction Fuzzy Hash: 99218EB1604249AFDB10EF29DCC1DA737ECEF4A364B240459F9119B361CB76EC01AB60

Function 00FE6CB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00FE6D3B
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00FE6D4B
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00FE6D70

Strings

Listbox, xrefs: 00FE6D08

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: da5dcefc45a9cdecacda336b18d0db3b489bb147a5b6686d8322bd057d693acb
Instruction ID: 5d8dac94bcdff7b4dfe4db26ef5f16ea3009b7efbe6cdc9b5430a309dfd3de49
Opcode Fuzzy Hash: da5dcefc45a9cdecacda336b18d0db3b489bb147a5b6686d8322bd057d693acb
Instruction Fuzzy Hash: 2B21D73260015CBFDF218F55CC45FBB37BAEF997A4F518124F9449B190C6719C51A7A0

Function 00FE770E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00FE7772
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00FE7787
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00FE7794

Strings

msctls_trackbar32, xrefs: 00FE7749

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 924360b5776a69f653ee655c8f3cf2e38a22db22b5a8a566127e9a25fdc7c900
Instruction ID: a03429f921e9e27cf7580d58d169536e6cb1e009cb3cb4d4d2adb443d0ffeafd
Opcode Fuzzy Hash: 924360b5776a69f653ee655c8f3cf2e38a22db22b5a8a566127e9a25fdc7c900
Instruction Fuzzy Hash: 83113A72644349BFEF206F62CC41FD77768FF88B64F110128F64196090C672E811EB10

Function 00F64C36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00F64B83,?), ref: 00F64C44
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00F64C56

Strings

kernel32.dll, xrefs: 00F64C3F
Wow64RevertWow64FsRedirection, xrefs: 00F64C50

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 370fc6846ed482419f761d52f33fd4628dd7c95b322150ab5420537089f59839
Instruction ID: f15c8f31dc760ce462aa34d1352631de5c5140f140b5fbbb7e69031013e745be
Opcode Fuzzy Hash: 370fc6846ed482419f761d52f33fd4628dd7c95b322150ab5420537089f59839
Instruction Fuzzy Hash: 8DD01730910717CFD724AF32D94860A76E5AF45365B11C83E94A6DE264E678E884EA50

Function 00F64C03 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00F64BD0,?,00F64DEF,?,010252F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00F64C11
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00F64C23

Strings

kernel32.dll, xrefs: 00F64C0C
Wow64DisableWow64FsRedirection, xrefs: 00F64C1D

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 6baca8943725bfba4fb6a63aa581a254a70d25b251bf736279019419ebd1ccf3
Instruction ID: c1231f16a2a9102ff67e2fb0222485c1320f7af06a309d3b3dc3cec85ffc52cd
Opcode Fuzzy Hash: 6baca8943725bfba4fb6a63aa581a254a70d25b251bf736279019419ebd1ccf3
Instruction Fuzzy Hash: 69D01230911717CFD7206F71D948607B6D5EF49355B11CC3E9485DA260E6B4D484D651

Function 00FE0DE7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00FE1039), ref: 00FE0DF5
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00FE0E07

Strings

advapi32.dll, xrefs: 00FE0DF0
RegDeleteKeyExW, xrefs: 00FE0E01

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 3090d612949645c05282a3611832d2d6c16f2d3477454e017021102a29babf5f
Instruction ID: 6cddbe5ae7d81a3bc7cfbf293b84b211c051ca23d6fb31ac9009cec2fc8717d6
Opcode Fuzzy Hash: 3090d612949645c05282a3611832d2d6c16f2d3477454e017021102a29babf5f
Instruction Fuzzy Hash: BCD0177091076ACFD7209FB6C84869676E5AF04266F118C3E94C6EA120EAB8D8D0DB51

Function 00FD90E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00FD8CF4,?,00FEF910), ref: 00FD90EE
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00FD9100

Strings

GetModuleHandleExW, xrefs: 00FD90FA
kernel32.dll, xrefs: 00FD90E9

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: c1cfd41ac8ce3798f89fe37fd2c8a9b0161294cbd2fe0cdbf41846b05b05609e
Instruction ID: 4c5f9d1d3ff75bd409d27eae76b4ebe2872870adbf28eb5df851060ac6b15b8e
Opcode Fuzzy Hash: c1cfd41ac8ce3798f89fe37fd2c8a9b0161294cbd2fe0cdbf41846b05b05609e
Instruction Fuzzy Hash: 83D01734914717CFDB209FB2D85860676E5AF05365B16C83F948ADA660E6B8C884EA90

Function 00FA1714 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00FA1718
__swprintf.LIBCMT ref: 00FA1749

Strings

WIN_XPe, xrefs: 00FA1788
%.3d, xrefs: 00FA1723

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 0a32de6640462183ed0792f9e18fc917f061d52c53c126e5555afbacb2daf1a4
Instruction ID: c9735d7ac0626f3b69756e6d923965cd1d96b8bd099bc21ca7817b555c927652
Opcode Fuzzy Hash: 0a32de6640462183ed0792f9e18fc917f061d52c53c126e5555afbacb2daf1a4
Instruction Fuzzy Hash: 2FD017B7844118EACB009A90DC88EF9777CBB0A701F152462F946E2040E2269B98FA21

Function 00FB717D Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dae51d08387c71757dd391f41db00909a63a24b6be19927c1a341813d372ce31
Instruction ID: 6088a168a59e563c05e5fa8f67c88eded36db86cf163937efc002d7f5d71aad4
Opcode Fuzzy Hash: dae51d08387c71757dd391f41db00909a63a24b6be19927c1a341813d372ce31
Instruction Fuzzy Hash: 15C16C75A04216EFCB14DFA5C884AAEBBB5FF88314B148599E805EB251D730ED81EF90

Function 00FDE02A Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00FDE0BE
CharLowerBuffW.USER32(?,?), ref: 00FDE101

Part of subcall function 00FDD7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00FDD7C5

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00FDE301
_memmove.LIBCMT ref: 00FDE314

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 21b0fb0607262093ca94047a4ec1c0a775a1b495a5aa514cdbdfb5886c7f1807
Instruction ID: 0a4fa70e415231aab92ddebeb0402332d508c7f750aa32f51169edc2f69c901a
Opcode Fuzzy Hash: 21b0fb0607262093ca94047a4ec1c0a775a1b495a5aa514cdbdfb5886c7f1807
Instruction Fuzzy Hash: 4EC14971A08301DFC714EF28C880A6ABBE5FF89714F08896EF8999B351D735E945DB81

Function 00FD8093 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00FD80C3
CoUninitialize.OLE32 ref: 00FD80CE

Part of subcall function 00FBD56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00FBD5D4

VariantInit.OLEAUT32(?), ref: 00FD80D9
VariantClear.OLEAUT32(?), ref: 00FD83AA

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 4199a16e82b7c0b66891d7faaba8e2f16b0a3a994323474d3700632973f4c2b5
Instruction ID: 7683a2ae198c496471c0fb2dc6223d6d0e27732f79c470fef740db8ae26c794b
Opcode Fuzzy Hash: 4199a16e82b7c0b66891d7faaba8e2f16b0a3a994323474d3700632973f4c2b5
Instruction Fuzzy Hash: 3AA135756087019FCB00DF64C881B2AB7E9FF89364F484449F99A9B3A1CB74ED05EB42

Function 00FB7530 Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00FF2C7C,?), ref: 00FB76EA
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00FF2C7C,?), ref: 00FB7702
CLSIDFromProgID.OLE32(?,?,00000000,00FEFB80,000000FF,?,00000000,00000800,00000000,?,00FF2C7C,?), ref: 00FB7727
_memcmp.LIBCMT ref: 00FB7748

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 9b36626e694fc491471a7419688f781c7ad7cec9db95591d0c7a034fa434bfa7
Instruction ID: 79e851f23702974e3553cbbbb0b7d619178e1e3cef8a8c92f07ef676afeb1ae5
Opcode Fuzzy Hash: 9b36626e694fc491471a7419688f781c7ad7cec9db95591d0c7a034fa434bfa7
Instruction Fuzzy Hash: 09810B75A00209EFCB04DFA5C984EEEB7B9FF89315F204558E506AB250DB71AE06DF60

Function 00FB687D Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00FB688E
SysAllocString.OLEAUT32(00000000), ref: 00FB6937
VariantCopy.OLEAUT32 ref: 00FB6966
VariantClear.OLEAUT32(?), ref: 00FB698D

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 1a159c576b1614bec1d94f8c290f929b8724ff435145a57165c9579a675d16d6
Instruction ID: e046286710eac8c1a000b5ac96381c98fc81af507f43b68eb96b3fc1ca0c3f07
Opcode Fuzzy Hash: 1a159c576b1614bec1d94f8c290f929b8724ff435145a57165c9579a675d16d6
Instruction Fuzzy Hash: 2F51C4757043029ACF24EF66D891BBAB3E9AF45310F20C81FE586DB291DA7CD845AF01

Function 00FE97F4 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00A2E1C8,?), ref: 00FE9863
ScreenToClient.USER32(00000002,00000002), ref: 00FE9896
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00FE9903

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 07ab650d83e832445c46482f5757b10ddeadf0ce0fcc886bdca11a5cabd4ca9d
Instruction ID: 623c2ea5d0ced3b74141a49ed57570da00541cf0f43afbfd8485c8f8986e4380
Opcode Fuzzy Hash: 07ab650d83e832445c46482f5757b10ddeadf0ce0fcc886bdca11a5cabd4ca9d
Instruction Fuzzy Hash: EB515134E04248EFCF20CF15C880AAE7BB5FF45360F548169F8659B2A1D7B1AE41DB60

Function 00FB9A80 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00FB9AD2
__itow.LIBCMT ref: 00FB9B03

Part of subcall function 00FB9D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00FB9DBE

SendMessageW.USER32(?,0000110A,00000001,?), ref: 00FB9B6C
__itow.LIBCMT ref: 00FB9BC3

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: 5dc50b2a635a33c90fc6f45806e2498429af9d48c9fb567133d5a46c82690eec
Instruction ID: 91ba71728490fce96555bf45cb56737447d7706670279b70b64e27adfcb342b3
Opcode Fuzzy Hash: 5dc50b2a635a33c90fc6f45806e2498429af9d48c9fb567133d5a46c82690eec
Instruction Fuzzy Hash: 6E419270A04308ABDF11EF55DC45BEE7BB9EF84724F004059FA05A7291DBB49A44EB61

Function 00FD69AA Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00FD69D1
WSAGetLastError.WSOCK32(00000000), ref: 00FD69E1

Part of subcall function 00F69837: __itow.LIBCMT ref: 00F69862
Part of subcall function 00F69837: __swprintf.LIBCMT ref: 00F698AC

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00FD6A45
WSAGetLastError.WSOCK32(00000000), ref: 00FD6A51

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 35317f769d8218e10e75a318f1fb81c0dbb98e3bc41a995d8e760357123ea489
Instruction ID: b0a91549af3da63e20499b66bf85a1b8a5f1836455ba0e98ac482fabee49bd31
Opcode Fuzzy Hash: 35317f769d8218e10e75a318f1fb81c0dbb98e3bc41a995d8e760357123ea489
Instruction Fuzzy Hash: 4E419275640200AFEB60AF64CC86F2977A9DB14B54F44811CFA59DF3C2DAB89D01A751

Function 00FD641A Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00FEF910), ref: 00FD64A7
_strlen.LIBCMT ref: 00FD64D9

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 13da6dfa4ac60f63366b0127112ad9509c87fcfe9e0b17c3ab30fcda6176fafd
Instruction ID: 80b776db8e4277a1fe58b170919ec88943e2fe389d0eb9ad98a92097081f7519
Opcode Fuzzy Hash: 13da6dfa4ac60f63366b0127112ad9509c87fcfe9e0b17c3ab30fcda6176fafd
Instruction Fuzzy Hash: 1E41B631904104ABCB14FBA4EC95FEEB7A9AF44310F18815AF815DB396DB38EE44EB50

Function 00FCB7F4 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00FCB89E
GetLastError.KERNEL32(?,00000000), ref: 00FCB8C4
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00FCB8E9
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00FCB915

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 8b81f00341a4f016ed015fa667d16368efcd3b03bf1ef3f61c7b0d10be29d43e
Instruction ID: 941c22c7432971179399a721b5d13b3d79bf28acf3d00d8f3a731330709a26dd
Opcode Fuzzy Hash: 8b81f00341a4f016ed015fa667d16368efcd3b03bf1ef3f61c7b0d10be29d43e
Instruction Fuzzy Hash: D4416C39A00511DFCB10EF64C985A59BBE5EF89320F088088ED4A9F362CB74FD01EB91

Function 00FE8851 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00FE88DE

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: a819f2f22400d0838dd4461cbc895d5ec0a77d282978e826619d696fa4186045
Instruction ID: 18c725479f4a9b341380fed9e39a68ebf33ef78ac5ae2c330c9fd50a0ea69080
Opcode Fuzzy Hash: a819f2f22400d0838dd4461cbc895d5ec0a77d282978e826619d696fa4186045
Instruction Fuzzy Hash: 32310830E40188AFEB30BE56DC45BBC37A5FB057A0F544012F959E61E2CE71DA42B752

Function 00FEAB37 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00FEAB60
GetWindowRect.USER32(?,?), ref: 00FEABD6
PtInRect.USER32(?,?,00FEC014), ref: 00FEABE6
MessageBeep.USER32(00000000), ref: 00FEAC57

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 569a8120dff141dabe7207e6942346c38c6ec43531358856e8e1628f1ef12704
Instruction ID: 3e0c6a5c398aeb17db56a3ee90cefb70eae61bab07431df0dd4319de51a156ea
Opcode Fuzzy Hash: 569a8120dff141dabe7207e6942346c38c6ec43531358856e8e1628f1ef12704
Instruction Fuzzy Hash: 0B418E30A00588DFCB21CF59D884BA97BF5FB89310F2480A9E855DF254C771F841EB92

Function 00F961C5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00F961FB
__isleadbyte_l.LIBCMT ref: 00F96229
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00F96257
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00F9628D

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 181108065d0b7cace2b26ba31ce33186e9889d39816ab40a9f41b9a2a990f5d4
Instruction ID: 5b10c1b1f7b60b61d45d644c0d8fbae7d01de71b58c32f57d7d01ab41ecdeb7e
Opcode Fuzzy Hash: 181108065d0b7cace2b26ba31ce33186e9889d39816ab40a9f41b9a2a990f5d4
Instruction Fuzzy Hash: FF319231A04246AFEF229F65CC44BAA7BA9FF41720F154129F864D71A1D731E990E750

Function 00FE4EEE Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00FE4F02

Part of subcall function 00FC3641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00FC365B
Part of subcall function 00FC3641: GetCurrentThreadId.KERNEL32 ref: 00FC3662
Part of subcall function 00FC3641: AttachThreadInput.USER32(00000000,?,00FC5005), ref: 00FC3669

GetCaretPos.USER32(?), ref: 00FE4F13
ClientToScreen.USER32(00000000,?), ref: 00FE4F4E
GetForegroundWindow.USER32 ref: 00FE4F54

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: f9a56263ad42b62bdd44314b6d8bea5c44dd424063a1040bcba7ec70780172a4
Instruction ID: 9f663a1bc75dde32beb17107f41107e239a19c8a8f251af6fc8de1851b6f6a84
Opcode Fuzzy Hash: f9a56263ad42b62bdd44314b6d8bea5c44dd424063a1040bcba7ec70780172a4
Instruction Fuzzy Hash: 8C31FAB1D00108AFDB10EFB5CD85AEEB7FDEF98304B10406AE415E7241DA75AE459BA1

Function 00FC3C55 Relevance: 6.1, APIs: 4, Instructions: 85processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00FC3C7A
Process32FirstW.KERNEL32(00000000,?), ref: 00FC3C88
Process32NextW.KERNEL32(00000000,?), ref: 00FC3CA8
CloseHandle.KERNEL32(00000000), ref: 00FC3D52

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 9602eaf2fed1049f8d61c98b881f51e9761b028256cdf653342ae9bcc30cfd0c
Instruction ID: c28d64753e014af1601c04cd132a3dc3f4300bbb3a4350f77cf6cc66cdc91485
Opcode Fuzzy Hash: 9602eaf2fed1049f8d61c98b881f51e9761b028256cdf653342ae9bcc30cfd0c
Instruction Fuzzy Hash: C63191711083499FD300EF50CD81FAFBBE8AF95364F50482DF482861A1EB759A49EB92

Function 00FEC498 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F62612: GetWindowLongW.USER32(?,000000EB), ref: 00F62623

GetCursorPos.USER32(?), ref: 00FEC4D2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00F9B9AB,?,?,?,?,?), ref: 00FEC4E7
GetCursorPos.USER32(?), ref: 00FEC534
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00F9B9AB,?,?,?), ref: 00FEC56E

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 7e9450ec2889ff6bebbc276444d5259117915128c064a62e4c3238e39bcb0f9a
Instruction ID: aec5e79c60b3078b21e9e22d880ff46fafb4a885574652ce4a3333e7c54e8fa3
Opcode Fuzzy Hash: 7e9450ec2889ff6bebbc276444d5259117915128c064a62e4c3238e39bcb0f9a
Instruction Fuzzy Hash: EE31C335500198AFCB25CF59C898EFE7BB5EB09320F484065F9059B261C735AD51EFE4

Function 00FB8656 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00FB8121
Part of subcall function 00FB810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00FB812B
Part of subcall function 00FB810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00FB813A
Part of subcall function 00FB810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00FB8141
Part of subcall function 00FB810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00FB8157

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00FB86A3
_memcmp.LIBCMT ref: 00FB86C6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FB86FC
HeapFree.KERNEL32(00000000), ref: 00FB8703

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 53cb361d3359a792633f0291a284c0796bfc8527709391211ded3d6dc3b39cbc
Instruction ID: f9f1f6d799eda0b280a7a59fd99793077141316dd3273214d322892e330b09bd
Opcode Fuzzy Hash: 53cb361d3359a792633f0291a284c0796bfc8527709391211ded3d6dc3b39cbc
Instruction Fuzzy Hash: 0F219D71E01108EFDB10DFA9C949BEEB7B9EF85354F158059E444AB241DB34AE06EF90

Function 00F8098C Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00F809AE

Part of subcall function 00F65A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00FC7896,?,?,00000000), ref: 00F65A2C
Part of subcall function 00F65A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00FC7896,?,?,00000000,?,?), ref: 00F65A50

_fprintf.LIBCMT ref: 00F809E5
OutputDebugStringW.KERNEL32(?), ref: 00FB5DBB

Part of subcall function 00F84AAA: _flsall.LIBCMT ref: 00F84AC3

__setmode.LIBCMT ref: 00F80A1A

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 52c7cc0d1a4db20b60078a05ad5c0cf5e626b249e733d86408548dc44f3c1d19
Instruction ID: ce47c1bd3d15853ed17c3b1e92ee58099f8e7bd7ff25d0163e995d8f777bbbcd
Opcode Fuzzy Hash: 52c7cc0d1a4db20b60078a05ad5c0cf5e626b249e733d86408548dc44f3c1d19
Instruction Fuzzy Hash: 05112732908246AFDB04B6B49C47AFEB7689F46320F640119F10567182EF7C684677A5

Function 00FD1767 Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00FD17A3

Part of subcall function 00FD182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00FD184C
Part of subcall function 00FD182D: InternetCloseHandle.WININET(00000000), ref: 00FD18E9

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: b3c9d4c6ba26747a299d05153d6337dd197964d4107f2c161361679d91831486
Instruction ID: 974dad46fa0c590badb6968f69555cb5e3434f22605ee20530dde9b1641a20c4
Opcode Fuzzy Hash: b3c9d4c6ba26747a299d05153d6337dd197964d4107f2c161361679d91831486
Instruction Fuzzy Hash: 6421A172600605BFEB129F60DC41FBABBABFF89710F18402BFA1196751DB759811B7A0

Function 00FC3A2A Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00FEFAC0), ref: 00FC3A64
GetLastError.KERNEL32 ref: 00FC3A73
CreateDirectoryW.KERNEL32(?,00000000), ref: 00FC3A82
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00FEFAC0), ref: 00FC3ADF

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 8437214a7b3c2157dc89634036163d88c6cbfbabd7808b582f905469ee5043a7
Instruction ID: a4b6377da8d1f1a4b041fb316a6eab5cbd4b08159f4b90fe4634cea575932e76
Opcode Fuzzy Hash: 8437214a7b3c2157dc89634036163d88c6cbfbabd7808b582f905469ee5043a7
Instruction Fuzzy Hash: F521A6755083069FC300EF24C982D6A77E4AE593A4F108A2DF4D9C72A1D735DE59EB82

Function 00FBDCBE Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00FBF0BC: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00FBDCD3,?,?,?,00FBEAC6,00000000,000000EF,00000119,?,?), ref: 00FBF0CB
Part of subcall function 00FBF0BC: lstrcpyW.KERNEL32(00000000,?,?,00FBDCD3,?,?,?,00FBEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00FBF0F1
Part of subcall function 00FBF0BC: lstrcmpiW.KERNEL32(00000000,?,00FBDCD3,?,?,?,00FBEAC6,00000000,000000EF,00000119,?,?), ref: 00FBF122

lstrlenW.KERNEL32(?,00000002,?,?,?,?,00FBEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00FBDCEC
lstrcpyW.KERNEL32(00000000,?,?,00FBEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00FBDD12
lstrcmpiW.KERNEL32(00000002,cdecl,?,00FBEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00FBDD46

Strings

cdecl, xrefs: 00FBDD3D

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 3754abcf9e79eaf9ff5c8ae5b5830b903495130320387a4f156c5a2abaae0aaf
Instruction ID: 03094ad4c3a9a81fa26a813ad5ad5ca97c332bcbdec050afea86b5fa4b629f0b
Opcode Fuzzy Hash: 3754abcf9e79eaf9ff5c8ae5b5830b903495130320387a4f156c5a2abaae0aaf
Instruction Fuzzy Hash: 8311D63A200309EFCB25AF35CC45DBA77A8FF49350B40402AF846CB261FB759844EB91

Function 00F950E2 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00F95101

Part of subcall function 00F8571C: __FF_MSGBANNER.LIBCMT ref: 00F85733
Part of subcall function 00F8571C: __NMSG_WRITE.LIBCMT ref: 00F8573A
Part of subcall function 00F8571C: RtlAllocateHeap.NTDLL(00A10000,00000000,00000001,00000000,?,?,?,00F80DD3,?), ref: 00F8575F

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9d08eebcfdee3a2950f060c203f381b0511949d061da14fd3f2ca7c2d777e1cb
Instruction ID: bb7e64f17bdbdba372a2261f990e85af8e59f69217387bb0502d09dff4419ea7
Opcode Fuzzy Hash: 9d08eebcfdee3a2950f060c203f381b0511949d061da14fd3f2ca7c2d777e1cb
Instruction Fuzzy Hash: 3E110672900A15AFEF333F70AC4579D3B98AF84BB1B204529F9449A160DF39CC81B790

Function 00F644A0 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F644CF

Part of subcall function 00F6407C: _memset.LIBCMT ref: 00F640FC
Part of subcall function 00F6407C: _wcscpy.LIBCMT ref: 00F64150
Part of subcall function 00F6407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00F64160

KillTimer.USER32(?,00000001,?,?), ref: 00F64524
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00F64533
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00F9D4B9

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 3b05e0e916e6a1ee12c3f11e6a9e68dda20a306626fd744bf0d63ca4671f8a80
Instruction ID: 88e6cea6d32721951eda1af9816a3e283424053c81fca6f05d59c0c61f088eeb
Opcode Fuzzy Hash: 3b05e0e916e6a1ee12c3f11e6a9e68dda20a306626fd744bf0d63ca4671f8a80
Instruction Fuzzy Hash: 7721C575904394AFFB72DB248C55BE7BBEC9B06314F14009EE69A9A181C3742E88EB51

Function 00FD6369 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00F65A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00FC7896,?,?,00000000), ref: 00F65A2C
Part of subcall function 00F65A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00FC7896,?,?,00000000,?,?), ref: 00F65A50

gethostbyname.WSOCK32(?,?,?), ref: 00FD6399
WSAGetLastError.WSOCK32(00000000), ref: 00FD63A4
_memmove.LIBCMT ref: 00FD63D1
inet_ntoa.WSOCK32(?), ref: 00FD63DC

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: 4baae2451b63c0efba58fbcc1b5d7fa1b2fd2793fbb7bc37cf2cbdd24d01ea55
Instruction ID: c1f5ef53bf7bb588afb3c2eb652d18a91679e2806a489c12a3d6a7bff12ff2df
Opcode Fuzzy Hash: 4baae2451b63c0efba58fbcc1b5d7fa1b2fd2793fbb7bc37cf2cbdd24d01ea55
Instruction Fuzzy Hash: 18112171900109AFCB04FBA4DD86DEE77B9EF15310B544065F505F7261DB389E18EB61

Function 00FB8B41 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00FB8B61
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00FB8B73
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00FB8B89
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00FB8BA4

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: be117c7e9b464ae31e5afa18ad321c5fa937b96908975f9914fb0bf96e4a9f2a
Instruction ID: b80b846001710131e697021ef2e82259b25849a85a6ab86dd62302e552c761cd
Opcode Fuzzy Hash: be117c7e9b464ae31e5afa18ad321c5fa937b96908975f9914fb0bf96e4a9f2a
Instruction Fuzzy Hash: AE110A7A901218FFDB11DBA5CC85F9DBB78FB88750F204095E900B7250DA716E11EB94

Function 00F61290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00F62612: GetWindowLongW.USER32(?,000000EB), ref: 00F62623

DefDlgProcW.USER32(?,00000020,?), ref: 00F612D8
GetClientRect.USER32(?,?), ref: 00F9B5FB
GetCursorPos.USER32(?), ref: 00F9B605
ScreenToClient.USER32(?,?), ref: 00F9B610

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 666f6e3187f005995bd31df7516b5c5bd3f3574a9d18632ef097412f83f4a6eb
Instruction ID: de4e921321d7aa3906560050ee1270b33398a3c6052c3f35d6bc439ca775c459
Opcode Fuzzy Hash: 666f6e3187f005995bd31df7516b5c5bd3f3574a9d18632ef097412f83f4a6eb
Instruction Fuzzy Hash: 28115536A00159ABCB10EFA8D8999FE77B8FB05300F440456FA01E7240C734BA55ABA5

Function 00FC1142 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00FBFCED,?,00FC0D40,?,00008000), ref: 00FC115F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,00FBFCED,?,00FC0D40,?,00008000), ref: 00FC1184
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00FBFCED,?,00FC0D40,?,00008000), ref: 00FC118E
Sleep.KERNEL32(?,?,?,?,?,?,?,00FBFCED,?,00FC0D40,?,00008000), ref: 00FC11C1

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 6fc5807a730cec9028afc4997908b979d3ff4d176ca0407486666135f15dae5f
Instruction ID: 148620f606a2411dedf3c977c1f36ad109a1b092a68d99c4034164430dad24f0
Opcode Fuzzy Hash: 6fc5807a730cec9028afc4997908b979d3ff4d176ca0407486666135f15dae5f
Instruction Fuzzy Hash: 92118231C0051EDBCF009FA4D995BEEBB7CFF0A711F544059DA40B6282CB389564EB91

Function 00FBD831 Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00FBD84D
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00FBD864
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00FBD879
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00FBD897

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 7face72016eafbc67100826fccaa4b88c9f44387ab6e359b6b8c176e4c4c4822
Instruction ID: e5fc3b23aca976ebc6844d2bbd267b1e806077ca9eec6a5874d9df3cb0d67430
Opcode Fuzzy Hash: 7face72016eafbc67100826fccaa4b88c9f44387ab6e359b6b8c176e4c4c4822
Instruction Fuzzy Hash: 50116175606704DBE320CF52DC48FD3BBBCEB00B01F108569A516D6490E7B1E549AFA2

Function 00F96FB7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00F96FDB

Part of subcall function 00F976C2: __fltout2.LIBCMT ref: 00F976EB

__cftog_l.LIBCMT ref: 00F97001
__cftoe_l.LIBCMT ref: 00F97033

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 10dad3c70f84cabc1013dfa31298d70cfcb634aa5c657541cb14e3cafae1f37b
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: F9014C7245824ABBDF166F84CC42CEE3F62BB18364F598415FE1858031D336D9B1BB81

Function 00FEB2C5 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00FEB2E4
ScreenToClient.USER32(?,?), ref: 00FEB2FC
ScreenToClient.USER32(?,?), ref: 00FEB320
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00FEB33B

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 7a875328d049ce722970b6808a23ab71373bb33463b71ee111d35361a843a333
Instruction ID: 647d524b00b9ce411f4033a88e11fdac02b7534bc105f1f499ce9adc040cc588
Opcode Fuzzy Hash: 7a875328d049ce722970b6808a23ab71373bb33463b71ee111d35361a843a333
Instruction Fuzzy Hash: FE1143B9D0024DEFDB41CFA9D8849EEBBB9FB08310F108166E914E3220D735AA559F50

Function 00FEB635 Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FEB644
_memset.LIBCMT ref: 00FEB653
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,01026F20,01026F64), ref: 00FEB682
CloseHandle.KERNEL32 ref: 00FEB694

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: c6b815389dd82187d9766c032109427ef71bd55c846e9c810f712cf90cbde104
Instruction ID: a099e6507d0db1411103d17d52a0f2a84188c37bc9835ea091b0738d36fc661e
Opcode Fuzzy Hash: c6b815389dd82187d9766c032109427ef71bd55c846e9c810f712cf90cbde104
Instruction Fuzzy Hash: 1BF089B25403547FE6602B61AC45FBB3E9CEB04355F404021FE48D5195D77B5C0097B8

Function 00FC6BDA Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00FC6BE6

Part of subcall function 00FC76C4: _memset.LIBCMT ref: 00FC76F9

_memmove.LIBCMT ref: 00FC6C09
_memset.LIBCMT ref: 00FC6C16
LeaveCriticalSection.KERNEL32(?), ref: 00FC6C26

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 35457ddfc996c290802e0d8824747491c90ebf0adde58c973b057cb9b473e2fc
Instruction ID: fe50d48fffc8300f6b03624b705bbf0e387a9b59aa2432d3f56809762e1f1f24
Opcode Fuzzy Hash: 35457ddfc996c290802e0d8824747491c90ebf0adde58c973b057cb9b473e2fc
Instruction Fuzzy Hash: 7AF05E3A200204ABCF416F55DC85E8ABF29EF45360F04C065FE085E227DB35E915EBB4

Function 00F62218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00F62231
SetTextColor.GDI32(?,000000FF), ref: 00F6223B
SetBkMode.GDI32(?,00000001), ref: 00F62250
GetStockObject.GDI32(00000005), ref: 00F62258
GetWindowDC.USER32(?,00000000), ref: 00F9BE83
GetPixel.GDI32(00000000,00000000,00000000), ref: 00F9BE90
GetPixel.GDI32(00000000,?,00000000), ref: 00F9BEA9
GetPixel.GDI32(00000000,00000000,?), ref: 00F9BEC2
GetPixel.GDI32(00000000,?,?), ref: 00F9BEE2
ReleaseDC.USER32(?,00000000), ref: 00F9BEED

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 3ad2cd3568147e055c4d09dafdd6fe73a27b662af7eea2b39ef901fa1e480d71
Instruction ID: 5bb19b0bd7da4d253727dd0908f8ef149d56ecaed850aab4084f44736ee7f907
Opcode Fuzzy Hash: 3ad2cd3568147e055c4d09dafdd6fe73a27b662af7eea2b39ef901fa1e480d71
Instruction Fuzzy Hash: D6E03031504288AAEF215FA4FC4D7D83B15EB55336F048366FA69880E187754584EB11

Function 00FB8712 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00FB871B
OpenThreadToken.ADVAPI32(00000000,?,?,?,00FB82E6), ref: 00FB8722
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00FB82E6), ref: 00FB872F
OpenProcessToken.ADVAPI32(00000000,?,?,?,00FB82E6), ref: 00FB8736

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 072a7fe79bef2351d236ec112870cb89f74e1b4b8dcf81842ed5dfa7d9f5ea35
Instruction ID: 5d81b0a006217cc9984825c8d135e08b146c01da6f5c8734723ee8fb66044bbe
Opcode Fuzzy Hash: 072a7fe79bef2351d236ec112870cb89f74e1b4b8dcf81842ed5dfa7d9f5ea35
Instruction Fuzzy Hash: FCE08636A122569BD7205FB16D4CB963BACEF907E5F258828B345CE040DA34844AEB50

Function 00FBB2F3 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 00FBB4BE

Strings

AutoIt3GUI, xrefs: 00FBB436
Container, xrefs: 00FBB43B

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: 9ef521781819a88491c124f1451c823bf72f34dd08226da2f15f9def063daa7f
Instruction ID: cc51a49e9d6a5fc2314b5daa2ca46406747e70cda436a6d56e68162ac1cd9684
Opcode Fuzzy Hash: 9ef521781819a88491c124f1451c823bf72f34dd08226da2f15f9def063daa7f
Instruction Fuzzy Hash: 77916A71600601AFDB64DF65C884BAABBE5FF49710F24846DF94ACB2A1DBB0E841DF50

Function 00FCAFAC Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00F7FC86: _wcscpy.LIBCMT ref: 00F7FCA9

Part of subcall function 00F69837: __itow.LIBCMT ref: 00F69862
Part of subcall function 00F69837: __swprintf.LIBCMT ref: 00F698AC

__wcsnicmp.LIBCMT ref: 00FCB02D
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00FCB0F6

Strings

LPT, xrefs: 00FCB027

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: a198756cb824f935c9a88fe1c400ec2547f66d5eb706d197f905775b203565b9
Instruction ID: 3445e5f8ce2b8492587d4c51dc0b1f5bba45d4bd3399a87a8d663cd4a5041ad7
Opcode Fuzzy Hash: a198756cb824f935c9a88fe1c400ec2547f66d5eb706d197f905775b203565b9
Instruction Fuzzy Hash: CC616E76E00216AFCB14DF94C993FAEB7B8EB08310F14406EF916AB251D774AE44EB51

Function 00F72957 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00F72968
GlobalMemoryStatusEx.KERNEL32(?), ref: 00F72981

Strings

@, xrefs: 00F72975

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 78a268f8b52062619bc464d9d3956a6d4e9822a272b15030a21a8b2222aa1f9f
Instruction ID: 868706ec6be733eef579d6244ec42a2de4fbb651a4710a61c06410ac722714d9
Opcode Fuzzy Hash: 78a268f8b52062619bc464d9d3956a6d4e9822a272b15030a21a8b2222aa1f9f
Instruction Fuzzy Hash: 2A5134724087449BD320AF60DC86BAFBBF8FB85344F81885DF2D8810A5DF758529DB66

Function 00FC9734 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00F64F0B: __fread_nolock.LIBCMT ref: 00F64F29

_wcscmp.LIBCMT ref: 00FC9824
_wcscmp.LIBCMT ref: 00FC9837

Strings

FILE, xrefs: 00FC9770

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 5398f71eb575948ae28d3c99be8e0655dc54a261c70ffbf3d5e6285ef83ae88d
Instruction ID: 0e4de7a4de64f706e8ac23d1ff3b293760914833bf8a61b46164eb5750937b47
Opcode Fuzzy Hash: 5398f71eb575948ae28d3c99be8e0655dc54a261c70ffbf3d5e6285ef83ae88d
Instruction Fuzzy Hash: CD41D971A0420ABADF20ABA4CC5AFEFB7BDDF85710F010469F904E7181D6B5AA049B61

Function 00FD258E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FD259E
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00FD25D4

Strings

|, xrefs: 00FD25A5

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: b2e77f4e48990c3b52bfe9a410c450a7f2d930fbe636f51740eef51a48feba4f
Instruction ID: 37274a2797d0ca177f9e3a60a18b110d8ca749d01cd2b2285d7e61ea0e37f0d0
Opcode Fuzzy Hash: b2e77f4e48990c3b52bfe9a410c450a7f2d930fbe636f51740eef51a48feba4f
Instruction Fuzzy Hash: AC312C71800219EBCF41EFA1CC85EEEBFB9FF18310F14005AF915A6265DB359955EBA0

Function 00FE7A71 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00FE7B61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00FE7B76

Strings

', xrefs: 00FE7ACA

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: dfcbf58e6fed74f7ee95ea793a61430d4f0f43c9d13f3fb2842b5f541c2ee8ee
Instruction ID: 8fe53a752a8bf7b9c47df52a65a7975efd695902db4a63322612843fdc3ef5ef
Opcode Fuzzy Hash: dfcbf58e6fed74f7ee95ea793a61430d4f0f43c9d13f3fb2842b5f541c2ee8ee
Instruction Fuzzy Hash: 2D413A74A0434A9FDB14DF65C880BEABBB9FF08700F10016AE904EB395E770A941DF90

Function 00FE6A63 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00FE6B17
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00FE6B53

Strings

static, xrefs: 00FE6AB3

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 1ebdf5f376b03a96a81345658baf203997e5448147fd1a8a24bd2d1b912969af
Instruction ID: cf2b1610fff54c96efe59af30e87e16903491904f8cfafe46c49bb5374226a44
Opcode Fuzzy Hash: 1ebdf5f376b03a96a81345658baf203997e5448147fd1a8a24bd2d1b912969af
Instruction Fuzzy Hash: 1B31AF71600248AEDB109F65CC80BFB77B9FF98764F108629F9A5D7190DB35AC81E760

Function 00FC28A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FC2911
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00FC294C

Strings

0, xrefs: 00FC290A

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: a2e043457c82920f0938309e29653bd64e16701c42f9a2649bc928bf81c0e703
Instruction ID: 887e2ed7a870d52b4727c450d2eb6c4334f9572db971490f3cf7a2fb18d039d7
Opcode Fuzzy Hash: a2e043457c82920f0938309e29653bd64e16701c42f9a2649bc928bf81c0e703
Instruction Fuzzy Hash: 3231C332A00306DBEBA4DE58CE86FEEBBB4EF45360F14001DE985A61A0D7B09944FB51

Function 00FD39E9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00FD3A66

Part of subcall function 00F67DE1: _memmove.LIBCMT ref: 00F67E22

Strings

AUTOITCALLVARIABLE%d, xrefs: 00FD3A58
, $, xrefs: 00FD3AA6

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 3506404897-2584243854
Opcode ID: c5342d24eefb366c6d931e7e797260d420c0117dafad74041781d0f4e861ddef
Instruction ID: 3332e34adc3acaff090a9b10b058e9a150ada0a5a2bce32eab4b0feb2d0fd677
Opcode Fuzzy Hash: c5342d24eefb366c6d931e7e797260d420c0117dafad74041781d0f4e861ddef
Instruction Fuzzy Hash: CB219E35B00219ABCF10EF64CC82AAE77B9EF44700F04445AF545AB242DB3DEA45EB62

Function 00FE66D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00FE6761
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00FE676C

Strings

Combobox, xrefs: 00FE672E

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: ea417ecf9b1c74983fd4d889e95f65fbbc10cc131fd2d8f6956ae12a75d496e9
Instruction ID: 0a7fe66a86027b39941be1576754307f7bbb62f45b4d8f789eb22a7b44ed0c7d
Opcode Fuzzy Hash: ea417ecf9b1c74983fd4d889e95f65fbbc10cc131fd2d8f6956ae12a75d496e9
Instruction Fuzzy Hash: D811B27160024CAFEF218F55CC80EAB3B6AEB583A8F100129F914DB290DA359C51A7A0

Function 00FE6C07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00F61D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00F61D73
Part of subcall function 00F61D35: GetStockObject.GDI32(00000011), ref: 00F61D87
Part of subcall function 00F61D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00F61D91

GetWindowRect.USER32(00000000,?), ref: 00FE6C71
GetSysColor.USER32(00000012), ref: 00FE6C8B

Strings

static, xrefs: 00FE6C4E

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 7b829930431646b1daf2244f3cc80f34a840471f1331aa3b243d69d4bc931e83
Instruction ID: 4f43a0cb5795329e2b910df31416f91ad3116e45cf855a897bbe5eb46d8ae3ea
Opcode Fuzzy Hash: 7b829930431646b1daf2244f3cc80f34a840471f1331aa3b243d69d4bc931e83
Instruction Fuzzy Hash: 20215672A10249AFDF04DFA9CC45AEA7BB8FB08355F144628F996D2250E735E850EB60

Function 00FE6920 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00FE69A2
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00FE69B1

Strings

edit, xrefs: 00FE6986

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 6dedd289811589e7c3f1de58f46ff8cc094e3ea4faf4c59654ab9093aaed9957
Instruction ID: adf122818ba3ca6ad09434a7dfaf9dc6c2597c904e1e5b126aa2a61176f58373
Opcode Fuzzy Hash: 6dedd289811589e7c3f1de58f46ff8cc094e3ea4faf4c59654ab9093aaed9957
Instruction Fuzzy Hash: 2C119D71500288ABEB108E659C80AEF3669EB253B4F104724F9A1D61D1C735DC50B760

Function 00FC29AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FC2A22
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00FC2A41

Strings

0, xrefs: 00FC2A18

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 9a22af351031c864b951beb52ca234f5c96d723fc707f6d5a52a0ec59f09264a
Instruction ID: 27b12fd936272025faf67254be8981df634c504a76fce27f45ad374583c0c329
Opcode Fuzzy Hash: 9a22af351031c864b951beb52ca234f5c96d723fc707f6d5a52a0ec59f09264a
Instruction Fuzzy Hash: 4911E932D0121AABCB70DF58DD46FEA77B8EB46320F144039E855E7250D778AD05E791

Function 00FD21D6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00FD222C
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00FD2255

Strings

<local>, xrefs: 00FD221D

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 1ab932ee08c0164f9022404b8a745171627212b012b1fec5f7cdcfa6fc11c6db
Instruction ID: f64d8df39daeb22b37fb29615af733fb00a2269934115f99ddb8f95467bc094a
Opcode Fuzzy Hash: 1ab932ee08c0164f9022404b8a745171627212b012b1fec5f7cdcfa6fc11c6db
Instruction Fuzzy Hash: E011E071901265BAEB258F118C84FBBFBA9FF26362F14822BF90486200D3705984E6F0

Function 00FB8E05 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F67DE1: _memmove.LIBCMT ref: 00F67E22

Part of subcall function 00FBAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00FBAABC

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00FB8E73

Strings

ComboBox, xrefs: 00FB8E12
ListBox, xrefs: 00FB8E3D

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: b4e189db3986670ef0d04492faeb1c595ee6da0356c81b33b3983ad3d5163427
Instruction ID: b87f65b6bfe95d6c209ee8a85e319942bb3ddc7c861f18983414283de40ccf11
Opcode Fuzzy Hash: b4e189db3986670ef0d04492faeb1c595ee6da0356c81b33b3983ad3d5163427
Instruction Fuzzy Hash: 3E012871A41218ABCB14FBE5CC419FE736CEF41360F000A19F871672D1DE39980CEA60

Function 00FB8CFD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F67DE1: _memmove.LIBCMT ref: 00F67E22

Part of subcall function 00FBAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00FBAABC

SendMessageW.USER32(?,00000180,00000000,?), ref: 00FB8D6B

Strings

ComboBox, xrefs: 00FB8D0A
ListBox, xrefs: 00FB8D35

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 699bbc1e331e9e33d83077cb39e2736e11e7f173677f724860034e98344457d1
Instruction ID: 646d1faeba43f8af229d901c1431d3ca6974780977144e8ca5261567108c3426
Opcode Fuzzy Hash: 699bbc1e331e9e33d83077cb39e2736e11e7f173677f724860034e98344457d1
Instruction Fuzzy Hash: 6C01F771B41108ABCB15EBA1CD92EFE73ACDF15350F10001AB84167291DE189E0CFA71

Function 00FB8D82 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F67DE1: _memmove.LIBCMT ref: 00F67E22

Part of subcall function 00FBAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00FBAABC

SendMessageW.USER32(?,00000182,?,00000000), ref: 00FB8DEE

Strings

ComboBox, xrefs: 00FB8D8F
ListBox, xrefs: 00FB8DBA

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 9210fb8ea9c1c78e21c27c97d9dc45f45906056fe3646146af0d904671b53cc4
Instruction ID: 64eb0ae2a1645b4a025be2f70e4006a56ee03ed328f57eebe684fe9b8f9d6c92
Opcode Fuzzy Hash: 9210fb8ea9c1c78e21c27c97d9dc45f45906056fe3646146af0d904671b53cc4
Instruction Fuzzy Hash: BB01A271A41109A7DB11EBA5CD82AFE77AC9F25350F10041AB845B7292DE298E0DFA71

Function 00FC4F28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00FC4F46
_wcscmp.LIBCMT ref: 00FC4F58

Strings

#32770, xrefs: 00FC4F52

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: c2f5693e7ffc4d98119e8708d19f30263761d7ec0f65db6bfd58e9dd272e2e03
Instruction ID: be28af4bbb60c5f9432c6f1490044a25d05f8ca20f87d1400adfd780af64ac73
Opcode Fuzzy Hash: c2f5693e7ffc4d98119e8708d19f30263761d7ec0f65db6bfd58e9dd272e2e03
Instruction Fuzzy Hash: 2CE09232A002292AD720AA99AC4AFE7FBACEB45B70F01016BFD44D7051D575AB4587E0

Function 00F9B2C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00F9B314: _memset.LIBCMT ref: 00F9B321

Part of subcall function 00F80940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00F9B2F0,?,?,?,00F6100A), ref: 00F80945

IsDebuggerPresent.KERNEL32(?,?,?,00F6100A), ref: 00F9B2F4
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00F6100A), ref: 00F9B303

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00F9B2FE

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 80c33a8f12f7dd00a706fc8495b5f0933c264688b4368130d6212d9462328f22
Instruction ID: 97347e549d851aef2a8583e1ede7b8749b9943dc1a2b6c0ee2c2f4287a4e9330
Opcode Fuzzy Hash: 80c33a8f12f7dd00a706fc8495b5f0933c264688b4368130d6212d9462328f22
Instruction Fuzzy Hash: 98E092702007408FEB31DF28E9087427BE8AF00714F00896CE496CB381EBB8D808DBA1

Function 00FB7C74 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00FB7C82

Part of subcall function 00F83358: _doexit.LIBCMT ref: 00F83362

Strings

AutoIt, xrefs: 00FB7C76
Error allocating memory., xrefs: 00FB7C7B

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 9a1fd22cfbf509450371c531617cc7b2cacd2c9e93a3ad65267dced7b2a34a3c
Instruction ID: 1bae530511593e0c49c761942a574f14014931c6153a760573e700203a536805
Opcode Fuzzy Hash: 9a1fd22cfbf509450371c531617cc7b2cacd2c9e93a3ad65267dced7b2a34a3c
Instruction Fuzzy Hash: 13D05B323C435C37D11532A5AC07FDA7A484F05F56F040415FB145E5E34DD9958172E9

Function 00FA1935 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 00FA1775

Part of subcall function 00FDBFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,00FA195E,?), ref: 00FDBFFE
Part of subcall function 00FDBFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00FDC010

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00FA196D

Strings

WIN_XPe, xrefs: 00FA1788

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: bed2de9f2223be02a43ad44640597b1fb522ac3b4e023190162271f47f9e4e0d
Instruction ID: 15ede1fd0a2c253fa72d5bffe05ae826fd946e1849d9b6af47a2f1fd5c979fec
Opcode Fuzzy Hash: bed2de9f2223be02a43ad44640597b1fb522ac3b4e023190162271f47f9e4e0d
Instruction Fuzzy Hash: 5FF039B180000CDFCB25DF90CA84BECBBF8BB08301F251095E442A6090C7354F88EF60

Function 00FE5998 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00FE59AE
PostMessageW.USER32(00000000), ref: 00FE59B5

Part of subcall function 00FC5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00FC52BC

Strings

Shell_TrayWnd, xrefs: 00FE59A7

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 52e649886e9a20a0219cf8c897c8da0a0c54728e5a255399d49533dba9d1935a
Instruction ID: eb3d86151bc4fec2ec55d25e7a59e9a52e4e1657485b061850f59f0ed6fb7a0b
Opcode Fuzzy Hash: 52e649886e9a20a0219cf8c897c8da0a0c54728e5a255399d49533dba9d1935a
Instruction Fuzzy Hash: 53D0C9313803557BE664AB709D8FFD67A54AB54B50F040829B246AE1E4C9E4A804D654

Function 00FE5964 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00FE596E
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00FE5981

Part of subcall function 00FC5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00FC52BC

Strings

Shell_TrayWnd, xrefs: 00FE5967

Memory Dump Source

Source File: 00000000.00000002.2128452476.0000000000F61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000000.00000002.2128227422.0000000000F60000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000000FEF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128503678.0000000001014000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128550916.000000000101E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2128603791.0000000001027000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f60000_ZeAX5i7cGB.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: cb9c5246614d162bbc4a86743247549ecbfc559f8b97fb5e5521a2409d3007bf
Instruction ID: 2d591cda2ad461a190fb62c2c69893a37b2c2095f277389c67f394ff22d99b36
Opcode Fuzzy Hash: cb9c5246614d162bbc4a86743247549ecbfc559f8b97fb5e5521a2409d3007bf
Instruction Fuzzy Hash: 43D0C931384355B7E664AB709D8FFD67A54AB50B50F040829B24AAE1E4C9E4A804D654

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ZeAX5i7cGB.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Ycdwx.exe.log

C:\Users\user\AppData\Local\Temp\aut961A.tmp

C:\Users\user\AppData\Local\Temp\tilths

C:\Users\user\AppData\Roaming\Ycdwx\Ycdwx.exe

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Windows Analysis Report
ZeAX5i7cGB.exe

Function 00F63B3A Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Function 00F649A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00F64E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 00FC9155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 00F63015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Function 00F63041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 00F6708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00F63A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00F63633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Function 00F63766 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Function 00A54888 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00F89AE6 Relevance: 10.5, APIs: 7, Instructions: 45
threadCOMMON

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre