Edit tour

Windows Analysis Report
rlPy5vt1Dg.exe

Overview

General Information

Sample name:	rlPy5vt1Dg.exe renamed because original name is a hash value
Original sample name:	13e8755ebc6224ddf2a6e6cd3c24febcf079d904bbf0e36ac6e4a9f2acacf47d.exe
Analysis ID:	1588779
MD5:	b0b605a2f571cb868354cd6d01162a43
SHA1:	6494857c0fee2dfbccdd198315e2a612dbc1caf6
SHA256:	13e8755ebc6224ddf2a6e6cd3c24febcf079d904bbf0e36ac6e4a9f2acacf47d
Tags:	exeMassLoggeruser-adrian__luca
Infos:

Detection

MassLogger RAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected MassLogger RAT

Yara detected Telegram RAT

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

rlPy5vt1Dg.exe (PID: 1560 cmdline: "C:\Users\user\Desktop\rlPy5vt1Dg.exe" MD5: B0B605A2F571CB868354CD6D01162A43)

RegSvcs.exe (PID: 6504 cmdline: "C:\Users\user\Desktop\rlPy5vt1Dg.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Configuration

Threatname: MassLogger

{"EXfil Mode": "Telegram", "Telegram Token": "7587183186:AAHUZrWZ7L176Rdbbx5hqpqFjUTtAoKapgw", "Telegram Chatid": "1366706404"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.3295737617.00000000003C2000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000002.00000002.3295737617.00000000003C2000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3295737617.00000000003C2000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000002.3295737617.00000000003C2000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xee9f:$a1: get_encryptedPassword 0xf1c7:$a2: get_encryptedUsername 0xec3a:$a3: get_timePasswordChanged 0xed5b:$a4: get_passwordField 0xeeb5:$a5: set_encryptedPassword 0x10813:$a7: get_logins 0x104c4:$a8: GetOutlookPasswords 0x102b6:$a9: StartKeylogger 0x10763:$a10: KeyLoggerEventArgs 0x10313:$a11: KeyLoggerEventArgsEventHandler
00000002.00000002.3296876168.00000000026E6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2069248949.0000000001280000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000000.00000002.2069248949.0000000001280000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2069248949.0000000001280000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.2069248949.0000000001280000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf09f:$a1: get_encryptedPassword 0xf3c7:$a2: get_encryptedUsername 0xee3a:$a3: get_timePasswordChanged 0xef5b:$a4: get_passwordField 0xf0b5:$a5: set_encryptedPassword 0x10a13:$a7: get_logins 0x106c4:$a8: GetOutlookPasswords 0x104b6:$a9: StartKeylogger 0x10963:$a10: KeyLoggerEventArgs 0x10513:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.2069248949.0000000001280000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14055:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13553:$a3: \Google\Chrome\User Data\Default\Login Data 0x13861:$a4: \Orbitum\User Data\Default\Login Data 0x14659:$a5: \Kometa\User Data\Default\Login Data
Process Memory Space: rlPy5vt1Dg.exe PID: 1560	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: rlPy5vt1Dg.exe PID: 1560	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: rlPy5vt1Dg.exe PID: 1560	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: rlPy5vt1Dg.exe PID: 1560	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x23ecda:$a1: get_encryptedPassword 0x23eff3:$a2: get_encryptedUsername 0x23ea89:$a3: get_timePasswordChanged 0x23ebaa:$a4: get_passwordField 0x23ecf0:$a5: set_encryptedPassword 0x2405f5:$a7: get_logins 0x2402a6:$a8: GetOutlookPasswords 0x240098:$a9: StartKeylogger 0x240545:$a10: KeyLoggerEventArgs 0x2400f5:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 6504	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 6504	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 6504	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 6504	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x7a11:$a1: get_encryptedPassword 0x7d2a:$a2: get_encryptedUsername 0x77c0:$a3: get_timePasswordChanged 0x78e1:$a4: get_passwordField 0x7a27:$a5: set_encryptedPassword 0x932c:$a7: get_logins 0x8fdd:$a8: GetOutlookPasswords 0x8dcf:$a9: StartKeylogger 0x927c:$a10: KeyLoggerEventArgs 0x8e2c:$a11: KeyLoggerEventArgsEventHandler
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.rlPy5vt1Dg.exe.1280000.1.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.rlPy5vt1Dg.exe.1280000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.rlPy5vt1Dg.exe.1280000.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.rlPy5vt1Dg.exe.1280000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd29f:$a1: get_encryptedPassword 0xd5c7:$a2: get_encryptedUsername 0xd03a:$a3: get_timePasswordChanged 0xd15b:$a4: get_passwordField 0xd2b5:$a5: set_encryptedPassword 0xec13:$a7: get_logins 0xe8c4:$a8: GetOutlookPasswords 0xe6b6:$a9: StartKeylogger 0xeb63:$a10: KeyLoggerEventArgs 0xe713:$a11: KeyLoggerEventArgsEventHandler
0.2.rlPy5vt1Dg.exe.1280000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x12255:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x11753:$a3: \Google\Chrome\User Data\Default\Login Data 0x11a61:$a4: \Orbitum\User Data\Default\Login Data 0x12859:$a5: \Kometa\User Data\Default\Login Data
0.2.rlPy5vt1Dg.exe.1280000.1.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.rlPy5vt1Dg.exe.1280000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.rlPy5vt1Dg.exe.1280000.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.rlPy5vt1Dg.exe.1280000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf09f:$a1: get_encryptedPassword 0xf3c7:$a2: get_encryptedUsername 0xee3a:$a3: get_timePasswordChanged 0xef5b:$a4: get_passwordField 0xf0b5:$a5: set_encryptedPassword 0x10a13:$a7: get_logins 0x106c4:$a8: GetOutlookPasswords 0x104b6:$a9: StartKeylogger 0x10963:$a10: KeyLoggerEventArgs 0x10513:$a11: KeyLoggerEventArgsEventHandler
0.2.rlPy5vt1Dg.exe.1280000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14055:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13553:$a3: \Google\Chrome\User Data\Default\Login Data 0x13861:$a4: \Orbitum\User Data\Default\Login Data 0x14659:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.3c0000.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.RegSvcs.exe.3c0000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.3c0000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.3c0000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf09f:$a1: get_encryptedPassword 0xf3c7:$a2: get_encryptedUsername 0xee3a:$a3: get_timePasswordChanged 0xef5b:$a4: get_passwordField 0xf0b5:$a5: set_encryptedPassword 0x10a13:$a7: get_logins 0x106c4:$a8: GetOutlookPasswords 0x104b6:$a9: StartKeylogger 0x10963:$a10: KeyLoggerEventArgs 0x10513:$a11: KeyLoggerEventArgsEventHandler
2.2.RegSvcs.exe.3c0000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14055:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13553:$a3: \Google\Chrome\User Data\Default\Login Data 0x13861:$a4: \Orbitum\User Data\Default\Login Data 0x14659:$a5: \Kometa\User Data\Default\Login Data
Click to see the 10 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T05:27:02.881893+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49704	132.226.247.73	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000002.00000002.3296876168.0000000002591000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: MassLogger {"EXfil Mode": "Telegram", "Telegram Token": "7587183186:AAHUZrWZ7L176Rdbbx5hqpqFjUTtAoKapgw", "Telegram Chatid": "1366706404"}

Multi AV Scanner detection for submitted file

Source: rlPy5vt1Dg.exe	Virustotal: Detection: 69%			Perma Link
Source: rlPy5vt1Dg.exe	ReversingLabs: Detection: 73%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: rlPy5vt1Dg.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: rlPy5vt1Dg.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.5:49705 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.5:49705 version: TLS 1.0

Source:	Binary string: wntdll.pdbUGP source: rlPy5vt1Dg.exe, 00000000.00000003.2066622069.0000000003C90000.00000004.00001000.00020000.00000000.sdmp, rlPy5vt1Dg.exe, 00000000.00000003.2063535045.0000000003E30000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: rlPy5vt1Dg.exe, 00000000.00000003.2066622069.0000000003C90000.00000004.00001000.00020000.00000000.sdmp, rlPy5vt1Dg.exe, 00000000.00000003.2063535045.0000000003E30000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Code function: 0_2_00F8445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00F8445A
Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Code function: 0_2_00F8C6D1 FindFirstFileW,FindClose,	0_2_00F8C6D1
Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Code function: 0_2_00F8C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00F8C75C
Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Code function: 0_2_00F8EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00F8EF95
Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Code function: 0_2_00F8F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00F8F0F2
Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Code function: 0_2_00F8F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00F8F3F3
Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Code function: 0_2_00F837EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00F837EF
Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Code function: 0_2_00F83B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00F83B12
Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Code function: 0_2_00F8BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00F8BCBC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 04A79731h	2_2_04A79480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 04A79E5Ah	2_2_04A79A40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 04A79E5Ah	2_2_04A79D87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 04A79E5Ah	2_2_04A79A30

Source: global traffic

TCP traffic: 192.168.2.5:65131 -> 1.1.1.1:53

Source: global traffic

HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.48.1 104.21.48.1
Source: Joe Sandbox View	IP Address: 132.226.247.73 132.226.247.73

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic

Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49704 -> 132.226.247.73:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.5:49705 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.5:49705 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe

Code function: 0_2_00F922EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00F922EE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: RegSvcs.exe, 00000002.00000002.3296876168.0000000002610000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000002.00000002.3296876168.0000000002610000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comd
Source: RegSvcs.exe, 00000002.00000002.3296876168.0000000002610000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3296876168.00000000025FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000002.00000002.3296876168.0000000002591000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: RegSvcs.exe, 00000002.00000002.3296876168.0000000002610000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/d
Source: rlPy5vt1Dg.exe, 00000000.00000002.2069248949.0000000001280000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3295737617.00000000003C2000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000002.00000002.3296876168.0000000002610000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgd
Source: RegSvcs.exe, 00000002.00000002.3296876168.000000000262D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: RegSvcs.exe, 00000002.00000002.3296876168.000000000262D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.orgd
Source: RegSvcs.exe, 00000002.00000002.3296876168.0000000002591000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: rlPy5vt1Dg.exe, 00000000.00000002.2069248949.0000000001280000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3295737617.00000000003C2000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: RegSvcs.exe, 00000002.00000002.3296876168.0000000002610000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: rlPy5vt1Dg.exe, 00000000.00000002.2069248949.0000000001280000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3295737617.00000000003C2000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3296876168.0000000002610000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000002.00000002.3296876168.0000000002610000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
Source: RegSvcs.exe, 00000002.00000002.3296876168.0000000002610000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l

Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705

Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe

Code function: 0_2_00F94164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00F94164

Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe

Code function: 0_2_00F94164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00F94164

Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe

Code function: 0_2_00F93F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00F93F66

Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe

Code function: 0_2_00F8001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00F8001C

Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe

Code function: 0_2_00FACABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00FACABC

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.rlPy5vt1Dg.exe.1280000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.rlPy5vt1Dg.exe.1280000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.rlPy5vt1Dg.exe.1280000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.rlPy5vt1Dg.exe.1280000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.3c0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.3c0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000002.00000002.3295737617.00000000003C2000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2069248949.0000000001280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2069248949.0000000001280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: Process Memory Space: rlPy5vt1Dg.exe PID: 1560, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 6504, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00F23B3A
Source: rlPy5vt1Dg.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: rlPy5vt1Dg.exe, 00000000.00000000.2055177700.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_fe9bed75-a
Source: rlPy5vt1Dg.exe, 00000000.00000000.2055177700.0000000000FD4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_78c7f6ee-f
Source: rlPy5vt1Dg.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_0699b51a-7
Source: rlPy5vt1Dg.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_83b2c842-7

Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe

Code function: 0_2_00F8A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_00F8A1EF

Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe

Code function: 0_2_00F78310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00F78310

Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe

Code function: 0_2_00F851BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00F851BD

Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Code function: 0_2_00F4D975	0_2_00F4D975
Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Code function: 0_2_00F2FCE0	0_2_00F2FCE0
Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Code function: 0_2_00F421C5	0_2_00F421C5
Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Code function: 0_2_00F562D2	0_2_00F562D2
Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Code function: 0_2_00FA03DA	0_2_00FA03DA
Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Code function: 0_2_00F5242E	0_2_00F5242E
Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Code function: 0_2_00F425FA	0_2_00F425FA
Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Code function: 0_2_00F366E1	0_2_00F366E1
Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Code function: 0_2_00F2E6A0	0_2_00F2E6A0
Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Code function: 0_2_00F7E616	0_2_00F7E616
Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Code function: 0_2_00F5878F	0_2_00F5878F
Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Code function: 0_2_00F88889	0_2_00F88889
Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Code function: 0_2_00FA0857	0_2_00FA0857
Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Code function: 0_2_00F56844	0_2_00F56844
Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Code function: 0_2_00F38808	0_2_00F38808
Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Code function: 0_2_00F4CB21	0_2_00F4CB21
Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Code function: 0_2_00F56DB6	0_2_00F56DB6
Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Code function: 0_2_00F36F9E	0_2_00F36F9E
Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Code function: 0_2_00F33030	0_2_00F33030
Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Code function: 0_2_00F4F1D9	0_2_00F4F1D9
Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Code function: 0_2_00F43187	0_2_00F43187
Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Code function: 0_2_00F21287	0_2_00F21287
Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Code function: 0_2_00F41484	0_2_00F41484
Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Code function: 0_2_00F35520	0_2_00F35520
Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Code function: 0_2_00F47696	0_2_00F47696
Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Code function: 0_2_00F35760	0_2_00F35760
Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Code function: 0_2_00F41978	0_2_00F41978
Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Code function: 0_2_00F59AB5	0_2_00F59AB5
Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Code function: 0_2_00FA7DDB	0_2_00FA7DDB
Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Code function: 0_2_00F4BDA6	0_2_00F4BDA6
Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Code function: 0_2_00F41D90	0_2_00F41D90
Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Code function: 0_2_00F33FE0	0_2_00F33FE0
Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Code function: 0_2_00F2DF00	0_2_00F2DF00
Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Code function: 0_2_014BD900	0_2_014BD900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_04A7C530	2_2_04A7C530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_04A72DE0	2_2_04A72DE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_04A79480	2_2_04A79480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_04A7C521	2_2_04A7C521
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_04A7946F	2_2_04A7946F

Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Code function: String function: 00F27DE1 appears 35 times
Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Code function: String function: 00F48900 appears 42 times
Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Code function: String function: 00F40AE3 appears 70 times

Source: rlPy5vt1Dg.exe, 00000000.00000003.2065446549.0000000003DB3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs rlPy5vt1Dg.exe
Source: rlPy5vt1Dg.exe, 00000000.00000003.2067017341.0000000003F5D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs rlPy5vt1Dg.exe
Source: rlPy5vt1Dg.exe, 00000000.00000002.2069248949.0000000001280000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs rlPy5vt1Dg.exe

Source: rlPy5vt1Dg.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 0.2.rlPy5vt1Dg.exe.1280000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.rlPy5vt1Dg.exe.1280000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.rlPy5vt1Dg.exe.1280000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.rlPy5vt1Dg.exe.1280000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.3c0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.3c0000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.3295737617.00000000003C2000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2069248949.0000000001280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.2069248949.0000000001280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: rlPy5vt1Dg.exe PID: 1560, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 6504, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/2@2/2

Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe

Code function: 0_2_00F8A06A GetLastError,FormatMessageW,

0_2_00F8A06A

Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Code function: 0_2_00F781CB AdjustTokenPrivileges,CloseHandle,		0_2_00F781CB
Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Code function: 0_2_00F787E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00F787E1

Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe

Code function: 0_2_00F8B3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00F8B3FB

Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe

Code function: 0_2_00F9EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00F9EE0D

Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe

Code function: 0_2_00F983BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_00F983BB

Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe

Code function: 0_2_00F24E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00F24E89

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe

File created: C:\Users\user\AppData\Local\Temp\aut242F.tmp

Jump to behavior

Source: rlPy5vt1Dg.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 00000002.00000002.3296876168.0000000002680000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3297594655.00000000035BD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3296876168.0000000002670000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3296876168.00000000026A3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3296876168.00000000026AF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3296876168.000000000268E000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: rlPy5vt1Dg.exe	Virustotal: Detection: 69%
Source: rlPy5vt1Dg.exe	ReversingLabs: Detection: 73%

Source: unknown	Process created: C:\Users\user\Desktop\rlPy5vt1Dg.exe "C:\Users\user\Desktop\rlPy5vt1Dg.exe"
Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\rlPy5vt1Dg.exe"
Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\rlPy5vt1Dg.exe"	Jump to behavior

Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: rlPy5vt1Dg.exe

Static file information: File size 1150976 > 1048576

Source: rlPy5vt1Dg.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: rlPy5vt1Dg.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: rlPy5vt1Dg.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: rlPy5vt1Dg.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: rlPy5vt1Dg.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: rlPy5vt1Dg.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: rlPy5vt1Dg.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: rlPy5vt1Dg.exe, 00000000.00000003.2066622069.0000000003C90000.00000004.00001000.00020000.00000000.sdmp, rlPy5vt1Dg.exe, 00000000.00000003.2063535045.0000000003E30000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: rlPy5vt1Dg.exe, 00000000.00000003.2066622069.0000000003C90000.00000004.00001000.00020000.00000000.sdmp, rlPy5vt1Dg.exe, 00000000.00000003.2063535045.0000000003E30000.00000004.00001000.00020000.00000000.sdmp

Source: rlPy5vt1Dg.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: rlPy5vt1Dg.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: rlPy5vt1Dg.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: rlPy5vt1Dg.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: rlPy5vt1Dg.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe

Code function: 0_2_00F24B37 LoadLibraryA,GetProcAddress,

0_2_00F24B37

Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe

Code function: 0_2_00F48945 push ecx; ret

0_2_00F48958

Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Code function: 0_2_00F248D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00F248D7
Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Code function: 0_2_00FA5376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00FA5376

Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe

Code function: 0_2_00F43187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00F43187

Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe

API/Special instruction interceptor: Address: 14BD524

Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-105433

Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe

API coverage: 4.4 %

Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Code function: 0_2_00F8445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00F8445A
Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Code function: 0_2_00F8C6D1 FindFirstFileW,FindClose,	0_2_00F8C6D1
Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Code function: 0_2_00F8C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00F8C75C
Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Code function: 0_2_00F8EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00F8EF95
Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Code function: 0_2_00F8F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00F8F0F2
Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Code function: 0_2_00F8F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00F8F3F3
Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Code function: 0_2_00F837EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00F837EF
Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Code function: 0_2_00F83B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00F83B12
Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Code function: 0_2_00F8BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00F8BCBC

Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe

Code function: 0_2_00F249A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F249A0

Source: RegSvcs.exe, 00000002.00000002.3296423945.0000000000948000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	API call chain: ExitProcess graph end node			graph_0-104483
Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	API call chain: ExitProcess graph end node			graph_0-104264

Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe

Code function: 0_2_00F93F09 BlockInput,

0_2_00F93F09

Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe

Code function: 0_2_00F23B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00F23B3A

Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe

Code function: 0_2_00F55A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00F55A7C

Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe

Code function: 0_2_00F24B37 LoadLibraryA,GetProcAddress,

0_2_00F24B37

Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Code function: 0_2_014BC160 mov eax, dword ptr fs:[00000030h]	0_2_014BC160
Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Code function: 0_2_014BD7F0 mov eax, dword ptr fs:[00000030h]	0_2_014BD7F0
Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Code function: 0_2_014BD790 mov eax, dword ptr fs:[00000030h]	0_2_014BD790

Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe

Code function: 0_2_00F780A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_00F780A9

Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Code function: 0_2_00F4A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00F4A155
Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Code function: 0_2_00F4A124 SetUnhandledExceptionFilter,		0_2_00F4A124

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 52E008

Jump to behavior

Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe

Code function: 0_2_00F787B1 LogonUserW,

0_2_00F787B1

Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe

Code function: 0_2_00F23B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00F23B3A

Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe

Code function: 0_2_00F248D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00F248D7

Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe

Code function: 0_2_00F84C7F mouse_event,

0_2_00F84C7F

Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\rlPy5vt1Dg.exe"

Jump to behavior

Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe

Code function: 0_2_00F77CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00F77CAF

Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe

Code function: 0_2_00F7874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00F7874B

Source: rlPy5vt1Dg.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: rlPy5vt1Dg.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe

Code function: 0_2_00F4862B cpuid

0_2_00F4862B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe

Code function: 0_2_00F54E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00F54E87

Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe

Code function: 0_2_00F61E06 GetUserNameW,

0_2_00F61E06

Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe

Code function: 0_2_00F53F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00F53F3A

Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe

Code function: 0_2_00F249A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F249A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MassLogger RAT

Source: Yara match	File source: 0.2.rlPy5vt1Dg.exe.1280000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rlPy5vt1Dg.exe.1280000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3295737617.00000000003C2000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2069248949.0000000001280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rlPy5vt1Dg.exe PID: 1560, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6504, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.rlPy5vt1Dg.exe.1280000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rlPy5vt1Dg.exe.1280000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3295737617.00000000003C2000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2069248949.0000000001280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rlPy5vt1Dg.exe PID: 1560, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6504, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: rlPy5vt1Dg.exe	Binary or memory string: WIN_81
Source: rlPy5vt1Dg.exe	Binary or memory string: WIN_XP
Source: rlPy5vt1Dg.exe	Binary or memory string: WIN_XPe
Source: rlPy5vt1Dg.exe	Binary or memory string: WIN_VISTA
Source: rlPy5vt1Dg.exe	Binary or memory string: WIN_7
Source: rlPy5vt1Dg.exe	Binary or memory string: WIN_8
Source: rlPy5vt1Dg.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 0.2.rlPy5vt1Dg.exe.1280000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rlPy5vt1Dg.exe.1280000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3295737617.00000000003C2000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3296876168.00000000026E6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2069248949.0000000001280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rlPy5vt1Dg.exe PID: 1560, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6504, type: MEMORYSTR

Remote Access Functionality

Yara detected MassLogger RAT

Source: Yara match	File source: 0.2.rlPy5vt1Dg.exe.1280000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rlPy5vt1Dg.exe.1280000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3295737617.00000000003C2000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2069248949.0000000001280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rlPy5vt1Dg.exe PID: 1560, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6504, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.rlPy5vt1Dg.exe.1280000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rlPy5vt1Dg.exe.1280000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.3c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3295737617.00000000003C2000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2069248949.0000000001280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rlPy5vt1Dg.exe PID: 1560, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6504, type: MEMORYSTR

Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Code function: 0_2_00F96283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00F96283
Source: C:\Users\user\Desktop\rlPy5vt1Dg.exe	Code function: 0_2_00F96747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00F96747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	3 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	127 System Information Discovery	Distributed Component Object Model	21 Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	2 Valid Accounts	LSA Secrets	131 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	21 Access Token Manipulation	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	212 Process Injection	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
rlPy5vt1Dg.exe	69%	Virustotal		Browse
rlPy5vt1Dg.exe	74%	ReversingLabs	Win32.Trojan.AutoitInject
rlPy5vt1Dg.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.48.1	true	false	high
checkip.dyndns.com	132.226.247.73	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
https://reallyfreegeoip.org/xml/8.46.123.189	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189l	RegSvcs.exe, 00000002.00000002.3296876168.0000000002610000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.comd	RegSvcs.exe, 00000002.00000002.3296876168.0000000002610000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	rlPy5vt1Dg.exe, 00000000.00000002.2069248949.0000000001280000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3295737617.00000000003C2000.00000040.80000000.00040000.00000000.sdmp	false	high
http://reallyfreegeoip.orgd	RegSvcs.exe, 00000002.00000002.3296876168.000000000262D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189d	RegSvcs.exe, 00000002.00000002.3296876168.0000000002610000.00000004.00000800.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.org	RegSvcs.exe, 00000002.00000002.3296876168.000000000262D000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.orgd	RegSvcs.exe, 00000002.00000002.3296876168.0000000002610000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org	RegSvcs.exe, 00000002.00000002.3296876168.0000000002610000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	RegSvcs.exe, 00000002.00000002.3296876168.0000000002610000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3296876168.00000000025FE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	RegSvcs.exe, 00000002.00000002.3296876168.0000000002610000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/d	RegSvcs.exe, 00000002.00000002.3296876168.0000000002610000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000002.00000002.3296876168.0000000002591000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot-/sendDocument?chat_id=	rlPy5vt1Dg.exe, 00000000.00000002.2069248949.0000000001280000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3295737617.00000000003C2000.00000040.80000000.00040000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	rlPy5vt1Dg.exe, 00000000.00000002.2069248949.0000000001280000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3295737617.00000000003C2000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3296876168.0000000002610000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.48.1	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false
132.226.247.73	checkip.dyndns.com	United States		16989	UTMEMUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588779
Start date and time:	2025-01-11 05:26:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	rlPy5vt1Dg.exe renamed because original name is a hash value
Original Sample Name:	13e8755ebc6224ddf2a6e6cd3c24febcf079d904bbf0e36ac6e4a9f2acacf47d.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/2@2/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 100% Number of executed functions: 51 Number of non-executed functions: 271
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 172.202.163.200
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target RegSvcs.exe, PID 6504 because it is empty
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.48.1	ydJaT4b5N8.exe	Get hash	malicious	FormBook	Browse	www.vilakodsiy.sbs/vq3j/
	NWPZbNcRxL.exe	Get hash	malicious	FormBook	Browse	www.axis138ae.shop/j2vs/
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	twirpx.org/administrator/index.php
	SN500, SN150 Spec.exe	Get hash	malicious	FormBook	Browse	www.antipromil.site/7ykh/
132.226.247.73	wZ6VEnOkie.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	tNXl4XhgmV.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	4AMVusDMPP.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	TjoY7n65om.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Kb94RzMYNf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	z87sammylastborn.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	Ddj3E3qerh.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	6cicUo3f8g.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	rXKfKM0T49.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	4Vx2rUlb0f.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	wZ6VEnOkie.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	prlsqnzspl.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	dZMT94YYwO.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	tNXl4XhgmV.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	MBOaS3GRtF.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	fpIGwanLZi.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	fpIGwanLZi.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	4NG0guPiKA.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.8.169
	n0nsAzvYNd.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	njVvgA8pEB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
reallyfreegeoip.org	wZ6VEnOkie.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	prlsqnzspl.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	dZMT94YYwO.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1
	tNXl4XhgmV.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	MBOaS3GRtF.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.64.1
	fpIGwanLZi.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	fpIGwanLZi.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	4NG0guPiKA.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.80.1
	n0nsAzvYNd.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	njVvgA8pEB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.16.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	C6Abn5cBei.exe	Get hash	malicious	FormBook	Browse	172.67.145.234
	wZ6VEnOkie.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	prlsqnzspl.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	ZcshRk2lgh.exe	Get hash	malicious	FormBook	Browse	104.21.15.100
	ydJaT4b5N8.exe	Get hash	malicious	FormBook	Browse	104.21.48.1
	leUmNO9XPu.exe	Get hash	malicious	HawkEye, MailPassView	Browse	104.19.223.79
	dZMT94YYwO.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1
	ZeAX5i7cGB.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
	jKqPSehspS.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	BalphRTkPS.exe	Get hash	malicious	FormBook	Browse	104.21.32.1
UTMEMUS	wZ6VEnOkie.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	tNXl4XhgmV.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	MBOaS3GRtF.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	fpIGwanLZi.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	4NG0guPiKA.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.8.169
	uVpytXGpQz.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	4AMVusDMPP.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
	TjoY7n65om.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	Kb94RzMYNf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	H75MnQEha8.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	wZ6VEnOkie.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	prlsqnzspl.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	dZMT94YYwO.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	tNXl4XhgmV.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	MBOaS3GRtF.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	fpIGwanLZi.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	fpIGwanLZi.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	4NG0guPiKA.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.48.1
	n0nsAzvYNd.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.48.1
	njVvgA8pEB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.48.1

Process:	C:\Users\user\Desktop\rlPy5vt1Dg.exe
File Type:	data
Category:	dropped
Size (bytes):	65732
Entropy (8bit):	7.91351068291412
Encrypted:	false
SSDEEP:	1536:IPJ3UZWYthvmvbuWpKpLWYeA25oMpVmqBvADDUz:IPhUZWYDhG4k6M7BvG4z
MD5:	C1E422D8FC48A602A5B92CE1BC48704F
SHA1:	56028B9EF2E5DF28E31F03C0D38E04559F92A467
SHA-256:	C013CA2ABA72DFB81AAFFD103D8C754AAA21F093129DB30AF4CB651AB3DE3D25
SHA-512:	1679A1CDDFC9D14348152F7D2C79B16312FCDACC050795597E6EFB1447635C3398A1B8ABF9A0548B39E8AE31836D2ADD31B008EFA9A81F67A376B4F6A2330507
Malicious:	false
Reputation:	low
Preview:	EA06..j....t...1....V.kS.R(4:t.oT..@.J..kS....b.#...J,..H.}iX8.>.}.Z.R...+#.I...}R/7.W...SP..'......._.V..c...t+(.&cQ:.V.4.Q.X.....[Z\.M..ht...1..;.;9..hv..#c0.."..... ..30...@&u...f4...Q)..5:s'.Ld .MnkS..]......9.."=j.W.0..............b..{.....R..E.l.O....(.P.3.:\|.oV.D.@..~q%...L.4.D...p."oJ.w."....7!..%..t.v."...Z\.....&~.5"......s.......&.:."...Na.i...DDf.:...C.`@?..uG..4..'..#..F.L.....Z......2.."A..K .!>.D,............Rf..U...h.!$.f$......../....y.R(v. .1..$.....G.Ph....;.....Z.F.ph.D..+1.W85.\.5..htM.....C(5m...F.V..`.Fe....p..w.U..j...3..v..:w...f4..^MV..,.:.:gC..).j]V.1..)V..:s=.D....r.5..&.Z.:{..F.sJ...O.T..T. ..cv.EX..Q.T{L.sE.Of3...iK..m....#w..o....wS.S(r.0.A....(..F.D(t.......,...f.8..ht...U...[....d...&H.R.."Z\|..f.b......Ro1.F......A..7..f.....u;tB.C.Nc.i..V..@.......U&3.UR.(.MjtU.}d.....=.:.....`.....?@...U.....&...H@.....A.R({..oT...2....Q.M`@".w.1..(u@&B.E..@.I.....O .....<............l.t.t..@".T.......... ..66.UZ.J..p.jE/.

C:\Users\user\AppData\Local\Temp\harrowment

Download File

Process:	C:\Users\user\Desktop\rlPy5vt1Dg.exe
File Type:	data
Category:	dropped
Size (bytes):	92672
Entropy (8bit):	6.864796296894398
Encrypted:	false
SSDEEP:	1536:2/nDMY0JU7i3SsCkq+Wz6sTljrrVcVQxuYa5lZkWPJJWR+XsEPa7Ep4yDteUWHi2:2/nDMNU7ijCkqzjj2VQ9a5lZBzW+sAp2
MD5:	FFE610E293F2EA7FD28000999E57AB31
SHA1:	436A1C4F37D33BC772AD208C7C0454E7A0E9C8FE
SHA-256:	FFFDE0727E9E7CAC95FA6A9B5A94E853C78A915A03C3F6935A74F549EAEDB6C0
SHA-512:	C65E4972BEDF2AF149DCBB532BC4DD42C77D1E281055041E5D3684A20BC41CAC4E4129C73A795CDF7872FDAAA3BF51DC95965055D25F73050601E2E6C1799267
Malicious:	false
Reputation:	low
Preview:	...N:7T15JVA..5S.HACN97Tq1JVAUK5SFHACN97T11JVAUK5SFHACN97T11.VAUE.HH.J...U}.k.)<8.#4'&1/T.7P_$95u)Ps4=/c'W..~bj;.1..^KBeCN97T11..AU.4PF...97T11JVA.K7RMI.CNY6T19JVAUK5.9IACn97T.0JVA.K5sFHAAN93T11JVAUM5SFHACN9.U11HVAUK5SDH!.N9'T1!JVAU[5SVHACN97D11JVAUK5SFH=<O9xT11J.@U.0SFHACN97T11JVAUK5SF.@CB97T11JVAUK5SFHACN97T11JVAUK5SFHACN97T11JVAUK5SFHACN9.T19JVAUK5SFHACF.7Ty1JVAUK5SFHAm:\O 11J..TK5sFHA#O97V11JVAUK5SFHACN.7TQ.8%36K5S.MACN.6T17JVA7J5SFHACN97T11J.AU..!#$. N9;T11J.@UK7SFH)BN97T11JVAUK5S.HA.N97T11JVAUK5SFHA.187T11J.AUK7SCH..N9..11IVAU.5S@.CN.7T11JVAUK5SFHACN97T11JVAUK5SFHACN97T11JVAUK...G..PD..1JVAUK4QELGKF97T11JVA+K5S.HAC.97T.1JVdUK5>FHAgN9711J(AUKQSFH3CN9VT11.VAU$5SF&ACNG7T1/H~^UK?y`HCkn97^1..%`UK?.GHAG=.7T;.HVAQ8.SFB.@N93'.1J\.QK5W5mACD.2T15`.AV.#UFHZ,v97^12.CGUK.y`HCkw97^1.lVB.^3SFSkaN;.]11N\|.&V5S@`.CN3C]11H.KUK1yXJi.N9=~.OYVAQ`5yd6UCN=.T..4CAUO.Slj?UN93.1.h(VUK1xFbGi,9E.=1:U.4K5Un.ACD.wT17J\|{U5;SFLC,.97^..pVi.K5UF`.CN?7~.14eAUO.T8{ACJ.!*.1JR.S35S@;.CN3...1JRi.K5YFb.Cf`7T71b.AUM

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.547114436938151
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	rlPy5vt1Dg.exe
File size:	1'150'976 bytes
MD5:	b0b605a2f571cb868354cd6d01162a43
SHA1:	6494857c0fee2dfbccdd198315e2a612dbc1caf6
SHA256:	13e8755ebc6224ddf2a6e6cd3c24febcf079d904bbf0e36ac6e4a9f2acacf47d
SHA512:	dcd9b58bff891e347d546e8615225bd9e56d16e4ad210e3b15a524dcc9c80d6aef4acf16ae0a14cafa9073caa042e974ecb990c9586c11afa228601712511219
SSDEEP:	24576:3u6J33O0c+JY5UZ+XC0kGso6Fan54FFVILQw/vhVau/VWY:Ru0c++OCvkGs9Fa54FzA/JV/4Y
TLSH:	EF359E12B3DD8360CF665373BF2A6B052EBB7C650530F85B1E983D78AB721A1122D653
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	07c2450525111514

Static PE Info

General

Entrypoint:	0x427dcd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x674CECE8 [Sun Dec 1 23:10:32 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F22087E339Ah
jmp 00007F22087D6164h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F22087D62EAh
cmp edi, eax
jc 00007F22087D664Eh
bt dword ptr [004C31FCh], 01h
jnc 00007F22087D62E9h
rep movsb
jmp 00007F22087D65FCh
cmp ecx, 00000080h
jc 00007F22087D64B4h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F22087D62F0h
bt dword ptr [004BE324h], 01h
jc 00007F22087D67C0h
bt dword ptr [004C31FCh], 00000000h
jnc 00007F22087D648Dh
test edi, 00000003h
jne 00007F22087D649Eh
test esi, 00000003h
jne 00007F22087D647Dh
bt edi, 02h
jnc 00007F22087D62EFh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F22087D62F3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F22087D6345h
bt esi, 03h
jnc 00007F22087D6398h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x50744	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x118000	0x711c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dcc4	0x8de00	d28a820a1d9ff26cda02d12b888ba4b4	False	0.5728679102422908	data	6.676118058520316	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	79b14b254506b0dbc8cd0ad67fb70ad9	False	0.33535526761517614	OpenPGP Public Key	5.76010872795207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	9f9d6f746f1a415a63de45f8b7983d33	False	0.1017530487804878	data	1.198745897703538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x50744	0x50800	ab3326178e720fc3320fd5ab2d84b5c0	False	0.4779636548913043	data	5.485909270491624	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x118000	0x711c	0x7200	6fcae3cbbf6bfbabf5ec5bbe7cf612c3	False	0.7650767543859649	data	6.779031650454199	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc7458	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc7580	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc76a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc77d0	0x2ec28	Device independent bitmap graphic, 181 x 512 x 32, image size 185344, resolution 5905 x 5905 px/m	English	Great Britain	0.14020926444175263
RT_MENU	0xf63f8	0x50	data	English	Great Britain	0.9
RT_STRING	0xf6448	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xf69dc	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xf7068	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xf74f8	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xf7af4	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xf8150	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xf85b8	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xf8710	0x1eb15	data			1.0003659011907697
RT_GROUP_ICON	0x117228	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x11723c	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x117250	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x117264	0x14	data	English	Great Britain	1.25
RT_VERSION	0x117278	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x117354	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-11T05:27:02.881893+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49704	132.226.247.73	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 05:27:01.920644999 CET	49704	80	192.168.2.5	132.226.247.73
Jan 11, 2025 05:27:01.925575972 CET	80	49704	132.226.247.73	192.168.2.5
Jan 11, 2025 05:27:01.925661087 CET	49704	80	192.168.2.5	132.226.247.73
Jan 11, 2025 05:27:01.926121950 CET	49704	80	192.168.2.5	132.226.247.73
Jan 11, 2025 05:27:01.931047916 CET	80	49704	132.226.247.73	192.168.2.5
Jan 11, 2025 05:27:02.620012045 CET	80	49704	132.226.247.73	192.168.2.5
Jan 11, 2025 05:27:02.624514103 CET	49704	80	192.168.2.5	132.226.247.73
Jan 11, 2025 05:27:02.629385948 CET	80	49704	132.226.247.73	192.168.2.5
Jan 11, 2025 05:27:02.836947918 CET	80	49704	132.226.247.73	192.168.2.5
Jan 11, 2025 05:27:02.881892920 CET	49704	80	192.168.2.5	132.226.247.73
Jan 11, 2025 05:27:02.979996920 CET	49705	443	192.168.2.5	104.21.48.1
Jan 11, 2025 05:27:02.980043888 CET	443	49705	104.21.48.1	192.168.2.5
Jan 11, 2025 05:27:02.980112076 CET	49705	443	192.168.2.5	104.21.48.1
Jan 11, 2025 05:27:02.986867905 CET	49705	443	192.168.2.5	104.21.48.1
Jan 11, 2025 05:27:02.986886024 CET	443	49705	104.21.48.1	192.168.2.5
Jan 11, 2025 05:27:03.476691961 CET	443	49705	104.21.48.1	192.168.2.5
Jan 11, 2025 05:27:03.476773977 CET	49705	443	192.168.2.5	104.21.48.1
Jan 11, 2025 05:27:03.482919931 CET	49705	443	192.168.2.5	104.21.48.1
Jan 11, 2025 05:27:03.482930899 CET	443	49705	104.21.48.1	192.168.2.5
Jan 11, 2025 05:27:03.483270884 CET	443	49705	104.21.48.1	192.168.2.5
Jan 11, 2025 05:27:03.533116102 CET	49705	443	192.168.2.5	104.21.48.1
Jan 11, 2025 05:27:03.575329065 CET	443	49705	104.21.48.1	192.168.2.5
Jan 11, 2025 05:27:03.644409895 CET	443	49705	104.21.48.1	192.168.2.5
Jan 11, 2025 05:27:03.644567013 CET	443	49705	104.21.48.1	192.168.2.5
Jan 11, 2025 05:27:03.644649029 CET	49705	443	192.168.2.5	104.21.48.1
Jan 11, 2025 05:27:03.651575089 CET	49705	443	192.168.2.5	104.21.48.1
Jan 11, 2025 05:27:19.880028963 CET	65131	53	192.168.2.5	1.1.1.1
Jan 11, 2025 05:27:19.884926081 CET	53	65131	1.1.1.1	192.168.2.5
Jan 11, 2025 05:27:19.885020971 CET	65131	53	192.168.2.5	1.1.1.1
Jan 11, 2025 05:27:19.889847040 CET	53	65131	1.1.1.1	192.168.2.5
Jan 11, 2025 05:27:20.326524973 CET	65131	53	192.168.2.5	1.1.1.1
Jan 11, 2025 05:27:20.331731081 CET	53	65131	1.1.1.1	192.168.2.5
Jan 11, 2025 05:27:20.331841946 CET	65131	53	192.168.2.5	1.1.1.1
Jan 11, 2025 05:28:07.836904049 CET	80	49704	132.226.247.73	192.168.2.5
Jan 11, 2025 05:28:07.837033987 CET	49704	80	192.168.2.5	132.226.247.73
Jan 11, 2025 05:28:42.866373062 CET	49704	80	192.168.2.5	132.226.247.73
Jan 11, 2025 05:28:42.871371031 CET	80	49704	132.226.247.73	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 05:27:01.905987024 CET	59292	53	192.168.2.5	1.1.1.1
Jan 11, 2025 05:27:01.913273096 CET	53	59292	1.1.1.1	192.168.2.5
Jan 11, 2025 05:27:02.968831062 CET	56264	53	192.168.2.5	1.1.1.1
Jan 11, 2025 05:27:02.978987932 CET	53	56264	1.1.1.1	192.168.2.5
Jan 11, 2025 05:27:19.873740911 CET	53	59374	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 11, 2025 05:27:01.905987024 CET	192.168.2.5	1.1.1.1	0x3525	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:27:02.968831062 CET	192.168.2.5	1.1.1.1	0x4570	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 11, 2025 05:27:01.913273096 CET	1.1.1.1	192.168.2.5	0x3525	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 05:27:01.913273096 CET	1.1.1.1	192.168.2.5	0x3525	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:27:01.913273096 CET	1.1.1.1	192.168.2.5	0x3525	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:27:01.913273096 CET	1.1.1.1	192.168.2.5	0x3525	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:27:01.913273096 CET	1.1.1.1	192.168.2.5	0x3525	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:27:01.913273096 CET	1.1.1.1	192.168.2.5	0x3525	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:27:02.978987932 CET	1.1.1.1	192.168.2.5	0x4570	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:27:02.978987932 CET	1.1.1.1	192.168.2.5	0x4570	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:27:02.978987932 CET	1.1.1.1	192.168.2.5	0x4570	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:27:02.978987932 CET	1.1.1.1	192.168.2.5	0x4570	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:27:02.978987932 CET	1.1.1.1	192.168.2.5	0x4570	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:27:02.978987932 CET	1.1.1.1	192.168.2.5	0x4570	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:27:02.978987932 CET	1.1.1.1	192.168.2.5	0x4570	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	132.226.247.73	80	6504	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:27:01.926121950 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 05:27:02.620012045 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 04:27:02 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 05:27:02.624514103 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 11, 2025 05:27:02.836947918 CET	273	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 04:27:02 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49705	104.21.48.1	443	6504	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 04:27:03 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-11 04:27:03 UTC	855	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 04:27:03 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1884412 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nXo2VgJCNI55yLO1mCY4CIh80MJcAK84U8L6SGcbW8ZM1HFwOtxYsI678WURMg4002%2Fn6E7W6umo%2FfrRTkt4zerjSsJEViCUVaJbFK43R3CeNtXAmVO8Evgsh1F%2Bm8pDJ2aeSWBM"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900226f37b3743be-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1550&min_rtt=1542&rtt_var=595&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1811414&cwnd=226&unsent_bytes=0&cid=20f0be39478b7663&ts=183&x=0"
2025-01-11 04:27:03 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	0
Start time:	23:26:59
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\rlPy5vt1Dg.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\rlPy5vt1Dg.exe"
Imagebase:	0xf20000
File size:	1'150'976 bytes
MD5 hash:	B0B605A2F571CB868354CD6D01162A43
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.2069248949.0000000001280000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2069248949.0000000001280000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.2069248949.0000000001280000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2069248949.0000000001280000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000000.00000002.2069248949.0000000001280000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	23:27:00
Start date:	10/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\rlPy5vt1Dg.exe"
Imagebase:	0x2f0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000002.00000002.3295737617.00000000003C2000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3295737617.00000000003C2000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.3295737617.00000000003C2000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.3295737617.00000000003C2000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3296876168.00000000026E6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.5%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	7.5%
Total number of Nodes:	2000
Total number of Limit Nodes:	172

Executed Functions

Function 00F23B3A Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00F23B68
IsDebuggerPresent.KERNEL32 ref: 00F23B7A
GetFullPathNameW.KERNEL32(00007FFF,?,?,00FE52F8,00FE52E0,?,?), ref: 00F23BEB

Part of subcall function 00F27BCC: _memmove.LIBCMT ref: 00F27C06

Part of subcall function 00F3092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00F23C14,00FE52F8,?,?,?), ref: 00F3096E

SetCurrentDirectoryW.KERNEL32(?), ref: 00F23C6F
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00FD7770,00000010), ref: 00F5D281
SetCurrentDirectoryW.KERNEL32(?,00FE52F8,?,?,?), ref: 00F5D2B9
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00FD4260,00FE52F8,?,?,?), ref: 00F5D33F
ShellExecuteW.SHELL32(00000000,?,?), ref: 00F5D346

Part of subcall function 00F23A46: GetSysColorBrush.USER32(0000000F), ref: 00F23A50
Part of subcall function 00F23A46: LoadCursorW.USER32(00000000,00007F00), ref: 00F23A5F
Part of subcall function 00F23A46: LoadIconW.USER32(00000063), ref: 00F23A76
Part of subcall function 00F23A46: LoadIconW.USER32(000000A4), ref: 00F23A88
Part of subcall function 00F23A46: LoadIconW.USER32(000000A2), ref: 00F23A9A
Part of subcall function 00F23A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00F23AC0
Part of subcall function 00F23A46: RegisterClassExW.USER32(?), ref: 00F23B16

Part of subcall function 00F239D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00F23A03
Part of subcall function 00F239D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00F23A24
Part of subcall function 00F239D5: ShowWindow.USER32(00000000,?,?), ref: 00F23A38
Part of subcall function 00F239D5: ShowWindow.USER32(00000000,?,?), ref: 00F23A41

Part of subcall function 00F2434A: _memset.LIBCMT ref: 00F24370
Part of subcall function 00F2434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00F24415

Strings

This is a third-party compiled AutoIt script., xrefs: 00F5D279
runas, xrefs: 00F5D33A

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 529118366-3287110873
Opcode ID: 5cfa2d455ae0448bbc4ae4299449176d5194732c73c7c79c5df7e9ab7b409b48
Instruction ID: 7268924045bfaa19d4a59ca6bed0db8874595c227ad474a493835aaa0abfdc50
Opcode Fuzzy Hash: 5cfa2d455ae0448bbc4ae4299449176d5194732c73c7c79c5df7e9ab7b409b48
Instruction Fuzzy Hash: 67513971D0826CAECF11FBF4FC45AED7B79AF45B14F004065F511AA1A2CA789605FB21

Function 00F249A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00F249CD

Part of subcall function 00F27BCC: _memmove.LIBCMT ref: 00F27C06

GetCurrentProcess.KERNEL32(?,00FAFAEC,00000000,00000000,?), ref: 00F24A9A
IsWow64Process.KERNEL32(00000000), ref: 00F24AA1
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00F24AE7
FreeLibrary.KERNEL32(00000000), ref: 00F24AF2
GetSystemInfo.KERNEL32(00000000), ref: 00F24B23
GetSystemInfo.KERNEL32(00000000), ref: 00F24B2F

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 8bee4d4e1d0f44227015887f603de61eb5f983c6936e4b85c1f542e2e440d653
Instruction ID: 78aff291b308dce128b93a31cb72a938260cb0e3674d8b068568c98016fc2ebd
Opcode Fuzzy Hash: 8bee4d4e1d0f44227015887f603de61eb5f983c6936e4b85c1f542e2e440d653
Instruction Fuzzy Hash: 5B91063198A7D0DEC731DB78A4502AAFFF4AF2A311B0449ADD0CB83A01D264F50CEB59

Function 00F24E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00F24D8E,?,?,00000000,00000000), ref: 00F24E99
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00F24D8E,?,?,00000000,00000000), ref: 00F24EB0
LoadResource.KERNEL32(?,00000000,?,?,00F24D8E,?,?,00000000,00000000,?,?,?,?,?,?,00F24E2F), ref: 00F5D937
SizeofResource.KERNEL32(?,00000000,?,?,00F24D8E,?,?,00000000,00000000,?,?,?,?,?,?,00F24E2F), ref: 00F5D94C
LockResource.KERNEL32(00F24D8E,?,?,00F24D8E,?,?,00000000,00000000,?,?,?,?,?,?,00F24E2F,00000000), ref: 00F5D95F

Strings

SCRIPT, xrefs: 00F24EA6

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: bbe88b14d822582d6fd98f902a1545bdb3aed690b18c0fc9f205a28331271a75
Instruction ID: 31c61e8cb2b32800c880dbb7e097db5a0037cefbfc16e4178916f64b96884276
Opcode Fuzzy Hash: bbe88b14d822582d6fd98f902a1545bdb3aed690b18c0fc9f205a28331271a75
Instruction Fuzzy Hash: B8115EB5641704BFE7218BA5EC48F677BBAFBC6B11F104268F4058A250DBA1EC04AA60

Function 00F2FCE0 Relevance: 5.5, APIs: 3, Instructions: 1040COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: BuffCharUpper
String ID:
API String ID: 3964851224-0
Opcode ID: 835179a1b30dafd4680d96b187b59eea67bb0aa0c536d349eb330edb88323329
Instruction ID: e70e1550e442a7b2ec70be62140cad93824a02dafa89895dede967170d130aad
Opcode Fuzzy Hash: 835179a1b30dafd4680d96b187b59eea67bb0aa0c536d349eb330edb88323329
Instruction Fuzzy Hash: CF928E71A083418FD724DF14C490B2ABBF1BF85324F14896DE89A8B352DB75EC45EB92

Function 00F8445A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00F5E398), ref: 00F8446A
FindFirstFileW.KERNELBASE(?,?), ref: 00F8447B
FindClose.KERNEL32(00000000), ref: 00F8448B

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 23d8fa105ebd6f6b07fe925250af65e21e8e130cf2394acffb6475253ec5f39f
Instruction ID: 74b5928d2591ce3ae7f2b2f578d5766c6ebbebd3a8c55674cd71f845bab2cb7d
Opcode Fuzzy Hash: 23d8fa105ebd6f6b07fe925250af65e21e8e130cf2394acffb6475253ec5f39f
Instruction Fuzzy Hash: 64E0D873810505674210BB78EC0D5E97B9C9E06335F100715FC36C10E0E7B46D04B695

Function 00F309D0 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F30A5B
timeGetTime.WINMM ref: 00F30D16
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F30E53
Sleep.KERNEL32(0000000A), ref: 00F30E61
LockWindowUpdate.USER32(00000000,?,?), ref: 00F30EFA
DestroyWindow.USER32 ref: 00F30F06
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00F30F20
Sleep.KERNEL32(0000000A,?,?), ref: 00F64E83
TranslateMessage.USER32(?), ref: 00F65C60
DispatchMessageW.USER32(?), ref: 00F65C6E
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00F65C82

Strings

@GUI_CTRLID, xrefs: 00F64F3A
@TRAY_ID, xrefs: 00F6578F
@COM_EVENTOBJ, xrefs: 00F654F0
@GUI_CTRLHANDLE, xrefs: 00F64FE4
@GUI_WINHANDLE, xrefs: 00F64F8F

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 4212290369-3242690629
Opcode ID: 6eb4a6f9d26358ce58eae11821d86b5af45f49931934511e50cb114d5b25d66c
Instruction ID: a669ab38f91045ae92e25e122a2b40622bbbb464e75356220a5ea95840a9716f
Opcode Fuzzy Hash: 6eb4a6f9d26358ce58eae11821d86b5af45f49931934511e50cb114d5b25d66c
Instruction Fuzzy Hash: 63B20470A08741DFD724DF24C894BAAB7E0BF85724F14491EF4899B2A1CB75E884FB52

Function 00F89155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F88F5F: __time64.LIBCMT ref: 00F88F69

Part of subcall function 00F24EE5: _fseek.LIBCMT ref: 00F24EFD

__wsplitpath.LIBCMT ref: 00F89234

Part of subcall function 00F440FB: __wsplitpath_helper.LIBCMT ref: 00F4413B

_wcscpy.LIBCMT ref: 00F89247
_wcscat.LIBCMT ref: 00F8925A
__wsplitpath.LIBCMT ref: 00F8927F
_wcscat.LIBCMT ref: 00F89295
_wcscat.LIBCMT ref: 00F892A8

Part of subcall function 00F88FA5: _memmove.LIBCMT ref: 00F88FDE
Part of subcall function 00F88FA5: _memmove.LIBCMT ref: 00F88FED

_wcscmp.LIBCMT ref: 00F891EF

Part of subcall function 00F89734: _wcscmp.LIBCMT ref: 00F89824
Part of subcall function 00F89734: _wcscmp.LIBCMT ref: 00F89837

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00F89452
_wcsncpy.LIBCMT ref: 00F894C5
DeleteFileW.KERNEL32(?,?), ref: 00F894FB
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00F89511
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00F89522
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00F89534

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 27f19dc103809ca4b45c0186d24e26ff91032b2bfd4106563d16e6d408070305
Instruction ID: b109fbda7f0564dba50e542d915746ffaf735ee068482c2d2ce509508903f706
Opcode Fuzzy Hash: 27f19dc103809ca4b45c0186d24e26ff91032b2bfd4106563d16e6d408070305
Instruction Fuzzy Hash: A5C15FB1D04119AADF21EF94CC81AEEBBBDEF45310F0440A6F609E7141EB749A449F65

Function 00F23015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00F23074
RegisterClassExW.USER32(00000030), ref: 00F2309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F230AF
InitCommonControlsEx.COMCTL32(?), ref: 00F230CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00F230DC
LoadIconW.USER32(000000A9), ref: 00F230F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00F23101

Strings

TaskbarCreated, xrefs: 00F230A4
0, xrefs: 00F23056
AutoIt v3 GUI, xrefs: 00F23090
+, xrefs: 00F2305D

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 30c550b2a377cbb9af1a2a6372783cb807671fb248c07cdd3ea34b0cacf62dd2
Instruction ID: f28aaf30dd3bf911240aa3191eb4a6cbb29aa39263b93e6497ac165e8d58e7ab
Opcode Fuzzy Hash: 30c550b2a377cbb9af1a2a6372783cb807671fb248c07cdd3ea34b0cacf62dd2
Instruction Fuzzy Hash: 223129B18413499FDB10CFE4D885A99BBF0FB0A714F14452EE580EA2A0D3B50549DF51

Function 00F23041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00F23074
RegisterClassExW.USER32(00000030), ref: 00F2309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F230AF
InitCommonControlsEx.COMCTL32(?), ref: 00F230CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00F230DC
LoadIconW.USER32(000000A9), ref: 00F230F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00F23101

Strings

TaskbarCreated, xrefs: 00F230A4
0, xrefs: 00F23056
AutoIt v3 GUI, xrefs: 00F23090
+, xrefs: 00F2305D

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: d6930044428889f58b7e2f646563281c433c4e0e38296a2b01a6c1827db936cf
Instruction ID: 3a8966bf26676e157e3d900fd9912feac8cb96941e60960bf6fe13841ff0c204
Opcode Fuzzy Hash: d6930044428889f58b7e2f646563281c433c4e0e38296a2b01a6c1827db936cf
Instruction Fuzzy Hash: 3621C8B1D1125CAFDB10DFD4EC89B9DBBF4FB09704F00812AF611AA2A0D7B14548AF95

Function 00F2708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F24706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00FE52F8,?,00F237AE,?), ref: 00F24724

Part of subcall function 00F4050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00F27165), ref: 00F4052D

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00F271A8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00F5E8C8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00F5E909
RegCloseKey.ADVAPI32(?), ref: 00F5E947
_wcscat.LIBCMT ref: 00F5E9A0

Strings

\, xrefs: 00F5E9C3
Include, xrefs: 00F5E8BF, 00F5E900
\Include\, xrefs: 00F27165
Software\AutoIt v3\AutoIt, xrefs: 00F2719E

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 26282f24b6799944c43f0a4051cb1d9256cb127f1c84cc26ee5c4cb27a7c27e3
Instruction ID: 8f018cf05af6cb5924aeeac25a62749f801253b8c115f5db7652ae53650ea265
Opcode Fuzzy Hash: 26282f24b6799944c43f0a4051cb1d9256cb127f1c84cc26ee5c4cb27a7c27e3
Instruction Fuzzy Hash: 4871CF719083599EC704EF25EC8199BBBE8FF94390B40052EF644CB1B0DB349948EB92

Function 00F23A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00F23A50
LoadCursorW.USER32(00000000,00007F00), ref: 00F23A5F
LoadIconW.USER32(00000063), ref: 00F23A76
LoadIconW.USER32(000000A4), ref: 00F23A88
LoadIconW.USER32(000000A2), ref: 00F23A9A
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00F23AC0
RegisterClassExW.USER32(?), ref: 00F23B16

Part of subcall function 00F23041: GetSysColorBrush.USER32(0000000F), ref: 00F23074
Part of subcall function 00F23041: RegisterClassExW.USER32(00000030), ref: 00F2309E
Part of subcall function 00F23041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F230AF
Part of subcall function 00F23041: InitCommonControlsEx.COMCTL32(?), ref: 00F230CC
Part of subcall function 00F23041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00F230DC
Part of subcall function 00F23041: LoadIconW.USER32(000000A9), ref: 00F230F2
Part of subcall function 00F23041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00F23101

Strings

0, xrefs: 00F23AF4
#, xrefs: 00F23AFB
AutoIt v3, xrefs: 00F23B05

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: e2735347111a16339b9b3222d695b98d446f202d9b1f6b6e5afa18bc99e79e7d
Instruction ID: 9f34a08de38b83adb21c1e8473b502782d657991be622684a91162131b9ed454
Opcode Fuzzy Hash: e2735347111a16339b9b3222d695b98d446f202d9b1f6b6e5afa18bc99e79e7d
Instruction Fuzzy Hash: 72214DB1D0135CAFEB10DFA4EC89B9D7BB4FB09B19F000129E600AE2A1D3B55544AF95

Function 00F23633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00F236D2
KillTimer.USER32(?,00000001), ref: 00F236FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00F2371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F2372A
CreatePopupMenu.USER32 ref: 00F2373E
PostQuitMessage.USER32(00000000), ref: 00F2374D

Strings

TaskbarCreated, xrefs: 00F23725

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 9539697c3454a779e651d3a8c27765792a273b53f66889e95c9587bc42ec6bf6
Instruction ID: 8ca9cd4e02c476a894fce541cd3a2d38d4c9d4b501cfd8a89feec49588189943
Opcode Fuzzy Hash: 9539697c3454a779e651d3a8c27765792a273b53f66889e95c9587bc42ec6bf6
Instruction Fuzzy Hash: BD417AF260455DBBDF246FA4FC49F793B58EB01715F100125FA02CA2B2CA6D9E09B761

Function 00F23766 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

CMDLINERAW, xrefs: 00F237FB
/AutoIt3ExecuteLine, xrefs: 00F238A7
/ErrorStdOut, xrefs: 00F2387D
/AutoIt3OutputDebug, xrefs: 00F23892
/AutoIt3ExecuteScript, xrefs: 00F238BC
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 00F237AE
CMDLINE, xrefs: 00F23822

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
API String ID: 1825951767-3513169116
Opcode ID: 20e553f54f1689a8e95d0ad692e7120d946649d4cede0f3fcc01eb77e0e5731e
Instruction ID: a008ce2e4f4df65e8824aa0100851cfc8d4f3f63b6893aa91319640c020accca
Opcode Fuzzy Hash: 20e553f54f1689a8e95d0ad692e7120d946649d4cede0f3fcc01eb77e0e5731e
Instruction Fuzzy Hash: 4BA16FB2D0062D9ADF04EBE0EC91AEEB779BF15710F440429F515B7191DF78AA08EB60

Function 014BC8E0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 014BC9B1
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 014BCBD7

Memory Dump Source

Source File: 00000000.00000002.2070050477.00000000014BA000.00000040.00000020.00020000.00000000.sdmp, Offset: 014BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14ba000_rlPy5vt1Dg.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
Instruction ID: 3ccfde97b3c96ffb57f5707ea99d208210a0665e619b790ea23efeb5efd343fb
Opcode Fuzzy Hash: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
Instruction Fuzzy Hash: ECA11870E04209EBDB14CFA4D8D4BEEBBB5BF48304F20815AE601BB290D7759A41DFA4

Function 00F239D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00F23A03
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00F23A24
ShowWindow.USER32(00000000,?,?), ref: 00F23A38
ShowWindow.USER32(00000000,?,?), ref: 00F23A41

Strings

edit, xrefs: 00F23A1E
AutoIt v3, xrefs: 00F239FB, 00F23A00, 00F23A01

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 654942755ef675d4dbfac3aad0e1c3499163482c1eda2b478a355bbece41b7f1
Instruction ID: 10dc9837debf63646ad7827a2c02767445bc3d045bed1513612a6a52d518d34e
Opcode Fuzzy Hash: 654942755ef675d4dbfac3aad0e1c3499163482c1eda2b478a355bbece41b7f1
Instruction Fuzzy Hash: 99F03AB06012D87EEB3057A3AC88E7B3E7DD7C7F54B00002ABB00AA171C2610840EAB0

Function 014BC6A0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 147
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 014BC590: Sleep.KERNELBASE(000001F4), ref: 014BC5A1

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 014BC7CE

Strings

HACN97T11JVAUK5SF, xrefs: 014BC831, 014BC834

Memory Dump Source

Source File: 00000000.00000002.2070050477.00000000014BA000.00000040.00000020.00020000.00000000.sdmp, Offset: 014BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14ba000_rlPy5vt1Dg.jbxd

Similarity

API ID: CreateFileSleep
String ID: HACN97T11JVAUK5SF
API String ID: 2694422964-2574855451
Opcode ID: 83cd640a8387c2ec609d00d5720fcde1b58f9dd964d35ce60311b18abb7795dc
Instruction ID: a195bd57673ebe3fffbfbac4e386eedf600af28b979c6a5e927af11b7271862d
Opcode Fuzzy Hash: 83cd640a8387c2ec609d00d5720fcde1b58f9dd964d35ce60311b18abb7795dc
Instruction Fuzzy Hash: 06519230D04258DBEF11DBB4C894BEEBB79AF18300F004199E649BB2D1D7B95B45CBA5

Function 00F2407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00F5D3D7

Part of subcall function 00F27BCC: _memmove.LIBCMT ref: 00F27C06

_memset.LIBCMT ref: 00F240FC
_wcscpy.LIBCMT ref: 00F24150
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00F24160

Strings

Line: , xrefs: 00F5D400

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: e81e9cc80306d2237b6bb39758899e0ed819188778526a832e8c84c3f3844b27
Instruction ID: 60e105ad8c737f1b8fba964b9d8c3ec6085884669c59fd5dcd1a229c6380a0ae
Opcode Fuzzy Hash: e81e9cc80306d2237b6bb39758899e0ed819188778526a832e8c84c3f3844b27
Instruction Fuzzy Hash: 4931F371408354AFD721EB60EC46FDB77E8AF44714F10451EF6858A0A1EB78A648E793

Function 00F4541D Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00F4547B
_memcpy_s.LIBCMT ref: 00F454ED
__read_nolock.LIBCMT ref: 00F4554B
__filbuf.LIBCMT ref: 00F4556E
_memset.LIBCMT ref: 00F455B2

Part of subcall function 00F48B28: __getptd_noexit.LIBCMT ref: 00F48B28

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction ID: 36b9030249516e7753f96c6d53ded7254f40c430b08644668573469e4b8e72ba
Opcode Fuzzy Hash: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction Fuzzy Hash: 2151D971E00B059BDB24EEA5DC4067E7FB2AF40B35F288729FC259A2D2D7749D50AB40

Function 00F2686A Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00F24DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00FE52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00F24E0F

_free.LIBCMT ref: 00F5E263
_free.LIBCMT ref: 00F5E2AA

Part of subcall function 00F26A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00F26BAD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00F5E039
Bad directive syntax error, xrefs: 00F5E292

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: 07f0ac47d5fdbd9de6f785430f49bbf521b2c86986bb31fa2fc8695c235f8889
Instruction ID: d8bba779fe42d544a0e02b9587850c96d2b534fd77b12b324b1b13ecc003af16
Opcode Fuzzy Hash: 07f0ac47d5fdbd9de6f785430f49bbf521b2c86986bb31fa2fc8695c235f8889
Instruction Fuzzy Hash: 1E917171D042299FCF08EFA4DC419EDB7B4FF19310F14442AF915AB2A1DB78AA19EB50

Function 00F235B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00F235A1,SwapMouseButtons,00000004,?), ref: 00F235D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00F235A1,SwapMouseButtons,00000004,?,?,?,?,00F22754), ref: 00F235F5
RegCloseKey.KERNELBASE(00000000,?,?,00F235A1,SwapMouseButtons,00000004,?,?,?,?,00F22754), ref: 00F23617

Strings

Control Panel\Mouse, xrefs: 00F235D2

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 70641f0e8ec752213c37f14ffcbfadf0087686f12714f85280a3ad350fb6ed86
Instruction ID: 1b7708b71c86be629124d0dfb966f7065feec0f436cadfdd488c7cf8db3115b7
Opcode Fuzzy Hash: 70641f0e8ec752213c37f14ffcbfadf0087686f12714f85280a3ad350fb6ed86
Instruction Fuzzy Hash: F9115EB1910218BFDB208FA4EC40EAFBBBCEF05750F018469F805D7210D2719F44A760

Function 014BB590 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 014BBDBD
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 014BBDE1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 014BBE03

Memory Dump Source

Source File: 00000000.00000002.2070050477.00000000014BA000.00000040.00000020.00020000.00000000.sdmp, Offset: 014BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14ba000_rlPy5vt1Dg.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: ec40cea32e34b77dc66852b254e16eb814eeb5cb53dbe13a3b9b961a1e41453f
Instruction ID: 39b771d7af811d39edc2aa97cd9e7ebaad4fa4555b68c5133132cd89d4174882
Opcode Fuzzy Hash: ec40cea32e34b77dc66852b254e16eb814eeb5cb53dbe13a3b9b961a1e41453f
Instruction Fuzzy Hash: F862F070A14258DBEB24CFA4C890BDEB775EF58300F1091A9D20DEB3A4E7759E81CB59

Function 00F8955B Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00F24EE5: _fseek.LIBCMT ref: 00F24EFD

Part of subcall function 00F89734: _wcscmp.LIBCMT ref: 00F89824
Part of subcall function 00F89734: _wcscmp.LIBCMT ref: 00F89837

_free.LIBCMT ref: 00F896A2
_free.LIBCMT ref: 00F896A9
_free.LIBCMT ref: 00F89714

Part of subcall function 00F42D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00F49A24), ref: 00F42D69
Part of subcall function 00F42D55: GetLastError.KERNEL32(00000000,?,00F49A24), ref: 00F42D7B

_free.LIBCMT ref: 00F8971C

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 6cef8eb787e4e551deb87a41cfcc5f328edab007a71f9a3129ff1eb0514b26a6
Instruction ID: 05ae458246f1e73cd22ef7d20675e96b93dbefc8a746c37e61cbe8170d566134
Opcode Fuzzy Hash: 6cef8eb787e4e551deb87a41cfcc5f328edab007a71f9a3129ff1eb0514b26a6
Instruction Fuzzy Hash: 66515FB1D04218AFDF249F64DC81AEEBBB9EF48310F1404AEF609A7241DB755A80DF58

Function 00F4470A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F447A0
__flush.LIBCMT ref: 00F447C0
__write.LIBCMT ref: 00F447F3
__flsbuf.LIBCMT ref: 00F44821

Part of subcall function 00F48B28: __getptd_noexit.LIBCMT ref: 00F48B28

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: aad2f5e608f8efba43aac6e934a71f9fe2258905eab53e1ccdd764cf28e9f888
Instruction ID: c135e471234d94a450564b615919a1a71b7c869286d77b695a9102c8779dfbc3
Opcode Fuzzy Hash: aad2f5e608f8efba43aac6e934a71f9fe2258905eab53e1ccdd764cf28e9f888
Instruction Fuzzy Hash: 0741A275E007469BDB188F69C880BAE7FA5AF41374B24853DEC15E7680EB74ED42AB40

Function 00F27285 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F5EA39
GetOpenFileNameW.COMDLG32(?), ref: 00F5EA83

Part of subcall function 00F24750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F24743,?,?,00F237AE,?), ref: 00F24770

Part of subcall function 00F40791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00F407B0

Strings

X, xrefs: 00F5EA51

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: ad1577035cd697239f959acce13d216b61013a647f60c26479064e473bb9c4e7
Instruction ID: 08790c760c06beaf18bbb9c46ca8051d7483a0a873fe5c287904980b79ba9200
Opcode Fuzzy Hash: ad1577035cd697239f959acce13d216b61013a647f60c26479064e473bb9c4e7
Instruction Fuzzy Hash: FE21F331A002589BCB01DF94DC45BEE7BF9AF49311F00401AE908EB241DBB8598DAFA1

Function 00F88D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F88DAC
__fread_nolock.LIBCMT ref: 00F88DC1

Strings

EA06, xrefs: 00F88DF3

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: c3fb460435d9dcb54da087ebcc1f13d5900604332bb950123dc7350df5d38bdf
Instruction ID: 1fd03f48ca8247819a79851309bd0e14e7523b375a699df3e0d8d272044787b4
Opcode Fuzzy Hash: c3fb460435d9dcb54da087ebcc1f13d5900604332bb950123dc7350df5d38bdf
Instruction Fuzzy Hash: DF01F972C042187FDB18DBA8CC16EFE7BF8DB11711F00419BF552D2281E878E6049760

Function 00F898E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00F898F8
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00F8990F

Strings

aut, xrefs: 00F89909

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: f40821baddb8f70b9322987b279ef45d6f58609321e8e0dba30f1db063f1f066
Instruction ID: 1da4206ef980fcce9b92928d7158e3e3dce41676e3c85015a5ab9b9796bda10d
Opcode Fuzzy Hash: f40821baddb8f70b9322987b279ef45d6f58609321e8e0dba30f1db063f1f066
Instruction Fuzzy Hash: 4ED05EB958030DABDB509BE0DC0EFDA777CE704701F0002B1BA94951A1EAB09599AB91

Function 00F9CADD Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fc3cbb8c9ceaea407ced62866595cc85e93dbba587ffbbb57757b8cc0e49b1a
Instruction ID: 908a2f5276013c8cd5bc457f03d678d37383cb67656e83156f2d725beb4983fa
Opcode Fuzzy Hash: 9fc3cbb8c9ceaea407ced62866595cc85e93dbba587ffbbb57757b8cc0e49b1a
Instruction Fuzzy Hash: 2BF17B71A083009FDB14DF28C880A6ABBE5FF89314F54892EF8998B351D734E945DF82

Function 00F2F76F Relevance: 4.7, APIs: 3, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 00F40162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00F40193
Part of subcall function 00F40162: MapVirtualKeyW.USER32(00000010,00000000), ref: 00F4019B
Part of subcall function 00F40162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00F401A6
Part of subcall function 00F40162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00F401B1
Part of subcall function 00F40162: MapVirtualKeyW.USER32(00000011,00000000), ref: 00F401B9
Part of subcall function 00F40162: MapVirtualKeyW.USER32(00000012,00000000), ref: 00F401C1

Part of subcall function 00F360F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00F2F930), ref: 00F36154

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00F2F9CD
OleInitialize.OLE32(00000000), ref: 00F2FA4A
CloseHandle.KERNEL32(00000000), ref: 00F645C8

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 4266ea91a236228e73531dc0567a11329ad916952b191c2ced551c5fc7a9b618
Instruction ID: 534b792b82cae8f78eb389ded095ba1df609634a186f55a420c0558920f0241a
Opcode Fuzzy Hash: 4266ea91a236228e73531dc0567a11329ad916952b191c2ced551c5fc7a9b618
Instruction Fuzzy Hash: 1A81A2B0901BCDCEC784DF69ADA06597BE6FB48B0E754812A9119CF2B2E7744484BF11

Function 00F2434A Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F24370
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00F24415
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00F24432

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: d451d11c13b85a452e9ce5d1d77a93073b448e81a7cceb08d362366da40f73a0
Instruction ID: 9844d76353c89e044947ff76894a231e8a56d72f42c5697bb3b197f19b6ae583
Opcode Fuzzy Hash: d451d11c13b85a452e9ce5d1d77a93073b448e81a7cceb08d362366da40f73a0
Instruction Fuzzy Hash: F531A7B0904711CFD721DF74E88469BBBF8FB48718F00092EFA9A86251D7B57944EB52

Function 00F4571C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00F45733

Part of subcall function 00F4A16B: __NMSG_WRITE.LIBCMT ref: 00F4A192
Part of subcall function 00F4A16B: __NMSG_WRITE.LIBCMT ref: 00F4A19C

__NMSG_WRITE.LIBCMT ref: 00F4573A

Part of subcall function 00F4A1C8: GetModuleFileNameW.KERNEL32(00000000,00FE33BA,00000104,?,00000001,00000000), ref: 00F4A25A
Part of subcall function 00F4A1C8: ___crtMessageBoxW.LIBCMT ref: 00F4A308

Part of subcall function 00F4309F: ___crtCorExitProcess.LIBCMT ref: 00F430A5
Part of subcall function 00F4309F: ExitProcess.KERNEL32 ref: 00F430AE

Part of subcall function 00F48B28: __getptd_noexit.LIBCMT ref: 00F48B28

RtlAllocateHeap.NTDLL(012E0000,00000000,00000001,00000000,?,?,?,00F40DD3,?), ref: 00F4575F

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: a64271dc4cc41c4c3ec70ed97dac42bfe6fa6b6b11ed1113777ea121a684fa9a
Instruction ID: 655a654b0c05fbf1e73956f859bc35ae908e92c1c7072652239928ace4d1b64a
Opcode Fuzzy Hash: a64271dc4cc41c4c3ec70ed97dac42bfe6fa6b6b11ed1113777ea121a684fa9a
Instruction Fuzzy Hash: 6F019236640A0ADFE6103B78AC8AB6E7F589F82B71F100535FD559B183DE789C017A61

Function 00F898A2 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00F89548,?,?,?,?,?,00000004), ref: 00F898BB
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00F89548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00F898D1
CloseHandle.KERNEL32(00000000,?,00F89548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00F898D8

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 1639f25513139322ea92babe708f29023efa2f9f36beabe8549b1ecffd4d1547
Instruction ID: 3c31b88b1cd179190f4e795f64cf859e77ab4c48519dedafbe3c4f6bd94d6f4e
Opcode Fuzzy Hash: 1639f25513139322ea92babe708f29023efa2f9f36beabe8549b1ecffd4d1547
Instruction Fuzzy Hash: 13E08632240218BBDB312B94EC09FDA7B19AB07770F144120FB546D0E087B11515A798

Function 00F88D0D Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00F88D1B

Part of subcall function 00F42D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00F49A24), ref: 00F42D69
Part of subcall function 00F42D55: GetLastError.KERNEL32(00000000,?,00F49A24), ref: 00F42D7B

_free.LIBCMT ref: 00F88D2C
_free.LIBCMT ref: 00F88D3E

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: e92dce40d9500f9ac2a34e83b90a716ef22a9282606ba49fbfd8bfa905bb999e
Instruction ID: 4928b61a7d792f2532eef0a07ccd600483eec09604c0cd5c9e284f84c824c777
Opcode Fuzzy Hash: e92dce40d9500f9ac2a34e83b90a716ef22a9282606ba49fbfd8bfa905bb999e
Instruction Fuzzy Hash: 48E012A2E0160146DB64B578AD40AD367EC4F583E2F94092DBC0DD7186DE68F883A224

Function 00F2A9C3 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 00F5FC01

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 73855bad1fc56bd842dd33e9ead37c79466424a958f9b8b9bdb229f5bf9049c9
Instruction ID: 3911720595b6af67cd31563688410df1fc2ed80e2c122aca3db6a518deaaf9fd
Opcode Fuzzy Hash: 73855bad1fc56bd842dd33e9ead37c79466424a958f9b8b9bdb229f5bf9049c9
Instruction Fuzzy Hash: 66225B71908311DFC724DF14D894B2ABBE1BF84310F14896DE99A8B362DB75EC45EB82

Function 00F24C70 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F24CBA

Strings

EA06, xrefs: 00F5D8CC

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: 357a2f38279908f03fa3822d552b9585093c439552443cc05ed67114d23f30b2
Instruction ID: 57af9b8545bb9544c6d462654a2b29b78b697766759b478eecb306acd248c776
Opcode Fuzzy Hash: 357a2f38279908f03fa3822d552b9585093c439552443cc05ed67114d23f30b2
Instruction Fuzzy Hash: 69417C32E0417857DF229B64FC517BE7FA29B45310FA84464EC82DB287D6B4BD44B3A1

Function 00F27A51 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F27AAB
_memmove.LIBCMT ref: 00F27B16

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 99667663b8ad7a74e5e7199a85da0aee27da4d3972e271b4aec32a94f7e39c73
Instruction ID: b9aa283ec74f9502e3f4fe0f0890a782e53e97004b9f6f8186bb4b45ceacfe1b
Opcode Fuzzy Hash: 99667663b8ad7a74e5e7199a85da0aee27da4d3972e271b4aec32a94f7e39c73
Instruction Fuzzy Hash: 5331C9B2604616AFC704DF68D8D1E69B3A5FF483207148629E919CB391DB34E950DB90

Function 00F247D0 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00F24834

Part of subcall function 00F4336C: __lock.LIBCMT ref: 00F43372
Part of subcall function 00F4336C: DecodePointer.KERNEL32(00000001,?,00F24849,00F77C74), ref: 00F4337E
Part of subcall function 00F4336C: EncodePointer.KERNEL32(?,?,00F24849,00F77C74), ref: 00F43389

Part of subcall function 00F248FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00F24915
Part of subcall function 00F248FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00F2492A

Part of subcall function 00F23B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00F23B68
Part of subcall function 00F23B3A: IsDebuggerPresent.KERNEL32 ref: 00F23B7A
Part of subcall function 00F23B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,00FE52F8,00FE52E0,?,?), ref: 00F23BEB
Part of subcall function 00F23B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00F23C6F

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00F24874

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 1fc4ba7dfc19653d0d97283410d1f2077312b12f11f9a904abf3cc9dc55d1dba
Instruction ID: 40f5c4dee90cbb87c4d8c098409e9a24cb501f2ad04f6dd4106519810c0acef3
Opcode Fuzzy Hash: 1fc4ba7dfc19653d0d97283410d1f2077312b12f11f9a904abf3cc9dc55d1dba
Instruction Fuzzy Hash: 7F11DF718093999FC700EF68EC8594ABFE8EF99B54F10451EF5408B2B1DBB49508EB82

Function 00F40DB6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00F4571C: __FF_MSGBANNER.LIBCMT ref: 00F45733
Part of subcall function 00F4571C: __NMSG_WRITE.LIBCMT ref: 00F4573A
Part of subcall function 00F4571C: RtlAllocateHeap.NTDLL(012E0000,00000000,00000001,00000000,?,?,?,00F40DD3,?), ref: 00F4575F

std::exception::exception.LIBCMT ref: 00F40DEC
__CxxThrowException@8.LIBCMT ref: 00F40E01

Part of subcall function 00F4859B: RaiseException.KERNEL32(?,?,?,00FD9E78,00000000,?,?,?,?,00F40E06,?,00FD9E78,?,00000001), ref: 00F485F0

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: f740e9f96c7240e37e90ab80e384f52e14db2ba021a21c39fbf736f1d7a4fae2
Instruction ID: 931d50d8ad15a28c167495ebdaa94005c3f4b95c6e260bae332b49877d9b811d
Opcode Fuzzy Hash: f740e9f96c7240e37e90ab80e384f52e14db2ba021a21c39fbf736f1d7a4fae2
Instruction Fuzzy Hash: FFF0C83190431E66CB10FAA9EC019DF7FBC9F05361F10082AFE0496292DFB49A55F6D1

Function 00F455FD Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F4562C
__lock_file.LIBCMT ref: 00F4564D

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: 832750978e4e4f1c3b2583dd04314d53ce4d36b1a53249b6ddb5c5c11e909272
Instruction ID: 8a9b23c57f114af0c659d81e8fbf3be73f91600c3067ccfe56a4e17c186cd92d
Opcode Fuzzy Hash: 832750978e4e4f1c3b2583dd04314d53ce4d36b1a53249b6ddb5c5c11e909272
Instruction Fuzzy Hash: A901F771C01A08EBCF12BFA48C0649E7F71AF92B61F454115FC141B192DB398A52FF92

Function 00F453A6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00F48B28: __getptd_noexit.LIBCMT ref: 00F48B28

__lock_file.LIBCMT ref: 00F453EB

Part of subcall function 00F46C11: __lock.LIBCMT ref: 00F46C34

__fclose_nolock.LIBCMT ref: 00F453F6

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: ca3597e26b3233154a58c3d35f04f3137a31f66b2a8e371e1fe8b48bab06a838
Instruction ID: 97ae9fcf4d7e8ad9a1c9ca2e0074af1326a3ac7efb423b7977ca65bdaa79d78b
Opcode Fuzzy Hash: ca3597e26b3233154a58c3d35f04f3137a31f66b2a8e371e1fe8b48bab06a838
Instruction Fuzzy Hash: 3CF09631C01A049BDB11BF659C057BD7EA16F41BB5F248105AC64AB1C2CBBC8946BB52

Function 014BB58D Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 014BBDBD
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 014BBDE1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 014BBE03

Memory Dump Source

Source File: 00000000.00000002.2070050477.00000000014BA000.00000040.00000020.00020000.00000000.sdmp, Offset: 014BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14ba000_rlPy5vt1Dg.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
Instruction ID: bd04922264e4ca096724f0b5efff152ac6b949d3d9421c011091ba96851a03e7
Opcode Fuzzy Hash: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
Instruction Fuzzy Hash: 2212CF24E24658C6EB24DF64D8507DEB232EF68300F1094E9910DEB7A5E77A4F81CF5A

Function 00F40C08 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00F40CB7

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 31721ba04f4a8413c91dbf0e88335dd1e56b6faa20f76c1c9751526bee5e985b
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 2D31C071A00106DBD718DF58D4C4A69FBB6FB99310B6486A5EA0ACB351DA31EDC1EBC0

Function 00F5FCAC Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00F5FCB7

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 2ce0e16224713884c0dc460f63e61c34009e30c81766d87ec1b1d29891787b8c
Instruction ID: c076d583ac90f65ab9b44ad081f5b9e4160f5968849c991c99be48c4a65a531d
Opcode Fuzzy Hash: 2ce0e16224713884c0dc460f63e61c34009e30c81766d87ec1b1d29891787b8c
Instruction Fuzzy Hash: 304138749083518FDB24DF24C444B1ABBE0BF45314F0988ACE9998B362C735EC49DF52

Function 00F406FE Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00F407B0

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: 559d1f91e123afc507136790e432a266fd288b1e888a10c125c3054f77926b7a
Instruction ID: d94cbd5393499c822466e1d4538ac683231dd58725c0dbf8160a3c85d74f6037
Opcode Fuzzy Hash: 559d1f91e123afc507136790e432a266fd288b1e888a10c125c3054f77926b7a
Instruction Fuzzy Hash: D5113B7E0063019FC322AB75DC42AD6BBD4FF81710B06809EFC4547812CB705D66EB91

Function 00F24DDD Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F24BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00F24BEF

Part of subcall function 00F4525B: __wfsopen.LIBCMT ref: 00F45266

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00FE52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00F24E0F

Part of subcall function 00F24B6A: FreeLibrary.KERNEL32(00000000), ref: 00F24BA4

Part of subcall function 00F24C70: _memmove.LIBCMT ref: 00F24CBA

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: a0a4a1be3a355404276e52e0acbfc38d6797c3a8d244183aef8b89825ebe5731
Instruction ID: c19bcf08a823c9ed10121d815dd4a0a241fd8a0dc73f32bbc6469becd92148f5
Opcode Fuzzy Hash: a0a4a1be3a355404276e52e0acbfc38d6797c3a8d244183aef8b89825ebe5731
Instruction Fuzzy Hash: 40110A32600616ABDF20FF70DC16FAD77A8AF84710F108429F941AB181DBF9AA04BB51

Function 00F5FD85 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00F5FD91

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 105c3b3796b4211de5409a79f66e1d47091fd1625e5296f8080a72f89039666e
Instruction ID: 20ab8bf0c669aa7c11cc567739bd38668e03415d24442e52439ad12d691f2f2a
Opcode Fuzzy Hash: 105c3b3796b4211de5409a79f66e1d47091fd1625e5296f8080a72f89039666e
Instruction Fuzzy Hash: 892125B4908311DFCB14DF64D844B1ABBE1BF88314F05896CF98A5B722D735E819EB92

Function 00F44863 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00F448A6

Part of subcall function 00F48B28: __getptd_noexit.LIBCMT ref: 00F48B28

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 2a17bd2e95f006d0f3616854aa722eca517283bc04a2f87b9eceed7dd6e9d0c5
Instruction ID: e33532d8d3c068948f9faf5184cb1e0062640dfea8ecb22df209b6c7c8a35989
Opcode Fuzzy Hash: 2a17bd2e95f006d0f3616854aa722eca517283bc04a2f87b9eceed7dd6e9d0c5
Instruction Fuzzy Hash: D0F0AF31D01609ABDF11AFA48C067EE3EA1AF01366F158414BC24AA192CBBC9952FB52

Function 00F24E4A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00FE52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00F24E7E

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 58b557bf9a706a3219cd5135c25dbea86904ed46dcdf8a69a553eaa7afa947b3
Instruction ID: 74aef5c00bc3348cf4eeba9147c24a858232c1365f6897c9b80afdb7b5bb8df4
Opcode Fuzzy Hash: 58b557bf9a706a3219cd5135c25dbea86904ed46dcdf8a69a553eaa7afa947b3
Instruction Fuzzy Hash: 98F03071501B21CFDB349F64E494812BBE1BF14339311893EE1D682610C7B1A844EF40

Function 00F40791 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00F407B0

Part of subcall function 00F27BCC: _memmove.LIBCMT ref: 00F27C06

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 96c06bb91f9bd58ade712dee0fd84f769648f9c3ad415205112c1fbe195743fd
Instruction ID: 7b27c3d274b2727d5dde519bd046d4e87115396847c4e5414eb387cc7cbee273
Opcode Fuzzy Hash: 96c06bb91f9bd58ade712dee0fd84f769648f9c3ad415205112c1fbe195743fd
Instruction Fuzzy Hash: 84E07D329012281BC720E2989C05FEA73DCEFC83A1F0401B5FC0CC7208D964AC8086D0

Function 00F88E9F Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00F88EC1

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction ID: 40ee7a6068690eba4e95c852b192073c3011d6924d9a1df2c22ec2afcc623c49
Opcode Fuzzy Hash: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction Fuzzy Hash: D6E092B0504B045BD7389A24D800BE377E1AB05314F04081DF6AA93242EB6278429759

Function 00F4525B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00F45266

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: fca3b726430174ceb7858023a365da14cbe7ba74c518cc41b0d703133ccc82ea
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 0DB0927644020C77CE012A82EC02A493F199B42B64F408021FF0C18162A6B7A664AA89

Function 014BC590 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 014BC5A1

Memory Dump Source

Source File: 00000000.00000002.2070050477.00000000014BA000.00000040.00000020.00020000.00000000.sdmp, Offset: 014BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14ba000_rlPy5vt1Dg.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 3077c4e415dbaa5585c852f8bd18e6ba7c32f505c132c42c295cac48326db69c
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 60E0BF7494010DDFDB00EFA4D6496AE7FB4EF04301F100165FD0192281D6309E508A62

Non-executed Functions

Function 00FACABC Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 632windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00F22612: GetWindowLongW.USER32(?,000000EB), ref: 00F22623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00FACB37
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00FACB95
GetWindowLongW.USER32(?,000000F0), ref: 00FACBD6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00FACC00
SendMessageW.USER32 ref: 00FACC29
_wcsncpy.LIBCMT ref: 00FACC95
GetKeyState.USER32(00000011), ref: 00FACCB6
GetKeyState.USER32(00000009), ref: 00FACCC3
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00FACCD9
GetKeyState.USER32(00000010), ref: 00FACCE3
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00FACD0C
SendMessageW.USER32 ref: 00FACD33
SendMessageW.USER32(?,00001030,?,00FAB348), ref: 00FACE37
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00FACE4D
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00FACE60
SetCapture.USER32(?), ref: 00FACE69
ClientToScreen.USER32(?,?), ref: 00FACECE
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00FACEDB
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00FACEF5
ReleaseCapture.USER32 ref: 00FACF00
GetCursorPos.USER32(?), ref: 00FACF3A
ScreenToClient.USER32(?,?), ref: 00FACF47
SendMessageW.USER32(?,00001012,00000000,?), ref: 00FACFA3
SendMessageW.USER32 ref: 00FACFD1
SendMessageW.USER32(?,00001111,00000000,?), ref: 00FAD00E
SendMessageW.USER32 ref: 00FAD03D
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00FAD05E
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00FAD06D
GetCursorPos.USER32(?), ref: 00FAD08D
ScreenToClient.USER32(?,?), ref: 00FAD09A
GetParent.USER32(?), ref: 00FAD0BA
SendMessageW.USER32(?,00001012,00000000,?), ref: 00FAD123
SendMessageW.USER32 ref: 00FAD154
ClientToScreen.USER32(?,?), ref: 00FAD1B2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00FAD1E2
SendMessageW.USER32(?,00001111,00000000,?), ref: 00FAD20C
SendMessageW.USER32 ref: 00FAD22F
ClientToScreen.USER32(?,?), ref: 00FAD281
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00FAD2B5

Part of subcall function 00F225DB: GetWindowLongW.USER32(?,000000EB), ref: 00F225EC

GetWindowLongW.USER32(?,000000F0), ref: 00FAD351

Strings

F, xrefs: 00FAD235
@GUI_DRAGID, xrefs: 00FACE9C

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 3977979337-4164748364
Opcode ID: 69a60de2381d280ce36eca0f6d1116268847807c434d5677b2611304e7d4966e
Instruction ID: 83078ff80939538f611852d639b98d916169360468ea144ceb7015ee6cb23f39
Opcode Fuzzy Hash: 69a60de2381d280ce36eca0f6d1116268847807c434d5677b2611304e7d4966e
Instruction Fuzzy Hash: 5942D0B4504384AFDB24CF64C884BAABBE5FF8A760F140519F5958B2B1C731E944FBA1

Function 00F36F9E Relevance: 48.8, APIs: 19, Strings: 6, Instructions: 5018COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F371C3
_memset.LIBCMT ref: 00F37539
_memmove.LIBCMT ref: 00F376AC

Strings

Q\E, xrefs: 00F37FCB
\b(?=\w), xrefs: 00F73769
DEFINE, xrefs: 00F72103
[:>:]], xrefs: 00F37492
\b(?<=\w), xrefs: 00F73773
[:<:]], xrefs: 00F37479

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: _memmove$_memset
String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-1798697756
Opcode ID: 65845905be90c04d79c252b141d7973722e1fc628403bc076a8481f68b6f6d96
Instruction ID: a66675e8a8122841c4c60e19d23b284d053b5c7b29fc4adb1820bbdff14f9693
Opcode Fuzzy Hash: 65845905be90c04d79c252b141d7973722e1fc628403bc076a8481f68b6f6d96
Instruction Fuzzy Hash: F493A471E04319DBDB24DF58C881BADB7B1FF48320F24816BE949AB281E7749D81EB51

Function 00F248D7 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 00F248DF
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F5D665
IsIconic.USER32(?), ref: 00F5D66E
ShowWindow.USER32(?,00000009), ref: 00F5D67B
SetForegroundWindow.USER32(?), ref: 00F5D685
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00F5D69B
GetCurrentThreadId.KERNEL32 ref: 00F5D6A2
GetWindowThreadProcessId.USER32(?,00000000), ref: 00F5D6AE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00F5D6BF
AttachThreadInput.USER32(?,00000000,00000001), ref: 00F5D6C7
AttachThreadInput.USER32(00000000,?,00000001), ref: 00F5D6CF
SetForegroundWindow.USER32(?), ref: 00F5D6D2
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F5D6E7
keybd_event.USER32(00000012,00000000), ref: 00F5D6F2
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F5D6FC
keybd_event.USER32(00000012,00000000), ref: 00F5D701
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F5D70A
keybd_event.USER32(00000012,00000000), ref: 00F5D70F
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F5D719
keybd_event.USER32(00000012,00000000), ref: 00F5D71E
SetForegroundWindow.USER32(?), ref: 00F5D721
AttachThreadInput.USER32(?,?,00000000), ref: 00F5D748

Strings

Shell_TrayWnd, xrefs: 00F5D660

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: a948a22bdb63b8be771604aaf951bd86ca068211ae0cb770d963c0265fd5cab2
Instruction ID: bc132b1747c165955f94700f27a809fa8fcf983327569466891bb80d2ef8a409
Opcode Fuzzy Hash: a948a22bdb63b8be771604aaf951bd86ca068211ae0cb770d963c0265fd5cab2
Instruction Fuzzy Hash: 0F3180B1A4131CBFEB306BA19C49F7F3E6CEB45B61F144025FA04EA1D1C6B05905BAA1

Function 00F78310 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00F787E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F7882B
Part of subcall function 00F787E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F78858
Part of subcall function 00F787E1: GetLastError.KERNEL32 ref: 00F78865

_memset.LIBCMT ref: 00F78353
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00F783A5
CloseHandle.KERNEL32(?), ref: 00F783B6
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00F783CD
GetProcessWindowStation.USER32 ref: 00F783E6
SetProcessWindowStation.USER32(00000000), ref: 00F783F0
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00F7840A

Part of subcall function 00F781CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00F78309), ref: 00F781E0
Part of subcall function 00F781CB: CloseHandle.KERNEL32(?,?,00F78309), ref: 00F781F2

Strings

, xrefs: 00F78362
default, xrefs: 00F78405
winsta0, xrefs: 00F783C8

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 97f7c9cac596a7eb546febfc5668ff715b17445f54442223fc3be9e1c596fe31
Instruction ID: b22c9e5b73916deed2d5c683400ffc471b1c981d41f01ac5adc2319716966a9a
Opcode Fuzzy Hash: 97f7c9cac596a7eb546febfc5668ff715b17445f54442223fc3be9e1c596fe31
Instruction Fuzzy Hash: B28191B1C4020DAFDF11DFA4CC49AEE7B79EF04364F18806AF818A6261DB358E15EB11

Function 00F8C75C Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00F8C78D
FindClose.KERNEL32(00000000), ref: 00F8C7E1
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00F8C806
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00F8C81D
FileTimeToSystemTime.KERNEL32(?,?), ref: 00F8C844
__swprintf.LIBCMT ref: 00F8C890
__swprintf.LIBCMT ref: 00F8C8D3

Part of subcall function 00F27DE1: _memmove.LIBCMT ref: 00F27E22

__swprintf.LIBCMT ref: 00F8C927

Part of subcall function 00F43698: __woutput_l.LIBCMT ref: 00F436F1

__swprintf.LIBCMT ref: 00F8C975

Part of subcall function 00F43698: __flsbuf.LIBCMT ref: 00F43713
Part of subcall function 00F43698: __flsbuf.LIBCMT ref: 00F4372B

__swprintf.LIBCMT ref: 00F8C9C4
__swprintf.LIBCMT ref: 00F8CA13
__swprintf.LIBCMT ref: 00F8CA62

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00F8C88A
%4d, xrefs: 00F8C8CD
%02d, xrefs: 00F8C91B, 00F8C925, 00F8C973, 00F8C9C2, 00F8CA11, 00F8CA60

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 278821226e7dd89082e8348eb781b82d49e93edcef9d3ef7ad493369e68f0bc6
Instruction ID: 60fec12469dabfbc21b0e864ca454ca4bb1a501fdab8d47e283e31e1eb3e94a1
Opcode Fuzzy Hash: 278821226e7dd89082e8348eb781b82d49e93edcef9d3ef7ad493369e68f0bc6
Instruction Fuzzy Hash: 8DA12BB2408315ABC704EFA4DC86DAFB7ECBF95700F400929F58587191EB78DA48DB62

Function 00F8EF95 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00F8EFB6
_wcscmp.LIBCMT ref: 00F8EFCB
_wcscmp.LIBCMT ref: 00F8EFE2
GetFileAttributesW.KERNEL32(?), ref: 00F8EFF4
SetFileAttributesW.KERNEL32(?,?), ref: 00F8F00E
FindNextFileW.KERNEL32(00000000,?), ref: 00F8F026
FindClose.KERNEL32(00000000), ref: 00F8F031
FindFirstFileW.KERNEL32(*.*,?), ref: 00F8F04D
_wcscmp.LIBCMT ref: 00F8F074
_wcscmp.LIBCMT ref: 00F8F08B
SetCurrentDirectoryW.KERNEL32(?), ref: 00F8F09D
SetCurrentDirectoryW.KERNEL32(00FD8920), ref: 00F8F0BB
FindNextFileW.KERNEL32(00000000,00000010), ref: 00F8F0C5
FindClose.KERNEL32(00000000), ref: 00F8F0D2
FindClose.KERNEL32(00000000), ref: 00F8F0E4

Strings

*.*, xrefs: 00F8F048

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: acfa6ab76ac80dbeaa6f79845d7d29391bf2316026503adbef4068d604623c45
Instruction ID: 6ee319be5fffb52015b28890b0017ff1dfa02476a60d40864a7f5ee7d56b64f7
Opcode Fuzzy Hash: acfa6ab76ac80dbeaa6f79845d7d29391bf2316026503adbef4068d604623c45
Instruction Fuzzy Hash: 5731E27290020D6EDB14ABA4DC48BEE77EC9F49360F140276E841E21A1DB70DA88EB61

Function 00FA0857 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FA0953
RegCreateKeyExW.ADVAPI32(?,?,00000000,00FAF910,00000000,?,00000000,?,?), ref: 00FA09C1
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00FA0A09
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00FA0A92
RegCloseKey.ADVAPI32(?), ref: 00FA0DB2
RegCloseKey.ADVAPI32(00000000), ref: 00FA0DBF

Strings

REG_DWORD, xrefs: 00FA0C83
REG_SZ, xrefs: 00FA0AD0
REG_BINARY, xrefs: 00FA0D4D
REG_QWORD, xrefs: 00FA0D00
REG_MULTI_SZ, xrefs: 00FA0B7A
REG_EXPAND_SZ, xrefs: 00FA0A2F

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: fba78db17afcb990f24417cffc6e4dab4c4045a0a8c4e0b8f69cd7feae761682
Instruction ID: a74a0b6c75f24dec4adf2550e0bdfb61331f84172ab444a818abdec7b4fba347
Opcode Fuzzy Hash: fba78db17afcb990f24417cffc6e4dab4c4045a0a8c4e0b8f69cd7feae761682
Instruction Fuzzy Hash: CE0280756046119FCB14EF14D841E6AB7E5FF8A320F08846CF8899B362DB78ED45EB81

Function 00F8F0F2 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00F8F113
_wcscmp.LIBCMT ref: 00F8F128
_wcscmp.LIBCMT ref: 00F8F13F

Part of subcall function 00F84385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00F843A0

FindNextFileW.KERNEL32(00000000,?), ref: 00F8F16E
FindClose.KERNEL32(00000000), ref: 00F8F179
FindFirstFileW.KERNEL32(*.*,?), ref: 00F8F195
_wcscmp.LIBCMT ref: 00F8F1BC
_wcscmp.LIBCMT ref: 00F8F1D3
SetCurrentDirectoryW.KERNEL32(?), ref: 00F8F1E5
SetCurrentDirectoryW.KERNEL32(00FD8920), ref: 00F8F203
FindNextFileW.KERNEL32(00000000,00000010), ref: 00F8F20D
FindClose.KERNEL32(00000000), ref: 00F8F21A
FindClose.KERNEL32(00000000), ref: 00F8F22C

Strings

*.*, xrefs: 00F8F190

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 5d5188e52c5e97c7e4fc1e40bd9730bea98f28cc7d85a746a510e8d8e506676c
Instruction ID: 1f8946d12b70cb4c50bb079f2ae78c0864673860ca9497be603c3bf0173d450b
Opcode Fuzzy Hash: 5d5188e52c5e97c7e4fc1e40bd9730bea98f28cc7d85a746a510e8d8e506676c
Instruction Fuzzy Hash: 0631E77690021E6EDF10BBA4EC59BEE77AC9F45370F140171E800E61A0DB30DE89EB65

Function 00F8A1EF Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00F8A20F
__swprintf.LIBCMT ref: 00F8A231
CreateDirectoryW.KERNEL32(?,00000000), ref: 00F8A26E
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00F8A293
_memset.LIBCMT ref: 00F8A2B2
_wcsncpy.LIBCMT ref: 00F8A2EE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00F8A323
CloseHandle.KERNEL32(00000000), ref: 00F8A32E
RemoveDirectoryW.KERNEL32(?), ref: 00F8A337
CloseHandle.KERNEL32(00000000), ref: 00F8A341

Strings

\??\%s, xrefs: 00F8A22B
\, xrefs: 00F8A247
:, xrefs: 00F8A252

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: a4c0ca40a08546dc1b64a7bbba0f51a4ffe1ec6ffb6847c31e034da786e9a635
Instruction ID: bd842af9427f43700e0da1b6cc3f96f4dcb62bd59935e06bfbd2e4a45340c753
Opcode Fuzzy Hash: a4c0ca40a08546dc1b64a7bbba0f51a4ffe1ec6ffb6847c31e034da786e9a635
Instruction Fuzzy Hash: 2F31C5B1900209ABEB21DFA0DC49FEB37BCEF89750F1041B6FA09D6160EB7597449B25

Function 00F77CAF Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F78202: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00F7821E
Part of subcall function 00F78202: GetLastError.KERNEL32(?,00F77CE2,?,?,?), ref: 00F78228
Part of subcall function 00F78202: GetProcessHeap.KERNEL32(00000008,?,?,00F77CE2,?,?,?), ref: 00F78237
Part of subcall function 00F78202: HeapAlloc.KERNEL32(00000000,?,00F77CE2,?,?,?), ref: 00F7823E
Part of subcall function 00F78202: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00F78255

Part of subcall function 00F7829F: GetProcessHeap.KERNEL32(00000008,00F77CF8,00000000,00000000,?,00F77CF8,?), ref: 00F782AB
Part of subcall function 00F7829F: HeapAlloc.KERNEL32(00000000,?,00F77CF8,?), ref: 00F782B2
Part of subcall function 00F7829F: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00F77CF8,?), ref: 00F782C3

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00F77D13
_memset.LIBCMT ref: 00F77D28
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00F77D47
GetLengthSid.ADVAPI32(?), ref: 00F77D58
GetAce.ADVAPI32(?,00000000,?), ref: 00F77D95
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00F77DB1
GetLengthSid.ADVAPI32(?), ref: 00F77DCE
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00F77DDD
HeapAlloc.KERNEL32(00000000), ref: 00F77DE4
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00F77E05
CopySid.ADVAPI32(00000000), ref: 00F77E0C
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00F77E3D
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00F77E63
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00F77E77

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 76b2520324400d1b081eff8b062129e6b306a1444ac057bb4c6e5ad2d9c91ca6
Instruction ID: c295b94ed745e517a12fb88a733fe0be1e3923d7cc06324ac0d980476269e488
Opcode Fuzzy Hash: 76b2520324400d1b081eff8b062129e6b306a1444ac057bb4c6e5ad2d9c91ca6
Instruction Fuzzy Hash: 26616D71900209AFDF10DFA0DC44AEEBB79FF05310F04C16AF819AB291DB359A15EB61

Function 00F366E1 Relevance: 18.4, Strings: 14, Instructions: 889COMMON

Download Yara Rule

Strings

UCP), xrefs: 00F7110D
LF), xrefs: 00F712A4
BSR_ANYCRLF), xrefs: 00F7131E
LIMIT_RECURSION=, xrefs: 00F711FC
UTF16), xrefs: 00F710CF
ANY), xrefs: 00F712DE
BSR_UNICODE), xrefs: 00F71338
CR), xrefs: 00F71287
NO_AUTO_POSSESS), xrefs: 00F7112E
CRLF), xrefs: 00F712C1
ANYCRLF), xrefs: 00F712FB
LIMIT_MATCH=, xrefs: 00F71170
NO_START_OPT), xrefs: 00F7114F
UTF), xrefs: 00F710FA

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
API String ID: 0-4052911093
Opcode ID: 2682425fb2d8b3e145c6fc6064691a6879c8ef2dfd8580c355902ea9dcccaef8
Instruction ID: 56b84d628fc48fa74b194127e9236b4b2347c78e4e4daec40138b0ccca2b9188
Opcode Fuzzy Hash: 2682425fb2d8b3e145c6fc6064691a6879c8ef2dfd8580c355902ea9dcccaef8
Instruction Fuzzy Hash: A7726171E00219DBDF24CF58C8807AEB7B5FF48720F24C16AE849EB291DB749945EB91

Function 00F8001C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00F80097
SetKeyboardState.USER32(?), ref: 00F80102
GetAsyncKeyState.USER32(000000A0), ref: 00F80122
GetKeyState.USER32(000000A0), ref: 00F80139
GetAsyncKeyState.USER32(000000A1), ref: 00F80168
GetKeyState.USER32(000000A1), ref: 00F80179
GetAsyncKeyState.USER32(00000011), ref: 00F801A5
GetKeyState.USER32(00000011), ref: 00F801B3
GetAsyncKeyState.USER32(00000012), ref: 00F801DC
GetKeyState.USER32(00000012), ref: 00F801EA
GetAsyncKeyState.USER32(0000005B), ref: 00F80213
GetKeyState.USER32(0000005B), ref: 00F80221

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 4b2d1fc1c04607bf6c510b10124ee169458c035b0e7137864bc33c6f1780cde0
Instruction ID: fe87d7e031d8639df942ccc3d8dddcbbdeab0faac9bfbd506e90393ba4486172
Opcode Fuzzy Hash: 4b2d1fc1c04607bf6c510b10124ee169458c035b0e7137864bc33c6f1780cde0
Instruction Fuzzy Hash: 8A51EE20E047881DFB75FBA088557EABFB49F023A0F88459DD5C15A1C3DEA49B8CE761

Function 00FA03DA Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FA0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F9FDAD,?,?), ref: 00FA0E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FA04AC

Part of subcall function 00F29837: __itow.LIBCMT ref: 00F29862
Part of subcall function 00F29837: __swprintf.LIBCMT ref: 00F298AC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00FA054B
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00FA05E3
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00FA0822
RegCloseKey.ADVAPI32(00000000), ref: 00FA082F

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 69a942f7e0b181e9f67da43ad77b58b6205179212ca6b622f6a9c1043187428c
Instruction ID: 8661a4d7ff9a50ec8a18d8af56cfdcbdf585c8fca131845610eb21b0fcd71b8f
Opcode Fuzzy Hash: 69a942f7e0b181e9f67da43ad77b58b6205179212ca6b622f6a9c1043187428c
Instruction Fuzzy Hash: 1BE17E71604214AFCB14DF24DC85E6ABBE4FF8A314F04856DF84ADB261DA34EC05DB92

Function 00F983BB Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00F29837: __itow.LIBCMT ref: 00F29862
Part of subcall function 00F29837: __swprintf.LIBCMT ref: 00F298AC

CoInitialize.OLE32 ref: 00F98403
CoUninitialize.OLE32 ref: 00F9840E
CoCreateInstance.OLE32(?,00000000,00000017,00FB2BEC,?), ref: 00F9846E
IIDFromString.OLE32(?,?), ref: 00F984E1
VariantInit.OLEAUT32(?), ref: 00F9857B
VariantClear.OLEAUT32(?), ref: 00F985DC

Strings

Failed to create object, xrefs: 00F98479, 00F9852F
NULL Pointer assignment, xrefs: 00F984B3
Invalid parameter, xrefs: 00F984FA

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 3e9f3bf7b4625dbb8fa8ef64afa89bab81a5635dc566f29a806431d802994437
Instruction ID: 95796a2143633e00e18e266b8d6edfe73f9759f2880c1bc09756a8a06aa10dca
Opcode Fuzzy Hash: 3e9f3bf7b4625dbb8fa8ef64afa89bab81a5635dc566f29a806431d802994437
Instruction Fuzzy Hash: E26125716083129FEB10DF24C844F5EB7E4AF4A7A4F04441DF9859B291CB74ED4AEB92

Function 00F94164 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00F9418B
EmptyClipboard.USER32 ref: 00F94191
GlobalAlloc.KERNEL32(00000002,?), ref: 00F941A6
CloseClipboard.USER32 ref: 00F94245

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: b7d1085e2a51d433451025f06725d470eb8bedd613b95f8838dd3f6f480d15b7
Instruction ID: 57b4108e4eeba433a9747610e2efcc48f47176486f334d8103664dc2eae6867e
Opcode Fuzzy Hash: b7d1085e2a51d433451025f06725d470eb8bedd613b95f8838dd3f6f480d15b7
Instruction Fuzzy Hash: 3F21D1756006149FEB11AFA0EC09F6D7BA8FF55720F14802AF946DB2A1CB74AC42EB44

Function 00F837EF Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F24750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F24743,?,?,00F237AE,?), ref: 00F24770

Part of subcall function 00F84A31: GetFileAttributesW.KERNEL32(?,00F8370B), ref: 00F84A32

FindFirstFileW.KERNEL32(?,?), ref: 00F838A3
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00F8394B
MoveFileW.KERNEL32(?,?), ref: 00F8395E
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00F8397B
FindNextFileW.KERNEL32(00000000,00000010), ref: 00F8399D
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00F839B9

Strings

\*.*, xrefs: 00F8384E, 00F83857, 00F8386C

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: ec4c3ab8fdd3dfd87654535f8912b6fe0f4a0396221fa3f2af126ae09a7aa16b
Instruction ID: ec8d5f85b45945a92fa2a71ba4676fda641483996e5b44aab6bcb7e012f0e67a
Opcode Fuzzy Hash: ec4c3ab8fdd3dfd87654535f8912b6fe0f4a0396221fa3f2af126ae09a7aa16b
Instruction Fuzzy Hash: F651903180515DAACF05FBA0ED929EDB779AF11310F600069E402B71A1EF796F0DEB61

Function 00F8F3F3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00F27DE1: _memmove.LIBCMT ref: 00F27E22

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00F8F440
Sleep.KERNEL32(0000000A), ref: 00F8F470
_wcscmp.LIBCMT ref: 00F8F484
_wcscmp.LIBCMT ref: 00F8F49F
FindNextFileW.KERNEL32(?,?), ref: 00F8F53D
FindClose.KERNEL32(00000000), ref: 00F8F553

Strings

*.*, xrefs: 00F8F425

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: d29239ab2b4abc430c2c7123944440f43456ebedfe1377b2a105abba20d71cf5
Instruction ID: e0793d0f67e1d8e7b582705adbd3864f0c78f10d86066d5682a3fc2edef50713
Opcode Fuzzy Hash: d29239ab2b4abc430c2c7123944440f43456ebedfe1377b2a105abba20d71cf5
Instruction Fuzzy Hash: A5417E71D0021A9FCF14EFA4DC45AEEBBB4FF05320F14446AE815A7191DB349A89EB50

Function 00F35760 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F358A5
_memmove.LIBCMT ref: 00F358F5
_memmove.LIBCMT ref: 00F3595B

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 5294fde9242763d660c946ae8554907cfc9bb9ee2ab4a27205e354efa69c5341
Instruction ID: 279a4cd9304e542fe8dbff8b234f1e1058c2b6c3072353f2021a6382d107b55e
Opcode Fuzzy Hash: 5294fde9242763d660c946ae8554907cfc9bb9ee2ab4a27205e354efa69c5341
Instruction Fuzzy Hash: 5812AE70E00619DFCF04DFA4D981AAEB7F5FF88310F10852AE806A7250EB39A915EB51

Function 00F83B12 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F24750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F24743,?,?,00F237AE,?), ref: 00F24770

Part of subcall function 00F84A31: GetFileAttributesW.KERNEL32(?,00F8370B), ref: 00F84A32

FindFirstFileW.KERNEL32(?,?), ref: 00F83B89
DeleteFileW.KERNEL32(?,?,?,?), ref: 00F83BD9
FindNextFileW.KERNEL32(00000000,00000010), ref: 00F83BEA
FindClose.KERNEL32(00000000), ref: 00F83C01
FindClose.KERNEL32(00000000), ref: 00F83C0A

Strings

\*.*, xrefs: 00F83B5B

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 09afd596098fb3366349b624311542488962b84f8a110655982f21f8fb758aaa
Instruction ID: c64fe2b74daa3c34a1a299c3a6744a9bd59c630378d3efb35c7553de7b1898e2
Opcode Fuzzy Hash: 09afd596098fb3366349b624311542488962b84f8a110655982f21f8fb758aaa
Instruction Fuzzy Hash: EA317C710083959BC700FF64EC919EFB7E8AE92710F44092DF4D5961A1EB24DA0DEB62

Function 00F851BD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00F787E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F7882B
Part of subcall function 00F787E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F78858
Part of subcall function 00F787E1: GetLastError.KERNEL32 ref: 00F78865

ExitWindowsEx.USER32(?,00000000), ref: 00F851F9

Strings

SeShutdownPrivilege, xrefs: 00F851C9
@, xrefs: 00F851EC
, xrefs: 00F851E7

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 7e9b284406a2cd7f42ec1df3233df70ddee3823171d22e4b575a5050ba7185d8
Instruction ID: cf4c40b1b1d9aeed8633505282044dbeccbbe1d5fbb56a9809b66cb35cab6c07
Opcode Fuzzy Hash: 7e9b284406a2cd7f42ec1df3233df70ddee3823171d22e4b575a5050ba7185d8
Instruction Fuzzy Hash: 94017B32B916156BFB2872689C8BFFB7258EB05F90F240461F803E60D2DE501C05B390

Function 00F96283 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006), ref: 00F962DC
WSAGetLastError.WSOCK32(00000000), ref: 00F962EB
bind.WSOCK32(00000000,?,00000010), ref: 00F96307
listen.WSOCK32(00000000,00000005), ref: 00F96316
WSAGetLastError.WSOCK32(00000000), ref: 00F96330
closesocket.WSOCK32(00000000), ref: 00F96344

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 83b03de094a2209663d5c5a24d48fbd6fef4d2510904f71611cefc511edb99a4
Instruction ID: 373a4ad4df688be1ff84eccf335ee0d487a632875a61a27431b6893b9f5d8669
Opcode Fuzzy Hash: 83b03de094a2209663d5c5a24d48fbd6fef4d2510904f71611cefc511edb99a4
Instruction Fuzzy Hash: 4921DB71600214AFDF10AFA4DC85E6EB7A8EF49720F188169E816EB3D1CB74AD05EB51

Function 00F35520 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00F40DB6: std::exception::exception.LIBCMT ref: 00F40DEC
Part of subcall function 00F40DB6: __CxxThrowException@8.LIBCMT ref: 00F40E01

_memmove.LIBCMT ref: 00F70258
_memmove.LIBCMT ref: 00F7036D
_memmove.LIBCMT ref: 00F70414

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: e66054c146e82472b878585fc92ad3f38f7c411c525491ad84bdd6f107e0caf2
Instruction ID: 9b5169ad92ea7070e583757dca3a731821c8e7ba83929860d531edc8ee5ccf36
Opcode Fuzzy Hash: e66054c146e82472b878585fc92ad3f38f7c411c525491ad84bdd6f107e0caf2
Instruction Fuzzy Hash: 3E02B0B1E00209DBCF04DF64D981AAEBBB5EF84310F54C06AE80ADB255EF35D954EB91

Function 00F21287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00F22612: GetWindowLongW.USER32(?,000000EB), ref: 00F22623

DefDlgProcW.USER32(?,?,?,?,?), ref: 00F219FA
GetSysColor.USER32(0000000F), ref: 00F21A4E
SetBkColor.GDI32(?,00000000), ref: 00F21A61

Part of subcall function 00F21290: DefDlgProcW.USER32(?,00000020,?), ref: 00F212D8

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 52e2fc4fdaebfd24b7c65bc65c084427b3d3aea0fd87cb8c077ce9075f25031b
Instruction ID: b843ac8ffadef114fc8f528d2e17b49df55cea69e5cd6c3edb8709b8c8985776
Opcode Fuzzy Hash: 52e2fc4fdaebfd24b7c65bc65c084427b3d3aea0fd87cb8c077ce9075f25031b
Instruction Fuzzy Hash: B3A1AFB2502579BEE7389B286C44F7F355CFF62362B140119FA02D5192CB2E9D01FAB9

Function 00F8BCBC Relevance: 7.6, APIs: 5, Instructions: 143fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00F8BCE6
_wcscmp.LIBCMT ref: 00F8BD16
_wcscmp.LIBCMT ref: 00F8BD2B
FindNextFileW.KERNEL32(00000000,?), ref: 00F8BD3C
FindClose.KERNEL32(00000000,00000001,00000000), ref: 00F8BD6C

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: b93aee0050e1916d11f4590e71e9d4e27dae599eb0706cd5c91a25117028171d
Instruction ID: df4b9a8eed5ba242f2f53b0be4bf47b00983e31bcec0dfc305fe6f84368b84f7
Opcode Fuzzy Hash: b93aee0050e1916d11f4590e71e9d4e27dae599eb0706cd5c91a25117028171d
Instruction Fuzzy Hash: 3E51A076A04702AFC714EF68D890EDAB7E4EF49320F04461DE9568B3A1DB34ED05EB91

Function 00F96747 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00F97D8B: inet_addr.WSOCK32(00000000), ref: 00F97DB6

socket.WSOCK32(00000002,00000002,00000011), ref: 00F9679E
WSAGetLastError.WSOCK32(00000000), ref: 00F967C7
bind.WSOCK32(00000000,?,00000010), ref: 00F96800
WSAGetLastError.WSOCK32(00000000), ref: 00F9680D
closesocket.WSOCK32(00000000), ref: 00F96821

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: 4b61939dac6fc9721685a798e3ed3960845f463d9a6d3003ce19dc49baede24e
Instruction ID: 3f1ba5061cb0eb9198e8071e7f34a831b694e11102f8c8824c9d8426a5f88ed7
Opcode Fuzzy Hash: 4b61939dac6fc9721685a798e3ed3960845f463d9a6d3003ce19dc49baede24e
Instruction Fuzzy Hash: 7841E575A00224AFEB10BF649C86F7E77A8DF05754F44845CF915AB3C2CA789D01A791

Function 00FA5376 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00FA53C5
IsWindowEnabled.USER32 ref: 00FA53D3
GetForegroundWindow.USER32(?,?,00000001), ref: 00FA53E0
IsIconic.USER32 ref: 00FA53EE
IsZoomed.USER32 ref: 00FA53FC

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: e400c1719eb26ddf84d0fc137a5e120f6aec7273c4acb4e5540e215507aae324
Instruction ID: c4ca0d6a94a7026567d5e5e16731d5fbd315de283b27989d4fa6744ed2cda2fc
Opcode Fuzzy Hash: e400c1719eb26ddf84d0fc137a5e120f6aec7273c4acb4e5540e215507aae324
Instruction Fuzzy Hash: 1D1127B2B00A256FDF205F66DC44B6E7B9DFF86BA1B444038F845D7241CBB4DC01A6A0

Function 00F780A9 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00F780C0
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00F780CA
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00F780D9
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00F780E0
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00F780F6

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 888de06b6de3beb5a78099284189a681d4a63a740281d7e0d33d0714531bb119
Instruction ID: 445e9324317b1d1a9f7cac6b9d0da6e0266497e467b6db3a8fc1745bd83e852f
Opcode Fuzzy Hash: 888de06b6de3beb5a78099284189a681d4a63a740281d7e0d33d0714531bb119
Instruction Fuzzy Hash: 16F06271240308AFEB100FA5EC8DE673BACEF4A7A5B404026F949CA150CBA19C46EA61

Function 00F24B37 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00F24AD0), ref: 00F24B45
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00F24B57

Strings

GetNativeSystemInfo, xrefs: 00F24B51
kernel32.dll, xrefs: 00F24B40

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 6b46dc9997c96479b77d2b7f429eb5a79c0663bd5c5497dd076d8dcfabe631a3
Instruction ID: db4497f2dc6be9650829d4a2afbe8599a34488979be3a4f1d12e60e204290f78
Opcode Fuzzy Hash: 6b46dc9997c96479b77d2b7f429eb5a79c0663bd5c5497dd076d8dcfabe631a3
Instruction Fuzzy Hash: CED02BB4E10327CFC7209FB1EC18B0272E4AF82390B10C83ED4C2CA150D7B0E484EA24

Function 00F33030 Relevance: 6.6, APIs: 4, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: c07a1c435ddf569acadfbce602dbfb3a3ffb5deae12665138ab89c2141f5dc42
Instruction ID: 6abd226df5d5a0cec386ec2b2e67c9094653dc43c7910486290f3df8cb4891af
Opcode Fuzzy Hash: c07a1c435ddf569acadfbce602dbfb3a3ffb5deae12665138ab89c2141f5dc42
Instruction Fuzzy Hash: AD22BE72A083109FC724DF24D881B6FB7E4BF84720F14492DF89A97291DB75E944EB92

Function 00F9EE0D Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00F9EE3D
Process32FirstW.KERNEL32(00000000,?), ref: 00F9EE4B

Part of subcall function 00F27DE1: _memmove.LIBCMT ref: 00F27E22

Process32NextW.KERNEL32(00000000,?), ref: 00F9EF0B
CloseHandle.KERNEL32(00000000,?,?,?), ref: 00F9EF1A

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 4a333aafc36e342039511a0c67db26c8b0b68828140a413718d26463439eb139
Instruction ID: da23091962ed2c9583ace763e9f842101a837a44dfc68524abce32a1d6767e35
Opcode Fuzzy Hash: 4a333aafc36e342039511a0c67db26c8b0b68828140a413718d26463439eb139
Instruction Fuzzy Hash: 9951AF71508315AFD710EF20DC82EABB7E8EF95710F40482DF595972A2EB74E908DB92

Function 00F7E616 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00F7E628

Strings

(, xrefs: 00F7E66E
|, xrefs: 00F7E658

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 400525cab9a65a043656e4d49d3917da8b338fbefa502eb9b165f12dfaa4f328
Instruction ID: 650161fca60246141556b53e098da69c98b1c72cf069390959cc7a9d84b00eaf
Opcode Fuzzy Hash: 400525cab9a65a043656e4d49d3917da8b338fbefa502eb9b165f12dfaa4f328
Instruction Fuzzy Hash: 20321575A007059FD728CF19C481A6AB7F1FF48320B15C4AFE99ADB3A1EB70A941DB41

Function 00F922EE Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00F9180A,00000000), ref: 00F923E1
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00F92418

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: b6722c5149f33c2567eda350fb3172b5eff429eb157ee79658902e6f9d75a079
Instruction ID: 3391c8f0adbb050ad8de4b8f9b8aa74aa710a79caa0e65d183e738fcb15178ff
Opcode Fuzzy Hash: b6722c5149f33c2567eda350fb3172b5eff429eb157ee79658902e6f9d75a079
Instruction Fuzzy Hash: 3D41D372904209FFFF60DE99DC81FBBB7BCEB40724F10402AFA45A6141DA759E41BA60

Function 00F8B3FB Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00F8B40B
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00F8B465
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00F8B4B2

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 3432b51d1bb88b7ab2661c898fa5f57cbc991c458c949c93f1d09da666b843c3
Instruction ID: a49555a3b03f1eb840da8cd46a826b59dedc55b822de1c16e11e4ade56da0c9b
Opcode Fuzzy Hash: 3432b51d1bb88b7ab2661c898fa5f57cbc991c458c949c93f1d09da666b843c3
Instruction Fuzzy Hash: 1A21A175A00118EFCB00EFA5EC81AEDBBB8FF49310F1480AAE905EB361CB359915DB50

Function 00F787E1 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00F40DB6: std::exception::exception.LIBCMT ref: 00F40DEC
Part of subcall function 00F40DB6: __CxxThrowException@8.LIBCMT ref: 00F40E01

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F7882B
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F78858
GetLastError.KERNEL32 ref: 00F78865

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 04811c7424fd90614f9d965d5d77c2fca87430f339123a9e307b0936156e64fa
Instruction ID: 3af6b87ccd1fd56771b706c06c3e5ad667c5210ce7ba3ab78fa3d60b0a3480db
Opcode Fuzzy Hash: 04811c7424fd90614f9d965d5d77c2fca87430f339123a9e307b0936156e64fa
Instruction Fuzzy Hash: AA119DB2814204AFE718DFA4DC89D2BBBB8EB05350B20C52EE45987201EE30AC059B61

Function 00F7874B Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00F78774
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00F7878B
FreeSid.ADVAPI32(?), ref: 00F7879B

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: b0cb2cb67e6e5c9a0898ecf271971554faac007f9689f3c1c4b94440115367ac
Instruction ID: db791f2f7af8fc3e59bceeaa7c45b01b88344d23c37a81e26c73eb43ee982429
Opcode Fuzzy Hash: b0cb2cb67e6e5c9a0898ecf271971554faac007f9689f3c1c4b94440115367ac
Instruction Fuzzy Hash: 43F04F7595130CBFDF04DFF4DC89AAEB7BCEF08311F108469A501E6181E6715A089B50

Function 00F84C7F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 00F84CB3

Strings

DOWN, xrefs: 00F84C98

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: mouse_event
String ID: DOWN
API String ID: 2434400541-711622031
Opcode ID: eab23cf47b921a8af90ed7a4f807b9d2d23e4b8e1bd847d7008308dc1555026c
Instruction ID: 90d913ca6ca3704e70b4a37eaad0c108d67ea32ff201e76aa084ba190a3ba5ae
Opcode Fuzzy Hash: eab23cf47b921a8af90ed7a4f807b9d2d23e4b8e1bd847d7008308dc1555026c
Instruction Fuzzy Hash: 73E046665997223DA9482918BC07EF72A8C8B13331B550216FC10E55C1EE94BC8236B9

Function 00F8C6D1 Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00F8C6FB
FindClose.KERNEL32(00000000), ref: 00F8C72B

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: ef771f65ef5c88eb0028425af1d3f9c03a900715f09c3f539469e7e7d7174ed1
Instruction ID: 4889df333f1d185553aa24f3effc3dc8f784dd68b207ae420b93f6346f08db87
Opcode Fuzzy Hash: ef771f65ef5c88eb0028425af1d3f9c03a900715f09c3f539469e7e7d7174ed1
Instruction Fuzzy Hash: 8F118E726046049FDB10EF29DC45A6AF7E8EF85324F04851EF8AACB290DB74AC05DB91

Function 00F8A06A Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00F99468,?,00FAFB84,?), ref: 00F8A097
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00F99468,?,00FAFB84,?), ref: 00F8A0A9

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: a332bf6a7591f80724618dc42b4c8e39d64d4f0889cabd8ca268c492ba4b036a
Instruction ID: 5c58dfe13c99532ca052c401b5cd07ac30b3a5bc31d8ba5b805a9e5799855ef6
Opcode Fuzzy Hash: a332bf6a7591f80724618dc42b4c8e39d64d4f0889cabd8ca268c492ba4b036a
Instruction Fuzzy Hash: 1AF0E23610422DABDB20AFA4CC49FEA736CFF09362F004166F908D6180D630A904DBA1

Function 00F781CB Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00F78309), ref: 00F781E0
CloseHandle.KERNEL32(?,?,00F78309), ref: 00F781F2

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 967e9ccb9bc4396b781a200fac44c13cd8bda3f529f00e581ecbacb5dd95c7a8
Instruction ID: c18903d4ce0201495effc92cb3ff67f633b760b4276d58e546201233fc7d7578
Opcode Fuzzy Hash: 967e9ccb9bc4396b781a200fac44c13cd8bda3f529f00e581ecbacb5dd95c7a8
Instruction Fuzzy Hash: 57E0EC76010611AFEB252B61EC09D777BEEEF04361714C92DF9A684470DB76ACA1EB10

Function 00F4A155 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00F48D57,?,?,?,00000001), ref: 00F4A15A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00F4A163

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: fa74ac5cc1ea0c61e317eb2ce11f9446103b56a4e3c3914b004e2acb3b72b1a0
Instruction ID: 643fa0f9b326218c407c3d6f0842ff21c94da5a8835f60af4fe11f689f181ce6
Opcode Fuzzy Hash: fa74ac5cc1ea0c61e317eb2ce11f9446103b56a4e3c3914b004e2acb3b72b1a0
Instruction Fuzzy Hash: 76B0927505430CABCF002BD1EC59B883F68EB46AA2F404020F60D88060CBA25454AA91

Function 00F2E6A0 Relevance: 2.4, Strings: 1, Instructions: 1102COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00F63E62

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 104cd593526454ed278dbd387c8859c7c821bd45078c86420a5858d9af3350bb
Instruction ID: 883dcb24275a881c7a78c773414d1ece71a9869c87d4f8fedacca77af6a4856b
Opcode Fuzzy Hash: 104cd593526454ed278dbd387c8859c7c821bd45078c86420a5858d9af3350bb
Instruction Fuzzy Hash: 46A28C75E00229CFCB24CF54E880AAAB7B1FF59320F748069E915AB351D775ED42EB90

Function 00F4F1D9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37151cef7fd2fe39ad7e5f140dcb289fe048f547f964478f90990aff33c87b01
Instruction ID: 16c30021069663d222251002db04c3b5f6c0e68f9d3b210a9fe3783a681dc566
Opcode Fuzzy Hash: 37151cef7fd2fe39ad7e5f140dcb289fe048f547f964478f90990aff33c87b01
Instruction Fuzzy Hash: 3032F322D29F054DDB239634DCA2335A648AFF73D4F15D737EC1AB59AAEB28C4836500

Function 00F5242E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 262a18bc9e9986582f89867f3a29354ec16422deceed94033acc75674612620a
Instruction ID: ff2832aa45e30c7cd395f38759e1a920b39f5bb25c31a00d7e74249c580a6b79
Opcode Fuzzy Hash: 262a18bc9e9986582f89867f3a29354ec16422deceed94033acc75674612620a
Instruction Fuzzy Hash: 21B10230E2AF444DD32396398871336BA9CAFBB2D5F55D71BFC2670D22EB2285836541

Function 00F88889 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00F8889B

Part of subcall function 00F4520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00F88F6E,00000000,?,?,?,?,00F8911F,00000000,?), ref: 00F45213
Part of subcall function 00F4520A: __aulldiv.LIBCMT ref: 00F45233

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: c6cbb490d38ff04b652fbf91749a9561b05f3900b97a4a8e3adc370a8ac7bc0d
Instruction ID: 52f55ed3aee2054a2d73d2702fc1f12dc5f69f797dd43b53e5b9b785ac0b441c
Opcode Fuzzy Hash: c6cbb490d38ff04b652fbf91749a9561b05f3900b97a4a8e3adc370a8ac7bc0d
Instruction Fuzzy Hash: F421B432A356148BC729CF25D881A92B3E1EFA5321B688E6CD1F5CF2D0CB74B905DB54

Function 00F787B1 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00F78389), ref: 00F787D1

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 86e095a651ff71abbf44ca03665f6390f638aa3467b8ef7a661bbb79112fe874
Instruction ID: 4f91b27d977764da0f1c24cc08dacaa73b1002abf02f7cd186ba5dd5785196b8
Opcode Fuzzy Hash: 86e095a651ff71abbf44ca03665f6390f638aa3467b8ef7a661bbb79112fe874
Instruction Fuzzy Hash: 41D05E322A050EABEF018EA4DC01EAE3B69EB04B01F40C111FE15C50A1C775D835AB60

Function 00F4A124 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00F4A12A

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 7cb2c4d247dfffaa79dde1946eeeb76003b2bfa205871bc937836e0ff40ee971
Instruction ID: 55719b4cf4560e1f0d296f8555da48c5ef775f3a9481120a3c7a938d082283f0
Opcode Fuzzy Hash: 7cb2c4d247dfffaa79dde1946eeeb76003b2bfa205871bc937836e0ff40ee971
Instruction Fuzzy Hash: CDA0113000020CAB8F002B82EC08888BFACEA022A0B008020F80C880228B32A820AA80

Function 00F38808 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8575dff8759557118a6eca048f912c28048ace92fe2acb9120953f6f77449a4
Instruction ID: 08780a3171d5816ba8d0f80d46de1668c9ae270c6dfec58212795ae1fc325e5c
Opcode Fuzzy Hash: e8575dff8759557118a6eca048f912c28048ace92fe2acb9120953f6f77449a4
Instruction Fuzzy Hash: 32224831D0434ADBCF288A24C49477C77A1BB01BB4F24806BF54ACB592DBBC9D92F652

Function 00F421C5 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 65de15032a1a9519c43cf0bddade5d2834f8d49b91f699cbbd0ffc5eb0844cb8
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 35C19672A050930ADF6D8639843413EFEB16EA27B135A077DECB3CB1D5EE10C965E620

Function 00F425FA Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: c9aa65240430b80156cb60e0b542f35ce6da220c03519136d979de4fcdaab076
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 3EC19473A0519309DF6D463A843413EBEA16EA27F135A077DECB2DB1D4EE20C964F620

Function 00F41978 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 457cfbbacbb604626c25d754bd6ad713e3f773ad209cc29662764ae619798618
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 3CC17272A4519309DF2D4639C47417EBFA16EA27B131A076DDCB2CB2D4FE20C9A5E620

Function 014BD900 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2070050477.00000000014BA000.00000040.00000020.00020000.00000000.sdmp, Offset: 014BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14ba000_rlPy5vt1Dg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: 39869e703c733146be10dace423075f3a1200b200a59c21754d0b4692de635ab
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: B041D271D1051CEBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB90

Function 014BD7F0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2070050477.00000000014BA000.00000040.00000020.00020000.00000000.sdmp, Offset: 014BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14ba000_rlPy5vt1Dg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: db4fe7fce76f32296d7902b911ba8414bdaaba28fe4d0c193336a98d88bb9a30
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: 3D018078E00109EFCB44DF98C5909AEF7B5FF88214B20859AE819A7311D730AE52DB90

Function 014BD790 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2070050477.00000000014BA000.00000040.00000020.00020000.00000000.sdmp, Offset: 014BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14ba000_rlPy5vt1Dg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: eaceb7b467bd923a7f6d7cc99817b966fbee846c205fd7609586bb1fe807f429
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: 86018078E00109EFCB48DF98C5909AEF7B5FB88214B2085DAD809A7711D730AE41DB90

Function 014BC160 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2070050477.00000000014BA000.00000040.00000020.00020000.00000000.sdmp, Offset: 014BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_14ba000_rlPy5vt1Dg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 00F97806 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00F9785B
DeleteObject.GDI32(00000000), ref: 00F9786D
DestroyWindow.USER32 ref: 00F9787B
GetDesktopWindow.USER32 ref: 00F97895
GetWindowRect.USER32(00000000), ref: 00F9789C
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00F979DD
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00F979ED
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F97A35
GetClientRect.USER32(00000000,?), ref: 00F97A41
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00F97A7B
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F97A9D
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F97AB0
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F97ABB
GlobalLock.KERNEL32(00000000), ref: 00F97AC4
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F97AD3
GlobalUnlock.KERNEL32(00000000), ref: 00F97ADC
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F97AE3
GlobalFree.KERNEL32(00000000), ref: 00F97AEE
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F97B00
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00FB2CAC,00000000), ref: 00F97B16
GlobalFree.KERNEL32(00000000), ref: 00F97B26
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00F97B4C
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00F97B6B
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F97B8D
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F97D7A

Strings

static, xrefs: 00F97A75, 00F97BCC
AutoIt v3, xrefs: 00F97A2D
DISPLAY, xrefs: 00F97BDD
, xrefs: 00F97D00

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 1921982947d263551c8cd1f6c851e9e3dcc19e5073519ce6a65366672779f8f8
Instruction ID: 84a2c6d214e2af3c5a65001ed0567f06228a14c717bf16a33c5b89a23d2998ba
Opcode Fuzzy Hash: 1921982947d263551c8cd1f6c851e9e3dcc19e5073519ce6a65366672779f8f8
Instruction Fuzzy Hash: 27027BB1910219EFDF14DFA4DC89EAE7BB9EF49310F148158F905AB2A1C774AD01EB60

Function 00FA356B Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,00FAF910), ref: 00FA3627
IsWindowVisible.USER32(?), ref: 00FA364B

Strings

EDITPASTE, xrefs: 00FA395F
HIDEDROPDOWN, xrefs: 00FA3700
ISENABLED, xrefs: 00FA366B
GETSELECTED, xrefs: 00FA38A3
FINDSTRING, xrefs: 00FA3776
TABRIGHT, xrefs: 00FA369D
GETCURRENTSELECTION, xrefs: 00FA37E3
SENDCOMMANDID, xrefs: 00FA39DA
DELSTRING, xrefs: 00FA3749
CURRENTTAB, xrefs: 00FA36BD
SELECTSTRING, xrefs: 00FA3806
SETCURRENTSELECTION, xrefs: 00FA37B6
CHECK, xrefs: 00FA386D
ADDSTRING, xrefs: 00FA3716
SHOWDROPDOWN, xrefs: 00FA36E0
TABLEFT, xrefs: 00FA3687
ISCHECKED, xrefs: 00FA3839
ISVISIBLE, xrefs: 00FA3637
UNCHECK, xrefs: 00FA3883
GETLINECOUNT, xrefs: 00FA38C6
GETLINE, xrefs: 00FA399B
GETCURRENTCOL, xrefs: 00FA3928
GETCURRENTLINE, xrefs: 00FA38ED

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 25e7e7ce5d809bac47964652419a6cefe899da99458c5b467accc759a073cdeb
Instruction ID: ea9ec73f8d311fa8f38daf53102ec9bbe8acff2d5938dd8134a075671aa89ae7
Opcode Fuzzy Hash: 25e7e7ce5d809bac47964652419a6cefe899da99458c5b467accc759a073cdeb
Instruction Fuzzy Hash: 1CD1B6712083119BCB04EF10C855A6E7BA2AF96354F184459F8865B3A3CF79DE0AFB81

Function 00FAA5DA Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00FAA630
GetSysColorBrush.USER32(0000000F), ref: 00FAA661
GetSysColor.USER32(0000000F), ref: 00FAA66D
SetBkColor.GDI32(?,000000FF), ref: 00FAA687
SelectObject.GDI32(?,00000000), ref: 00FAA696
InflateRect.USER32(?,000000FF,000000FF), ref: 00FAA6C1
GetSysColor.USER32(00000010), ref: 00FAA6C9
CreateSolidBrush.GDI32(00000000), ref: 00FAA6D0
FrameRect.USER32(?,?,00000000), ref: 00FAA6DF
DeleteObject.GDI32(00000000), ref: 00FAA6E6
InflateRect.USER32(?,000000FE,000000FE), ref: 00FAA731
FillRect.USER32(?,?,00000000), ref: 00FAA763
GetWindowLongW.USER32(?,000000F0), ref: 00FAA78E

Part of subcall function 00FAA8CA: GetSysColor.USER32(00000012), ref: 00FAA903
Part of subcall function 00FAA8CA: SetTextColor.GDI32(?,?), ref: 00FAA907
Part of subcall function 00FAA8CA: GetSysColorBrush.USER32(0000000F), ref: 00FAA91D
Part of subcall function 00FAA8CA: GetSysColor.USER32(0000000F), ref: 00FAA928
Part of subcall function 00FAA8CA: GetSysColor.USER32(00000011), ref: 00FAA945
Part of subcall function 00FAA8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00FAA953
Part of subcall function 00FAA8CA: SelectObject.GDI32(?,00000000), ref: 00FAA964
Part of subcall function 00FAA8CA: SetBkColor.GDI32(?,00000000), ref: 00FAA96D
Part of subcall function 00FAA8CA: SelectObject.GDI32(?,?), ref: 00FAA97A
Part of subcall function 00FAA8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 00FAA999
Part of subcall function 00FAA8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00FAA9B0
Part of subcall function 00FAA8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 00FAA9C5
Part of subcall function 00FAA8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00FAA9ED

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: fca442c7ac3949af6b2d13ca50d4ea7296ba5c78da4bb6bef0632f4f028cd9f4
Instruction ID: c60bd833bebb39ae19b997f863758997283a8b71423779d4b7988e3509c25423
Opcode Fuzzy Hash: fca442c7ac3949af6b2d13ca50d4ea7296ba5c78da4bb6bef0632f4f028cd9f4
Instruction Fuzzy Hash: 279181B2408305EFC7109FA4DC08A5B7BA9FF4A331F144B29F962DA1A0D735D948EB52

Function 00F22C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00F22CA2
DeleteObject.GDI32(00000000), ref: 00F22CE8
DeleteObject.GDI32(00000000), ref: 00F22CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 00F22CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00F22D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 00F5C43B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00F5C474
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00F5C89D

Part of subcall function 00F21B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00F22036,?,00000000,?,?,?,?,00F216CB,00000000,?), ref: 00F21B9A

SendMessageW.USER32(?,00001053), ref: 00F5C8DA
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00F5C8F1
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00F5C907
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00F5C912

Strings

0, xrefs: 00F5C731

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 7df8996cdf8de4195f3ff3ee5683587db4c71de74ecdd83426ba58c975a2b85d
Instruction ID: 81836462ab0a29ca11cbe3df6672acc61a0b3a751910964ccd616447a4424acc
Opcode Fuzzy Hash: 7df8996cdf8de4195f3ff3ee5683587db4c71de74ecdd83426ba58c975a2b85d
Instruction Fuzzy Hash: 5C129130904311EFDB14CF24D884B69B7E1FF09322F584569FA96DB662C731E84AEB91

Function 00F974AB Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00F974DE
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00F9759D
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00F975DB
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00F975ED
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00F97633
GetClientRect.USER32(00000000,?), ref: 00F9763F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00F97683
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00F97692
GetStockObject.GDI32(00000011), ref: 00F976A2
SelectObject.GDI32(00000000,00000000), ref: 00F976A6
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00F976B6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F976BF
DeleteDC.GDI32(00000000), ref: 00F976C8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00F976F4
SendMessageW.USER32(00000030,00000000,00000001), ref: 00F9770B
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00F97746
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00F9775A
SendMessageW.USER32(00000404,00000001,00000000), ref: 00F9776B
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00F9779B
GetStockObject.GDI32(00000011), ref: 00F977A6
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00F977B1
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00F977BB

Strings

static, xrefs: 00F9767D, 00F97795
AutoIt v3, xrefs: 00F9762B
DISPLAY, xrefs: 00F97688
msctls_progress32, xrefs: 00F9773C

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 560ebf8fbde9b42c1ea098e836bb8705e727144cd325543f5bb93b92a306650f
Instruction ID: 0c8fec539a6ea76939c96a86b1b2d04a9fc3ac05f7e7acc383c86dc22b73dba7
Opcode Fuzzy Hash: 560ebf8fbde9b42c1ea098e836bb8705e727144cd325543f5bb93b92a306650f
Instruction Fuzzy Hash: 20A190B1A00619BFEB14DBA4DC4AFAE7BB9EF09714F044114FA15AB2E0C774AD04DB64

Function 00F8AD10 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00F8AD1E
GetDriveTypeW.KERNEL32(?,00FAFAC0,?,\\.\,00FAF910), ref: 00F8ADFB
SetErrorMode.KERNEL32(00000000,00FAFAC0,?,\\.\,00FAF910), ref: 00F8AF59

Strings

CDROM, xrefs: 00F8AE2F
PhysicalDrive, xrefs: 00F8ADA7
Fixed, xrefs: 00F8AE43
SSA, xrefs: 00F8AEE2
Unknown, xrefs: 00F8AE1B, 00F8AEBF
Fibre, xrefs: 00F8AEE9
Removable, xrefs: 00F8AE4D
\\.\, xrefs: 00F8AD70
1394, xrefs: 00F8AEDB
ATAPI, xrefs: 00F8AECD
SCSI, xrefs: 00F8AEC6
RAID, xrefs: 00F8AEF7
USB, xrefs: 00F8AEF0
Virtual, xrefs: 00F8AF21
SAS, xrefs: 00F8AF05
MMC, xrefs: 00F8AF1A
iSCSI, xrefs: 00F8AEFE
FileBackedVirtual, xrefs: 00F8AF28
Network, xrefs: 00F8AE39
SATA, xrefs: 00F8AF0C
SSD, xrefs: 00F8AE86
ATA, xrefs: 00F8AED4
RAMDisk, xrefs: 00F8AE25

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 024c55109d2250d4d1e972ecadc897afd342ade09e193735012944970c53961a
Instruction ID: be9e884fe95d271a98655cd5573ec9b94175d85900309331fffe7f44b5edcc40
Opcode Fuzzy Hash: 024c55109d2250d4d1e972ecadc897afd342ade09e193735012944970c53961a
Instruction Fuzzy Hash: E451C2B1A48209AB9B00FB10CD82DFD73A2EB48750B284457E507AB394DAB4DD02FB43

Function 00F268DC Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00F26931
__wcsnicmp.LIBCMT ref: 00F26949
__wcsnicmp.LIBCMT ref: 00F26961
__wcsnicmp.LIBCMT ref: 00F26979
__wcsnicmp.LIBCMT ref: 00F26991
__wcsnicmp.LIBCMT ref: 00F269A9
__wcsnicmp.LIBCMT ref: 00F269C1
__wcsnicmp.LIBCMT ref: 00F269D5
__wcsnicmp.LIBCMT ref: 00F26A16
__wcsnicmp.LIBCMT ref: 00F26A2A
__wcsnicmp.LIBCMT ref: 00F26A3E
__wcsnicmp.LIBCMT ref: 00F26A52

Strings

Unterminated group of comments, xrefs: 00F5E403
Cannot parse #include, xrefs: 00F5E3F0
#include-once, xrefs: 00F2698B
#comments-start, xrefs: 00F269BB, 00F26A10
#requireadmin, xrefs: 00F2695B
#ce, xrefs: 00F26A4C
#cs, xrefs: 00F269CF, 00F26A24
#include, xrefs: 00F269A3
#OnAutoItStartRegister, xrefs: 00F26973
#notrayicon, xrefs: 00F26943
#comments-end, xrefs: 00F26A38
Bad directive syntax error, xrefs: 00F5E31A
#pragma compile, xrefs: 00F2692B

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 42edae256e6074fda75ec975f35d3c4982d51b34b4a267f426995d6ec6eb9bf3
Instruction ID: f80beb729e74e6cdc3d8b507b29c352316f2e9ebce336ee9b15d726cbd364c05
Opcode Fuzzy Hash: 42edae256e6074fda75ec975f35d3c4982d51b34b4a267f426995d6ec6eb9bf3
Instruction Fuzzy Hash: B9813BB1A002156ACB15AF60FC83FAF3B68AF05710F044025FD45EB192EB79DE49F661

Function 00FA9A1C Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 455windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00FA9AD2
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00FA9B8B
SendMessageW.USER32(?,00001102,00000002,?), ref: 00FA9BA7

Strings

0, xrefs: 00FA9BE4

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: 50f27171c8532b8ebb0314ccd53d96b75778c12c1c5dcfbf128f734cf46293df
Instruction ID: 73c99848287ee4d0a6d985341a2ef4fc169c3b66d03e054d3511e5cd3df01c25
Opcode Fuzzy Hash: 50f27171c8532b8ebb0314ccd53d96b75778c12c1c5dcfbf128f734cf46293df
Instruction Fuzzy Hash: 4002E2B1508301AFDB25CF14CC88BAABBE5FF86324F04852DF995DA2A1C7B4D944EB51

Function 00FAA8CA Relevance: 39.2, APIs: 26, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00FAA903
SetTextColor.GDI32(?,?), ref: 00FAA907
GetSysColorBrush.USER32(0000000F), ref: 00FAA91D
GetSysColor.USER32(0000000F), ref: 00FAA928
CreateSolidBrush.GDI32(?), ref: 00FAA92D
GetSysColor.USER32(00000011), ref: 00FAA945
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00FAA953
SelectObject.GDI32(?,00000000), ref: 00FAA964
SetBkColor.GDI32(?,00000000), ref: 00FAA96D
SelectObject.GDI32(?,?), ref: 00FAA97A
InflateRect.USER32(?,000000FF,000000FF), ref: 00FAA999
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00FAA9B0
GetWindowLongW.USER32(00000000,000000F0), ref: 00FAA9C5
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00FAA9ED
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00FAAA14
InflateRect.USER32(?,000000FD,000000FD), ref: 00FAAA32
DrawFocusRect.USER32(?,?), ref: 00FAAA3D
GetSysColor.USER32(00000011), ref: 00FAAA4B
SetTextColor.GDI32(?,00000000), ref: 00FAAA53
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00FAAA67
SelectObject.GDI32(?,00FAA5FA), ref: 00FAAA7E
DeleteObject.GDI32(?), ref: 00FAAA89
SelectObject.GDI32(?,?), ref: 00FAAA8F
DeleteObject.GDI32(?), ref: 00FAAA94
SetTextColor.GDI32(?,?), ref: 00FAAA9A
SetBkColor.GDI32(?,?), ref: 00FAAAA4

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: d5128d156af5227a85375acce71de718d42700f261bade840196bd68c2fbfb84
Instruction ID: 5b836c60ab90bed90ab0dd22c45adf9c4660dbd66c77e16cabc86dbc53eb14b2
Opcode Fuzzy Hash: d5128d156af5227a85375acce71de718d42700f261bade840196bd68c2fbfb84
Instruction Fuzzy Hash: A1513DB1D00208FFDB119FA4DC48EAE7BB9EF0A320F154625F911AB2A1D7759944EF90

Function 00FA89D5 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00FA8AC1
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00FA8AD2
CharNextW.USER32(0000014E), ref: 00FA8B01
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00FA8B42
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00FA8B58
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00FA8B69
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00FA8B86
SetWindowTextW.USER32(?,0000014E), ref: 00FA8BD8
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00FA8BEE
SendMessageW.USER32(?,00001002,00000000,?), ref: 00FA8C1F
_memset.LIBCMT ref: 00FA8C44
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00FA8C8D
_memset.LIBCMT ref: 00FA8CEC
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00FA8D16
SendMessageW.USER32(?,00001074,?,00000001), ref: 00FA8D6E
SendMessageW.USER32(?,0000133D,?,?), ref: 00FA8E1B
InvalidateRect.USER32(?,00000000,00000001), ref: 00FA8E3D
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00FA8E87
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00FA8EB4
DrawMenuBar.USER32(?), ref: 00FA8EC3
SetWindowTextW.USER32(?,0000014E), ref: 00FA8EEB

Strings

0, xrefs: 00FA8E55

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 991029f81e9232dee7afa6d2671f9d7ef6cbc5d9930253a8bc94569d1e70defe
Instruction ID: 09098b20235f20c0e9c7358f0e00a9c7286ddb28aa39974320ffe38468da4a2c
Opcode Fuzzy Hash: 991029f81e9232dee7afa6d2671f9d7ef6cbc5d9930253a8bc94569d1e70defe
Instruction Fuzzy Hash: D0E183B1900209AFDF20DF50CC84EEE7B79EF06760F148156F915AB290DBB49A85EF60

Function 00FA488F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00FA49CA
GetDesktopWindow.USER32 ref: 00FA49DF
GetWindowRect.USER32(00000000), ref: 00FA49E6
GetWindowLongW.USER32(?,000000F0), ref: 00FA4A48
DestroyWindow.USER32(?), ref: 00FA4A74
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00FA4A9D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00FA4ABB
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00FA4AE1
SendMessageW.USER32(?,00000421,?,?), ref: 00FA4AF6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00FA4B09
IsWindowVisible.USER32(?), ref: 00FA4B29
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00FA4B44
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00FA4B58
GetWindowRect.USER32(?,?), ref: 00FA4B70
MonitorFromPoint.USER32(?,?,00000002), ref: 00FA4B96
GetMonitorInfoW.USER32(00000000,?), ref: 00FA4BB0
CopyRect.USER32(?,?), ref: 00FA4BC7
SendMessageW.USER32(?,00000412,00000000), ref: 00FA4C32

Strings

0, xrefs: 00FA4975
tooltips_class32, xrefs: 00FA4A96
(, xrefs: 00FA4BA3

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 0d094906ddc8408b4b0d0e8ac24adc51d2287392611e0af17c5ce748c3461bb8
Instruction ID: 9298115bcfd8a8d465860a99c17ba82731f77fd1cf08b7d8c30752aada8b9096
Opcode Fuzzy Hash: 0d094906ddc8408b4b0d0e8ac24adc51d2287392611e0af17c5ce748c3461bb8
Instruction Fuzzy Hash: 76B18BB1608350AFDB04DF64D844B6BBBE4BF8A314F00891CF5999B2A1D7B4EC05EB95

Function 00F8449A Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00F844AC
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00F844D2
_wcscpy.LIBCMT ref: 00F84500
_wcscmp.LIBCMT ref: 00F8450B
_wcscat.LIBCMT ref: 00F84521
_wcsstr.LIBCMT ref: 00F8452C
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00F84548
_wcscat.LIBCMT ref: 00F84591
_wcscat.LIBCMT ref: 00F84598
_wcsncpy.LIBCMT ref: 00F845C3

Strings

StringFileInfo\, xrefs: 00F8451B
%u.%u.%u.%u, xrefs: 00F84626
04090000, xrefs: 00F8457E
\VarFileInfo\Translation, xrefs: 00F84540
DefaultLangCodepage, xrefs: 00F845AB

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 59e01f5a23b634550e8278369985114817eeed4002315416d0e75441790d139e
Instruction ID: cd61e46c692194ceb95fa8c35843f0c75edf6fb3fd2d39ba6c9835c08edbab34
Opcode Fuzzy Hash: 59e01f5a23b634550e8278369985114817eeed4002315416d0e75441790d139e
Instruction Fuzzy Hash: 3241B872A002057BD710BAB48C47EFF7B7CDF42720F04046AFD05E6182EA38EA11B6A5

Function 00F227D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00F228BC
GetSystemMetrics.USER32(00000007), ref: 00F228C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00F228EF
GetSystemMetrics.USER32(00000008), ref: 00F228F7
GetSystemMetrics.USER32(00000004), ref: 00F2291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00F22939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00F22949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00F2297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00F22990
GetClientRect.USER32(00000000,000000FF), ref: 00F229AE
GetStockObject.GDI32(00000011), ref: 00F229CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 00F229D5

Part of subcall function 00F22344: GetCursorPos.USER32(?), ref: 00F22357
Part of subcall function 00F22344: ScreenToClient.USER32(00FE57B0,?), ref: 00F22374
Part of subcall function 00F22344: GetAsyncKeyState.USER32(00000001), ref: 00F22399
Part of subcall function 00F22344: GetAsyncKeyState.USER32(00000002), ref: 00F223A7

SetTimer.USER32(00000000,00000000,00000028,00F21256), ref: 00F229FC

Strings

AutoIt v3 GUI, xrefs: 00F22974

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 72a0f6aa2c31650b3909c0ae2141da3a40018510ff8d7b1372e377f95957c269
Instruction ID: 5e4273cf77f9aff3a76aa96eadc884be397d59d8d7d1ceb1f442375c585fb5d7
Opcode Fuzzy Hash: 72a0f6aa2c31650b3909c0ae2141da3a40018510ff8d7b1372e377f95957c269
Instruction Fuzzy Hash: 26B19071A0021AEFDB14DFA8DC85BAD7BB4FB08715F104229FA16EB290DB74D854EB50

Function 00F7A439 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00F7A47A
__swprintf.LIBCMT ref: 00F7A51B
_wcscmp.LIBCMT ref: 00F7A52E
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00F7A583
_wcscmp.LIBCMT ref: 00F7A5BF
GetClassNameW.USER32(?,?,00000400), ref: 00F7A5F6
GetDlgCtrlID.USER32(?), ref: 00F7A648
GetWindowRect.USER32(?,?), ref: 00F7A67E
GetParent.USER32(?), ref: 00F7A69C
ScreenToClient.USER32(00000000), ref: 00F7A6A3
GetClassNameW.USER32(?,?,00000100), ref: 00F7A71D
_wcscmp.LIBCMT ref: 00F7A731
GetWindowTextW.USER32(?,?,00000400), ref: 00F7A757
_wcscmp.LIBCMT ref: 00F7A76B

Part of subcall function 00F4362C: _iswctype.LIBCMT ref: 00F43634

Strings

%s%u, xrefs: 00F7A515

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: cf81fe767297b27c9eef1d70a6bf20f49a3ed1638e01fbe7e0b41025006b28cb
Instruction ID: b6d6881223808541a1f6767dcb5e01105774954676b6a2a3166a780f12d5d426
Opcode Fuzzy Hash: cf81fe767297b27c9eef1d70a6bf20f49a3ed1638e01fbe7e0b41025006b28cb
Instruction Fuzzy Hash: 30A1D371604206ABC718DF64C884FAEB7E8FF84320F05862AF99DC6150D734E956EB93

Function 00F7AED4 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 00F7AF18
_wcscmp.LIBCMT ref: 00F7AF29
GetWindowTextW.USER32(00000001,?,00000400), ref: 00F7AF51
CharUpperBuffW.USER32(?,00000000), ref: 00F7AF6E
_wcscmp.LIBCMT ref: 00F7AF8C
_wcsstr.LIBCMT ref: 00F7AF9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00F7AFD5
_wcscmp.LIBCMT ref: 00F7AFE5
GetWindowTextW.USER32(00000002,?,00000400), ref: 00F7B00C
GetClassNameW.USER32(00000018,?,00000400), ref: 00F7B055
_wcscmp.LIBCMT ref: 00F7B065
GetClassNameW.USER32(00000010,?,00000400), ref: 00F7B08D
GetWindowRect.USER32(00000004,?), ref: 00F7B0F6

Strings

@, xrefs: 00F7AEF9
ThumbnailClass, xrefs: 00F7AFE0, 00F7B060

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 0ed70b3e95fd36fb2fb1fca1485e91f02f972eff31739c3385d30c0c0e65d50b
Instruction ID: 6ed7cf83e1ddad1ff50ef7a97db34d547671de90b1417f347b948679d2f3c9d6
Opcode Fuzzy Hash: 0ed70b3e95fd36fb2fb1fca1485e91f02f972eff31739c3385d30c0c0e65d50b
Instruction Fuzzy Hash: B681B1715083099BDB04DF10C885FAA7BE8EF85724F04C46AFD898A096DB34DD49EB62

Function 00F7ABD4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00F7AC33

Strings

LAST, xrefs: 00F7ABF8
[ALL, xrefs: 00F7ACD9
[CLASS:, xrefs: 00F7AC83
[REGEXPTITLE:, xrefs: 00F7AC5B
REGEXP=, xrefs: 00F7AC48
[HANDLE:, xrefs: 00F7AC3F
[LAST, xrefs: 00F7ACE0
ALL, xrefs: 00F7ACC7
ACTIVE, xrefs: 00F7AC0E
CLASSNAME=, xrefs: 00F7AC70
HANDLE=, xrefs: 00F7AC2C
[ACTIVE, xrefs: 00F7AC20

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: bdba824e0814a3d9f2870a3fb4a638a32a1a80f7f056aa7cf5790b147616f44c
Instruction ID: 4c8fb23ce46ba3696631fa769917dbf49af87a40bd667800e3c4c26d073a7e24
Opcode Fuzzy Hash: bdba824e0814a3d9f2870a3fb4a638a32a1a80f7f056aa7cf5790b147616f44c
Instruction Fuzzy Hash: 5C31D031948319BADB11FA60ED03EAE7765AB10720F64402AF805791E5FA69EF04B653

Function 00F94FFD Relevance: 25.6, APIs: 17, Instructions: 110COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 00F95013
LoadCursorW.USER32(00000000,00007F00), ref: 00F9501E
LoadCursorW.USER32(00000000,00007F03), ref: 00F95029
LoadCursorW.USER32(00000000,00007F8B), ref: 00F95034
LoadCursorW.USER32(00000000,00007F01), ref: 00F9503F
LoadCursorW.USER32(00000000,00007F81), ref: 00F9504A
LoadCursorW.USER32(00000000,00007F88), ref: 00F95055
LoadCursorW.USER32(00000000,00007F80), ref: 00F95060
LoadCursorW.USER32(00000000,00007F86), ref: 00F9506B
LoadCursorW.USER32(00000000,00007F83), ref: 00F95076
LoadCursorW.USER32(00000000,00007F85), ref: 00F95081
LoadCursorW.USER32(00000000,00007F82), ref: 00F9508C
LoadCursorW.USER32(00000000,00007F84), ref: 00F95097
LoadCursorW.USER32(00000000,00007F04), ref: 00F950A2
LoadCursorW.USER32(00000000,00007F02), ref: 00F950AD
LoadCursorW.USER32(00000000,00007F89), ref: 00F950B8
GetCursorInfo.USER32(?), ref: 00F950C8

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: 770d74529191e0d3f0b7cc591d97d8cb248d9899f3078056eabdd47173413097
Instruction ID: ddf025af31afebcce869ed98940e7b1b215da9ea47a2e90ed5586621efe7b69a
Opcode Fuzzy Hash: 770d74529191e0d3f0b7cc591d97d8cb248d9899f3078056eabdd47173413097
Instruction Fuzzy Hash: 7E3115B1D0831E6ADF119FB68C8999FBFE8FF04750F50452AE50CE7280DA78A5049F91

Function 00FAA1B9 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FAA259
DestroyWindow.USER32(?,?), ref: 00FAA2D3

Part of subcall function 00F27BCC: _memmove.LIBCMT ref: 00F27C06

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00FAA34D
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00FAA36F
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00FAA382
DestroyWindow.USER32(00000000), ref: 00FAA3A4
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00F20000,00000000), ref: 00FAA3DB
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00FAA3F4
GetDesktopWindow.USER32 ref: 00FAA40D
GetWindowRect.USER32(00000000), ref: 00FAA414
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00FAA42C
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00FAA444

Part of subcall function 00F225DB: GetWindowLongW.USER32(?,000000EB), ref: 00F225EC

Strings

0, xrefs: 00FAA26F
tooltips_class32, xrefs: 00FAA346, 00FAA3D4

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 224dce6202061203cd9b44d7c3de864bfe23119d4534ab6b72f7c8eb139b1e4b
Instruction ID: 625f57886465376db6b4968e9d29bea74edbe3561d1b0dfb6205e01f6546b709
Opcode Fuzzy Hash: 224dce6202061203cd9b44d7c3de864bfe23119d4534ab6b72f7c8eb139b1e4b
Instruction Fuzzy Hash: EB71BEB1540344AFD720DF28CC48F6A77E6FB8A714F04451DF9858B2A0C775E90AEB52

Function 00FAC5FE Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F22612: GetWindowLongW.USER32(?,000000EB), ref: 00F22623

DragQueryPoint.SHELL32(?,?), ref: 00FAC627

Part of subcall function 00FAAB37: ClientToScreen.USER32(?,?), ref: 00FAAB60
Part of subcall function 00FAAB37: GetWindowRect.USER32(?,?), ref: 00FAABD6
Part of subcall function 00FAAB37: PtInRect.USER32(?,?,00FAC014), ref: 00FAABE6

SendMessageW.USER32(?,000000B0,?,?), ref: 00FAC690
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00FAC69B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00FAC6BE
_wcscat.LIBCMT ref: 00FAC6EE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00FAC705
SendMessageW.USER32(?,000000B0,?,?), ref: 00FAC71E
SendMessageW.USER32(?,000000B1,?,?), ref: 00FAC735
SendMessageW.USER32(?,000000B1,?,?), ref: 00FAC757
DragFinish.SHELL32(?), ref: 00FAC75E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00FAC851

Strings

@GUI_DRAGFILE, xrefs: 00FAC800
@GUI_DRAGID, xrefs: 00FAC7C9
@GUI_DROPID, xrefs: 00FAC77E

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: acaa07479b31e7af8845c7cbc0b7c5177ca98ebf060379da8fce62a1af47a4c5
Instruction ID: 414b1509445d62960dffbf34e1dca431ffa011e478f07ae50b6a68ba8425644f
Opcode Fuzzy Hash: acaa07479b31e7af8845c7cbc0b7c5177ca98ebf060379da8fce62a1af47a4c5
Instruction Fuzzy Hash: 5961A071108304AFC701EF64DC85D9FBBE8EF89750F04092EF595962A1DB70A949EB92

Function 00FA4392 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00FA4424
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00FA446F

Strings

GETSELECTED, xrefs: 00FA457F
EXISTS, xrefs: 00FA44D8
EXPAND, xrefs: 00FA4521
GETTEXT, xrefs: 00FA45C2
ISCHECKED, xrefs: 00FA45F2
GETTOTALCOUNT, xrefs: 00FA4456
UNCHECK, xrefs: 00FA464B
CHECK, xrefs: 00FA448F
GETITEMCOUNT, xrefs: 00FA4551
SELECT, xrefs: 00FA4620
COLLAPSE, xrefs: 00FA44B5

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: b2fbf53f49a9523b2fff4cfb8a77b03351c426b4f0639a3f911fcb3a2ba00de6
Instruction ID: 0d6c0dd3962f2b2597d8b09c1b44c8a14a0cd75796f90ea2e508eab7e553cbca
Opcode Fuzzy Hash: b2fbf53f49a9523b2fff4cfb8a77b03351c426b4f0639a3f911fcb3a2ba00de6
Instruction Fuzzy Hash: 699182716047119FCB04EF10C851A6EB7A1AF96350F48846DFC965B3A2CBB8FD09EB91

Function 00FAB7FE Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00FAB8B4
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00FA91C2), ref: 00FAB910
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00FAB949
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00FAB98C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00FAB9C3
FreeLibrary.KERNEL32(?), ref: 00FAB9CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00FAB9DF
DestroyIcon.USER32(?,?,?,?,?,00FA91C2), ref: 00FAB9EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00FABA0B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00FABA17

Part of subcall function 00F42EFD: __wcsicmp_l.LIBCMT ref: 00F42F86

Strings

.exe, xrefs: 00FAB84A
.dll, xrefs: 00FAB86D
.icl, xrefs: 00FAB82A

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 61f21eb9bf84252cbb118b094fb86039ec530163c1858cdd8d9684ac15bdd422
Instruction ID: 0c76b94b5ba203fa1df19ee58292e2abfce62d102fb68049732e06997cf687d1
Opcode Fuzzy Hash: 61f21eb9bf84252cbb118b094fb86039ec530163c1858cdd8d9684ac15bdd422
Instruction Fuzzy Hash: 6C61F1B1900219BAEB14DF64CC41FBE7BACEF0A721F104116FD15DA1D2DB789A90E7A0

Function 00F8A352 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00F29837: __itow.LIBCMT ref: 00F29862
Part of subcall function 00F29837: __swprintf.LIBCMT ref: 00F298AC

CharLowerBuffW.USER32(?,?), ref: 00F8A3CB
GetDriveTypeW.KERNEL32 ref: 00F8A418
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F8A460
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F8A497
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F8A4C5

Part of subcall function 00F27BCC: _memmove.LIBCMT ref: 00F27C06

Strings

closed, xrefs: 00F8A3DF, 00F8A3E8
open, xrefs: 00F8A3F2
open , xrefs: 00F8A427
close cd wait, xrefs: 00F8A4B0
wait, xrefs: 00F8A482
set cd door , xrefs: 00F8A466
type cdaudio alias cd wait, xrefs: 00F8A443
close, xrefs: 00F8A3D1

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: d8f138040bdd515ababe6e43f625a2086947bc12e516270ddf1c4974ebab5937
Instruction ID: 53805285490749cc4a71eb3c17c64b8a1ea2b9bf355174b60558b7bd11762aea
Opcode Fuzzy Hash: d8f138040bdd515ababe6e43f625a2086947bc12e516270ddf1c4974ebab5937
Instruction Fuzzy Hash: C9519E711083159FC700EF20DC919AAB3E4EF84758F04882EF88A57261DB35ED0AEB82

Function 00F7F8AA Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,00F5E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 00F7F8DF
LoadStringW.USER32(00000000,?,00F5E029,00000001), ref: 00F7F8E8

Part of subcall function 00F27DE1: _memmove.LIBCMT ref: 00F27E22

GetModuleHandleW.KERNEL32(00000000,00FE5310,?,00000FFF,?,?,00F5E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 00F7F90A
LoadStringW.USER32(00000000,?,00F5E029,00000001), ref: 00F7F90D
__swprintf.LIBCMT ref: 00F7F95D
__swprintf.LIBCMT ref: 00F7F96E
_wprintf.LIBCMT ref: 00F7FA17
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00F7FA2E

Strings

Line %d:, xrefs: 00F7F968
%s (%d) : ==> %s: %s %s, xrefs: 00F7FA12
Line %d (File "%s"):, xrefs: 00F7F957
Error: , xrefs: 00F7F9E5
^ ERROR, xrefs: 00F7F9C3

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: 0dc5b04cb2d71078059f383ab8275335b4884de1494815a25dd49c332ae96917
Instruction ID: 0c3193ee6db92b575963e444d76fc0788128e82a14bf8fb53fe74a7e803641b7
Opcode Fuzzy Hash: 0dc5b04cb2d71078059f383ab8275335b4884de1494815a25dd49c332ae96917
Instruction Fuzzy Hash: 8C41307280421DAACF04FFE0ED86DEE7778AF54340F500065B509B6192EA396F4DEB61

Function 00FABA33 Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00FA9207,?,?), ref: 00FABA56
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00FA9207,?,?,00000000,?), ref: 00FABA6D
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00FA9207,?,?,00000000,?), ref: 00FABA78
CloseHandle.KERNEL32(00000000,?,?,?,?,00FA9207,?,?,00000000,?), ref: 00FABA85
GlobalLock.KERNEL32(00000000), ref: 00FABA8E
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00FA9207,?,?,00000000,?), ref: 00FABA9D
GlobalUnlock.KERNEL32(00000000), ref: 00FABAA6
CloseHandle.KERNEL32(00000000,?,?,?,?,00FA9207,?,?,00000000,?), ref: 00FABAAD
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00FA9207,?,?,00000000,?), ref: 00FABABE
OleLoadPicture.OLEAUT32(?,00000000,00000000,00FB2CAC,?), ref: 00FABAD7
GlobalFree.KERNEL32(00000000), ref: 00FABAE7
GetObjectW.GDI32(00000000,00000018,?), ref: 00FABB0B
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 00FABB36
DeleteObject.GDI32(00000000), ref: 00FABB5E
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00FABB74

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 578604257eab56d5de5fcb99cfd86647e2c3c8fb6756d469aaaf230704cd124e
Instruction ID: e4f1079d76331e442e54f43258df606a80bfdd04cd12b96d22623cc5e63e5f73
Opcode Fuzzy Hash: 578604257eab56d5de5fcb99cfd86647e2c3c8fb6756d469aaaf230704cd124e
Instruction Fuzzy Hash: 49413DB5600208EFDB119FA5DC48EAB7BB8FF8A721F104068F906DB261D7349D05EB60

Function 00F8D899 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 00F8DA10
_wcscat.LIBCMT ref: 00F8DA28
_wcscat.LIBCMT ref: 00F8DA3A
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00F8DA4F
SetCurrentDirectoryW.KERNEL32(?), ref: 00F8DA63
GetFileAttributesW.KERNEL32(?), ref: 00F8DA7B
SetFileAttributesW.KERNEL32(?,00000000), ref: 00F8DA95
SetCurrentDirectoryW.KERNEL32(?), ref: 00F8DAA7

Strings

*.*, xrefs: 00F8DAE6

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 3b6322d8c22d1b621faf7b1ef07811179a21d89a74fb53ff401601f7f352504c
Instruction ID: 3ecf7fb7fa48c5802e67bfdd6ce18ca99bc438b156de47dc4c5eeb574d650e85
Opcode Fuzzy Hash: 3b6322d8c22d1b621faf7b1ef07811179a21d89a74fb53ff401601f7f352504c
Instruction Fuzzy Hash: A28184729042459FCB24EF64C845AEAB7E4BF85324F18482EF889C7291E734DD45EB52

Function 00FAC1AC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F22612: GetWindowLongW.USER32(?,000000EB), ref: 00F22623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00FAC1FC
GetFocus.USER32 ref: 00FAC20C
GetDlgCtrlID.USER32(00000000), ref: 00FAC217
_memset.LIBCMT ref: 00FAC342
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00FAC36D
GetMenuItemCount.USER32(?), ref: 00FAC38D
GetMenuItemID.USER32(?,00000000), ref: 00FAC3A0
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00FAC3D4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00FAC41C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00FAC454
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00FAC489

Strings

0, xrefs: 00FAC33A

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: dc9328698d9169b848ab27bfdac57f06a77439564cdcf9ebfa1bee538ba00a5d
Instruction ID: 14d2a7f99dbf6fed66d3f729d377d5d0449035ee87e92f9015d48a4fde0d22e0
Opcode Fuzzy Hash: dc9328698d9169b848ab27bfdac57f06a77439564cdcf9ebfa1bee538ba00a5d
Instruction Fuzzy Hash: 1881B1B1A083059FDB10CF54C894A7BBBE8FF8A724F00492DF99597291C730D905EBA2

Function 00F9731A Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00F9738F
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00F9739B
CreateCompatibleDC.GDI32(?), ref: 00F973A7
SelectObject.GDI32(00000000,?), ref: 00F973B4
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00F97408
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00F97444
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00F97468
SelectObject.GDI32(00000006,?), ref: 00F97470
DeleteObject.GDI32(?), ref: 00F97479
DeleteDC.GDI32(00000006), ref: 00F97480
ReleaseDC.USER32(00000000,?), ref: 00F9748B

Strings

(, xrefs: 00F97410

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: faecadbb774529b46e62acb564b96407e070462d8048b31eb3b9be280a2bd786
Instruction ID: ed8b6267649a6441d262c3f642db6dd621893a4cf68e00d7eeff4e1e1c4b264c
Opcode Fuzzy Hash: faecadbb774529b46e62acb564b96407e070462d8048b31eb3b9be280a2bd786
Instruction Fuzzy Hash: 50515CB5904309EFDB14DFA9CC84EAEBBB9EF49310F14842DF95A97211C731A944DB50

Function 00F26A8C Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00F40957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00F26B0C,?,00008000), ref: 00F40973

Part of subcall function 00F24750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F24743,?,?,00F237AE,?), ref: 00F24770

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00F26BAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00F26CFA

Part of subcall function 00F2586D: _wcscpy.LIBCMT ref: 00F258A5

Part of subcall function 00F4363D: _iswctype.LIBCMT ref: 00F43645

Strings

#include depth exceeded. Make sure there are no recursive includes, xrefs: 00F5E421
EA06, xrefs: 00F5E452
Unterminated string, xrefs: 00F5E7E4
>>>AUTOIT SCRIPT<<<, xrefs: 00F5E496
Error opening the file, xrefs: 00F5E43D, 00F5E4B8
AU3!, xrefs: 00F26B61
Bad directive syntax error, xrefs: 00F5E79D

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: 36311acbcc9e4e8f4a830dd58c5c616506c574a192db782ae2c763549f375398
Instruction ID: f7aa308ca019ae3264b16e41a9ec06037f89a28cda5196290cf4ce4473c933e5
Opcode Fuzzy Hash: 36311acbcc9e4e8f4a830dd58c5c616506c574a192db782ae2c763549f375398
Instruction Fuzzy Hash: 1B02ED315083419FC714EF20DC81AAFBBE5EF99354F14482DF989972A1DB38DA49EB42

Function 00F82D36 Relevance: 19.7, APIs: 13, Instructions: 214windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F82D50
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00F82DDD
GetMenuItemCount.USER32(00FE5890), ref: 00F82E66
DeleteMenu.USER32(00FE5890,00000005,00000000,000000F5,?,?), ref: 00F82EF6
DeleteMenu.USER32(00FE5890,00000004,00000000), ref: 00F82EFE
DeleteMenu.USER32(00FE5890,00000006,00000000), ref: 00F82F06
DeleteMenu.USER32(00FE5890,00000003,00000000), ref: 00F82F0E
GetMenuItemCount.USER32(00FE5890), ref: 00F82F16
SetMenuItemInfoW.USER32(00FE5890,00000004,00000000,00000030), ref: 00F82F4C
GetCursorPos.USER32(?), ref: 00F82F56
SetForegroundWindow.USER32(00000000), ref: 00F82F5F
TrackPopupMenuEx.USER32(00FE5890,00000000,?,00000000,00000000,00000000), ref: 00F82F72
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00F82F7E

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: 712e89b27412da9bc1848491b87ba5e05986410412fd5b68dce1126b715359b7
Instruction ID: edf1227bf9d6409af4ddf1268c7ec38deceec1ce82cf18657558e24773f481d1
Opcode Fuzzy Hash: 712e89b27412da9bc1848491b87ba5e05986410412fd5b68dce1126b715359b7
Instruction Fuzzy Hash: 9771D271A00209BEEB61AF54DC89FEABF64FF05724F140216F625AA1E1C7B17810FB94

Function 00F777DC Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00F27BCC: _memmove.LIBCMT ref: 00F27C06

_memset.LIBCMT ref: 00F7786B
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00F778A0
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00F778BC
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00F778D8
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00F77902
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00F7792A
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00F77935
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00F7793A

Strings

\IPC$, xrefs: 00F77882
SOFTWARE\Classes\, xrefs: 00F7780C
\CLSID, xrefs: 00F77822

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: 86e5fb359d9775b4aaa628dd8ad7eb405e150344f4f281f85df83564731c6030
Instruction ID: 3928328abe9da5821228182095fccfbbd6894ae7f6a6b4407c48bba5b494d1cd
Opcode Fuzzy Hash: 86e5fb359d9775b4aaa628dd8ad7eb405e150344f4f281f85df83564731c6030
Instruction Fuzzy Hash: 74410872C1422DABCF11FFA4EC85DEEB778BF04710F44442AE905A7261EA349D08EB91

Function 00FA0E1A Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F9FDAD,?,?), ref: 00FA0E31

Strings

HKCR, xrefs: 00FA0ED9
HKCU, xrefs: 00FA0F21
HKU, xrefs: 00FA0F43
HKEY_CURRENT_CONFIG, xrefs: 00FA0EEE
HKEY_LOCAL_MACHINE, xrefs: 00FA0E9A
HKEY_USERS, xrefs: 00FA0F32
HKEY_CURRENT_USER, xrefs: 00FA0F10
HKLM, xrefs: 00FA0EAF
HKCC, xrefs: 00FA0EFF
HKEY_CLASSES_ROOT, xrefs: 00FA0EC4

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: c73b06763563606eb2aaf137b3db5f8bedd3da9c6cce855de4ca04424eb1d628
Instruction ID: 1d19fbaf6f7f04da10e9617f98dee2cd007002b2808b430ea6d420ce5d7937fb
Opcode Fuzzy Hash: c73b06763563606eb2aaf137b3db5f8bedd3da9c6cce855de4ca04424eb1d628
Instruction Fuzzy Hash: 97416A7254424A8FCF10EF50ECA1AEE3765EF12350F184415FC552B292DF78A91AFBA0

Function 00F7F7A1 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00F5E2A0,00000010,?,Bad directive syntax error,00FAF910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 00F7F7C2
LoadStringW.USER32(00000000,?,00F5E2A0,00000010), ref: 00F7F7C9

Part of subcall function 00F27DE1: _memmove.LIBCMT ref: 00F27E22

_wprintf.LIBCMT ref: 00F7F7FC
__swprintf.LIBCMT ref: 00F7F81E
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00F7F88D

Strings

Error: , xrefs: 00F7F85B
Line %d:, xrefs: 00F7F818
Line %d (File "%s"):, xrefs: 00F7F833
%s (%d) : ==> %s.: %s %s, xrefs: 00F7F7F7
., xrefs: 00F7F873

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: f95d5df408de0806af6466dbc95871a7f97edae2cc1e8a4b042485c22291d770
Instruction ID: a648f9d78355a1e8712225f1b21bc53c57dd36d621f5569c6d77ba6dbbea7645
Opcode Fuzzy Hash: f95d5df408de0806af6466dbc95871a7f97edae2cc1e8a4b042485c22291d770
Instruction Fuzzy Hash: 0D21803294021EEBCF11EFA0DC4AEEE7739BF18300F044466F509661A1EA75A61CFB52

Function 00F852C7 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00F27BCC: _memmove.LIBCMT ref: 00F27C06

Part of subcall function 00F27924: _memmove.LIBCMT ref: 00F279AD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00F85330
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00F85346
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F85357
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00F85369
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00F8537A

Strings

open , xrefs: 00F852DF
play PlayMe, xrefs: 00F85375
status PlayMe mode, xrefs: 00F8532B
alias PlayMe, xrefs: 00F85309
close PlayMe, xrefs: 00F85341, 00F8536E
play PlayMe wait, xrefs: 00F85364

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 147ed119f808204509e159e814a05c5aacaaad517fe5c99ab01b953f3da2d375
Instruction ID: 088939a52b70d15f158be8d986f8d46fbe3ac2b81c16d3a01226090cb227caf0
Opcode Fuzzy Hash: 147ed119f808204509e159e814a05c5aacaaad517fe5c99ab01b953f3da2d375
Instruction Fuzzy Hash: 2B119431E5022D7AD720B775DC4ADFF7B7DEB92F90F04042AB401A21D1DEA08D45E6A1

Function 00F846B7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00F846D2
gethostname.WSOCK32(?,00000100), ref: 00F846EC
gethostbyname.WSOCK32(?), ref: 00F846F9
_wcscpy.LIBCMT ref: 00F84721
_memmove.LIBCMT ref: 00F84734
inet_ntoa.WSOCK32(?), ref: 00F8473F
_strcat.LIBCMT ref: 00F8474D
_wcscpy.LIBCMT ref: 00F84764
WSACleanup.WSOCK32 ref: 00F84772
_wcscpy.LIBCMT ref: 00F84780

Strings

0.0.0.0, xrefs: 00F8471B

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 309e1e837e88806d260a8c0d17fe126dd536b976d39d9008152f8ea52dad99b6
Instruction ID: fcf8ce577f857dd1d718e1961e7ebfd966e5606c1068b5561aadc3efbbbebb53
Opcode Fuzzy Hash: 309e1e837e88806d260a8c0d17fe126dd536b976d39d9008152f8ea52dad99b6
Instruction Fuzzy Hash: EB11D571D001196BCB20BB709C4AEEE7BBCEF02721F0401B6F94596091EF789985AB55

Function 00F84F75 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00F84F7A

Part of subcall function 00F4049F: timeGetTime.WINMM(?,75A8B400,00F30E7B), ref: 00F404A3

Sleep.KERNEL32(0000000A), ref: 00F84FA6
EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00F84FCA
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00F84FEC
SetActiveWindow.USER32 ref: 00F8500B
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00F85019
SendMessageW.USER32(00000010,00000000,00000000), ref: 00F85038
Sleep.KERNEL32(000000FA), ref: 00F85043
IsWindow.USER32 ref: 00F8504F
EndDialog.USER32(00000000), ref: 00F85060

Strings

BUTTON, xrefs: 00F84FDE

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 058c9b6f548a7fa431260393041882b539ae13a9d5581d7e38353d8570b06c39
Instruction ID: 5e2d09e6b0b4d2140a057ceb96d097de92ece91e3779588a9c63eaea95daa285
Opcode Fuzzy Hash: 058c9b6f548a7fa431260393041882b539ae13a9d5581d7e38353d8570b06c39
Instruction Fuzzy Hash: E521A7B0A0074EAFE7106F60ECC9B763BA9EB15B95F0C1029F102CA2B5DB719D04B761

Function 00F8D58D Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00F29837: __itow.LIBCMT ref: 00F29862
Part of subcall function 00F29837: __swprintf.LIBCMT ref: 00F298AC

CoInitialize.OLE32(00000000), ref: 00F8D5EA
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00F8D67D
SHGetDesktopFolder.SHELL32(?), ref: 00F8D691
CoCreateInstance.OLE32(00FB2D7C,00000000,00000001,00FD8C1C,?), ref: 00F8D6DD
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00F8D74C
CoTaskMemFree.OLE32(?,?), ref: 00F8D7A4
_memset.LIBCMT ref: 00F8D7E1
SHBrowseForFolderW.SHELL32(?), ref: 00F8D81D
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00F8D840
CoTaskMemFree.OLE32(00000000), ref: 00F8D847
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00F8D87E
CoUninitialize.OLE32(00000001,00000000), ref: 00F8D880

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 67596bc9743af29616068b4a718604514ae1132c32d7420d5c8e4c3761552e62
Instruction ID: b96148f142b1755b682e0ed628ad04aec3041f22b816922ab2c59bffcec8504e
Opcode Fuzzy Hash: 67596bc9743af29616068b4a718604514ae1132c32d7420d5c8e4c3761552e62
Instruction Fuzzy Hash: EEB10975A00119AFDB04EFA4CC88DAEBBB9FF49314F148069E909EB261DB34ED45DB50

Function 00F7C267 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00F7C283
GetWindowRect.USER32(00000000,?), ref: 00F7C295
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00F7C2F3
GetDlgItem.USER32(?,00000002), ref: 00F7C2FE
GetWindowRect.USER32(00000000,?), ref: 00F7C310
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00F7C364
GetDlgItem.USER32(?,000003E9), ref: 00F7C372
GetWindowRect.USER32(00000000,?), ref: 00F7C383
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00F7C3C6
GetDlgItem.USER32(?,000003EA), ref: 00F7C3D4
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00F7C3F1
InvalidateRect.USER32(?,00000000,00000001), ref: 00F7C3FE

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: d62a840b8a52bbb55c249faef55824f19376e8cc29a2b3b4a63904f9a3c860f4
Instruction ID: f413bc29111624c4bf2133dddaf3c6ad9a817b088a4a884a2338bc749675843c
Opcode Fuzzy Hash: d62a840b8a52bbb55c249faef55824f19376e8cc29a2b3b4a63904f9a3c860f4
Instruction Fuzzy Hash: 715153B1F00209AFDB18CFA9DD85A6DBBB6EF88310F14812DF519D7290D7709D049B50

Function 00F2201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00F21B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00F22036,?,00000000,?,?,?,?,00F216CB,00000000,?), ref: 00F21B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00F220D3
KillTimer.USER32(-00000001,?,?,?,?,00F216CB,00000000,?,?,00F21AE2,?,?), ref: 00F2216E
DestroyAcceleratorTable.USER32(00000000), ref: 00F5BCA6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00F216CB,00000000,?,?,00F21AE2,?,?), ref: 00F5BCD7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00F216CB,00000000,?,?,00F21AE2,?,?), ref: 00F5BCEE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00F216CB,00000000,?,?,00F21AE2,?,?), ref: 00F5BD0A
DeleteObject.GDI32(00000000), ref: 00F5BD1C

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 841e5687b2e3c22cc4e63d87dcb46208d51ccd2cac4bdfaeaa35ae568ded00dd
Instruction ID: de94315261def64256cc3a1a822a4d541e186da57dd4dcda11b5b0d82e5e2f87
Opcode Fuzzy Hash: 841e5687b2e3c22cc4e63d87dcb46208d51ccd2cac4bdfaeaa35ae568ded00dd
Instruction Fuzzy Hash: 5561AF32900A64EFCB35DF14E988B25B7F1FF41726F108529EA424E570C774A994FB80

Function 00F221A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 00F225DB: GetWindowLongW.USER32(?,000000EB), ref: 00F225EC

GetSysColor.USER32(0000000F), ref: 00F221D3

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 5c6615dea411bb451a3f0a963417dc3f99b3ae248814750bd70fb64743cd9a5e
Instruction ID: dd85d5ae566cd4f7e9d808ea9b3d8385cf1962981b01b827f6ce7e012f36036b
Opcode Fuzzy Hash: 5c6615dea411bb451a3f0a963417dc3f99b3ae248814750bd70fb64743cd9a5e
Instruction Fuzzy Hash: 97419F31400554EBEB655F68EC88BB93B65EB06331F184365FE659E1E2C7328C46FB21

Function 00F8A8A7 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00FAF910), ref: 00F8A90B
GetDriveTypeW.KERNEL32(00000061,00FD89A0,00000061), ref: 00F8A9D5
_wcscpy.LIBCMT ref: 00F8A9FF

Strings

cdrom, xrefs: 00F8A927
fixed, xrefs: 00F8A953
ramdisk, xrefs: 00F8A97F
unknown, xrefs: 00F8A996
removable, xrefs: 00F8A93D
network, xrefs: 00F8A969
all, xrefs: 00F8A911

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 6968413e31efd21beef5b0e6f52187fb5d526b4b633375c8fb013f7ac604d7b1
Instruction ID: 8fcca76723c78381b29312620de27b29112956506c05d9379fd9e3cc4dd2f3d1
Opcode Fuzzy Hash: 6968413e31efd21beef5b0e6f52187fb5d526b4b633375c8fb013f7ac604d7b1
Instruction Fuzzy Hash: 3451CC315083019BD304FF14DC92AAFB7A5EF84750F48482EF999572A2DB74D909EB93

Function 00F29837 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00F29862
__swprintf.LIBCMT ref: 00F298AC
__i64tow.LIBCMT ref: 00F5F5E6

Strings

%.15g, xrefs: 00F298A6
True, xrefs: 00F5F5A7
0x%p, xrefs: 00F5F5C8
False, xrefs: 00F5F5AE

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: c10b4077eceda79707463f72f48b6654a63492477ace0dedaf63c28ad2d137d4
Instruction ID: 548e6c4c23c7aa24c1649cda6d0ed0a4bd2836173f4919b58840e4f5337ad0f2
Opcode Fuzzy Hash: c10b4077eceda79707463f72f48b6654a63492477ace0dedaf63c28ad2d137d4
Instruction Fuzzy Hash: 4241F532904205AFDB24DF34DC42EBA77E8EF05310F6844BEEA49D7291EA759949BB10

Function 00FA7152 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FA716A
CreateMenu.USER32 ref: 00FA7185
SetMenu.USER32(?,00000000), ref: 00FA7194
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FA7221
IsMenu.USER32(?), ref: 00FA7237
CreatePopupMenu.USER32 ref: 00FA7241
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00FA726E
DrawMenuBar.USER32 ref: 00FA7276

Strings

F, xrefs: 00FA7262
0, xrefs: 00FA7160

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 12c03ccc3771083b57676c02b48d518ef97370a657320e9f38f2597bdfbed4e4
Instruction ID: bf3a504c2853fac65d8c95c761e181bd44f3dcf962f42ca0dc29f3825726a009
Opcode Fuzzy Hash: 12c03ccc3771083b57676c02b48d518ef97370a657320e9f38f2597bdfbed4e4
Instruction Fuzzy Hash: E84114B5A01209AFDB20EFA4DD84F9ABBF5FB4A310F144029F9459B361D731A914EF90

Function 00FA74BB Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00FA755E
CreateCompatibleDC.GDI32(00000000), ref: 00FA7565
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00FA7578
SelectObject.GDI32(00000000,00000000), ref: 00FA7580
GetPixel.GDI32(00000000,00000000,00000000), ref: 00FA758B
DeleteDC.GDI32(00000000), ref: 00FA7594
GetWindowLongW.USER32(?,000000EC), ref: 00FA759E
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00FA75B2
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00FA75BE

Strings

static, xrefs: 00FA74F6

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: de3bc62de002b97bd98d0678fa8c20d6c6fd3703b6601169bac303cb6d1486dc
Instruction ID: bcdc8068c9fe1231eb5327285629bb3844bb1a46f1289ae0270a680d3488cbb6
Opcode Fuzzy Hash: de3bc62de002b97bd98d0678fa8c20d6c6fd3703b6601169bac303cb6d1486dc
Instruction Fuzzy Hash: E9318FB2904218BFDF11AFA4DC08FDB3B69FF0A320F154224FA559A1A0C735D815EBA4

Function 00F46E03 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F46E3E

Part of subcall function 00F48B28: __getptd_noexit.LIBCMT ref: 00F48B28

__gmtime64_s.LIBCMT ref: 00F46ED7
__gmtime64_s.LIBCMT ref: 00F46F0D
__gmtime64_s.LIBCMT ref: 00F46F2A
__allrem.LIBCMT ref: 00F46F80
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F46F9C
__allrem.LIBCMT ref: 00F46FB3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F46FD1
__allrem.LIBCMT ref: 00F46FE8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F47006
__invoke_watson.LIBCMT ref: 00F47077

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction ID: 44f71f522405d168b39e5bae17931ce48c1ca162568e2640d5c397b04a30d1cb
Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction Fuzzy Hash: 16712476E00716ABE714AE6CCC41BAABBF8AF01374F144229FD14D6281F778ED44A791

Function 00F82527 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F82542
GetMenuItemInfoW.USER32(00FE5890,000000FF,00000000,00000030), ref: 00F825A3
SetMenuItemInfoW.USER32(00FE5890,00000004,00000000,00000030), ref: 00F825D9
Sleep.KERNEL32(000001F4), ref: 00F825EB
GetMenuItemCount.USER32(?), ref: 00F8262F
GetMenuItemID.USER32(?,00000000), ref: 00F8264B
GetMenuItemID.USER32(?,-00000001), ref: 00F82675
GetMenuItemID.USER32(?,?), ref: 00F826BA
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00F82700
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F82714
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F82735

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 4715d7210a725d603cba14cf309f71eb8fca553ab9ae3e977483159a8df317e0
Instruction ID: 3177cf605d2e65eada4683c86216f3194bea464b0ac4ec1d9f92c9b5b7323d35
Opcode Fuzzy Hash: 4715d7210a725d603cba14cf309f71eb8fca553ab9ae3e977483159a8df317e0
Instruction Fuzzy Hash: 656190B1900249AFDF51EFA4DC88EFE7BB8EB01314F140059E842AB251E735BD05EB21

Function 00FA6F23 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00FA6FA5
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00FA6FA8
GetWindowLongW.USER32(?,000000F0), ref: 00FA6FCC
_memset.LIBCMT ref: 00FA6FDD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00FA6FEF
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00FA7067

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 20370b9d614205ccbce4728059010c1d4e8dc0fe76339b31b7d9b218136ecb90
Instruction ID: 6928710658254dae7371647a7b05c6ceaeddf5250ebf8b1c88e3ee685ea13cb2
Opcode Fuzzy Hash: 20370b9d614205ccbce4728059010c1d4e8dc0fe76339b31b7d9b218136ecb90
Instruction Fuzzy Hash: AA61ACB5900248AFDB11DFA4CC81EEE77F8EB09710F144169FA04EB2A1C775AE45EB90

Function 00F76B98 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00F76BBF
SafeArrayAllocData.OLEAUT32(?), ref: 00F76C18
VariantInit.OLEAUT32(?), ref: 00F76C2A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00F76C4A
VariantCopy.OLEAUT32(?,?), ref: 00F76C9D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00F76CB1
VariantClear.OLEAUT32(?), ref: 00F76CC6
SafeArrayDestroyData.OLEAUT32(?), ref: 00F76CD3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00F76CDC
VariantClear.OLEAUT32(?), ref: 00F76CEE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00F76CF9

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 6ad2468c17ab87079141689dd5603c3f9a3f4e97a96e735abe933efc7c841eb9
Instruction ID: 74ebd6ae8963fb196b20d35d61e4d068a0a056a5357e4286f6478ee7c30b0a93
Opcode Fuzzy Hash: 6ad2468c17ab87079141689dd5603c3f9a3f4e97a96e735abe933efc7c841eb9
Instruction Fuzzy Hash: 5B416071A0021D9FCF00DFA8DC449EEBBB9EF48350F00C069E955EB261DB35A949EB91

Function 00F95732 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00F95793
inet_addr.WSOCK32(?), ref: 00F957D8
gethostbyname.WSOCK32(?), ref: 00F957E4
IcmpCreateFile.IPHLPAPI ref: 00F957F2
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00F95862
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00F95878
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00F958ED
WSACleanup.WSOCK32 ref: 00F958F3

Strings

Ping, xrefs: 00F95816

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 16f2e6d83e5dfb538443616683b32965c973439b95694bc47e03c30bb2188938
Instruction ID: 3e8d267b1928df0795ddc9af623a83eb20a16c1c413e861cd1c7a887e805aa39
Opcode Fuzzy Hash: 16f2e6d83e5dfb538443616683b32965c973439b95694bc47e03c30bb2188938
Instruction Fuzzy Hash: 1A51A171A04700DFEB11EF64DC45B2A77E4EF45B20F044929F956DB2A1DB74E904EB42

Function 00F8B4C3 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00F8B4D0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00F8B546
GetLastError.KERNEL32 ref: 00F8B550
SetErrorMode.KERNEL32(00000000,READY), ref: 00F8B5BD

Strings

READY, xrefs: 00F8B596
INVALID, xrefs: 00F8B58F
NOTREADY, xrefs: 00F8B57C
UNKNOWN, xrefs: 00F8B575
READONLY, xrefs: 00F8B588

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 6edb9ed45998b69fabed8012fc87f72bdddd07363bf6b4621da3dae190c9407d
Instruction ID: df033936e670d3cf1c847d1404cfe4f05a8f67318c3c5ec819f02f630ea38b73
Opcode Fuzzy Hash: 6edb9ed45998b69fabed8012fc87f72bdddd07363bf6b4621da3dae190c9407d
Instruction Fuzzy Hash: E631AF75A002099FCB10FBA8DC85EEE7BB4FF49310F184026E505DB295DB749A46EB81

Function 00F78F8F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F27DE1: _memmove.LIBCMT ref: 00F27E22

Part of subcall function 00F7AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00F7AABC

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00F79014
GetDlgCtrlID.USER32 ref: 00F7901F
GetParent.USER32 ref: 00F7903B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00F7903E
GetDlgCtrlID.USER32(?), ref: 00F79047
GetParent.USER32(?), ref: 00F79063
SendMessageW.USER32(00000000,?,?,00000111), ref: 00F79066

Strings

ListBox, xrefs: 00F78FD1
ComboBox, xrefs: 00F78F9C

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 89986cc3e0c8dcb2e09c2ca4fda3ae0321da3d8a2f8052c4469320ff48b64004
Instruction ID: d0e6b2131598c77ecc6039100b6ce8d56514d3c09b7b5114540915b94f216e0a
Opcode Fuzzy Hash: 89986cc3e0c8dcb2e09c2ca4fda3ae0321da3d8a2f8052c4469320ff48b64004
Instruction Fuzzy Hash: E321F870A00208BBDF04ABB0CC85EFEBB75EF4A310F104116F925972A1DB799819FB61

Function 00F7907A Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F27DE1: _memmove.LIBCMT ref: 00F27E22

Part of subcall function 00F7AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00F7AABC

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00F790FD
GetDlgCtrlID.USER32 ref: 00F79108
GetParent.USER32 ref: 00F79124
SendMessageW.USER32(00000000,?,00000111,?), ref: 00F79127
GetDlgCtrlID.USER32(?), ref: 00F79130
GetParent.USER32(?), ref: 00F7914C
SendMessageW.USER32(00000000,?,?,00000111), ref: 00F7914F

Strings

ListBox, xrefs: 00F790BC
ComboBox, xrefs: 00F79087

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 65b50fcfd911281aad5b5242cfd22f28149ebc84e2449417e104882074e354ba
Instruction ID: e194e45f2c2b1a9beb053413928a6ae02467a4957e9a682cd227b9d9f21f547c
Opcode Fuzzy Hash: 65b50fcfd911281aad5b5242cfd22f28149ebc84e2449417e104882074e354ba
Instruction Fuzzy Hash: 0B21F874A00208BBDF10ABA0CC85EFEBB78EF45300F504016B515972A1DB799419FB21

Function 00F79163 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00F7916F
GetClassNameW.USER32(00000000,?,00000100), ref: 00F79184
_wcscmp.LIBCMT ref: 00F79196
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00F79211

Strings

list, xrefs: 00F791F3
SHELLDLL_DefView, xrefs: 00F79190
details, xrefs: 00F791BF
largeicons, xrefs: 00F791A5
smallicons, xrefs: 00F791D9

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 3f08e47314108752691932db077db3bb9e3b6bef8dfc95b28139cedd4536c998
Instruction ID: e026296899f76a85fdb8ce64634c70db29d1b002e745723921909ec4b0deee51
Opcode Fuzzy Hash: 3f08e47314108752691932db077db3bb9e3b6bef8dfc95b28139cedd4536c998
Instruction Fuzzy Hash: AE110A7768C307BAFA113624EC16EA73B9D9B15730B204027FD04E81D2FEE1A951B597

Function 00F988AB Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00F988D7
CoInitialize.OLE32(00000000), ref: 00F98904
CoUninitialize.OLE32 ref: 00F9890E
GetRunningObjectTable.OLE32(00000000,?), ref: 00F98A0E
SetErrorMode.KERNEL32(00000001,00000029), ref: 00F98B3B
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00FB2C0C), ref: 00F98B6F
CoGetObject.OLE32(?,00000000,00FB2C0C,?), ref: 00F98B92
SetErrorMode.KERNEL32(00000000), ref: 00F98BA5
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00F98C25
VariantClear.OLEAUT32(?), ref: 00F98C35

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 022867290e95f89ca28c3afb234ad606bd3af93d2f46acc360e33abaf019e56d
Instruction ID: b781549c47cc2671d3adae329e793b222ebc0172bce9aa8838659008e240c8ae
Opcode Fuzzy Hash: 022867290e95f89ca28c3afb234ad606bd3af93d2f46acc360e33abaf019e56d
Instruction Fuzzy Hash: 43C158B1608305AFDB00DF64C88492BB7E9FF8A388F04491DF8899B251DB75ED06DB52

Function 00F87990 Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00F87A6C

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: cfe9ebe628996ec166006fa687707bdd7b66002e0ffb12077dc62c1db87c488c
Instruction ID: dbcc628473bed3e1300a381218cad54dcf9f39dbf1d352cc3cead61e71b3d668
Opcode Fuzzy Hash: cfe9ebe628996ec166006fa687707bdd7b66002e0ffb12077dc62c1db87c488c
Instruction Fuzzy Hash: 98B15E719082199FDB00FFA4C885BFEBBB5EF49321F244429E901EB251D778E945EB90

Function 00F811CE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00F811F0
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00F80268,?,00000001), ref: 00F81204
GetWindowThreadProcessId.USER32(00000000), ref: 00F8120B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00F80268,?,00000001), ref: 00F8121A
GetWindowThreadProcessId.USER32(?,00000000), ref: 00F8122C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00F80268,?,00000001), ref: 00F81245
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00F80268,?,00000001), ref: 00F81257
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00F80268,?,00000001), ref: 00F8129C
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00F80268,?,00000001), ref: 00F812B1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00F80268,?,00000001), ref: 00F812BC

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 3dff9cf6a9def4f38974db2c6e8403e2882bbc4ec45f5fe16f021001ac6ac986
Instruction ID: d8aa97e4606f4cb659e2956c6f8dd839553e97a1789000379bcdc718abdf3bff
Opcode Fuzzy Hash: 3dff9cf6a9def4f38974db2c6e8403e2882bbc4ec45f5fe16f021001ac6ac986
Instruction Fuzzy Hash: 223193B5A0024CFBDB60AF54EC88FA977AEFB65361F104215F904CA2A0E7B49D45AB50

Function 00F2FA5D Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00F2FAA6
OleUninitialize.OLE32(?,00000000), ref: 00F2FB45
UnregisterHotKey.USER32(?), ref: 00F2FC9C
DestroyWindow.USER32(?), ref: 00F645D6
FreeLibrary.KERNEL32(?), ref: 00F6463B
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00F64668

Strings

close all, xrefs: 00F2FAA1

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 1e594ebdf28672b8d09dceef625ede98224e962e264713fd006aae45c7ffd7f2
Instruction ID: 46fdb008e793673ebf53be824ce6d40fb6af464a3c20aed801a9dbf063279d64
Opcode Fuzzy Hash: 1e594ebdf28672b8d09dceef625ede98224e962e264713fd006aae45c7ffd7f2
Instruction Fuzzy Hash: 53A18C31B01226CFCB19EF14D994A69F764BF05720F5442BDE80AAB261CB35ED1AEF50

Function 00F7A068 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00F7A439), ref: 00F7A377

Strings

NAME, xrefs: 00F7A1A9
CLASSNN, xrefs: 00F7A119
REGEXPCLASS, xrefs: 00F7A13C
TEXT, xrefs: 00F7A2AE
CLASS, xrefs: 00F7A0F6
INSTANCE, xrefs: 00F7A285

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 220626e58e249e2d25636c602ee3d6506d1a8a602a2a816dda0018ade0ad59c8
Instruction ID: 8629ea948f18bf92e837be205124aff02856f2e662afb9ffa8a496bf4b95041c
Opcode Fuzzy Hash: 220626e58e249e2d25636c602ee3d6506d1a8a602a2a816dda0018ade0ad59c8
Instruction Fuzzy Hash: 94910331A00606AACB08EFA0C841BEDFB75BF44310F55C11BE84DA7252DF356999FB92

Function 00F22E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00F22EAE

Part of subcall function 00F21DB3: GetClientRect.USER32(?,?), ref: 00F21DDC
Part of subcall function 00F21DB3: GetWindowRect.USER32(?,?), ref: 00F21E1D
Part of subcall function 00F21DB3: ScreenToClient.USER32(?,?), ref: 00F21E45

GetDC.USER32 ref: 00F5CD32
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00F5CD45
SelectObject.GDI32(00000000,00000000), ref: 00F5CD53
SelectObject.GDI32(00000000,00000000), ref: 00F5CD68
ReleaseDC.USER32(?,00000000), ref: 00F5CD70
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00F5CDFB

Strings

U, xrefs: 00F5CCD0

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 89665e7084b83d94795ffadf77c8cbce871e920950a760f6e8eb4f869cae7399
Instruction ID: b6f12209a1a8586c23cfbcf11360ca27b78c1c9f0e3a5b3b1cfb7fe26d0dd349
Opcode Fuzzy Hash: 89665e7084b83d94795ffadf77c8cbce871e920950a760f6e8eb4f869cae7399
Instruction Fuzzy Hash: A871C531900309EFCF218F64DC84AAA7BB5FF49365F14427AEE569A266C7309C45FB90

Function 00F91A15 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00F91A50
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00F91A7C
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00F91ABE
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00F91AD3
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00F91AE0
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00F91B10
InternetCloseHandle.WININET(00000000), ref: 00F91B57

Part of subcall function 00F92483: GetLastError.KERNEL32(?,?,00F91817,00000000,00000000,00000001), ref: 00F92498
Part of subcall function 00F92483: SetEvent.KERNEL32(?,?,00F91817,00000000,00000000,00000001), ref: 00F924AD

Strings

, xrefs: 00F91B01

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: 1b27c24d0acf8d4fe85336f5bcf6ae5016206d6bbffd8cd19c39326102cd383d
Instruction ID: 27dad6667123578f4b44a11d2658cf92ce7ebc2f353fd70d090ca474ccc4f076
Opcode Fuzzy Hash: 1b27c24d0acf8d4fe85336f5bcf6ae5016206d6bbffd8cd19c39326102cd383d
Instruction Fuzzy Hash: CC4171B190121ABFFF118F50CC85FBA7BADFF49354F004126F9059A141E7749E44ABA0

Function 00F98C46 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00FAF910), ref: 00F98D28
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00FAF910), ref: 00F98D5C
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00F98ED6
SysFreeString.OLEAUT32(?), ref: 00F98F00

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 44089a24daccf94ffcdd0c85ac64ca2384a4c7c12105d0029c1cfea949efcc8e
Instruction ID: d1a37f47126862dadba919a7a75ef99ccd9a22de39635eeb59e996eafde56d57
Opcode Fuzzy Hash: 44089a24daccf94ffcdd0c85ac64ca2384a4c7c12105d0029c1cfea949efcc8e
Instruction Fuzzy Hash: C0F16B71A00209EFEF04DFA4C884EAEB7B9FF49354F108458F915AB251DB71AE46EB50

Function 00F9F694 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F9F6B5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00F9F848
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00F9F86C
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00F9F8AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00F9F8CE
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00F9FA4A
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00F9FA7C
CloseHandle.KERNEL32(?), ref: 00F9FAAB
CloseHandle.KERNEL32(?), ref: 00F9FB22

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 8478b001340c1a727e89ca0ded2c8e5c62099058b51293d6f65a25417caa80db
Instruction ID: 270ca4347268c6db236d608f04492f953325d76827f3c575d7fb38e713b4b1fd
Opcode Fuzzy Hash: 8478b001340c1a727e89ca0ded2c8e5c62099058b51293d6f65a25417caa80db
Instruction Fuzzy Hash: 34E1D4316043019FDB14EF24CC81B6ABBE1EF85364F18856DF8998B2A1CB35DC49EB52

Function 00F84CC1 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00F8466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00F83697,?), ref: 00F8468B

Part of subcall function 00F8466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00F83697,?), ref: 00F846A4

Part of subcall function 00F84A31: GetFileAttributesW.KERNEL32(?,00F8370B), ref: 00F84A32

lstrcmpiW.KERNEL32(?,?), ref: 00F84D40
_wcscmp.LIBCMT ref: 00F84D5A
MoveFileW.KERNEL32(?,?), ref: 00F84D75

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 7688d130454d61fcd28ad746cd2371dfd27149a2170343e6a202a298fec88c51
Instruction ID: 07250c56c298435a5b51d24df7a225f133edad95a11cfc7a3d4c2ea12a947a99
Opcode Fuzzy Hash: 7688d130454d61fcd28ad746cd2371dfd27149a2170343e6a202a298fec88c51
Instruction Fuzzy Hash: A25161B25083459BC724EBA0DC819DFB7ECAF85310F40092EB689D3151EF38B688D766

Function 00FA8645 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00FA86FF

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: ca6572bf540eecfaf335f27d5a843979ab8adc6ab6dd6d3b15add1f0b9d734ba
Instruction ID: d8fc057db104afab9bf9c0d54609cf71e8dec280460db3b7ef1c204796d5610d
Opcode Fuzzy Hash: ca6572bf540eecfaf335f27d5a843979ab8adc6ab6dd6d3b15add1f0b9d734ba
Instruction Fuzzy Hash: 6251D4B0900254BEEB249B64DC85FAD3B65EB077A0F600121F951D62E1CFF5AD81FB50

Function 00F22B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00F5C2F7
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00F5C319
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00F5C331
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00F5C34F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00F5C370
DestroyIcon.USER32(00000000), ref: 00F5C37F
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00F5C39C
DestroyIcon.USER32(?), ref: 00F5C3AB

Part of subcall function 00FAA4AF: DeleteObject.GDI32(00000000), ref: 00FAA4E8

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 0c3c9a171f6d48653321d675e12b2587eacc470556a3ab36de2186d2902f8ca0
Instruction ID: 33356eb90a37a3a9f32f096276e58bfc80c1bba9745062cb103bf5dfa892e02e
Opcode Fuzzy Hash: 0c3c9a171f6d48653321d675e12b2587eacc470556a3ab36de2186d2902f8ca0
Instruction Fuzzy Hash: 4D516B71A00309EFDB20DF64DC45FAA3BB5EB48721F104529FA029B2A0DB74AD54FB90

Function 00F7966E Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F7A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00F7A84C
Part of subcall function 00F7A82C: GetCurrentThreadId.KERNEL32 ref: 00F7A853
Part of subcall function 00F7A82C: AttachThreadInput.USER32(00000000,?,00F79683,?,00000001), ref: 00F7A85A

MapVirtualKeyW.USER32(00000025,00000000), ref: 00F7968E
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00F796AB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00F796AE
MapVirtualKeyW.USER32(00000025,00000000), ref: 00F796B7
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00F796D5
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00F796D8
MapVirtualKeyW.USER32(00000025,00000000), ref: 00F796E1
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00F796F8
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00F796FB

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 37b9e7ace8c085076e69cd81a1cce88e697b8e5a85de1f4993ef893a536ce5c4
Instruction ID: 40b705720ee58a7156d4f7a0e69960e7e5895665bfafab15779f82fe97b79495
Opcode Fuzzy Hash: 37b9e7ace8c085076e69cd81a1cce88e697b8e5a85de1f4993ef893a536ce5c4
Instruction Fuzzy Hash: 5A11E1B1910618BEF6106FA0DC89F6A3B2DEB4D750F110426F248AF1E1C9F26C11EAA5

Function 00F78921 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00F7853C,00000B00,?,?), ref: 00F7892A
HeapAlloc.KERNEL32(00000000,?,00F7853C,00000B00,?,?), ref: 00F78931
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00F7853C,00000B00,?,?), ref: 00F78946
GetCurrentProcess.KERNEL32(?,00000000,?,00F7853C,00000B00,?,?), ref: 00F7894E
DuplicateHandle.KERNEL32(00000000,?,00F7853C,00000B00,?,?), ref: 00F78951
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00F7853C,00000B00,?,?), ref: 00F78961
GetCurrentProcess.KERNEL32(00F7853C,00000000,?,00F7853C,00000B00,?,?), ref: 00F78969
DuplicateHandle.KERNEL32(00000000,?,00F7853C,00000B00,?,?), ref: 00F7896C
CreateThread.KERNEL32(00000000,00000000,00F78992,00000000,00000000,00000000), ref: 00F78986

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: e8c05f92bb1d343edae0a53a9b21491c575f9e1f53724c1420e1930bd98e13fb
Instruction ID: 9dbb4030237b6015060ccfaebf0bf7a0ddaaf00304def1ff6cb01537af440c54
Opcode Fuzzy Hash: e8c05f92bb1d343edae0a53a9b21491c575f9e1f53724c1420e1930bd98e13fb
Instruction Fuzzy Hash: 0101BBB5240348FFE760ABA5DC4DF6B3BACEB89711F418421FA05DF1A1DA709804DB21

Function 00F99B23 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00F99B7B
NULL Pointer assignment, xrefs: 00F99BA4, 00F99EC8

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 8c850d5f6c236c49c8293da07c974d1aee2c19627ed42851829d0128e4f7a805
Instruction ID: 86554ff11450dbd72ee28fa829d79ef819045c8c3642cbbd42ff09fcfccd5cb5
Opcode Fuzzy Hash: 8c850d5f6c236c49c8293da07c974d1aee2c19627ed42851829d0128e4f7a805
Instruction Fuzzy Hash: 19C19171E0420A9BEF14DF98D884BAEB7F5BB48314F15846DE905AB280E7B09D45DBA0

Function 00F99113 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F99167
VariantInit.OLEAUT32(?), ref: 00F99238
VariantInit.OLEAUT32(?), ref: 00F99339
VariantClear.OLEAUT32(?), ref: 00F99343
VariantClear.OLEAUT32(?), ref: 00F993A0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00F9931C
Null Object assignment in FOR..IN loop, xrefs: 00F991C8, 00F992F6, 00F993AE

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: 9fcf4010255acc8a269e3b81cc190ba80a9eae0a34af2584018f184ceb44ee42
Instruction ID: f6b058691fba7214d2483406ec3c3bd49d00e140a980538cadd98243119a2d96
Opcode Fuzzy Hash: 9fcf4010255acc8a269e3b81cc190ba80a9eae0a34af2584018f184ceb44ee42
Instruction Fuzzy Hash: C4918F71E04215ABEF24DFA9CC48FAEB7B8EF45720F11811DF505AB280D7B09945DBA0

Function 00F9975D Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00F7710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F77044,80070057,?,?,?,00F77455), ref: 00F77127
Part of subcall function 00F7710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F77044,80070057,?,?), ref: 00F77142
Part of subcall function 00F7710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F77044,80070057,?,?), ref: 00F77150
Part of subcall function 00F7710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F77044,80070057,?), ref: 00F77160

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00F99806
_memset.LIBCMT ref: 00F99813
_memset.LIBCMT ref: 00F99956
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00F99982
CoTaskMemFree.OLE32(?), ref: 00F9998D

Strings

NULL Pointer assignment, xrefs: 00F999DB

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 7b3dc9b4329f408c95b0c69083161a2dd867592b73bd7f4761665e0a6d3d31b1
Instruction ID: 1c630de61d6ad6cfb4709c6669c30464efeb48b50964b85919d8fb73bb6ff477
Opcode Fuzzy Hash: 7b3dc9b4329f408c95b0c69083161a2dd867592b73bd7f4761665e0a6d3d31b1
Instruction Fuzzy Hash: 70912671D00229ABDF10DFA5DC40EDEBBB9EF09710F20416AF419A7291EB759A44DFA0

Function 00FA6D80 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00FA6E24
SendMessageW.USER32(?,00001036,00000000,?), ref: 00FA6E38
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00FA6E52
_wcscat.LIBCMT ref: 00FA6EAD
SendMessageW.USER32(?,00001057,00000000,?), ref: 00FA6EC4
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00FA6EF2

Strings

SysListView32, xrefs: 00FA6DF6

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: b3c27c3a6f96ea7ec63f1fd4332799648034460b1f53e0c325296a8a3fd9b0e1
Instruction ID: c607b7a025651466a9f6702a2d18efe715c88d291087200e21174c621bc8174b
Opcode Fuzzy Hash: b3c27c3a6f96ea7ec63f1fd4332799648034460b1f53e0c325296a8a3fd9b0e1
Instruction Fuzzy Hash: BE41A1B1A00348AFDB219FA4CC85BEA77A9EF09360F14042AF544E7291D6759D84AB64

Function 00F9E933 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00F83C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00F83C7A
Part of subcall function 00F83C55: Process32FirstW.KERNEL32(00000000,?), ref: 00F83C88
Part of subcall function 00F83C55: CloseHandle.KERNEL32(00000000), ref: 00F83D52

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00F9E9A4
GetLastError.KERNEL32 ref: 00F9E9B7
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00F9E9E6
TerminateProcess.KERNEL32(00000000,00000000), ref: 00F9EA63
GetLastError.KERNEL32(00000000), ref: 00F9EA6E
CloseHandle.KERNEL32(00000000), ref: 00F9EAA3

Strings

SeDebugPrivilege, xrefs: 00F9E9C2

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 591c985d3095fda71aa765d773dcbcbe6fc059958ae8ee0ed6985915bf2d5a72
Instruction ID: d22854cdaf5c13d28d7e6161899ab67c072db2afb7fdc87454e183ddeacbfa18
Opcode Fuzzy Hash: 591c985d3095fda71aa765d773dcbcbe6fc059958ae8ee0ed6985915bf2d5a72
Instruction Fuzzy Hash: 1041CE717042009FDB14EF54CC95FADB7A5AF41314F188419F9469F2D2CBB8E809EB92

Function 00F82F94 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00F83033

Strings

stop, xrefs: 00F83004
question, xrefs: 00F82FEC
blank, xrefs: 00F82FB5
warning, xrefs: 00F8301C
info, xrefs: 00F82FD4

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 731605b45219729645dba40291700889abed6029c5188a3c61114ce78246899a
Instruction ID: 28a2df2b8596e486425497e3d8813301b315c7127adffe5c47689679453a006b
Opcode Fuzzy Hash: 731605b45219729645dba40291700889abed6029c5188a3c61114ce78246899a
Instruction Fuzzy Hash: 3A112B32748346BED714AB54DC42EEB7B9C9F15774B14002AFD00A6281EB74AF4077A5

Function 00F842F8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00F84312
LoadStringW.USER32(00000000), ref: 00F84319
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00F8432F
LoadStringW.USER32(00000000), ref: 00F84336
_wprintf.LIBCMT ref: 00F8435C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00F8437A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00F84357

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: e99f92a77456692203f4bf59c288b6d3cac9a2763e94369ae6c3ba52839b4b8e
Instruction ID: cbc4fa957607fbe3caac1030ae1bb5787281271862a72e3bb0f957cd1a9eefcb
Opcode Fuzzy Hash: e99f92a77456692203f4bf59c288b6d3cac9a2763e94369ae6c3ba52839b4b8e
Instruction Fuzzy Hash: B301A2F290020CBFE710A7E0DD89EE7776CDB09300F4000A1BB05E6111EA349E896B70

Function 00FAD43E Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F22612: GetWindowLongW.USER32(?,000000EB), ref: 00F22623

GetSystemMetrics.USER32(0000000F), ref: 00FAD47C
GetSystemMetrics.USER32(0000000F), ref: 00FAD49C
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00FAD6D7
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00FAD6F5
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00FAD716
ShowWindow.USER32(00000003,00000000), ref: 00FAD735
InvalidateRect.USER32(?,00000000,00000001), ref: 00FAD75A
DefDlgProcW.USER32(?,00000005,?,?), ref: 00FAD77D

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 488b6874f930efb04ec0b05ea6a4d1edb085c37d0a41221ca62344f7ad93b008
Instruction ID: b264c0da52c015b0987a5e831c572fdd34f505a482e246427fe5ec643ac449de
Opcode Fuzzy Hash: 488b6874f930efb04ec0b05ea6a4d1edb085c37d0a41221ca62344f7ad93b008
Instruction Fuzzy Hash: 92B1BCB5A00219EFDF18CF68C9C47AD3BB1BF09710F088069EC4A9F695D734A950EB90

Function 00F22A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00F5C1C7,00000004,00000000,00000000,00000000), ref: 00F22ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00F5C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00F22B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00F5C1C7,00000004,00000000,00000000,00000000), ref: 00F5C21A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00F5C1C7,00000004,00000000,00000000,00000000), ref: 00F5C286

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 0b3dabf67819817472ec09bbb8d681f112a7d2b8d723f4a665297642879d38c8
Instruction ID: f7ffcaad954b1ca74ea836d4f0d007dc912c9447dbcd99068ba4eef07e1b0269
Opcode Fuzzy Hash: 0b3dabf67819817472ec09bbb8d681f112a7d2b8d723f4a665297642879d38c8
Instruction Fuzzy Hash: 76414231A047D0BEC7B55F78EC8C76B7BD1AF86320F14842DE54786960C6799889FB50

Function 00F870C6 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00F870DD

Part of subcall function 00F40DB6: std::exception::exception.LIBCMT ref: 00F40DEC
Part of subcall function 00F40DB6: __CxxThrowException@8.LIBCMT ref: 00F40E01

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00F87114
EnterCriticalSection.KERNEL32(?), ref: 00F87130
_memmove.LIBCMT ref: 00F8717E
_memmove.LIBCMT ref: 00F8719B
LeaveCriticalSection.KERNEL32(?), ref: 00F871AA
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00F871BF
InterlockedExchange.KERNEL32(?,000001F6), ref: 00F871DE

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 0dd74d63ae3a7b2778b230e0aba0827e47373f37f73420f11e2f9df2617be962
Instruction ID: b35a9afb4d806bd76238268fc86e4a0fc02cc720668d6b9f472720048e3818b1
Opcode Fuzzy Hash: 0dd74d63ae3a7b2778b230e0aba0827e47373f37f73420f11e2f9df2617be962
Instruction Fuzzy Hash: A4317071900205EBCB10EFA4DC89AAEBBB8EF45710F2441B5ED04AB256DB34DE14EB60

Function 00FA61D3 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00FA61EB
GetDC.USER32(00000000), ref: 00FA61F3
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00FA61FE
ReleaseDC.USER32(00000000,00000000), ref: 00FA620A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00FA6246
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00FA6257
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00FA902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00FA6291
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00FA62B1

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: b0ef8349b02b87df3959cae4cd09ac6f98ff2e19235ef8c3119c17c23cfc5044
Instruction ID: 9adadd11c32d1d0c42bca0dd5522a4f4e2ebea7bb0581eedf56c0d713f254ad0
Opcode Fuzzy Hash: b0ef8349b02b87df3959cae4cd09ac6f98ff2e19235ef8c3119c17c23cfc5044
Instruction Fuzzy Hash: F5316DB2101214BFEF118F50CC8AFEA3BA9EF4A765F084065FE08DE291C6759841DB64

Function 00F7BBAF Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00F7BBC4
_memcmp.LIBCMT ref: 00F7BBE6
_memcmp.LIBCMT ref: 00F7BBFE
_memcmp.LIBCMT ref: 00F7BC11
_memcmp.LIBCMT ref: 00F7BC2B
_memcmp.LIBCMT ref: 00F7BC3E
_memcmp.LIBCMT ref: 00F7BC56
_memcmp.LIBCMT ref: 00F7BC71

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 10c4d81fe22442429d07a9b1719e1173ccd109cde86f7268b1680a6486c34ec0
Instruction ID: bd89f6cbe566b1d3673fab7185446805b9c4c9dfaa96d03966492032ab8eae8f
Opcode Fuzzy Hash: 10c4d81fe22442429d07a9b1719e1173ccd109cde86f7268b1680a6486c34ec0
Instruction Fuzzy Hash: B721FC616012057BE205B615DD42FFB7B5DAE53368F04C022FD0C56647EB18DE11B5A3

Function 00F8EB23 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00F29837: __itow.LIBCMT ref: 00F29862
Part of subcall function 00F29837: __swprintf.LIBCMT ref: 00F298AC

Part of subcall function 00F3FC86: _wcscpy.LIBCMT ref: 00F3FCA9

_wcstok.LIBCMT ref: 00F8EC94
_wcscpy.LIBCMT ref: 00F8ED23
_memset.LIBCMT ref: 00F8ED56

Strings

X, xrefs: 00F8ED93

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: d268077c6b7a780bc9a08fca174b2d601f085e8bc9c79995c9c8481594b78004
Instruction ID: fbd00f83a4f1bd626c02210f7e5892ef7bdc92c845e2c957e6ded2ad5584d99e
Opcode Fuzzy Hash: d268077c6b7a780bc9a08fca174b2d601f085e8bc9c79995c9c8481594b78004
Instruction Fuzzy Hash: D7C191719087119FC754FF24D881A9AB7E0FF85310F04492DF8999B2A2DB74ED49EB42

Function 00F96B03 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?), ref: 00F96C00
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00F96C21
WSAGetLastError.WSOCK32(00000000), ref: 00F96C34
htons.WSOCK32(?), ref: 00F96CEA
inet_ntoa.WSOCK32(?), ref: 00F96CA7

Part of subcall function 00F7A7E9: _strlen.LIBCMT ref: 00F7A7F3
Part of subcall function 00F7A7E9: _memmove.LIBCMT ref: 00F7A815

_strlen.LIBCMT ref: 00F96D44
_memmove.LIBCMT ref: 00F96DAD

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: d41d937ce9240379040222603e753dd0d8fbe70f8f13d2505833b30accb71481
Instruction ID: 278ad0019d5db78446096cec9c69e84de740ee585c066c8079d1454af09c5a47
Opcode Fuzzy Hash: d41d937ce9240379040222603e753dd0d8fbe70f8f13d2505833b30accb71481
Instruction Fuzzy Hash: 5F811272608300ABDB10EF24DC82F6AB7A8AFC4724F40491DF555DB2D2DA78DD05EB52

Function 00F21424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e2a22066df4185512bbdb4915d635a09ef0b41f5328b3881b54b787b48b9249
Instruction ID: 4be7b7481fce7844eb6bc3e8519d75e2e7c6e78e4771f3dad6b9cf600dca84bc
Opcode Fuzzy Hash: 8e2a22066df4185512bbdb4915d635a09ef0b41f5328b3881b54b787b48b9249
Instruction Fuzzy Hash: 9571BE31900119EFCB04DF98DC49ABEBB79FF86320F248149F915AA251C734AA11EF64

Function 00FAB351 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(012F63D8), ref: 00FAB3EB
IsWindowEnabled.USER32(012F63D8), ref: 00FAB3F7
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00FAB4DB
SendMessageW.USER32(012F63D8,000000B0,?,?), ref: 00FAB512
IsDlgButtonChecked.USER32(?,?), ref: 00FAB54F
GetWindowLongW.USER32(012F63D8,000000EC), ref: 00FAB571
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00FAB589

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: a7fb12d491009976a5eba96b2dbd5067b47178e6974d3b75df068a88de229653
Instruction ID: 71010201b95fe68bc15e854f372733bf885ee26f969a7b9714396189b365a196
Opcode Fuzzy Hash: a7fb12d491009976a5eba96b2dbd5067b47178e6974d3b75df068a88de229653
Instruction Fuzzy Hash: E0717CB4A04348EFDB20DF95C894FBA7BA9EF0B320F144059E955972A3C736A950FB50

Function 00F9F41E Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F9F448
_memset.LIBCMT ref: 00F9F511
ShellExecuteExW.SHELL32(?), ref: 00F9F556

Part of subcall function 00F29837: __itow.LIBCMT ref: 00F29862
Part of subcall function 00F29837: __swprintf.LIBCMT ref: 00F298AC

Part of subcall function 00F3FC86: _wcscpy.LIBCMT ref: 00F3FCA9

GetProcessId.KERNEL32(00000000), ref: 00F9F5CD
CloseHandle.KERNEL32(00000000), ref: 00F9F5FC

Strings

@, xrefs: 00F9F525

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 7131bd7a2bde8fba3dabd7f7cdf4e1cbf431a0bead1bc950cf3334297b6e8c79
Instruction ID: dfe830e33b71de8865db25434110752f10f3d8beb592611ba128ed741e77eab2
Opcode Fuzzy Hash: 7131bd7a2bde8fba3dabd7f7cdf4e1cbf431a0bead1bc950cf3334297b6e8c79
Instruction Fuzzy Hash: D8619F75A006299FCF04DFA4C8819AEBBF5FF49320F188069E855AB351CB34AD45EF90

Function 00F80F4D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00F80F8C
GetKeyboardState.USER32(?), ref: 00F80FA1
SetKeyboardState.USER32(?), ref: 00F81002
PostMessageW.USER32(?,00000101,00000010,?), ref: 00F81030
PostMessageW.USER32(?,00000101,00000011,?), ref: 00F8104F
PostMessageW.USER32(?,00000101,00000012,?), ref: 00F81095
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00F810B8

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: fbd363c0ddbd205bacf62204c2a5a3f2799ab869f489d9ab6e8ce899c2f0cf82
Instruction ID: 1f8e4e05332027ee66140b94f2728bb469eb586cf3eaf5e0c5eb38aa7411bfc7
Opcode Fuzzy Hash: fbd363c0ddbd205bacf62204c2a5a3f2799ab869f489d9ab6e8ce899c2f0cf82
Instruction Fuzzy Hash: 7551D4A09047D53DFB3662348C09BF6BEAD6B06314F088689E2D9858D3C699DCCAF751

Function 00F80D66 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00F80DA5
GetKeyboardState.USER32(?), ref: 00F80DBA
SetKeyboardState.USER32(?), ref: 00F80E1B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00F80E47
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00F80E64
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00F80EA8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00F80EC9

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: fc9165702bb4b5ac380ec80ca1a71c93b3a2a8e2f8bd49d1047306da1b191baa
Instruction ID: 0498ad4e0698cc70201247d8c130ffad156d13ce7972cdd2fc800d22b47624ae
Opcode Fuzzy Hash: fc9165702bb4b5ac380ec80ca1a71c93b3a2a8e2f8bd49d1047306da1b191baa
Instruction Fuzzy Hash: 1C5107A19047D53DFB7263748C45BFB7EA96B06310F488989F1D48A4C2CB95AC8DF750

Function 00F855FD Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00F8560A
_wcsncpy.LIBCMT ref: 00F8563F
_wcsncpy.LIBCMT ref: 00F85671
_wcsncpy.LIBCMT ref: 00F856A4
_wcsncpy.LIBCMT ref: 00F856E6
_wcsncpy.LIBCMT ref: 00F85720
_wcsncpy.LIBCMT ref: 00F8574F

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 93ba6e5663b7868d9153d267785e8fb6f0e75a15817e0d07e5593d686821ef5d
Instruction ID: 8921f04987789884dc62ba60c74a8b5d59f3ecc311c077bac2cefdebac2c5c15
Opcode Fuzzy Hash: 93ba6e5663b7868d9153d267785e8fb6f0e75a15817e0d07e5593d686821ef5d
Instruction Fuzzy Hash: 8141B565C1061876CB11FBF48C46ACFBBB89F04710F508966F909E3221FB38A755E7A6

Function 00F83671 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00F8466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00F83697,?), ref: 00F8468B

Part of subcall function 00F8466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00F83697,?), ref: 00F846A4

lstrcmpiW.KERNEL32(?,?), ref: 00F836B7
_wcscmp.LIBCMT ref: 00F836D3
MoveFileW.KERNEL32(?,?), ref: 00F836EB
_wcscat.LIBCMT ref: 00F83733
SHFileOperationW.SHELL32(?), ref: 00F8379F

Strings

\*.*, xrefs: 00F8372D

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: f17a71f71f2e9f80b998d3548d422b90f9e3e7ab2e00b811dc42288962f0e29c
Instruction ID: 3cbcd1fee0d4098a3eda2e6cc5daa2b89c5d0997b61c04a8aef7d1643e70e962
Opcode Fuzzy Hash: f17a71f71f2e9f80b998d3548d422b90f9e3e7ab2e00b811dc42288962f0e29c
Instruction Fuzzy Hash: A741B1B1508345AEC751FF64C841ADFB7E8AF89790F40082EF48AC7261EA38D689D752

Function 00FA7291 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FA72AA
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FA7351
IsMenu.USER32(?), ref: 00FA7369
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00FA73B1
DrawMenuBar.USER32 ref: 00FA73C4

Strings

0, xrefs: 00FA729E

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: afbea60df9bae5c9d8a67fa6ae7ebe75cfd494d6d72046265bb4ee8a8b1466ea
Instruction ID: b336a39deb79e4a05dda6e83d885fdaa4535edc1b0efe2dd066df3e9fe99484d
Opcode Fuzzy Hash: afbea60df9bae5c9d8a67fa6ae7ebe75cfd494d6d72046265bb4ee8a8b1466ea
Instruction Fuzzy Hash: B74116B5A04308AFDF20EF50D884E9ABBB8FF06324F158429FD059B250D730AD54EB50

Function 00FA0FA5 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00FA0FD4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00FA0FFE
FreeLibrary.KERNEL32(00000000), ref: 00FA10B5

Part of subcall function 00FA0FA5: RegCloseKey.ADVAPI32(?), ref: 00FA101B
Part of subcall function 00FA0FA5: FreeLibrary.KERNEL32(?), ref: 00FA106D
Part of subcall function 00FA0FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00FA1090

RegDeleteKeyW.ADVAPI32(?,?), ref: 00FA1058

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: d50034092995dff085f5f176ade50fb805c451bf2ed07411529a66837449f46a
Instruction ID: 9449bc869c2c6fa290e17dccbec853d983b203e5035ae385751102fd607635be
Opcode Fuzzy Hash: d50034092995dff085f5f176ade50fb805c451bf2ed07411529a66837449f46a
Instruction Fuzzy Hash: 0E312DB1D00109BFDB159F90DC89EFFB7BCEF09310F004169E502E6141EA749E89AAA0

Function 00FA62CD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00FA62EC
GetWindowLongW.USER32(012F63D8,000000F0), ref: 00FA631F
GetWindowLongW.USER32(012F63D8,000000F0), ref: 00FA6354
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00FA6386
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00FA63B0
GetWindowLongW.USER32(00000000,000000F0), ref: 00FA63C1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00FA63DB

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: f14131f8caec1f3cec1d81d7c5664f2df057776350cfa06aa95e2a2118e69c2c
Instruction ID: 827ec24ea4137a311993dc067825d8d83baae6de19547190c6dd0b901238c7bc
Opcode Fuzzy Hash: f14131f8caec1f3cec1d81d7c5664f2df057776350cfa06aa95e2a2118e69c2c
Instruction Fuzzy Hash: F8310FB5A40284EFEB208F58DC84F5537E1FB4A724F1901A4F551CF3B2CB61A845AB50

Function 00F7DAEB Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F7DB2E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F7DB54
SysAllocString.OLEAUT32(00000000), ref: 00F7DB57
SysAllocString.OLEAUT32(?), ref: 00F7DB75
SysFreeString.OLEAUT32(?), ref: 00F7DB7E
StringFromGUID2.OLE32(?,?,00000028), ref: 00F7DBA3
SysAllocString.OLEAUT32(?), ref: 00F7DBB1

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: d9a329c623159ece98474f7099ba52dd6ef9a278aa9c35bfcb5ec1b85009e9f6
Instruction ID: 90590df3bb4a4234dec67e9d3dcfe09e811ae569db0b78f88d6957e0bc1bcca1
Opcode Fuzzy Hash: d9a329c623159ece98474f7099ba52dd6ef9a278aa9c35bfcb5ec1b85009e9f6
Instruction Fuzzy Hash: E0218076A01219AFDB10DFB8DC84CAB77BCEF49360B418126FD18DB250D6749C45A761

Function 00F96173 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00F97D8B: inet_addr.WSOCK32(00000000), ref: 00F97DB6

socket.WSOCK32(00000002,00000001,00000006), ref: 00F961C6
WSAGetLastError.WSOCK32(00000000), ref: 00F961D5
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00F9620E
connect.WSOCK32(00000000,?,00000010), ref: 00F96217
WSAGetLastError.WSOCK32 ref: 00F96221
closesocket.WSOCK32(00000000), ref: 00F9624A
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00F96263

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: d965e584a6cce12402a6293df401661b19510238d5a4955e42db85365e56db82
Instruction ID: 3be999133fd8607638e387e430b551a960a9eedf210872ae639b5818624a8aa7
Opcode Fuzzy Hash: d965e584a6cce12402a6293df401661b19510238d5a4955e42db85365e56db82
Instruction Fuzzy Hash: 0031B371600218AFEF10AF64DC85BBE77ACEF45760F044029FD05EB291DB78AD44ABA1

Function 00F7F65E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00F7F671
__wcsnicmp.LIBCMT ref: 00F7F692
__wcsnicmp.LIBCMT ref: 00F7F6AC

Strings

#OnAutoItStartRegister, xrefs: 00F7F6A6
#notrayicon, xrefs: 00F7F669
#requireadmin, xrefs: 00F7F68C

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: c8a5131e9eb7e1245a3a8f6666d8624d4bf8352f14a085aed5374d2b98e29179
Instruction ID: a84b3079f2698e370520bcb8942828fa50f25bd47e5c93bde2893695a93d1cec
Opcode Fuzzy Hash: c8a5131e9eb7e1245a3a8f6666d8624d4bf8352f14a085aed5374d2b98e29179
Instruction Fuzzy Hash: 6021467261421166D324AA34AC02FA773D8EF55360F10C03BF98AC7091EB689E5AF297

Function 00F7DBC4 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F7DC09
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F7DC2F
SysAllocString.OLEAUT32(00000000), ref: 00F7DC32
SysAllocString.OLEAUT32 ref: 00F7DC53
SysFreeString.OLEAUT32 ref: 00F7DC5C
StringFromGUID2.OLE32(?,?,00000028), ref: 00F7DC76
SysAllocString.OLEAUT32(?), ref: 00F7DC84

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 1660a5706389d3a9e1e4f55a87af67a596dee3101ad237618105a67106e5fa47
Instruction ID: 05dbaaea0194ef3439280866fd9acdd669832f0dddc5cc21ae87bf6961c1f07f
Opcode Fuzzy Hash: 1660a5706389d3a9e1e4f55a87af67a596dee3101ad237618105a67106e5fa47
Instruction Fuzzy Hash: 88213E76604208AF9B11DBE8DC88DAA77BCEF09360B50C126F918CB261DAB49C45E765

Function 00FA75CD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F21D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00F21D73
Part of subcall function 00F21D35: GetStockObject.GDI32(00000011), ref: 00F21D87
Part of subcall function 00F21D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00F21D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00FA7632
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00FA763F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00FA764A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00FA7659
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00FA7665

Strings

Msctls_Progress32, xrefs: 00FA7603

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: d1ddcec7a3b2927b4448003df835ea23eb56a5b4a4ed8eb94ffad163f3597f88
Instruction ID: f26cb34b8c35d7bdad3be44ee84aecf453056f54e8ead8dddd451703f24cd66f
Opcode Fuzzy Hash: d1ddcec7a3b2927b4448003df835ea23eb56a5b4a4ed8eb94ffad163f3597f88
Instruction Fuzzy Hash: EC11B6B251021DBFEF119F64CC85EE77F6DEF09798F014115B604A6150CA729C21EBA4

Function 00F49AE6 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00F49AE6

Part of subcall function 00F43187: EncodePointer.KERNEL32(00000000), ref: 00F4318A
Part of subcall function 00F43187: __initp_misc_winsig.LIBCMT ref: 00F431A5
Part of subcall function 00F43187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00F49EA0
Part of subcall function 00F43187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00F49EB4
Part of subcall function 00F43187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00F49EC7
Part of subcall function 00F43187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00F49EDA
Part of subcall function 00F43187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00F49EED
Part of subcall function 00F43187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00F49F00
Part of subcall function 00F43187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00F49F13
Part of subcall function 00F43187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00F49F26
Part of subcall function 00F43187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00F49F39
Part of subcall function 00F43187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00F49F4C
Part of subcall function 00F43187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00F49F5F
Part of subcall function 00F43187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00F49F72
Part of subcall function 00F43187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00F49F85
Part of subcall function 00F43187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00F49F98
Part of subcall function 00F43187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00F49FAB
Part of subcall function 00F43187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00F49FBE

__mtinitlocks.LIBCMT ref: 00F49AEB
__mtterm.LIBCMT ref: 00F49AF4

Part of subcall function 00F49B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00F49AF9,00F47CD0,00FDA0B8,00000014), ref: 00F49C56
Part of subcall function 00F49B5C: _free.LIBCMT ref: 00F49C5D
Part of subcall function 00F49B5C: DeleteCriticalSection.KERNEL32(00FDEC00,?,?,00F49AF9,00F47CD0,00FDA0B8,00000014), ref: 00F49C7F

__calloc_crt.LIBCMT ref: 00F49B19
__initptd.LIBCMT ref: 00F49B3B
GetCurrentThreadId.KERNEL32 ref: 00F49B42

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: b4be91ff31c80a6107a1fedd1afa11b960448fc25ca8bda01909ad9a2a9467f2
Instruction ID: 9df20b88d54cde454340737d3bd8add35a1455cb445c5d6938002d902710dba2
Opcode Fuzzy Hash: b4be91ff31c80a6107a1fedd1afa11b960448fc25ca8bda01909ad9a2a9467f2
Instruction Fuzzy Hash: 57F06D32B1E7115AE634B674BC03A4B3EA1DF42734B200A1AFC60891D2FEA8954171A1

Function 00F4406B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00F43F85), ref: 00F44085
GetProcAddress.KERNEL32(00000000), ref: 00F4408C
EncodePointer.KERNEL32(00000000), ref: 00F44097
DecodePointer.KERNEL32(00F43F85), ref: 00F440B2

Strings

combase.dll, xrefs: 00F44080
RoUninitialize, xrefs: 00F44074

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 2cde8e73eb0426a679a79b2b41b1c0f811fb2f6d35afa1d39ebbd479f878f14f
Instruction ID: 27731b8c3dafd9f8ebbe3870ddb81603066acf37e0fb1877c54b6a73a52d80ba
Opcode Fuzzy Hash: 2cde8e73eb0426a679a79b2b41b1c0f811fb2f6d35afa1d39ebbd479f878f14f
Instruction Fuzzy Hash: 88E0BFB0941348EFEB50AFA2EC4DB453AA4B715742F10442DF501EA0A0CB7A9604FE15

Function 00F864B8 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F8660B
_memmove.LIBCMT ref: 00F86546

Part of subcall function 00F29837: __itow.LIBCMT ref: 00F29862
Part of subcall function 00F29837: __swprintf.LIBCMT ref: 00F298AC

_memmove.LIBCMT ref: 00F865B9
_memmove.LIBCMT ref: 00F866A0
_memmove.LIBCMT ref: 00F866B9
_memmove.LIBCMT ref: 00F866D5

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 01f6861b9c9f464f3e444165d26c031541feffe0c99e54a007fe9ecc55138285
Instruction ID: dada10fc8514ab830dc301d144322ace7fc88ebd20f469c94b2db0a84890f153
Opcode Fuzzy Hash: 01f6861b9c9f464f3e444165d26c031541feffe0c99e54a007fe9ecc55138285
Instruction Fuzzy Hash: A0619C3190429A9BCF01FF60CC82EFE3BA5AF05308F484519FD599B292EB7C9955EB50

Function 00FA01E4 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F27DE1: _memmove.LIBCMT ref: 00F27E22

Part of subcall function 00FA0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F9FDAD,?,?), ref: 00FA0E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FA02BD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00FA02FD
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00FA0320
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00FA0349
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00FA038C
RegCloseKey.ADVAPI32(00000000), ref: 00FA0399

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: e502bbb49cdc1a38a141571c40875c26bbf1efe767916faa6e88ee868cefc304
Instruction ID: 5525664a2090cf627777050033ae345767c81747f6a7bf205ac331fe6127d299
Opcode Fuzzy Hash: e502bbb49cdc1a38a141571c40875c26bbf1efe767916faa6e88ee868cefc304
Instruction Fuzzy Hash: A4513871508304AFCB14EF64DC85E6ABBE8FF86314F04491DF5458B2A2DB35E909EB52

Function 00FA5799 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00FA57FB
GetMenuItemCount.USER32(00000000), ref: 00FA5832
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00FA585A
GetMenuItemID.USER32(?,?), ref: 00FA58C9
GetSubMenu.USER32(?,?), ref: 00FA58D7
PostMessageW.USER32(?,00000111,?,00000000), ref: 00FA5928

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 804d4d400eca7972cf70720b1c9c3f5b30c3efe8e4484145f274ec76a90d1c31
Instruction ID: b3c42847888c74c9e0f1a6e05cc35a46b6931ec0130285b3ffb557a1ee579f65
Opcode Fuzzy Hash: 804d4d400eca7972cf70720b1c9c3f5b30c3efe8e4484145f274ec76a90d1c31
Instruction Fuzzy Hash: FC515D75E00615AFCF11EFA4C845AAEBBB4EF49720F144069EC41BB351CB78AE41AB90

Function 00F7EEEC Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00F7EF06
VariantClear.OLEAUT32(00000013), ref: 00F7EF78
VariantClear.OLEAUT32(00000000), ref: 00F7EFD3
_memmove.LIBCMT ref: 00F7EFFD
VariantClear.OLEAUT32(?), ref: 00F7F04A
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00F7F078

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: ca5fa5abb0d0ed9a4d2b6388daa65ee43a1e2d7f638161765ba951d0727b5c7e
Instruction ID: 95732b8bb10c6d3cc0582967998e2c04c87e3267f859424b16e3ff50834a8b92
Opcode Fuzzy Hash: ca5fa5abb0d0ed9a4d2b6388daa65ee43a1e2d7f638161765ba951d0727b5c7e
Instruction Fuzzy Hash: 6D5168B5A00209EFCB14CF58C884AAAB7B8FF4D314B15856AED59DB305E334E915CFA1

Function 00F8220A Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F82258
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F822A3
IsMenu.USER32(00000000), ref: 00F822C3
CreatePopupMenu.USER32 ref: 00F822F7
GetMenuItemCount.USER32(000000FF), ref: 00F82355
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00F82386

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: b7d3a44687aeffb1c101d95c234cb5e20dac210b7040fe0ecd6910ff4ef2eb6c
Instruction ID: 84a4fbf7a0f06b81539d37d53476e1901f84ec479b54c9dff9dedf52f84be8ea
Opcode Fuzzy Hash: b7d3a44687aeffb1c101d95c234cb5e20dac210b7040fe0ecd6910ff4ef2eb6c
Instruction Fuzzy Hash: 2651D270A00209DFDF61EF68D898BEDBBF5FF06324F144129E8559B290D778A904EB51

Function 00F21765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00F22612: GetWindowLongW.USER32(?,000000EB), ref: 00F22623

BeginPaint.USER32(?,?,?,?,?,?), ref: 00F2179A
GetWindowRect.USER32(?,?), ref: 00F217FE
ScreenToClient.USER32(?,?), ref: 00F2181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00F2182C
EndPaint.USER32(?,?), ref: 00F21876

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 9b6292f9134be949bb004e1b8100f972d719d023045225329351ca9da7dc8a5f
Instruction ID: fe8b2efd612c9a90d0293922c4dae98cbb92a3b9332ec60de9c2b07037b630f6
Opcode Fuzzy Hash: 9b6292f9134be949bb004e1b8100f972d719d023045225329351ca9da7dc8a5f
Instruction Fuzzy Hash: DE41CC71504754AFC710DF24DCC4FBA7BE8FB5A724F140228FAA48B2A1C7309949EB62

Function 00FAB69E Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00FE57B0,00000000,012F63D8,?,?,00FE57B0,?,00FAB5A8,?,?), ref: 00FAB712
EnableWindow.USER32(00000000,00000000), ref: 00FAB736
ShowWindow.USER32(00FE57B0,00000000,012F63D8,?,?,00FE57B0,?,00FAB5A8,?,?), ref: 00FAB796
ShowWindow.USER32(00000000,00000004,?,00FAB5A8,?,?), ref: 00FAB7A8
EnableWindow.USER32(00000000,00000001), ref: 00FAB7CC
SendMessageW.USER32(?,0000130C,?,00000000), ref: 00FAB7EF

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 769722182a8e160464e1b358ac2f685b7119b5c79c3a0ebe76915a025927d38e
Instruction ID: b2d45ef2d2b6b6a109ed07908af941686131a1667fafa6238fa625b3f2e39e5a
Opcode Fuzzy Hash: 769722182a8e160464e1b358ac2f685b7119b5c79c3a0ebe76915a025927d38e
Instruction Fuzzy Hash: A74173B4A00244AFDB26CF24C499B947BE1FF46320F1841B9F9488F6A3C771AC56EB51

Function 00F9709E Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00F94E41,?,?,00000000,00000001), ref: 00F970AC

Part of subcall function 00F939A0: GetWindowRect.USER32(?,?), ref: 00F939B3

GetDesktopWindow.USER32 ref: 00F970D6
GetWindowRect.USER32(00000000), ref: 00F970DD
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00F9710F

Part of subcall function 00F85244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00F852BC

GetCursorPos.USER32(?), ref: 00F9713B
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00F97199

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: bf7ce2b1ebac70eb50d428ee5856202f928a91846ca2bcef0ce2973092be2d5a
Instruction ID: bdefaf14b6a7f09fce18e319e17db71cd0308aed84c225a2f2cb412cf3fc51ad
Opcode Fuzzy Hash: bf7ce2b1ebac70eb50d428ee5856202f928a91846ca2bcef0ce2973092be2d5a
Instruction Fuzzy Hash: 0D31D272509309AFDB20EF54CC49B9BB7EAFF89314F000919F58597191CB34EA49DB92

Function 00F78879 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F780A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00F780C0
Part of subcall function 00F780A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00F780CA
Part of subcall function 00F780A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00F780D9
Part of subcall function 00F780A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00F780E0
Part of subcall function 00F780A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00F780F6

GetLengthSid.ADVAPI32(?,00000000,00F7842F), ref: 00F788CA
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00F788D6
HeapAlloc.KERNEL32(00000000), ref: 00F788DD
CopySid.ADVAPI32(00000000,00000000,?), ref: 00F788F6
GetProcessHeap.KERNEL32(00000000,00000000,00F7842F), ref: 00F7890A
HeapFree.KERNEL32(00000000), ref: 00F78911

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 50935f48329f06c7de89a5991535f6d6195a00516d47f64389dfbab4b9b92cba
Instruction ID: a74886ece0df29703acd094755f86836d8453ec994708f8a37998132e1c0a48a
Opcode Fuzzy Hash: 50935f48329f06c7de89a5991535f6d6195a00516d47f64389dfbab4b9b92cba
Instruction Fuzzy Hash: 6311B471A41209FFDB109F94DC09BBE7B78EB45361F10C02AE94997111CB329D05EB62

Function 00F785B1 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00F785E2
OpenProcessToken.ADVAPI32(00000000), ref: 00F785E9
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00F785F8
CloseHandle.KERNEL32(00000004), ref: 00F78603
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00F78632
DestroyEnvironmentBlock.USERENV(00000000), ref: 00F78646

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 5e92ef9a7aa6f2538549d200ed50054c6cf530aa03adc82d1b174d0df934c670
Instruction ID: 77667cf9748b9cdb3d5c8e8e8482e5f87f93417d59a6e1a601af95a86cc8398e
Opcode Fuzzy Hash: 5e92ef9a7aa6f2538549d200ed50054c6cf530aa03adc82d1b174d0df934c670
Instruction Fuzzy Hash: 25115CB254020DABDF018FA4DD49BDE7BA9EF09354F048065FE05A6160C7718D65EB61

Function 00F7B790 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00F7B7B5
GetDeviceCaps.GDI32(00000000,00000058), ref: 00F7B7C6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F7B7CD
ReleaseDC.USER32(00000000,00000000), ref: 00F7B7D5
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00F7B7EC
MulDiv.KERNEL32(000009EC,?,?), ref: 00F7B7FE

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 2a2755be9436a8676fe8f3ee00f6c2e62733e27732b0e8eb669c433f57c92538
Instruction ID: ed53a8ef14e24f60f53b8a9eaf69b79192e1e005c9f5cdaa1bb6d5b80a0118a9
Opcode Fuzzy Hash: 2a2755be9436a8676fe8f3ee00f6c2e62733e27732b0e8eb669c433f57c92538
Instruction Fuzzy Hash: 500175B5E00209BBEB105BE69C45A5ABFA8EB49321F008066FA08AB291D6709C00DF91

Function 00F40162 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00F40193
MapVirtualKeyW.USER32(00000010,00000000), ref: 00F4019B
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00F401A6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00F401B1
MapVirtualKeyW.USER32(00000011,00000000), ref: 00F401B9
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F401C1

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 996521e29cd677699d667c631696cb72d7e3cac99f57e89b717177d821fc993f
Instruction ID: 28ef2a0a41ba0148394e45b6955c62ba314cf17218137ec9a8af94a574f62da4
Opcode Fuzzy Hash: 996521e29cd677699d667c631696cb72d7e3cac99f57e89b717177d821fc993f
Instruction Fuzzy Hash: 97016CB09017597DE3008F5A8C85B52FFA8FF19354F00411BA15C4BA41C7F5A868CBE5

Function 00F853E9 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00F853F9
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00F8540F
GetWindowThreadProcessId.USER32(?,?), ref: 00F8541E
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F8542D
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F85437
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F8543E

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 94e9b7f4633f5b8b6ef529872522a2308157e2e84d49d09f29cef41ca0d7d7ba
Instruction ID: ad7388bfa1f9f3bad8e771235f29ee45f3b12c96c73fcc30e6460a880d3c5350
Opcode Fuzzy Hash: 94e9b7f4633f5b8b6ef529872522a2308157e2e84d49d09f29cef41ca0d7d7ba
Instruction Fuzzy Hash: 07F06D7224115CBBE7205BE2DC0DEEB7A7CEBC7B11F000169FA04D515096A01A05A6B5

Function 00F87230 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00F87243
EnterCriticalSection.KERNEL32(?,?,00F30EE4,?,?), ref: 00F87254
TerminateThread.KERNEL32(00000000,000001F6,?,00F30EE4,?,?), ref: 00F87261
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00F30EE4,?,?), ref: 00F8726E

Part of subcall function 00F86C35: CloseHandle.KERNEL32(00000000,?,00F8727B,?,00F30EE4,?,?), ref: 00F86C3F

InterlockedExchange.KERNEL32(?,000001F6), ref: 00F87281
LeaveCriticalSection.KERNEL32(?,?,00F30EE4,?,?), ref: 00F87288

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: da01b751f37bb04e5c15574ab9556e29442dd65b8003d8a72aefe519212ef921
Instruction ID: a6da4ed81f03e44a995370f04553bd310f13c7e58f1458406704e63dd23ef96e
Opcode Fuzzy Hash: da01b751f37bb04e5c15574ab9556e29442dd65b8003d8a72aefe519212ef921
Instruction Fuzzy Hash: EDF0BEB6540216EBD7622BA4ED4CBEA7779EF07312B100131F103980A0CB765805EB50

Function 00F78992 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00F7899D
UnloadUserProfile.USERENV(?,?), ref: 00F789A9
CloseHandle.KERNEL32(?), ref: 00F789B2
CloseHandle.KERNEL32(?), ref: 00F789BA
GetProcessHeap.KERNEL32(00000000,?), ref: 00F789C3
HeapFree.KERNEL32(00000000), ref: 00F789CA

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 659e19df5a668a31bacc5a39fe346846e8a1ab5c2b68204ea6682954ca900e88
Instruction ID: 3a459874c8f4af6e345412489f6ba03243f9bbbd058d3ef11f056233ef82a429
Opcode Fuzzy Hash: 659e19df5a668a31bacc5a39fe346846e8a1ab5c2b68204ea6682954ca900e88
Instruction Fuzzy Hash: CFE052B6104509FFDB011FE5EC0C95ABB79FB8A762B508631F21989470CB329469EB50

Function 00F985ED Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00F98613
CharUpperBuffW.USER32(?,?), ref: 00F98722
VariantClear.OLEAUT32(?), ref: 00F9889A

Part of subcall function 00F87562: VariantInit.OLEAUT32(00000000), ref: 00F875A2
Part of subcall function 00F87562: VariantCopy.OLEAUT32(00000000,?), ref: 00F875AB
Part of subcall function 00F87562: VariantClear.OLEAUT32(00000000), ref: 00F875B7

Strings

AUTOIT.ERROR, xrefs: 00F98728
Incorrect Parameter format, xrefs: 00F9864B, 00F9880D

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: ced09367905af0b965e833188bf467e0160939c575522ac130e67d318571c9f3
Instruction ID: 916dc9ece5af6c1c571f99d67e6cd587df027f45c778992d3e2e802cdf903794
Opcode Fuzzy Hash: ced09367905af0b965e833188bf467e0160939c575522ac130e67d318571c9f3
Instruction Fuzzy Hash: 88918071A083019FCB10DF24C88495ABBF4EF8A754F14892EF88A8B351DB35ED46DB52

Function 00F82A96 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F3FC86: _wcscpy.LIBCMT ref: 00F3FCA9

_memset.LIBCMT ref: 00F82B87
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00F82BB6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00F82C69
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00F82C97

Strings

0, xrefs: 00F82B73

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 585e7ad13c27cb0db5f79ec38719b55346c08bb6f180e568af13ed6c2d3d084c
Instruction ID: c376a6e61907506ea77979805be6756a88be0de6ba44f4ffc21f3d0291574c19
Opcode Fuzzy Hash: 585e7ad13c27cb0db5f79ec38719b55346c08bb6f180e568af13ed6c2d3d084c
Instruction Fuzzy Hash: DC51BF71A093019ED7A4AE28D845ABFBBE4EF86330F040A2DF895D61D1DB74ED04B752

Function 00F7D56C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00F7D5D4
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00F7D60A
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00F7D61B
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00F7D69D

Strings

DllGetClassObject, xrefs: 00F7D610

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 163aa1e1923ddb7a686dd8514d8a350d5ca4389879b6b7338e263f4f8c992b97
Instruction ID: a0d70eef84894e198f47cd759fb76ea48e871e112d0d4c65208ad68a2e36b836
Opcode Fuzzy Hash: 163aa1e1923ddb7a686dd8514d8a350d5ca4389879b6b7338e263f4f8c992b97
Instruction Fuzzy Hash: 0A418EB1600204EFDB15DF64CC84A9ABBB9EF84314F55C1AEAC0D9F206D7B1D944EBA1

Function 00F82753 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F827C0
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00F827DC
DeleteMenu.USER32(?,00000007,00000000), ref: 00F82822
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00FE5890,00000000), ref: 00F8286B

Strings

0, xrefs: 00F827B5

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 279647daec9e0b894273fb2f269a29551fa43ff09bc448a69d1205944ec1e3e6
Instruction ID: b7b29eddf239820713f7afd9edc300e31d29ba258f6a05d42da736e21646c196
Opcode Fuzzy Hash: 279647daec9e0b894273fb2f269a29551fa43ff09bc448a69d1205944ec1e3e6
Instruction Fuzzy Hash: 7141BF71604301AFDB60EF24CC44B9ABBE8EF85324F04492EF8A597291D734F805DB52

Function 00F9D7A5 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00F9D7C5

Part of subcall function 00F2784B: _memmove.LIBCMT ref: 00F27899

Strings

stdcall, xrefs: 00F9D847
cdecl, xrefs: 00F9D81C
none, xrefs: 00F9D8A0
winapi, xrefs: 00F9D836

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 9e76ea3f31d2bdfe52bb2cbcffa011d87c0cf95fd44b2d50d3d0d9060d993fc1
Instruction ID: 3cf81c1802189a271efea33afa522c50d81661f71f3f9c6dba4b2768ee510282
Opcode Fuzzy Hash: 9e76ea3f31d2bdfe52bb2cbcffa011d87c0cf95fd44b2d50d3d0d9060d993fc1
Instruction Fuzzy Hash: DB31B071904619ABDF00EF94CC519FEB7B5FF05320B10862AE829977D2DB75A905EB80

Function 00F78E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F27DE1: _memmove.LIBCMT ref: 00F27E22

Part of subcall function 00F7AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00F7AABC

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00F78F14
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00F78F27
SendMessageW.USER32(?,00000189,?,00000000), ref: 00F78F57

Part of subcall function 00F27BCC: _memmove.LIBCMT ref: 00F27C06

Strings

ListBox, xrefs: 00F78ED3
ComboBox, xrefs: 00F78E9E

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: ec7eba0b0778980dadcb389fb269bc674aaa0e3338d9f4e79197cc39bde0f5c5
Instruction ID: 2ad806faba1ac157db30ef7508bc8d1c4e9e56b8119d5ba8bb6606386d57cdfc
Opcode Fuzzy Hash: ec7eba0b0778980dadcb389fb269bc674aaa0e3338d9f4e79197cc39bde0f5c5
Instruction Fuzzy Hash: B8210471A40208BEDB14ABB0DC49DFFB769DF46360F14812AF829972E0DF39580AB651

Function 00F9182D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00F9184C
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00F91872
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00F918A2
InternetCloseHandle.WININET(00000000), ref: 00F918E9

Part of subcall function 00F92483: GetLastError.KERNEL32(?,?,00F91817,00000000,00000000,00000001), ref: 00F92498
Part of subcall function 00F92483: SetEvent.KERNEL32(?,?,00F91817,00000000,00000000,00000001), ref: 00F924AD

Strings

, xrefs: 00F91893

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 906bc69c9984733b512c6e55ac9d971b9d7beef01115ca7ead6d7c3facacbca7
Instruction ID: c42e406c1ad7c570b122b3dcba3f0f98a1d515b2aef405bb3a16f1716b636d02
Opcode Fuzzy Hash: 906bc69c9984733b512c6e55ac9d971b9d7beef01115ca7ead6d7c3facacbca7
Instruction Fuzzy Hash: 81217FB550020DBFFB129B649C85EBF76ADFB49754F10413AF80596140DA249D0977A1

Function 00FA63E7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F21D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00F21D73
Part of subcall function 00F21D35: GetStockObject.GDI32(00000011), ref: 00F21D87
Part of subcall function 00F21D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00F21D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00FA6461
LoadLibraryW.KERNEL32(?), ref: 00FA6468
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00FA647D
DestroyWindow.USER32(?), ref: 00FA6485

Strings

SysAnimate32, xrefs: 00FA643C

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 203de6a918ef41663fe3c06786b4e917cab3583174eb05f38fe7a2d238205f30
Instruction ID: a9e31e0b4c3ca9bd1bef0f4854aca6620d7ea493994b0b809cdcbe0f00f3fd9a
Opcode Fuzzy Hash: 203de6a918ef41663fe3c06786b4e917cab3583174eb05f38fe7a2d238205f30
Instruction Fuzzy Hash: E3218BB2600209ABEF108FA4DC80EBA77A9EB5A738F184629FA10D6190D775DC51B760

Function 00F86D9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00F86DBC
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00F86DEF
GetStdHandle.KERNEL32(0000000C), ref: 00F86E01
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00F86E3B

Strings

nul, xrefs: 00F86E36

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: ed69facce0338e19a995edc0b24331821b7550935b59f5aa2b7238d87f409cf0
Instruction ID: 24edddc178c909686b569266306188a5b737e51b729252ffbba890aee8f31bd8
Opcode Fuzzy Hash: ed69facce0338e19a995edc0b24331821b7550935b59f5aa2b7238d87f409cf0
Instruction Fuzzy Hash: 1221A476A00209ABDB20AF69DC04BDA77F4EF45730F204619FCA1D72D0D7709955EB54

Function 00F86E6A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00F86E89
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00F86EBB
GetStdHandle.KERNEL32(000000F6), ref: 00F86ECC
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00F86F06

Strings

nul, xrefs: 00F86F01

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 2e9e761554ef588c7566bb962f47c6597e962537083d2541540e20add128ec53
Instruction ID: 40f7621ecc6e7405b721166d9a6abdd3e2cb2451f11a44c4beddd7d4a949501c
Opcode Fuzzy Hash: 2e9e761554ef588c7566bb962f47c6597e962537083d2541540e20add128ec53
Instruction Fuzzy Hash: 1C2186759003059BDB20AF69DC04BDA77E8EF45730F200A19FDA1D72D0DB709855E755

Function 00F8AC40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00F8AC54
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00F8ACA8
__swprintf.LIBCMT ref: 00F8ACC1
SetErrorMode.KERNEL32(00000000,00000001,00000000,00FAF910), ref: 00F8ACFF

Strings

%lu, xrefs: 00F8ACBB

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: fe69a0d887fe7361d7dcab72e458719e76acefc46513e0ac911feea3f072133a
Instruction ID: 7e6d9d442df1f1351f7131321c95681d4d450b25b1ba6899b726f1ff19d18c1f
Opcode Fuzzy Hash: fe69a0d887fe7361d7dcab72e458719e76acefc46513e0ac911feea3f072133a
Instruction Fuzzy Hash: 3E21B370A00109AFCB10EFA4DD45EEE7BB8FF49714B044069F909DB251DB75EA45EB21

Function 00F81AE8 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00F81B19

Strings

APPEND, xrefs: 00F81B52
EXISTS, xrefs: 00F81B41
KEYS, xrefs: 00F81B30
REMOVE, xrefs: 00F81B1F

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 0c1d12f28f63120b5ac3cf47632555074f47a0b531a43c4916252c07ec42c3b1
Instruction ID: 5701efc651b5f5dfeda2a0f6bf192e94cf2c558ba319c2bddf242e8323050bc0
Opcode Fuzzy Hash: 0c1d12f28f63120b5ac3cf47632555074f47a0b531a43c4916252c07ec42c3b1
Instruction Fuzzy Hash: 27117C709402089BCF00FF94E8519EEB7B4BF66314F1845A5D814A7292EB365906EB50

Function 00F9EB55 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00F9EC07
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00F9EC37
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00F9ED6A
CloseHandle.KERNEL32(?), ref: 00F9EDEB

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: f5a0e1ef781173378734dfd0a8c461158e97394e8b84040c5a979481a4868d2e
Instruction ID: fab3182f6e1f6f60fc93ffc1d5c4aecb511df2932eac4615fea95b6e35a06fd6
Opcode Fuzzy Hash: f5a0e1ef781173378734dfd0a8c461158e97394e8b84040c5a979481a4868d2e
Instruction Fuzzy Hash: EA8191716043109FEB20EF28DC46F6AB7E5AF88720F44881DF999DB2D2D6B4AC45DB41

Function 00FA0037 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F27DE1: _memmove.LIBCMT ref: 00F27E22

Part of subcall function 00FA0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F9FDAD,?,?), ref: 00FA0E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FA00FD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00FA013C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00FA0183
RegCloseKey.ADVAPI32(?,?), ref: 00FA01AF
RegCloseKey.ADVAPI32(00000000), ref: 00FA01BC

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: a3faae06603fbe315bb4943452ea8013f4ef85146c587eaab32199e674ed3ddf
Instruction ID: 1ed4382f5942010ac9f27ccddd8fb041c22a25d38ec2daeccd07bbdbf4ff0713
Opcode Fuzzy Hash: a3faae06603fbe315bb4943452ea8013f4ef85146c587eaab32199e674ed3ddf
Instruction Fuzzy Hash: C9518BB1608204AFC704EF54DC81EAAB7E8FF85314F44882DF5858B2A2DB35E904EB52

Function 00F9D8C8 Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00F29837: __itow.LIBCMT ref: 00F29862
Part of subcall function 00F29837: __swprintf.LIBCMT ref: 00F298AC

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00F9D927
GetProcAddress.KERNEL32(00000000,?), ref: 00F9D9AA
GetProcAddress.KERNEL32(00000000,00000000), ref: 00F9D9C6
GetProcAddress.KERNEL32(00000000,?), ref: 00F9DA07
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00F9DA21

Part of subcall function 00F25A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00F87896,?,?,00000000), ref: 00F25A2C
Part of subcall function 00F25A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00F87896,?,?,00000000,?,?), ref: 00F25A50

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 43fd892341d1ef3cb6069407d580c0e3c89d7ccf001e7a22eb5fbfd512c0b28c
Instruction ID: b1365bec6f55410e2099e6463412bd59f67c6f23f49a8d1bb9629e01b8e03315
Opcode Fuzzy Hash: 43fd892341d1ef3cb6069407d580c0e3c89d7ccf001e7a22eb5fbfd512c0b28c
Instruction Fuzzy Hash: 95514775A04219DFDB00EFA8D8849ADB7F4FF09320B148069E819AB312D738ED45EF90

Function 00F8E571 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00F8E61F
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00F8E648
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00F8E687

Part of subcall function 00F29837: __itow.LIBCMT ref: 00F29862
Part of subcall function 00F29837: __swprintf.LIBCMT ref: 00F298AC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00F8E6AC
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00F8E6B4

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: fb7729b21765cf6c62f3bd90c564979c489a85d93c6597b434ad3e04edf6a79d
Instruction ID: 36d453b8fdd715595c1366201928980099d81058b6c2ecec2aff31df61b633c1
Opcode Fuzzy Hash: fb7729b21765cf6c62f3bd90c564979c489a85d93c6597b434ad3e04edf6a79d
Instruction Fuzzy Hash: AB514D35A00115DFCB01EF64D981AADBBF5EF09314F1880A9E809AB361DB35ED11EF50

Function 00FAA056 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8013edf51351e6a96066b2cbef027b6e4625b78435a904a8c70d310eaab44dc
Instruction ID: c154fe19c996038c97c0501cb639403c39c9baf2c239483c9c5ecd49836ffa3f
Opcode Fuzzy Hash: b8013edf51351e6a96066b2cbef027b6e4625b78435a904a8c70d310eaab44dc
Instruction Fuzzy Hash: 5A41A4B5D04108BFD720DF64CC88FA9BBA4EB0B320F144165F815AB2E1C730AD59FA51

Function 00F22344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00F22357
ScreenToClient.USER32(00FE57B0,?), ref: 00F22374
GetAsyncKeyState.USER32(00000001), ref: 00F22399
GetAsyncKeyState.USER32(00000002), ref: 00F223A7

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 03eeb608a7a975ea889da3b0e983fbb509229fd206598f510b3381d0e9bc39bb
Instruction ID: 55da3c1d8a89361624433da7b53e62c58f306395f62b227250ff3d3168ad0df8
Opcode Fuzzy Hash: 03eeb608a7a975ea889da3b0e983fbb509229fd206598f510b3381d0e9bc39bb
Instruction Fuzzy Hash: FB416F75A04219FFCB159FA8CC44AE9BBB4BB05361F204319E92996290CB349D54EB91

Function 00F763AA Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F763E7
TranslateAcceleratorW.USER32(?,?,?), ref: 00F76433
TranslateMessage.USER32(?), ref: 00F7645C
DispatchMessageW.USER32(?), ref: 00F76466
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F76475

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 281225008972e8d6be106f3e92098f291b2ce5a09dc7e0f174af00b48644097d
Instruction ID: 48a19d36c35966f313cb6c1dc3376b61ff928d92765455f406802fac8b80d435
Opcode Fuzzy Hash: 281225008972e8d6be106f3e92098f291b2ce5a09dc7e0f174af00b48644097d
Instruction Fuzzy Hash: 6D31FD71D00A4AAFDB64CFB0CC84BB67BECAB01714F148177E519CA1A0D7359449F752

Function 00F78A1F Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00F78A30
PostMessageW.USER32(?,00000201,00000001), ref: 00F78ADA
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00F78AE2
PostMessageW.USER32(?,00000202,00000000), ref: 00F78AF0
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00F78AF8

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 3163225f899aaa3a7829e8befefa82c1f0bc60b35e5b68233ba2d9a05e963b2a
Instruction ID: 9ab63de986b8e7b20181fe23bdd1ecb9f0cbb91bfdffbe1ad63e61e56a86ed77
Opcode Fuzzy Hash: 3163225f899aaa3a7829e8befefa82c1f0bc60b35e5b68233ba2d9a05e963b2a
Instruction Fuzzy Hash: 07310471900219FBDF10CFA8DD4CA9E3BB5EB05325F10822AF829DB2D0C7749915EB91

Function 00F7B1EC Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00F7B204
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00F7B221
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00F7B259
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00F7B27F
_wcsstr.LIBCMT ref: 00F7B289

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: f58af661e7b9e1949093d3d8e5c51ebe0bd44a81b9429eac731514e13e2b84e5
Instruction ID: 5fe047d40d668d183b14150571c0a2c56ee0510b7f472fe0d5fc02605933e4c2
Opcode Fuzzy Hash: f58af661e7b9e1949093d3d8e5c51ebe0bd44a81b9429eac731514e13e2b84e5
Instruction Fuzzy Hash: B521F5726052057AEB165B759C09F7F7BA8DF4A720F00813AFC08DA162EF659C40F2A1

Function 00FAB14B Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00F22612: GetWindowLongW.USER32(?,000000EB), ref: 00F22623

GetWindowLongW.USER32(?,000000F0), ref: 00FAB192
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00FAB1B7
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00FAB1CF
GetSystemMetrics.USER32(00000004), ref: 00FAB1F8
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00F90E90,00000000), ref: 00FAB216

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 248cdddf89360a20ff4871075af275fd926346d247ba80e67412ca00b4415d59
Instruction ID: 97ad49956b959c311143c45644796477e05ffa57fc15fbe642d06abac2e5983f
Opcode Fuzzy Hash: 248cdddf89360a20ff4871075af275fd926346d247ba80e67412ca00b4415d59
Instruction Fuzzy Hash: 222180B1910265AFCB109F78DC54B6A3BA4EB06731F144729B922D71E1E7309960EB90

Function 00F79307 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00F79320

Part of subcall function 00F27BCC: _memmove.LIBCMT ref: 00F27C06

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00F79352
__itow.LIBCMT ref: 00F7936A
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00F79392
__itow.LIBCMT ref: 00F793A3

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: a3d046e68251f8c2e2fa4805aadf4e6c7f0b94f32f8516c0a23d4682c19bf41d
Instruction ID: 53e0931bc758a572ac4782eed998044a38ebadf8565bd6b5644318a03c950af4
Opcode Fuzzy Hash: a3d046e68251f8c2e2fa4805aadf4e6c7f0b94f32f8516c0a23d4682c19bf41d
Instruction Fuzzy Hash: 08210A31B052086BDB10AEA09C85EEE3BADEB49720F048026FD08DB2D0D6F0DD45B793

Function 00F95A4D Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00F95A6E
GetForegroundWindow.USER32 ref: 00F95A85
GetDC.USER32(00000000), ref: 00F95AC1
GetPixel.GDI32(00000000,?,00000003), ref: 00F95ACD
ReleaseDC.USER32(00000000,00000003), ref: 00F95B08

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: c987a485663d52187dfcf9c882c10b3bf4577ce896446aba618248c8ff354960
Instruction ID: 55c4722fe00bcfb79802eb0edba3fbd99ee899206d6957c954aaf4970e43e36b
Opcode Fuzzy Hash: c987a485663d52187dfcf9c882c10b3bf4577ce896446aba618248c8ff354960
Instruction Fuzzy Hash: 9B21C375A00108AFDB14EFA4DC84A9ABBF5EF49350F148079F809DB362CA74AD05EB90

Function 00F212F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F2134D
SelectObject.GDI32(?,00000000), ref: 00F2135C
BeginPath.GDI32(?), ref: 00F21373
SelectObject.GDI32(?,00000000), ref: 00F2139C

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 5abcdf99c9f21b267ff8754a7a5017209d7490d33a2eb864d89c85fafaa13628
Instruction ID: 16d374ffbec65feb4c794c6394cbc89a8376bc2b52b7cfe7c230323606f36474
Opcode Fuzzy Hash: 5abcdf99c9f21b267ff8754a7a5017209d7490d33a2eb864d89c85fafaa13628
Instruction Fuzzy Hash: 0721897080065CEBDB10CF65EC847693BA9FB10B2AF148226E8109E1B0D3B19E95FF94

Function 00F84A93 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00F84ABA
__beginthreadex.LIBCMT ref: 00F84AD8
MessageBoxW.USER32(?,?,?,?), ref: 00F84AED
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00F84B03
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00F84B0A

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: ea47997dad2824e7c26774a38c21874df90b2bb060f5cd8b0eb3e434b1feea98
Instruction ID: 16bf2ae4209b4b12694b9c3bdc48d879d2fd498864e9a6a81e2bcab26bc37e04
Opcode Fuzzy Hash: ea47997dad2824e7c26774a38c21874df90b2bb060f5cd8b0eb3e434b1feea98
Instruction Fuzzy Hash: D21144B690424DBBCB00AFA8EC48ADB7FACEB85324F144269F914D7250D675D904ABA0

Function 00F78202 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00F7821E
GetLastError.KERNEL32(?,00F77CE2,?,?,?), ref: 00F78228
GetProcessHeap.KERNEL32(00000008,?,?,00F77CE2,?,?,?), ref: 00F78237
HeapAlloc.KERNEL32(00000000,?,00F77CE2,?,?,?), ref: 00F7823E
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00F78255

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 8b4e3990f89a73a339dc6c737763b58cbe673c4b6eb6e67f3aa8b60a09dda2e9
Instruction ID: 3eb07270f92aeac188a9335d8667f6e6ac98ca6894b8d45efc0289c339f81902
Opcode Fuzzy Hash: 8b4e3990f89a73a339dc6c737763b58cbe673c4b6eb6e67f3aa8b60a09dda2e9
Instruction Fuzzy Hash: 3B0162B1740208BFDB204FA5DC4CD677B6DEF867A57504469F809C6220DA318C05EA61

Function 00F7710A Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F77044,80070057,?,?,?,00F77455), ref: 00F77127
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F77044,80070057,?,?), ref: 00F77142
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F77044,80070057,?,?), ref: 00F77150
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F77044,80070057,?), ref: 00F77160
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F77044,80070057,?,?), ref: 00F7716C

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 520a1965b1df729776388e2a7dee7350d80f229835d3edbd76a1e6193645c0ae
Instruction ID: 44d43f4a74e08fffef21a67188329a330dfe22945be68e9d77b9ff2f3f2cd24b
Opcode Fuzzy Hash: 520a1965b1df729776388e2a7dee7350d80f229835d3edbd76a1e6193645c0ae
Instruction Fuzzy Hash: 3A01D4B6610308BBCB105F64DC44BAA7BADEF49761F144175FD08D6220D7B1DD00A7A0

Function 00F85244 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00F85260
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00F8526E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00F85276
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00F85280
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00F852BC

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 63d3f1c478bb6233b4f2c2d2e2834a91e4f6e61cda9b7994a4824017cb7c75c4
Instruction ID: b2c6adfaad52a32fcc81814806793463236b4cdf9ab1c08e39d449dfa0418857
Opcode Fuzzy Hash: 63d3f1c478bb6233b4f2c2d2e2834a91e4f6e61cda9b7994a4824017cb7c75c4
Instruction Fuzzy Hash: 2E011B71D01A1DDBCF00EFE4DC49AEDBB78BB09B11F400555E981B6141CF305554ABA1

Function 00F7810A Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00F78121
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00F7812B
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F7813A
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00F78141
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F78157

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 51b754d05d1aca093e0de4318965bd144396a8c2d5b5ddcbd408bfc2a6265ffe
Instruction ID: 09b83753a14c66ac3f151073b7821472737d595c28cfc189a5f4300f33429ba6
Opcode Fuzzy Hash: 51b754d05d1aca093e0de4318965bd144396a8c2d5b5ddcbd408bfc2a6265ffe
Instruction Fuzzy Hash: 9AF068B1740308AFDB110FA5DC8CE673BADFF467A5B404036F549C6150CFA19D46EA61

Function 00F7C1E3 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00F7C1F7
GetWindowTextW.USER32(00000000,?,00000100), ref: 00F7C20E
MessageBeep.USER32(00000000), ref: 00F7C226
KillTimer.USER32(?,0000040A), ref: 00F7C242
EndDialog.USER32(?,00000001), ref: 00F7C25C

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 7b3659c309ad96a6a4553dbe9dd0c0f5a87301f733e766e65083ed65721b3c4a
Instruction ID: ad0402eb5eb82c43f9385398ef36d75864a4619f9e06ebcf08960229853affab
Opcode Fuzzy Hash: 7b3659c309ad96a6a4553dbe9dd0c0f5a87301f733e766e65083ed65721b3c4a
Instruction Fuzzy Hash: 7401A770804308ABEB205B90ED4EB967778BF01706F00426EE586A55E1DBE46948EB91

Function 00F213B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00F213BF
StrokeAndFillPath.GDI32(?,?,00F5B888,00000000,?), ref: 00F213DB
SelectObject.GDI32(?,00000000), ref: 00F213EE
DeleteObject.GDI32 ref: 00F21401
StrokePath.GDI32(?), ref: 00F2141C

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 42c5ffe31d1d4b086453242cadd75a429bdb6b344d9a375404f68e2b66df1948
Instruction ID: cd78694be74e5dd89f82599ab9094217e66c48e1c465e1310a35e91027aa2ddb
Opcode Fuzzy Hash: 42c5ffe31d1d4b086453242cadd75a429bdb6b344d9a375404f68e2b66df1948
Instruction Fuzzy Hash: 2BF0C970004A4CEBDB159F66EC8C7593BA5BB1272AF08C224E4698D0F1C7714A99FF54

Function 00F8C397 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00F8C432
CoCreateInstance.OLE32(00FB2D6C,00000000,00000001,00FB2BDC,?), ref: 00F8C44A

Part of subcall function 00F27DE1: _memmove.LIBCMT ref: 00F27E22

CoUninitialize.OLE32 ref: 00F8C6B7

Strings

.lnk, xrefs: 00F8C3C6, 00F8C3EE, 00F8C3F8

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 610ea01cc1d456c3b4445c8d6147eff97f28d53dabad3c67db97616f9e643c9f
Instruction ID: d05db844ccce76df07cf2697484a3f29164cd7cb28886d36d6b719c213926335
Opcode Fuzzy Hash: 610ea01cc1d456c3b4445c8d6147eff97f28d53dabad3c67db97616f9e643c9f
Instruction Fuzzy Hash: 95A15CB1108205AFD300EF54DC81EABB7E8FF85354F40492CF5558B1A2EBB5EA49DB62

Function 00F32CFB Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00F40DB6: std::exception::exception.LIBCMT ref: 00F40DEC
Part of subcall function 00F40DB6: __CxxThrowException@8.LIBCMT ref: 00F40E01

Part of subcall function 00F27DE1: _memmove.LIBCMT ref: 00F27E22

Part of subcall function 00F27A51: _memmove.LIBCMT ref: 00F27AAB

__swprintf.LIBCMT ref: 00F32ECD

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00F32D66

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: caee31dac6a75a23b8d8b407a2898eba3f806d1fc76d449f3da990ab6c34853e
Instruction ID: fbc0542f10b1c0cc89138c26c4fbf18b59fad599227f0f8722d3546506e147ea
Opcode Fuzzy Hash: caee31dac6a75a23b8d8b407a2898eba3f806d1fc76d449f3da990ab6c34853e
Instruction Fuzzy Hash: E4915C715083119FC714EF24DC86D6EB7B8EF85720F00491DF9569B2A2DA38ED44EB52

Function 00F8B93B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00F24750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F24743,?,?,00F237AE,?), ref: 00F24770

CoInitialize.OLE32(00000000), ref: 00F8B9BB
CoCreateInstance.OLE32(00FB2D6C,00000000,00000001,00FB2BDC,?), ref: 00F8B9D4
CoUninitialize.OLE32 ref: 00F8B9F1

Part of subcall function 00F29837: __itow.LIBCMT ref: 00F29862
Part of subcall function 00F29837: __swprintf.LIBCMT ref: 00F298AC

Strings

.lnk, xrefs: 00F8B99D, 00F8B9AB

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: e01735b5b0f4dcb7691320628869b4ecd8cf6f4643760484f7eb1a0386b0b9ba
Instruction ID: b4359e0f6554cdfeeaca58235e13aa24d157137c1b768155788c43da636baa41
Opcode Fuzzy Hash: e01735b5b0f4dcb7691320628869b4ecd8cf6f4643760484f7eb1a0386b0b9ba
Instruction Fuzzy Hash: 2EA178756043159FCB04EF14C884DAABBE5FF89324F048998F8999B3A2CB35EC45DB91

Function 00F4501D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00F450AD

Part of subcall function 00F500F0: __87except.LIBCMT ref: 00F5012B

Strings

pow, xrefs: 00F45085, 00F450A2

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: bc9fb46aca21e634668567b9ad82e03636cbcb2b52a5874886d869203f4715b5
Instruction ID: ca113419b4c6e3209e71b2c1ae8445d4734f59dab8527d8a2ea7e9cca4b0eb73
Opcode Fuzzy Hash: bc9fb46aca21e634668567b9ad82e03636cbcb2b52a5874886d869203f4715b5
Instruction Fuzzy Hash: 84515C65D0CA0687DB117728CC4536E3F909B81B21F208D59EDD5862ABDE388DCCBA86

Function 00F36192 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F36248
_memmove.LIBCMT ref: 00F362E4
_memset.LIBCMT ref: 00F36308

Strings

ERCP, xrefs: 00F361B3

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: 510f58c946de3ee107eab1de51a3c4455db006a288b9f4d2e02817764c922518
Instruction ID: cc687c5b5a326a9a28da588b5e31100a6aaeae0a7da8779a9402e56eb37159b8
Opcode Fuzzy Hash: 510f58c946de3ee107eab1de51a3c4455db006a288b9f4d2e02817764c922518
Instruction Fuzzy Hash: A951A171900705EBDB24CF95C841BABBBF5AF04324F20856EE94ACB241EB74E950EB41

Function 00F797F5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F814BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00F79296,?,?,00000034,00000800,?,00000034), ref: 00F814E6

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00F7983F

Part of subcall function 00F81487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00F792C5,?,?,00000800,?,00001073,00000000,?,?), ref: 00F814B1

Part of subcall function 00F813DE: GetWindowThreadProcessId.USER32(?,?), ref: 00F81409
Part of subcall function 00F813DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00F7925A,00000034,?,?,00001004,00000000,00000000), ref: 00F81419
Part of subcall function 00F813DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00F7925A,00000034,?,?,00001004,00000000,00000000), ref: 00F8142F

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00F798AC
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00F798F9

Strings

@, xrefs: 00F79911

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: ce4221f84ac8fed2043beb9de1d6617cc90118557e02a10571a25727dee57eee
Instruction ID: 992734feaf54aa83a4ab9f603d85245652517c4415feb62361f11d86aaf1b734
Opcode Fuzzy Hash: ce4221f84ac8fed2043beb9de1d6617cc90118557e02a10571a25727dee57eee
Instruction Fuzzy Hash: 3541507690021CBFDB10EFA4CC41ADEBBB8EB09310F104159FA45B7141DA746E45DBA1

Function 00FA7946 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00FAF910,00000000,?,?,?,?), ref: 00FA79DF
GetWindowLongW.USER32 ref: 00FA79FC
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00FA7A0C

Strings

SysTreeView32, xrefs: 00FA79B1

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: fe7261b9f521216f285b8c702d915ed535c8e365ed4d21af3c7caaaa11ff2b2b
Instruction ID: df4003da677d0177fa05374d0643c1fc0f77040be0e03e51fe0609180a5e0852
Opcode Fuzzy Hash: fe7261b9f521216f285b8c702d915ed535c8e365ed4d21af3c7caaaa11ff2b2b
Instruction Fuzzy Hash: 7431BDB160420AABDB119E78DC41FEB77A9EB0A334F248725F875922E0D735ED50AB50

Function 00FA73D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00FA7461
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00FA7475
SendMessageW.USER32(?,00001002,00000000,?), ref: 00FA7499

Strings

SysMonthCal32, xrefs: 00FA742C

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 7b462b9260f3013792fa8875613b97d7fcbb9d8bc8f17ad6922d9ea416262c9b
Instruction ID: f5948ceada702d964929c070c1c72075e2bd5bdb5be6db5f6f31c1dbe5c8d4a2
Opcode Fuzzy Hash: 7b462b9260f3013792fa8875613b97d7fcbb9d8bc8f17ad6922d9ea416262c9b
Instruction Fuzzy Hash: 7421BF72500218ABDF11DEA4CC42FEA3B7AEB4D724F110214FE156B190DAB5AC51ABA0

Function 00FA7B93 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00FA7C4A
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00FA7C58
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00FA7C5F

Strings

msctls_updown32, xrefs: 00FA7BC4

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 602207b6867f693265d15f0fb407722ae97c77da967a9c610af92902c4ac6fdf
Instruction ID: c3691cab7a57c218a55d4f28bbc1331cb8e2a1d0cdd30cfa824efce181d5e137
Opcode Fuzzy Hash: 602207b6867f693265d15f0fb407722ae97c77da967a9c610af92902c4ac6fdf
Instruction Fuzzy Hash: 5B215EF5604208AFDB11EF64DCC1DA737EDEF5A7A4B140059FA019B3A1CB71EC11AAA0

Function 00FA6CB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00FA6D3B
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00FA6D4B
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00FA6D70

Strings

Listbox, xrefs: 00FA6D08

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: c80548eb55ef80e8d3997f65e3d7870b7a44cb21f97440da6b76bfe1210ba0cb
Instruction ID: 35be8536c6c899745469920f66f638449325d8df7af8be7ed3673c7736eaf9ca
Opcode Fuzzy Hash: c80548eb55ef80e8d3997f65e3d7870b7a44cb21f97440da6b76bfe1210ba0cb
Instruction Fuzzy Hash: 1F21C672A10118BFDF118F54DC45FBB3BBAEF8A774F058124FA459B1A0CA719C51ABA0

Function 00FA770E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00FA7772
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00FA7787
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00FA7794

Strings

msctls_trackbar32, xrefs: 00FA7749

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 00b58b3b6f80aa8971a4167f51ab6fcad76a8c9dd637b6d83c9a9ad08f4321a9
Instruction ID: 0073fdb8bc561fce929f8f6182d78a4c8e5b4ea89d94614cb0ccb80392acb67d
Opcode Fuzzy Hash: 00b58b3b6f80aa8971a4167f51ab6fcad76a8c9dd637b6d83c9a9ad08f4321a9
Instruction Fuzzy Hash: 29113AB2614308BFEF106F70CC01FD77769EF89B64F010118F64196090C671E811EB20

Function 00F24C36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00F24B83,?), ref: 00F24C44
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00F24C56

Strings

kernel32.dll, xrefs: 00F24C3F
Wow64RevertWow64FsRedirection, xrefs: 00F24C50

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 909ec9ce0c21d84bd70d24ea759c13af11fed956c4ea6ff16037626ebdbac594
Instruction ID: 0793416f21003dde1f2b11ba8e772d42dcd96be1837655b4875881e1307a2ab3
Opcode Fuzzy Hash: 909ec9ce0c21d84bd70d24ea759c13af11fed956c4ea6ff16037626ebdbac594
Instruction Fuzzy Hash: 34D02B70910723CFC7205F75E80820673E4EF02355B14C83ED4E2DA160E7B0D480E610

Function 00F24C03 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00F24BD0,?,00F24DEF,?,00FE52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00F24C11
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00F24C23

Strings

Wow64DisableWow64FsRedirection, xrefs: 00F24C1D
kernel32.dll, xrefs: 00F24C0C

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 5729efc2592e6fc092749c60ec399ba3de1dec7227e24bf716921a32a7e4eb1c
Instruction ID: a8042efbf00b2ed7b048fb44743f6d95fe6cc2777be77f583f416f33ea86afec
Opcode Fuzzy Hash: 5729efc2592e6fc092749c60ec399ba3de1dec7227e24bf716921a32a7e4eb1c
Instruction Fuzzy Hash: 7CD0C270910723CFC720AFB4EC08206B6E5EF0A356B048C3AD481CA250E6B0D480E611

Function 00FA0DE7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00FA1039), ref: 00FA0DF5
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00FA0E07

Strings

RegDeleteKeyExW, xrefs: 00FA0E01
advapi32.dll, xrefs: 00FA0DF0

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 0982f2332d42f5e27c7fe35f347e908cc99f2cd0d4630b8e45a514c68d8f93a4
Instruction ID: f150622d1d7850b8863d4181dcea62db6b9c476d5d221286185259f95ae0191b
Opcode Fuzzy Hash: 0982f2332d42f5e27c7fe35f347e908cc99f2cd0d4630b8e45a514c68d8f93a4
Instruction Fuzzy Hash: A1D0C2B0850316CFC3205FB0E84834272D5AF12351F088C3ED481C6250DAB0D490E600

Function 00F990E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00F98CF4,?,00FAF910), ref: 00F990EE
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00F99100

Strings

kernel32.dll, xrefs: 00F990E9
GetModuleHandleExW, xrefs: 00F990FA

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 74bf1d99a1432ef64fc40322368946b0fa09d18bc138cdcb00f1387e1605a1c0
Instruction ID: 11ff92075948252936c8a0893d726080d359c08101547c69fee449b5b9e614d9
Opcode Fuzzy Hash: 74bf1d99a1432ef64fc40322368946b0fa09d18bc138cdcb00f1387e1605a1c0
Instruction Fuzzy Hash: 51D0C274910313CFDB209F75C80810272E4AF02392B068C3ED482CA150E6B0C4C0EA90

Function 00F61714 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00F61718
__swprintf.LIBCMT ref: 00F61749

Strings

%.3d, xrefs: 00F61723
WIN_XPe, xrefs: 00F61788

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 326f64afaca9dd769c2ce7e69c14ccc4f7f4bb504a836d6a2e856c64c73fde32
Instruction ID: cc89177936835a4705ff7a7d169e3a942afd22d4f99f8c147cdae9f120d3e224
Opcode Fuzzy Hash: 326f64afaca9dd769c2ce7e69c14ccc4f7f4bb504a836d6a2e856c64c73fde32
Instruction Fuzzy Hash: D0D01273804119EAC7009A909C88EB9777CBB09301F180462F806D2040E2259758FA21

Function 00F7717D Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6a2e53310905a1db7fc60f55070bd2f2cf4e16dde5e4426d3587a42eb2f9107
Instruction ID: 7d33c40a4be362e6ad393175de36e88f2efb41b012ebd7e963ae6889ab0586a4
Opcode Fuzzy Hash: a6a2e53310905a1db7fc60f55070bd2f2cf4e16dde5e4426d3587a42eb2f9107
Instruction Fuzzy Hash: ABC19175A14316EFCB14DFA4C884EAEBBB5FF48314B10859AE809EB251D730DD41EB91

Function 00F9E02A Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00F9E0BE
CharLowerBuffW.USER32(?,?), ref: 00F9E101

Part of subcall function 00F9D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00F9D7C5

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00F9E301
_memmove.LIBCMT ref: 00F9E314

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 27a9f66d70b6f0c242abbf5b7004d6586a9687c00403fc5129e6026a35acf476
Instruction ID: 9514d495883d9b6fb9270af797e8c4a92eb4eba35f3ca293095239c10a471f47
Opcode Fuzzy Hash: 27a9f66d70b6f0c242abbf5b7004d6586a9687c00403fc5129e6026a35acf476
Instruction Fuzzy Hash: 21C18C71A08311DFDB04DF28C880A6ABBE4FF89714F04896DF9999B351D731E945DB82

Function 00F98093 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00F980C3
CoUninitialize.OLE32 ref: 00F980CE

Part of subcall function 00F7D56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00F7D5D4

VariantInit.OLEAUT32(?), ref: 00F980D9
VariantClear.OLEAUT32(?), ref: 00F983AA

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: bbaf5f5612532ff162a41282e28a6812dad03f75226d80bced187193d4859cc9
Instruction ID: d97edc61045947504436427ec6ebb613e291823e697c8dae4b23827b81214442
Opcode Fuzzy Hash: bbaf5f5612532ff162a41282e28a6812dad03f75226d80bced187193d4859cc9
Instruction Fuzzy Hash: 85A18C756087119FDB00DF64C881B6AB7E4BF8A364F08440CF9969B3A1CB78EC45EB46

Function 00F77530 Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00FB2C7C,?), ref: 00F776EA
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00FB2C7C,?), ref: 00F77702
CLSIDFromProgID.OLE32(?,?,00000000,00FAFB80,000000FF,?,00000000,00000800,00000000,?,00FB2C7C,?), ref: 00F77727
_memcmp.LIBCMT ref: 00F77748

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 0d40b0737f3afecc771d22219fe7374c437ad80b6e8cdd6cd214e92b75ba1c24
Instruction ID: 2c7a3c802daf88733910b53d5d04ed392bb640a7d636aeb6f2532867981ec3cc
Opcode Fuzzy Hash: 0d40b0737f3afecc771d22219fe7374c437ad80b6e8cdd6cd214e92b75ba1c24
Instruction Fuzzy Hash: 7D814C71A10209EFCB04DFE4C984EEEB7B9FF89315F208159E505AB250DB71AE06DB61

Function 00F7687D Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00F7688E
SysAllocString.OLEAUT32(00000000), ref: 00F76937
VariantCopy.OLEAUT32 ref: 00F76966
VariantClear.OLEAUT32(?), ref: 00F7698D

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 9f81f6c74d4a6382d412b31b83c7c815c28d226fc76cbb3a86cfb3cdb1408f04
Instruction ID: 8fec56331a512d77c8bef979fc41c2659fd7a696a4c76b2a0d419628ab210a24
Opcode Fuzzy Hash: 9f81f6c74d4a6382d412b31b83c7c815c28d226fc76cbb3a86cfb3cdb1408f04
Instruction Fuzzy Hash: 8F51E775B04B019ADB20EF65D891B2AB3E5AF45310F20C81FE58EDB291DE78D840A702

Function 00FA97F4 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(012FEAE8,?), ref: 00FA9863
ScreenToClient.USER32(00000002,00000002), ref: 00FA9896
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00FA9903

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: bc423f116bbfc2cad54c01f873bcb594c3ca9129829c77ce19fd5e2e88bb322a
Instruction ID: ce72264e3f93baffb93463fe239dfe0fd8d1098de2d716a9ba319d0ec795fef6
Opcode Fuzzy Hash: bc423f116bbfc2cad54c01f873bcb594c3ca9129829c77ce19fd5e2e88bb322a
Instruction Fuzzy Hash: 88514074E04209EFCF10CF54C884AAE7BB5FF56360F548169F9659B2A0D770AD41EB90

Function 00F79A80 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00F79AD2
__itow.LIBCMT ref: 00F79B03

Part of subcall function 00F79D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00F79DBE

SendMessageW.USER32(?,0000110A,00000001,?), ref: 00F79B6C
__itow.LIBCMT ref: 00F79BC3

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: ddeb1d00a55aef9b5c21a444b367ed03e33094be1e0f2cfcea6bda5a73107663
Instruction ID: 22ed019322953054411b49f10a4cf13d1482436565ea141339956317747e3a46
Opcode Fuzzy Hash: ddeb1d00a55aef9b5c21a444b367ed03e33094be1e0f2cfcea6bda5a73107663
Instruction Fuzzy Hash: 5A41B570A04318ABDF11EF54DC45FEE7BB9EF85720F00405AF909A7291DBB49A44EB92

Function 00F969AA Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00F969D1
WSAGetLastError.WSOCK32(00000000), ref: 00F969E1

Part of subcall function 00F29837: __itow.LIBCMT ref: 00F29862
Part of subcall function 00F29837: __swprintf.LIBCMT ref: 00F298AC

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00F96A45
WSAGetLastError.WSOCK32(00000000), ref: 00F96A51

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 133f0181b4dd3bebe68f055ddcd1ab97793e2ad30a1d22d3a97099c8d1c0ddd2
Instruction ID: 29580e50436a5320ba35d5eca8ed0f3f005047c3ec4ace797e3209266589ea87
Opcode Fuzzy Hash: 133f0181b4dd3bebe68f055ddcd1ab97793e2ad30a1d22d3a97099c8d1c0ddd2
Instruction Fuzzy Hash: 6C41B175740210AFEB60AF64DC86F7A77A49F05B14F44801CFA59EF2C2DAB89D01AB91

Function 00F9641A Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00FAF910), ref: 00F964A7
_strlen.LIBCMT ref: 00F964D9

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 1a1aef896c900b9253561b9043c23d4b835298c5a99c31b44f595fa37533707f
Instruction ID: b7703abe150ba9e3d780d0b6c569b89679ab2feb956ba67ea78892ddc9ad4ca5
Opcode Fuzzy Hash: 1a1aef896c900b9253561b9043c23d4b835298c5a99c31b44f595fa37533707f
Instruction Fuzzy Hash: 9241B571904214ABDF14EBA8EC85FAEB7A8AF44310F158159F819DB292DB38ED44EB50

Function 00F8B7F4 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00F8B89E
GetLastError.KERNEL32(?,00000000), ref: 00F8B8C4
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00F8B8E9
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00F8B915

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: ae76bacc2028e3665822d0348125349c9ef6f8194702570e9e753f17d70b29fa
Instruction ID: 6e89a831f7219338bd59bbd04b14c4d52f573518b6ff1ac06ff2ff51af73ec86
Opcode Fuzzy Hash: ae76bacc2028e3665822d0348125349c9ef6f8194702570e9e753f17d70b29fa
Instruction Fuzzy Hash: 1D412D35A00514DFCB10EF55D844A99BBE1EF4A320F498098EC4A9F362CB78FD01EB95

Function 00FA8851 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00FA88DE

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: ab1bd9e56eae26a9f66a356804106cdca880ceeccfc9b32c6f833c369ce1a08b
Instruction ID: e424870119299917ec6905e55e7a32fa3817244d91d375d05fc9cba25129bfc9
Opcode Fuzzy Hash: ab1bd9e56eae26a9f66a356804106cdca880ceeccfc9b32c6f833c369ce1a08b
Instruction Fuzzy Hash: D831D6B4A40108AFEB209E54CC45BBA77B5EB0B7A0F544112FA51E62A1CEB4E942B752

Function 00FAAB37 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00FAAB60
GetWindowRect.USER32(?,?), ref: 00FAABD6
PtInRect.USER32(?,?,00FAC014), ref: 00FAABE6
MessageBeep.USER32(00000000), ref: 00FAAC57

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 11f4030ec9613d6c94f7b341a6610f4c94789eafdf27b2e17a84e1f5a003fe6d
Instruction ID: d555ff9b1a40eb23bcef0e33d643b7ab98a38ea26ccf920b6828d94f15f02c49
Opcode Fuzzy Hash: 11f4030ec9613d6c94f7b341a6610f4c94789eafdf27b2e17a84e1f5a003fe6d
Instruction Fuzzy Hash: FD419FB0A00219DFDB11DF58C884B697BF5FF4A760F1880A9E8159F364D730E949EB92

Function 00F80AD6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00F80B27
SetKeyboardState.USER32(00000080,?,00000001), ref: 00F80B43
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00F80BA9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00F80BFB

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: b5dccc8fe248206e0ccf583ed53f5fba49504e3dbefef8ed1363653549dd3656
Instruction ID: 678e2ee8673d94987136379ee02783e0866624c17b7b60e8592960772ec60f8b
Opcode Fuzzy Hash: b5dccc8fe248206e0ccf583ed53f5fba49504e3dbefef8ed1363653549dd3656
Instruction Fuzzy Hash: A3314B70D40208AEFF70AB658C09BF9BBA5AB85334F88435AE491D21D1CB78894CB752

Function 00F80C11 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 00F80C66
SetKeyboardState.USER32(00000080,?,00008000), ref: 00F80C82
PostMessageW.USER32(00000000,00000101,00000000), ref: 00F80CE1
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 00F80D33

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 73db30d4206c98d72443f7561eab55f157a5af2fa449382a6b8263240097ade6
Instruction ID: 61d56baf3fcf8b18bbcc888c508b313f8c9b1160d61bf538626664b1ee57a18d
Opcode Fuzzy Hash: 73db30d4206c98d72443f7561eab55f157a5af2fa449382a6b8263240097ade6
Instruction Fuzzy Hash: 68314B71E002185EFF70AFA5CC047FEBB65AB46330F84431AE485511D1CB39594DB752

Function 00F561C5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00F561FB
__isleadbyte_l.LIBCMT ref: 00F56229
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00F56257
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00F5628D

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 3dde6ca2ecdd9b558a8616a3aa234d6bb42fa402a70bdf4256f7a9f08ee20965
Instruction ID: 1f2f2aa0386d5ea012beec756d4c9f6a806df3911f67703ef351a4ffa462c6c4
Opcode Fuzzy Hash: 3dde6ca2ecdd9b558a8616a3aa234d6bb42fa402a70bdf4256f7a9f08ee20965
Instruction Fuzzy Hash: 1331BC31A04246AFDF218F65CC44BBA7FA9BF42322F554128ED64C71A1DB30E958EB90

Function 00FA4EEE Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00FA4F02

Part of subcall function 00F83641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00F8365B
Part of subcall function 00F83641: GetCurrentThreadId.KERNEL32 ref: 00F83662
Part of subcall function 00F83641: AttachThreadInput.USER32(00000000,?,00F85005), ref: 00F83669

GetCaretPos.USER32(?), ref: 00FA4F13
ClientToScreen.USER32(00000000,?), ref: 00FA4F4E
GetForegroundWindow.USER32 ref: 00FA4F54

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 94767e9029481ddb20680769ad906a1ee048b7b2651f00201b1157f040e57988
Instruction ID: 0cd2f6afb7d7c5d7542d791e358c90bf56f91f769d1172a61fdc4d11f8345138
Opcode Fuzzy Hash: 94767e9029481ddb20680769ad906a1ee048b7b2651f00201b1157f040e57988
Instruction Fuzzy Hash: 87312FB1D00118AFDB00EFA5DC85DEFB7F9EF89300F11446AE415E7241DA759E059BA0

Function 00FAC498 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F22612: GetWindowLongW.USER32(?,000000EB), ref: 00F22623

GetCursorPos.USER32(?), ref: 00FAC4D2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00F5B9AB,?,?,?,?,?), ref: 00FAC4E7
GetCursorPos.USER32(?), ref: 00FAC534
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00F5B9AB,?,?,?), ref: 00FAC56E

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: bbdf7ec4d431e3c58cc53e209d93cf38fcfdc0dc9189899a72a45eff945bc846
Instruction ID: 92f22419fc053335787fa69da7d7f74a83b0f0de2e24229bfada9f7e135fcaf6
Opcode Fuzzy Hash: bbdf7ec4d431e3c58cc53e209d93cf38fcfdc0dc9189899a72a45eff945bc846
Instruction Fuzzy Hash: C331647990045CEFCB15CF98C854EAA7BB9EF4A720F484155F9058B261C7316950EBE4

Function 00F78656 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F7810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00F78121
Part of subcall function 00F7810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00F7812B
Part of subcall function 00F7810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F7813A
Part of subcall function 00F7810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00F78141
Part of subcall function 00F7810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F78157

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00F786A3
_memcmp.LIBCMT ref: 00F786C6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F786FC
HeapFree.KERNEL32(00000000), ref: 00F78703

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: db731bd56e65c8fab7b53a4d288686694ae4e3d64bacdace511c1a0cfbbff42f
Instruction ID: bf59b5ce63e464be5d45f87530f231196434dd4d40c2d640cad48311b0785f68
Opcode Fuzzy Hash: db731bd56e65c8fab7b53a4d288686694ae4e3d64bacdace511c1a0cfbbff42f
Instruction Fuzzy Hash: 53217C71E80108EFDB10DFA4CD49BEEB7B8EF45354F15805AE448AB241DB30AE06EB61

Function 00F4098C Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00F409AE

Part of subcall function 00F25A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00F87896,?,?,00000000), ref: 00F25A2C
Part of subcall function 00F25A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00F87896,?,?,00000000,?,?), ref: 00F25A50

_fprintf.LIBCMT ref: 00F409E5
OutputDebugStringW.KERNEL32(?), ref: 00F75DBB

Part of subcall function 00F44AAA: _flsall.LIBCMT ref: 00F44AC3

__setmode.LIBCMT ref: 00F40A1A

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 01c3f94efa83d852090ceded5b7e7f11abe9dc1be00994b4b70782c5c30014b9
Instruction ID: e76af4a3eaa2a906bffce0a5f07e339eeed58b711aa5f547181b5a08687ed6fc
Opcode Fuzzy Hash: 01c3f94efa83d852090ceded5b7e7f11abe9dc1be00994b4b70782c5c30014b9
Instruction Fuzzy Hash: D8113A329082046FDB04B7B4AC47AFE7FA89F46320F64401AF60467282EE7C6C4677A5

Function 00F91767 Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00F917A3

Part of subcall function 00F9182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00F9184C
Part of subcall function 00F9182D: InternetCloseHandle.WININET(00000000), ref: 00F918E9

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 81a90a63797da56b0a4aca514d55d8f46a3114f232f53a666ebca6a40415eb6f
Instruction ID: ce70619e4cbcf188cf00be56e73e8b4dab430de64987a7cf4348e1b87b610501
Opcode Fuzzy Hash: 81a90a63797da56b0a4aca514d55d8f46a3114f232f53a666ebca6a40415eb6f
Instruction Fuzzy Hash: 1121A172600606BFFF169FA0DC41FBABBA9FF49710F10443AFA1196650DB759811BBA0

Function 00F83A2A Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00FAFAC0), ref: 00F83A64
GetLastError.KERNEL32 ref: 00F83A73
CreateDirectoryW.KERNEL32(?,00000000), ref: 00F83A82
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00FAFAC0), ref: 00F83ADF

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: f0e2357baaf27dbb0bbf2bc87dfe4786c1fe798160792a35d212c7d87cb2a1d0
Instruction ID: d645830b61fa62384326b6dbb2b22e1cc0237e9b2e127bcb3bea9abfdb656b1f
Opcode Fuzzy Hash: f0e2357baaf27dbb0bbf2bc87dfe4786c1fe798160792a35d212c7d87cb2a1d0
Instruction Fuzzy Hash: 1121D3785083058FC714FF28D8818AA77E4AE56764F104A2DF499C72A1D735DE4AEB42

Function 00F7DCBE Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00F7F0BC: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00F7DCD3,?,?,?,00F7EAC6,00000000,000000EF,00000119,?,?), ref: 00F7F0CB
Part of subcall function 00F7F0BC: lstrcpyW.KERNEL32(00000000,?,?,00F7DCD3,?,?,?,00F7EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00F7F0F1
Part of subcall function 00F7F0BC: lstrcmpiW.KERNEL32(00000000,?,00F7DCD3,?,?,?,00F7EAC6,00000000,000000EF,00000119,?,?), ref: 00F7F122

lstrlenW.KERNEL32(?,00000002,?,?,?,?,00F7EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00F7DCEC
lstrcpyW.KERNEL32(00000000,?,?,00F7EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00F7DD12
lstrcmpiW.KERNEL32(00000002,cdecl,?,00F7EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00F7DD46

Strings

cdecl, xrefs: 00F7DD3D

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 23fb7af707fd3a4f20262b9f81af9920e29667a6f4bac1d88530ac6e9b4690ac
Instruction ID: dffc13b77b9edfbd38f1506523d421d52025d1f5c1b44d6b3be513058489108a
Opcode Fuzzy Hash: 23fb7af707fd3a4f20262b9f81af9920e29667a6f4bac1d88530ac6e9b4690ac
Instruction Fuzzy Hash: 8211B43A600305EBCB259F74CC4597A77B5FF45350B80812BE90ACB250EB719850E792

Function 00F550E2 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00F55101

Part of subcall function 00F4571C: __FF_MSGBANNER.LIBCMT ref: 00F45733
Part of subcall function 00F4571C: __NMSG_WRITE.LIBCMT ref: 00F4573A
Part of subcall function 00F4571C: RtlAllocateHeap.NTDLL(012E0000,00000000,00000001,00000000,?,?,?,00F40DD3,?), ref: 00F4575F

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 7c1ee8c64a86c32150bcf87565ba0355dfc6a455c4cc054e94a2a33fe8301b3e
Instruction ID: c71864af85d548acb65e86a1fbbdd6385486c5df6357bd3228cc7700561c4685
Opcode Fuzzy Hash: 7c1ee8c64a86c32150bcf87565ba0355dfc6a455c4cc054e94a2a33fe8301b3e
Instruction Fuzzy Hash: 5611E372D00E15AFCF313FB0AC5976D3F989F41BB3B100529FE449A161DE388849BA90

Function 00F244A0 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F244CF

Part of subcall function 00F2407C: _memset.LIBCMT ref: 00F240FC
Part of subcall function 00F2407C: _wcscpy.LIBCMT ref: 00F24150
Part of subcall function 00F2407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00F24160

KillTimer.USER32(?,00000001,?,?), ref: 00F24524
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00F24533
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00F5D4B9

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 2421aec1316194adf4788d6fe6eaa57d32a5f9dfac5c9c6ba571263d4272286c
Instruction ID: 80331a0766228090049ca612086770d2f615942af5cc46cf08dde9a25cda4362
Opcode Fuzzy Hash: 2421aec1316194adf4788d6fe6eaa57d32a5f9dfac5c9c6ba571263d4272286c
Instruction Fuzzy Hash: 4E21D7B19057949FE732CB24DC56BE6BBEC9F06319F04009DEBDE5A141C3B42988EB51

Function 00F96369 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00F25A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00F87896,?,?,00000000), ref: 00F25A2C
Part of subcall function 00F25A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00F87896,?,?,00000000,?,?), ref: 00F25A50

gethostbyname.WSOCK32(?), ref: 00F96399
WSAGetLastError.WSOCK32(00000000), ref: 00F963A4
_memmove.LIBCMT ref: 00F963D1
inet_ntoa.WSOCK32(?), ref: 00F963DC

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: ee6cdfc71d2b9151f6cbeb5b964219a34429903d671de9be64ced5aea4d6696e
Instruction ID: 3fec4408c06ced34a64aa200ff0921522ad3a7fd83edd50909a6d6ba795a159f
Opcode Fuzzy Hash: ee6cdfc71d2b9151f6cbeb5b964219a34429903d671de9be64ced5aea4d6696e
Instruction Fuzzy Hash: B2116072900109AFCF00FBA4ED46CEEB7B8AF09310B144065F505E7261DB38EE18EBA1

Function 00F78B41 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00F78B61
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F78B73
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F78B89
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F78BA4

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: f92b88ef397250a14e0de973af31e0b75ab628d08162cf6d167c9361c9bc5ded
Instruction ID: 72568c332e82b6d78240ab56b5d898edff9a7ea9939af5fce87136ec381ad040
Opcode Fuzzy Hash: f92b88ef397250a14e0de973af31e0b75ab628d08162cf6d167c9361c9bc5ded
Instruction Fuzzy Hash: 02114C79940218FFDB10DF99CC84F9DBB74FB48350F204096E904B7250DA716E11EB94

Function 00F21290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00F22612: GetWindowLongW.USER32(?,000000EB), ref: 00F22623

DefDlgProcW.USER32(?,00000020,?), ref: 00F212D8
GetClientRect.USER32(?,?), ref: 00F5B5FB
GetCursorPos.USER32(?), ref: 00F5B605
ScreenToClient.USER32(?,?), ref: 00F5B610

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: d3d0499538941d460d65fa49f8ad76f2d16ea12a0e85bae8bde32e6dc9e48847
Instruction ID: 0050249d21d35745c6fdf462ed014366f0a77ffde7b6f32847d84d54c4780c03
Opcode Fuzzy Hash: d3d0499538941d460d65fa49f8ad76f2d16ea12a0e85bae8bde32e6dc9e48847
Instruction Fuzzy Hash: 05113A7690102DEFCB10DFA8E8859EE77B8FB16301F500456F901E7281D734BA55EBA9

Function 00F81142 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00F7FCED,?,00F80D40,?,00008000), ref: 00F8115F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,00F7FCED,?,00F80D40,?,00008000), ref: 00F81184
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00F7FCED,?,00F80D40,?,00008000), ref: 00F8118E
Sleep.KERNEL32(?,?,?,?,?,?,?,00F7FCED,?,00F80D40,?,00008000), ref: 00F811C1

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 7babe4764742e980c9048d90fb42acb41b05bea22e7d7c0d366275604cd7d17c
Instruction ID: b241184e24f38d95d786ce3c83254ad7e2df8a4ce261ae078e5c41314b528a0e
Opcode Fuzzy Hash: 7babe4764742e980c9048d90fb42acb41b05bea22e7d7c0d366275604cd7d17c
Instruction Fuzzy Hash: FE117C72D0091DD7CF00AFE4D848AEEBB7CFF09711F104155EA80B6240CB709556EBA1

Function 00F7D831 Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00F7D84D
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00F7D864
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00F7D879
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00F7D897

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 840b41f67d17612ca972328d98daf589fd20d0b3833964f4247fc9c9deb673b8
Instruction ID: bab961d3967083c4a5680dded1319903afdee03f6312d536ee96777d19f21374
Opcode Fuzzy Hash: 840b41f67d17612ca972328d98daf589fd20d0b3833964f4247fc9c9deb673b8
Instruction Fuzzy Hash: 591161B5605304DBE320CF90DC08F93BBBCEF04B00F50856AA95ADA490D7B0E549ABA3

Function 00F56FB7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00F56FDB

Part of subcall function 00F576C2: __fltout2.LIBCMT ref: 00F576EB

__cftog_l.LIBCMT ref: 00F57001
__cftoe_l.LIBCMT ref: 00F57033

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 270bdaf2d67df71e12e784d1126f08a6de00b503bc808132121978051b2dab26
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 95014E7244424ABBCF166E84EC01CED3FA6BB18352F598415FF1859071D336D9B9BB81

Function 00FAB2C5 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00FAB2E4
ScreenToClient.USER32(?,?), ref: 00FAB2FC
ScreenToClient.USER32(?,?), ref: 00FAB320
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00FAB33B

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: cb7cc85f93ebab761a245c1df11c88b8be15a49d3035d3eec7b36f3c2700bced
Instruction ID: 1ae4c2cd94170203b1849a9337c44505b17f0557211216cc3cbbdcb97b934854
Opcode Fuzzy Hash: cb7cc85f93ebab761a245c1df11c88b8be15a49d3035d3eec7b36f3c2700bced
Instruction Fuzzy Hash: 931143B9D0020DEFDB41CFA9C8849EEBBB9FB09311F108166E914E3220D735AA559F90

Function 00FAB635 Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FAB644
_memset.LIBCMT ref: 00FAB653
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00FE6F20,00FE6F64), ref: 00FAB682
CloseHandle.KERNEL32 ref: 00FAB694

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 9a008d80399f3e89d90f0b38a5cabe5d729ada7aae4908c7d81712694da020f6
Instruction ID: f8fb33e7cd4100b3988f41e0e1e651547dcb786dfd36cb1c636b9c809eeacd5b
Opcode Fuzzy Hash: 9a008d80399f3e89d90f0b38a5cabe5d729ada7aae4908c7d81712694da020f6
Instruction Fuzzy Hash: 9AF0FEF294038C7AE7102765BC46FBB7A9CEB197D5F404031BA08E9192E7755C10A7A8

Function 00F86BDA Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00F86BE6

Part of subcall function 00F876C4: _memset.LIBCMT ref: 00F876F9

_memmove.LIBCMT ref: 00F86C09
_memset.LIBCMT ref: 00F86C16
LeaveCriticalSection.KERNEL32(?), ref: 00F86C26

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 7fcf097bc6a9777e2fb667a9710cf41139075f021e28b9f661cea20bf1a77e7c
Instruction ID: dd2dfd54815b33b18dd565897bce7a07fc6e319676979d2d9465ed6250280466
Opcode Fuzzy Hash: 7fcf097bc6a9777e2fb667a9710cf41139075f021e28b9f661cea20bf1a77e7c
Instruction Fuzzy Hash: 6EF05E7A200204ABCF416F95DC85A8ABF69EF46360F048061FE085E227DB35E811EBB4

Function 00F22218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00F22231
SetTextColor.GDI32(?,000000FF), ref: 00F2223B
SetBkMode.GDI32(?,00000001), ref: 00F22250
GetStockObject.GDI32(00000005), ref: 00F22258
GetWindowDC.USER32(?,00000000), ref: 00F5BE83
GetPixel.GDI32(00000000,00000000,00000000), ref: 00F5BE90
GetPixel.GDI32(00000000,?,00000000), ref: 00F5BEA9
GetPixel.GDI32(00000000,00000000,?), ref: 00F5BEC2
GetPixel.GDI32(00000000,?,?), ref: 00F5BEE2
ReleaseDC.USER32(?,00000000), ref: 00F5BEED

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 91459cb289d83475352bede458ec657f61dcb006510250dff2ebf38fa7e7e853
Instruction ID: fcf416c15483a11843792679b811f9c0ca7946e3c84efb0b304b43a0086e454c
Opcode Fuzzy Hash: 91459cb289d83475352bede458ec657f61dcb006510250dff2ebf38fa7e7e853
Instruction Fuzzy Hash: 49E03071904148EBDB215FA4FC0D7D83F10EB06332F148366FA69880E187714588EB12

Function 00F78712 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00F7871B
OpenThreadToken.ADVAPI32(00000000,?,?,?,00F782E6), ref: 00F78722
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00F782E6), ref: 00F7872F
OpenProcessToken.ADVAPI32(00000000,?,?,?,00F782E6), ref: 00F78736

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 9e98b6379647f1937d9472a8b3fd499182d564380d60e70d100f5b377e3e4634
Instruction ID: 12d688012bffb973fadc8000a726b0f05bbff3cef09cf6e7b379394e9ef356d8
Opcode Fuzzy Hash: 9e98b6379647f1937d9472a8b3fd499182d564380d60e70d100f5b377e3e4634
Instruction Fuzzy Hash: 01E086B6A513159BD7605FF05D0CB973BACEF527E1F14C828F24ACE040DA34844AE751

Function 00F7B2F3 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 00F7B4BE

Strings

Container, xrefs: 00F7B43B
AutoIt3GUI, xrefs: 00F7B436

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: 45490ed058385e9d6034f76252e492629ca18c4b88dc112dc1cbfb89fd9bd29e
Instruction ID: e11afa76f646b71ff00eee4cd6b4aae7808c2eb8aa5ff53c4d4e37636637f102
Opcode Fuzzy Hash: 45490ed058385e9d6034f76252e492629ca18c4b88dc112dc1cbfb89fd9bd29e
Instruction Fuzzy Hash: 58916870600601AFDB54DF64C884B6ABBF5FF4A710F24856EF94ACB291DB70E841DB51

Function 00F8AFAC Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00F3FC86: _wcscpy.LIBCMT ref: 00F3FCA9

Part of subcall function 00F29837: __itow.LIBCMT ref: 00F29862
Part of subcall function 00F29837: __swprintf.LIBCMT ref: 00F298AC

__wcsnicmp.LIBCMT ref: 00F8B02D
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00F8B0F6

Strings

LPT, xrefs: 00F8B027

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: b9c49fe8c995c7d1de6130fd05f327c6e97157e7e0029a42c8702862e93474e7
Instruction ID: 8aadade329dec86900b33a841ca57e50c4d8ce7fa7397c04e8f915e00c50cea3
Opcode Fuzzy Hash: b9c49fe8c995c7d1de6130fd05f327c6e97157e7e0029a42c8702862e93474e7
Instruction Fuzzy Hash: 8761B072E00219AFCB14EF94C895EEEB7B4EF09310F044069F916AB391DB74AE44EB50

Function 00F32957 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00F32968
GlobalMemoryStatusEx.KERNEL32(?), ref: 00F32981

Strings

@, xrefs: 00F32975

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 372d4f093b245179bc7aeedbb098c41d922f66b235b52076222e3a7e6f193a13
Instruction ID: f428711ddffd397af76db80d8e31b8b837d91eee15e9d5a8f43a88e168e8655e
Opcode Fuzzy Hash: 372d4f093b245179bc7aeedbb098c41d922f66b235b52076222e3a7e6f193a13
Instruction Fuzzy Hash: 19518A714097589BD320EF50EC86BAFBBE8FF85350F82485DF2D8420A1DB709529DB66

Function 00F89734 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00F24F0B: __fread_nolock.LIBCMT ref: 00F24F29

_wcscmp.LIBCMT ref: 00F89824
_wcscmp.LIBCMT ref: 00F89837

Strings

FILE, xrefs: 00F89770

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: fc84b35c310b0fffa23840d2c50d71ed5a2276540518f818109bb64c7b3df5a8
Instruction ID: c98260b2927bf764c949838eed86a5430a1d4ae0371ff6b7099d0b6f4ae30d9c
Opcode Fuzzy Hash: fc84b35c310b0fffa23840d2c50d71ed5a2276540518f818109bb64c7b3df5a8
Instruction Fuzzy Hash: F041D831A0421ABADF20AFA0DC45FEFBBBDDF85710F050069F904B7181DBB5A9049B61

Function 00F9258E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F9259E
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00F925D4

Strings

|, xrefs: 00F925A5

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 139f343e4a606a46c9d6894ec57b4a6761b503cf5b7990caed941b0760745ea1
Instruction ID: cf1762ebad982fee9c3f1c62aa9baf14d48a72e95aff4f6f936a0f9566f18c43
Opcode Fuzzy Hash: 139f343e4a606a46c9d6894ec57b4a6761b503cf5b7990caed941b0760745ea1
Instruction Fuzzy Hash: DE310871C00219ABDF41EFA5DC85EEEBFB8FF08350F100069F915A6162EB355956EB60

Function 00FA7A71 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00FA7B61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00FA7B76

Strings

', xrefs: 00FA7ACA

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 9165e885baf4bbdb4c683de371f9895b93fa27cbe8648c219305d0dfa70cb75c
Instruction ID: 78e42e2524e14b0f76d41c0d733c04649ad382a3a7724f00891bbdb5f1a95644
Opcode Fuzzy Hash: 9165e885baf4bbdb4c683de371f9895b93fa27cbe8648c219305d0dfa70cb75c
Instruction Fuzzy Hash: 2F4117B5A04309AFDB14DF65C880FEABBB5FB49340F10016AE904AB395D770AA51DFA0

Function 00FA6A63 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00FA6B17
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00FA6B53

Strings

static, xrefs: 00FA6AB3

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 91e607804ad8a57481c98f690b0fc81015a8510a8dff71583dd232c6cee85865
Instruction ID: 22f891d54b7fbac7b4d97ad6f716570881912feb22b8cb5f27219a0ab128b697
Opcode Fuzzy Hash: 91e607804ad8a57481c98f690b0fc81015a8510a8dff71583dd232c6cee85865
Instruction Fuzzy Hash: 3F31A1B1500604AEDB109F74CC80BFB73B9FF89764F148619F9A5D7190DA34AC91E760

Function 00F828A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F82911
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00F8294C

Strings

0, xrefs: 00F8290A

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 6b9f1d41783834bfcae2ba9297797904e2519d3c84e5856d71b49877315c091b
Instruction ID: d06fc5fbd8ef8c11e789febc5cc6f97ed7aaf5a849501a388ebedbe6e5960861
Opcode Fuzzy Hash: 6b9f1d41783834bfcae2ba9297797904e2519d3c84e5856d71b49877315c091b
Instruction Fuzzy Hash: D631C331E00305AFEB64EF58CD85BEEBBB4EF45360F140029ED85A61A1D774A944FB51

Function 00F939E9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00F93A66

Part of subcall function 00F27DE1: _memmove.LIBCMT ref: 00F27E22

Strings

AUTOITCALLVARIABLE%d, xrefs: 00F93A58
, $, xrefs: 00F93AA6

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 3506404897-2584243854
Opcode ID: f39c985652acf2756686d7f408c39f3d70ce8179b45aa8ec191fce08bd68112d
Instruction ID: 32468f0e0d2b7453e6880ee07ce174cf8925748619f0ceebee80ca478ae873e7
Opcode Fuzzy Hash: f39c985652acf2756686d7f408c39f3d70ce8179b45aa8ec191fce08bd68112d
Instruction Fuzzy Hash: 9B21A235600229AFCF10FF64DC82EAE77B5EF44740F444455F455AB282DB38EA46EB62

Function 00FA66D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00FA6761
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00FA676C

Strings

Combobox, xrefs: 00FA672E

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: ac922159dfc2021ead9bbd110953243c18419b417259d24cab01e29d941b6ad1
Instruction ID: c7238f735d426bf97e051d419630b835b232a8489ad27ca241ce95ed44a93017
Opcode Fuzzy Hash: ac922159dfc2021ead9bbd110953243c18419b417259d24cab01e29d941b6ad1
Instruction Fuzzy Hash: E711C8B5710208AFEF11DF54CC80EBB376AEB45368F150125F914DB290DA75DC51A7A0

Function 00FA6C07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00F21D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00F21D73
Part of subcall function 00F21D35: GetStockObject.GDI32(00000011), ref: 00F21D87
Part of subcall function 00F21D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00F21D91

GetWindowRect.USER32(00000000,?), ref: 00FA6C71
GetSysColor.USER32(00000012), ref: 00FA6C8B

Strings

static, xrefs: 00FA6C4E

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 435eed3769b74d656f78f1875837fea522d5b58bd020d1699924f5122627260e
Instruction ID: 2ea1328470bd3b3cfc9a25971b771206f34347340a6d814399d256b4fb7859d3
Opcode Fuzzy Hash: 435eed3769b74d656f78f1875837fea522d5b58bd020d1699924f5122627260e
Instruction Fuzzy Hash: AD2159B2910219AFDF05DFB8CC45AEA7BA9FB09315F044628F995D2250D635E850EB60

Function 00FA6920 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00FA69A2
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00FA69B1

Strings

edit, xrefs: 00FA6986

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 31dc3973357741f12833f8cffca214a580395baa95be33e939bee93330f17377
Instruction ID: ad8689c1ff0e860946345b14e5bd58a925a458d8e290e633c2aa8d78a2da7663
Opcode Fuzzy Hash: 31dc3973357741f12833f8cffca214a580395baa95be33e939bee93330f17377
Instruction Fuzzy Hash: E5116AB1910208AFEB108E64DC44AEB37A9EB0A3B8F544728F9A5D61E0C735DC55BB60

Function 00F829AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F82A22
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00F82A41

Strings

0, xrefs: 00F82A18

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 935e6e9b0842f2a0cf3216872fd93aa887f30025bb4134e2a8589fc272c78970
Instruction ID: cd0897f72cc132fde1992fc0d8d65f27a3d8071e4b3d9532d03ceea4eab2c855
Opcode Fuzzy Hash: 935e6e9b0842f2a0cf3216872fd93aa887f30025bb4134e2a8589fc272c78970
Instruction Fuzzy Hash: 0F11D336D01118ABCF78EB98DD44BDA77B8AF46724F044021E855EB2A0D738BD0AE791

Function 00F921D6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00F9222C
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00F92255

Strings

<local>, xrefs: 00F9221D

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 70233fd2bac1e343e64a27e400ab7d06d1f2d3fe693e59ad5d830616ff132a34
Instruction ID: 51d0d52a65574606388728329089215442ca2abfb71510f32761a922a243c08d
Opcode Fuzzy Hash: 70233fd2bac1e343e64a27e400ab7d06d1f2d3fe693e59ad5d830616ff132a34
Instruction Fuzzy Hash: 5611E070941225BAFF288F518C84FFBFBA8FF06761F10822AF90486000D3706994E6F0

Function 00F78E05 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F27DE1: _memmove.LIBCMT ref: 00F27E22

Part of subcall function 00F7AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00F7AABC

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00F78E73

Strings

ListBox, xrefs: 00F78E3D
ComboBox, xrefs: 00F78E12

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 5c00405fdeb6e0c4ee7e12b3903f11b648bcc1a8517bb688b35414338c7618ea
Instruction ID: b017bec39190b0fd842eaaa62994920bf69bf90a78e8ea83a03554dbe81951ac
Opcode Fuzzy Hash: 5c00405fdeb6e0c4ee7e12b3903f11b648bcc1a8517bb688b35414338c7618ea
Instruction Fuzzy Hash: 7401F571A41228AB9B14FBE0CC45DFE7369AF02360B14461AF825573D1EF39580CF651

Function 00F78CFD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F27DE1: _memmove.LIBCMT ref: 00F27E22

Part of subcall function 00F7AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00F7AABC

SendMessageW.USER32(?,00000180,00000000,?), ref: 00F78D6B

Strings

ListBox, xrefs: 00F78D35
ComboBox, xrefs: 00F78D0A

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 441af9fad9b28490340004b690b85fe3b3fdc52ff97c7c99f2c5f7ef79f354f3
Instruction ID: 1ffcd0f82d0d9da9c1798024d58b5351a47b9bb4661e1a0d766b341207af0770
Opcode Fuzzy Hash: 441af9fad9b28490340004b690b85fe3b3fdc52ff97c7c99f2c5f7ef79f354f3
Instruction Fuzzy Hash: 9301D471A81218ABDB24EBA0CD56EFE77A89F15350F14401AB809672D1DE299E0CF272

Function 00F78D82 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F27DE1: _memmove.LIBCMT ref: 00F27E22

Part of subcall function 00F7AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00F7AABC

SendMessageW.USER32(?,00000182,?,00000000), ref: 00F78DEE

Strings

ListBox, xrefs: 00F78DBA
ComboBox, xrefs: 00F78D8F

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: d5edc45daec323cda68719c8cbefe8e3197be9e35e5af839ade4bb565e30aee9
Instruction ID: ec30f22c39b1c46933ca5cbffbc52470c53ca8a5473cce41fd235e90ec78ab19
Opcode Fuzzy Hash: d5edc45daec323cda68719c8cbefe8e3197be9e35e5af839ade4bb565e30aee9
Instruction Fuzzy Hash: EC01F771A81218A7DB25F6A4CD46EFE77AC8F11350F144016B809A7291DE298E0DF272

Function 00F84F28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00F84F46
_wcscmp.LIBCMT ref: 00F84F58

Strings

#32770, xrefs: 00F84F52

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: cc35604a18ae65b88634747aceeeeab9fccc5ae25283a99a1c6e25045744b411
Instruction ID: 5054bdfdb5f700a99b6639ca852c64f35216b05a362f669a3ee1a4d30641a44f
Opcode Fuzzy Hash: cc35604a18ae65b88634747aceeeeab9fccc5ae25283a99a1c6e25045744b411
Instruction Fuzzy Hash: C9E06832A0032D2BD320AB99AC49FA7FBACEB51B70F04002BFD00D7040D960AA4587E0

Function 00F5B2C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00F5B314: _memset.LIBCMT ref: 00F5B321

Part of subcall function 00F40940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00F5B2F0,?,?,?,00F2100A), ref: 00F40945

IsDebuggerPresent.KERNEL32(?,?,?,00F2100A), ref: 00F5B2F4
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00F2100A), ref: 00F5B303

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00F5B2FE

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 5574d31519d4ca6b1a2a8cadd922a2766eb4abe255c0c911892c9375ae22e8fe
Instruction ID: 9d347de130d0389af628c6427adaf7f07f708861833d19762c915d152a37a7cf
Opcode Fuzzy Hash: 5574d31519d4ca6b1a2a8cadd922a2766eb4abe255c0c911892c9375ae22e8fe
Instruction Fuzzy Hash: 8DE092B02007158FD760DF68E9047427BE4EF00715F008A6CE956DB342EBB4D448EBA1

Function 00F61935 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 00F61775

Part of subcall function 00F9BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,00F6195E,?), ref: 00F9BFFE
Part of subcall function 00F9BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00F9C010

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00F6196D

Strings

WIN_XPe, xrefs: 00F61788

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: 7343b9a499ebc5560a5470422e03ae11c3fcf4725392eab9c6efbbd9c540ced4
Instruction ID: 0540debe6e351a96cc09cb35009087f7cd96a56899726ec26ce9fa1ff727714c
Opcode Fuzzy Hash: 7343b9a499ebc5560a5470422e03ae11c3fcf4725392eab9c6efbbd9c540ced4
Instruction Fuzzy Hash: 72F0C9B180010DDFDB15DB91D984BECBBF8BB18315F580095E102A6090D7755F88FF60

Function 00FA5998 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00FA59AE
PostMessageW.USER32(00000000), ref: 00FA59B5

Part of subcall function 00F85244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00F852BC

Strings

Shell_TrayWnd, xrefs: 00FA59A7

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 959d3d1afb512361c852601c075550cb55da1e9127d6b158421fe602d83a3892
Instruction ID: 8218e44e0ca78a40d109cdb05cae1681187d75fa87205999750b5bbf0e88950a
Opcode Fuzzy Hash: 959d3d1afb512361c852601c075550cb55da1e9127d6b158421fe602d83a3892
Instruction Fuzzy Hash: BDD0C9767803157BE664BBB0AC4BFD67A55AB05B50F080825B246AE2D4C9E4A804D654

Function 00FA5964 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00FA596E
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00FA5981

Part of subcall function 00F85244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00F852BC

Strings

Shell_TrayWnd, xrefs: 00FA5967

Memory Dump Source

Source File: 00000000.00000002.2068270973.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true

Associated: 00000000.00000002.2068181880.0000000000F20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068391243.0000000000FD4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068443162.0000000000FDE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000000FE9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2068469033.0000000001016000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f20000_rlPy5vt1Dg.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 5ed811fa8f800e6bd52fe94259fe80052bb6b9a8c600ffd7f0e31595f498a7f6
Instruction ID: da5bf8246804ad15c161e55766bc7ef61dcaacec9a07aae0ece8a0d77f3490fd
Opcode Fuzzy Hash: 5ed811fa8f800e6bd52fe94259fe80052bb6b9a8c600ffd7f0e31595f498a7f6
Instruction Fuzzy Hash: C8D0C976784315BBE664BBB0AC4BFD67A55AB01B50F080825B24AAE2D4C9E49804D654

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report rlPy5vt1Dg.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: MassLogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\aut242F.tmp

C:\Users\user\AppData\Local\Temp\harrowment

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Windows Analysis Report
rlPy5vt1Dg.exe

Function 00F23B3A Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Function 00F249A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00F24E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 00F89155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 00F23015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Function 00F23041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 00F2708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00F23A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00F23633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Function 00F23766 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Function 014BC8E0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00F239D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 014BC6A0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 147
fileCOMMON

Function 00F2407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Function 00F4541D Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre